To configure general and advanced settings for RADIUS, navigate to Config → Networking → Radius.
- Reject IP 0 - Reject IP range when a user is not found (real);
- Reject IP 1 - Reject IP range when a user is blocked, not active or not in system;
- Reject IP 2 - Reject IP range when a user has a negative balance or a filter is applied;
- Reject IP 3 - Reject IP range when a user has the wrong MAC address (if enabled) or other error;
- Reject IP 4 - Reject IP range when a user has entered the wrong password.
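Because each reject range encodes why authorization failed, the address a session received can be used to triage failures. The sketch below is an added example, not Splynx code: the ranges, the session rows and the threshold are constructed, and it flags a MAC address that lands in the "user not found" or "wrong password" ranges under several different logins.

```python
import ipaddress
from collections import Counter, defaultdict

# Reason for each reject pool index, as listed above.
REASONS = {
    0: "user not found",
    1: "user blocked, not active or not in system",
    2: "negative balance or filter applied",
    3: "wrong MAC address or other error",
    4: "wrong password",
}

# Constructed ranges; replace with the ranges configured as Reject IP 0-4.
REJECT_RANGES = {i: ipaddress.ip_network(f"10.250.{i}.0/24") for i in range(5)}

# Constructed session rows: (login, MAC address, assigned IP).
SESSIONS = [
    ("alice", "AA:BB:CC:00:00:01", "10.250.2.15"),
    ("bob", "AA:BB:CC:00:00:02", "10.0.5.20"),
    ("admin", "AA:BB:CC:00:00:03", "10.250.4.7"),
    ("root", "AA:BB:CC:00:00:03", "10.250.0.9"),
    ("support", "AA:BB:CC:00:00:03", "10.250.4.8"),
    ("carol", "AA:BB:CC:00:00:04", "10.250.3.3"),
]

def reject_pool(ip):
    """Return the reject pool index an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for idx, net in REJECT_RANGES.items():
        if addr in net:
            return idx
    return None

def triage(sessions, guess_threshold=3):
    """Count rejected sessions per reason and flag MACs trying many logins."""
    per_reason = Counter()
    logins_by_mac = defaultdict(set)
    for login, mac, ip in sessions:
        idx = reject_pool(ip)
        if idx is None:
            continue  # regular address, not a rejected session
        per_reason[REASONS[idx]] += 1
        if idx in (0, 4):  # unknown user or wrong password
            logins_by_mac[mac].add(login)
    suspects = {mac: sorted(names) for mac, names in logins_by_mac.items()
                if len(names) >= guess_threshold}
    return per_reason, suspects
```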
Select the NAS type you are going to use and click on the Load button. You can use a default type or create a new NAS type. More information about NAS type creation is available here.
A new configuration section will appear:
- Prevent duplicate session - if a customer is already online and tries to connect again, a disconnect packet is sent to the existing online session;
- Allow with a negative account balance - allows a connection when the account balance of the customer trying to connect is less than the specified minimum balance;
- Allow without IP/MAC - if disabled, IP/MAC will be checked during authorization, and if enabled, authorization will be allowed with any IP/MAC;
- MAC address field - different NAS routers can use different fields of MAC addresses, default is "Calling-Station-Id";
- Bind MAC on - choose the source for MAC binding when 'Bind MAC address on first connect' is enabled;
- Port ID attribute for PPP - the attribute is used for authorization of PPP connections via Port ID value;
- Port ID attribute for DHCP - the attribute is used for authorization of DHCP connections via Port ID value;
- Inverse rate limit - swaps the upload and download rate limits;
- Inverse accounting - swaps the upload and download accounting values;
- Process accounting without IP - enables/disables processing of accounting without IP;
- Split session with zero accounting - enables/disables splitting of session to a new one if the accounting has sent zero in usage;
- Accounting interval (in seconds) - set time to update accounting. Recommended value is 300 sec, and minimal value is 60 sec;
- Accounting interval factor - set how many accounting intervals the system should wait to consider the customer online and begin accounting. Default = 2;
- Ignore processing traffic on accounting packet - if this option is enabled, traffic from RADIUS accounting packets will be ignored; MikroTik API or another API accounting can be used instead;
- Ignore username and password for PPP - if enabled, login and password will be ignored for PPP connection. MAC address or Port ID values will be used for authorization;
- Customer attributes field - specify the customer additional field which will be used to send RADIUS attributes. Used for RADIUS customization;
- Plan attributes field - specify the tariff additional field which will be used to send RADIUS attributes. Used for RADIUS customization;
- Rate-Limit attributes - list of rate-limit attributes. Recommended to keep default;
- Customer Block - applies when a customer's status is changing to "blocked" or "inactive" and the customer is online;
- CoA Block attributes - list of CoA block attributes. Please keep default;
- CoA Restore attributes - list of CoA restore attributes. Please keep default;
- Cards Rate-Limit attributes - list of rate-limit attributes. Please keep default;
- Radius incoming port - set port for incoming RADIUS;
- FUP CoA Rate-Limit attributes - list of FUP CoA rate-limit attributes. Please keep default;
- FUP Block - set FUP blocking type;
- FUP CoA Block attributes - list of FUP CoA block attributes. Please keep default;
- FUP CoA Restore attributes - list of FUP CoA restore attributes. Please keep default;
- Overwrite CoA IP - all CoA requests will be sent to this IP. Leave blank to use NAS-IP-address;
- Overwrite PoD IP - all PoD requests will be sent to this IP. Leave blank to use NAS-IP-Address;
- COA & POD parameters - send session ID with CoA & PoD requests;
- Use reject IP [0-4] - enable this to use the reject IPs 0-4 explained in the first step;
- Reject [0-4] Attribute - list of attributes of reject pools;
- Error session time limit - limits the session time (in seconds) after an authorization error, forcing users to reconnect after the timeout (for customers that do not have any active services). This is needed so that, after activation, the customer receives an address from Splynx without having to reconnect manually;
- Use admin login - when enabled, it allows logins to the router with administrator credentials;
- Attribute for Read Group - specify the attribute for read group;
- Attribute for Write Group - specify the attribute for write group;
- Attribute for Full Group - specify the attribute for full group;
There are two buttons at the bottom of the page to Restart radius and Clear all online sessions.
- Restart radius - will restart radius. Customer's connections can be dropped;
- Clear online sessions - will clear current online sessions.
In this section, you can configure extended features for RADIUS.
In Splynx we have two Radius servers. We use Freeradius as an external Radius server; it accepts connections from clients (from routers). Freeradius transfers Radius requests to the internal Radius server called splynx_radd. Here we can configure where splynx_radd listens for connections.
- Listen Ip - IP of the splynx_radd server.
- Listen port - splynx_radd port.
If you change the configuration here, you should also change it in the PeerAddr and PeerPort configuration in the /etc/freeradius/splynx/splynx.pl file.
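A mismatch between the listen settings and splynx.pl means Freeradius forwards requests to an address where splynx_radd is not listening. The check below is an added example, not part of Splynx: the file fragment is constructed, its layout (PeerAddr and PeerPort written as Perl `key => value` pairs) is an assumption, and the IP and port values are placeholders.

```python
import re

# Constructed fragment; the real layout of splynx.pl is an assumption.
SAMPLE_SPLYNX_PL = r"""
# my $sock = IO::Socket::INET->new(PeerAddr => '10.0.0.5', PeerPort => 1700);
my $sock = IO::Socket::INET->new(
    PeerAddr => '127.0.0.1',
    PeerPort => '1899',
    Proto    => 'udp',
);
"""

# Matches PeerAddr/PeerPort values, quoted or bare.
PAIR = re.compile(r"\b(PeerAddr|PeerPort)\s*=>\s*['\"]?([^'\",\s)]+)")

def peer_settings(perl_source):
    """Collect every active (non-commented) PeerAddr/PeerPort value."""
    found = {}
    for line in perl_source.splitlines():
        code = line.split("#", 1)[0]  # drop Perl comments
        for key, value in PAIR.findall(code):
            found.setdefault(key, set()).add(value)
    return found

def check_listener(perl_source, listen_ip, listen_port):
    """Return a list of mismatches against the configured Listen Ip/port."""
    found = peer_settings(perl_source)
    expected = {"PeerAddr": listen_ip, "PeerPort": str(listen_port)}
    problems = []
    for key, want in expected.items():
        values = found.get(key, set())
        if not values:
            problems.append(f"{key} not set")
        elif values != {want}:
            problems.append(f"{key} is {', '.join(sorted(values))}, expected {want}")
    return problems
```

To run it against a live system, pass the contents of /etc/freeradius/splynx/splynx.pl and the Listen Ip and Listen port values from this page.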
Debug and Logs
- Short log - enables/disables Radius short logs;
- File (short log) - Radius short.log file location;
- Debug - enables/disables Radius debug log (/var/www/splynx/logs/radius/debug.log). The radius debug mode will automatically turn off in 60 minutes;
- Debug level - debug level (0 - 10), where 10 is the most detailed;
- Console - push debug messages to console, not recommended;
- Syslog - push debug messages to syslog, not recommended;
- File - push debug messages to file: /var/www/splynx/logs/radius/debug.log
- Check online - checks if a customer is already online. If online, do not allow a new connection (with the same credentials). If disabled, customers can connect multiple times with the same credentials;
- DHCP (Send framed-route attribute) - send a framed-route from the Radius server;
- DHCP (Add customer to online after login) - when DHCP is used, add customers to the online list immediately after they connect. If disabled, customers will be added to the online list only when their traffic reaches the accounting limit (under Config → Networking → MikroTik API "Min bytes for accounting");
- Bind MAC address on first connect - if the MAC attribute is empty in the internet service settings, this adds the MAC/IP from where the customer connects for the first time;
- Maximum unique MAC addresses - maximum number of MAC addresses that can be added into the internet service settings;
- Overwrite oldest mac in case of new trying to log-in - enable this toggle to overwrite the previous MAC address when a new MAC address tries to log in.
- Allow admins to access unknown NAS devices - allows administrators access in case the NAS is not found on Splynx;
- Default NAS ID - NAS ID, needed if access without NAS is enabled.
- Force the specified network to use one NAS - enables/disables forcing a network to use only one NAS;
- Network - specify the network (for example: 10.10.0.0/20) if the previous setting is enabled;
- Default NAS ID - NAS ID which will be used by default for the network from the previous setting;
- Set static IP on connect - if enabled, static IPs will be set to services on connecting.
- Enable proxy accounting - enables/disables proxy accounting;
- Radius host - IP:Port;
- Radius secret - Radius secret;
- NAS type ID - request for this NAS Type will be proxied to the next radius, 0 - all.
- Link locations - link the customer location to the IP pool location. This will work in a case where, in the customer service, "Any pool" is selected, and all locations will cover different pools;
- Use IP pool with "Location = All" - if the pool associated with the customer location is not found, pools with Location = All can be used.
We can specify periodic restarts of the radius server to prevent memory leaks here. The use of this feature is highly recommended.
- Enable - enables/disables periodic restarts;
- Restart once per - select a period for the periodic restart (day, week, month);
- Hour - time when the radius server will be restarted. Recommended time: late at night, midnight or after.
- Restart radius - the radius server can be restarted with this button. Recommended after new configurations have been made, so that the changes are applied after the reboot.
Be attentive - for a brief period unauthorized customers will not be able to log in via Radius. Radius restart usually takes up to 15 seconds.