Radius

In order to ensure universal utilization of the software for the management of the Internet network, independent RADIUS module is implemented in ISPadmin to enable client verification.

 

Basic module information

Radius module provides especially for the following:

  • Verification via username and password, or MAC address
  • Support of HotSpot MikroTik system / PPPoE support
  • Statistics of verified clients
  • Graphs of clients´ traffic
  • Authorization for WINbox / SSH
  • Verification of technician accesses into MikroTik routers

More information available at:

 

Purchase

This is a separate module which is not part of the basic system installation, and thus needs to be purchased separately. For more information re trials and/or activation of the module, contact our Sales Department at This email address is being protected from spambots. You need JavaScript enabled to view it..

 

Module installation

The installation is performed by our technical support. They will upload a new license with Radius module while installing the module.

If you used the module in the past and need to have it up and running following a system migration / re-installation, follow this guide.

If you´re installing Radius for the first time, you will need to do the following to switch the module on:

 

Get current password to your database

cat /data/support/ispadmin/config/config.php |grep DBPASS

 

Write the mysql password to /etc/freeradius/sql.conf, replacing default password isp123.

nano /etc/freeradius/sql.conf
# Connection info:
server = "localhost"
login = "ispadmin"
password = "isp123"

 

Edit /usr/share/freeradius/dictionary file and check if $INCLUDE dictionary.mikrotik row is present If not, write it there.

nano /usr/share/freeradius/dictionary

 

Restart Radius

/etc/init.d/freeradius restart

 

Setting up ISPadmin to verify clients via Radius

 

Adding a new Radius tariff

In Settings Tariffs Internet, select Radius client type, fill in tariff description, abbreviation, and price. Client´s speed will be set according to values in Download, Upload, Burst limit, Burst threshold, Burst time, and Priority. Add the tariff to a client while adding a service.

Speed-limitation attribute will be created automatically based on tariff speed setup, yet you have an option to change its parameters by manually adding Mikrotik-Rate-Limit attribute. You may add more attributes to a tariff manually, either to all Radius clients (in Settings Tariffs Internet, click on ), or to an individual client.

If you use Unlisted tariff for a client, defined speeds won´t be applied to the configuration, and you will have to add Radius parameter with the requested speed manually to the client. So please use Unlisted tariff rarely.

 

Radius-oriented router configuration

Set up router in ISPadmin

When editing a router, check the Activate radius box, and fill in Password for communication with radius. A brown Radius button will be displayed in router header when Radius is activated. Click on it to get more information about Radius on the router (see Router Description > Basic router info > RADIUS), such as a number of in-/active clients or clients without a router. Also, you may unlock all clients who are locked to a router. You can do so in Hardware Routers Radius Account Statistics, too.

 

Mikrotik setup

  • Click on + to create New Radius Server in Radius menu.
  • Fill in the following parameters:
Service wireless (Check also ppp, if you need to verify PPPoE services) *
Address IP address of ISPadmin server
Secret Password used while editing a router as Password for communication with radius.
Authentication Port 1812
Accounting Port 1813
Accounting Backup no

* In MikroTik, for ppp service check Use Radius and Accounting in PPP > PPP Authentication & Accounting menu.

/ppp aaa print
 use-radius: yes
 accounting: yes
 interim-update: 10s

Then just each Radius-service type client needs to have the proper tariff. You may then debug individually each PPPoE service in MikroTik based on its profile etc.

900px Pppoe server radius

 

Verification of technicians on MikroTik routers via Radius

 

If you have bought the RADIUS module, activated it and set it properly, you can use the Mikrotik login function. If you do not know whether the RADIUS module in your application is active or not, you can check it out in Clients Home.

 

If you decide to use it, you will not have to set up special accounts for technicians (with corresponding rights) on each router. Also, when a technician leaves your company, it will not be necessary for you to remove their accounts on all routers. Access to the RADIUS server is automatically configured, which enables MikroTik login for technicians (through WinBox, SSH etc., depending on the rights settings). Manual configuration of all routers is thus unnecessary, which speeds up the whole process.

 

To activate the management of technicians’ access rights to routers, you have to set the service_mikrotik_login key to 1 in Settings Syst. settings Mikrotik. By doing this, you activate the MikroTik login through RADIUS feature on all routers in the system.

 

By default, a given administrator has access to all routers.

 

If you do not want anyone to have access to a certain router (for example: main gateway or CORE router), then you can uncheck the Login of technicians to Mikrotiks via Radius box in the settings of a given router in Hardware Routers All. If this box is not checked, it is not possible to log in through any account created in Settings Administrators Mikrotik Login.

 

If everything is set correctly and you start RADIUS, the system automatically activates communication with the RADIUS server on all routers, sets up relevant access groups (information about individual groups’ rights must be saved directly to routers) and allows technicians to log in according to their authorization.

 

alert icon ATTENTION alert icon

 

If you want to use this function, it is necessary to check the setting of the server_ip key in Settings Syst. settings General. You have to enter here the IP address of the ISPadmin server that is accessible from all routers. This IP address will be set as the IP address of the RADIUS server on all routers. If you set it incorrectly, access to routers through RADIUS will not be possible because of a non-existent RADIUS server.

 

The MikroTik login through RADIUS feature is functional only if the RADIUS module in the ISPadmin system is activated. If it is not activated, the feature is not functional.

 

You can easily check whether and how the function works by having a technician connect to one of the routers or through WinBox - in the Radius menu and in the System / Users / Groups menu.

 

Groups

 

On this page, you can define in detail the rights of individual groups that will be used for the management of technicians’ access to routers. Then you assign individual users (technicians) to the groups you have created. You may create as many groups with various rights as possible.

 

A new group can be added by clicking on . On the page that appears, enter the name of a given group and set the individual rights the way you want. You can also modify the settings in the overview of existing groups. There is a list of rights for each group along with information about how you have configured them (icon check ok / icon check ko). You can change the configuration by clicking on individual icons. 

 

You can set the following rights:

 

local A given group of technicians is / is not allowed to log in through a local console.
telnet A given group of technicians is / is not allowed to log in through telnet.
ssh A given group of technicians is / is not allowed to log in through SSH.
ftp A given group of technicians is / is not allowed to log in through FTP. Such technicians can read, write and delete.
reboot A given group of technicians is / is not allowed to reboot a router.
read A given group of technicians is only allowed to read. No configuration changes are possible.
write A given group of technicians is / is not allowed to modify configurations (with the exception of user management - setting up further user accounts for access to routers). If you want to allow this group to read as well, you have to modify the read item accordingly.
policy A given group of technicians is / is not allowed to set up further administrator accounts for access to routers.
test A given group of technicians is / is not allowed to carry out the following tests: ping, traceroute, bandwidth-test, wireless scan, sniffer a snooper.
web A given group of technicians is / is not allowed to log in through the web interface.
winbox A given group of technicians is / is not allowed to log in through WinBox.
password A given group of technicians is / is not allowed to change passwords to individual user accounts.
sensitive A given group of technicians is / is not allowed to see sensitive data, such as passwords, wireless keys etc.
api A given group of technicians is / is not allowed to log in through API.
sniff A given group of technicians is / is not allowed to use a sniffer utility.

 

You can edit a particular group by clicking on icon edit.

You can delete a particular group by clicking on icon check ko grey.

 

Clients

 

You can add a new user (technician) by clicking on . Enter the login name and password of a given technician on the page that appears. Since every single user has to belong to a certain group (with a given set of rights), assign this technician to a particular group. Furthermore, you can add a note to them. Finish the process by clicking on Save.

 

The overview of users contains the following details: user, group and note.

 

You can edit a particular user by clicking on the icon edit icon.

You can delete a particular user by clicking on the icon check ko grey icon.

 

 

Examples of configuration

900px PPPoE schema

 

PPPoE Server

Set up IP address on eth1 - 192.168.1.112/24 Set up default gateway - 192.168.1.1 Create PPPoE profile Add bridge for PPPoE
1step 2step 3step 4step
Add ports to bridge PPPoE server is going to listen on bridge (eth2-5) or it could be listening on one port only, so you may add switch behind it to be able to connect more clients. PPP / PPPoE Server - Enable PPPoE server to bridge_PPPoE with PPPoE profile Set up IP address and network on bridge Set up NAT at your discretion The example shown uses 10.0.0.0/24
5step 6step 7step 8step
Select Masquerade from Action menu In PPP > Secrets, check Use Radius and set 00:00:10 in Interim Update Radius menu - 192.168.1.200 is ISPadmin´s IP address where Radius server is running, and Secret is a password for Radius communication between MikroTik (Radius client) and ISPadmin (Radius server). The same password has been used in router setup in ISPadmin.  
9step 10step 11step  

 

PPPoE Client

PPPoE client is any MikroTik located at client´s premises, which is connecting as PPPoE client to MikroTik (PPPoE server). Or it is possible to have PC with Windows as PPPoE client and access details are filled in directly in Windows.

Enable PPPoE for client e.g. on port eth2 Fill in User name and Password for authentication via Radius User name and password for authentication via Radius are displayed in the Client card > Internet service Check out that the client got IP address which was assigned for him/her when the new active service was created (10.0.0.50/24) and also it is necessary to check the default IP gateway of PPPoE server (10.0.0.1)
1step 2step 3step

 

How to in ISPadmin

 

Problems with Radius

In case of any problems, it is advisable that you run Radius in a debugging mode directly from the console.

Firstly, turn running Radius off with:

/etc/init.d/freeradius stop

Then, start Radius with output to the console:

freeradius -X

You will see a detailed list of communication. I.e. verification requirements with server responses, and possible errors. Information on verification and connection time are clearly visible in Hardware Routers Radius Access Log, too.

When finished, start Radius with:

/etc/init.d/freeradius start

Tips on how to use this documentation

 

Search

 Searching required information is possible either via structured menu which is divided into sections, or via full-text search of the entire contents of this on-line documentation.
Breadcrumbs

This aid will make it possible for you to find out where exactly you are at the moment.

If, for example, the following appears beneath the main menu - ISPadmin Wiki / ENG / Client management / Menu - CLIENTS / Clients / Message Board / Groups - it means that you are:

 

  • in the Wiki documentation of the ISPadmin system
  • in its English localization
  • in the Client management section
  • in the Clients tab
  • in the Message board subtab
  • in the Groups sub-subtab

Changelog

 It contains newly added functionalities and modifications of the system which are displayed by versions and issue date. Changelog articles are also displayed in individual sections / pages of the documentation which relate to new functionality or modification. 

Basic orientation

 You will find a welcoming menu with basic instruction on trying / implementing / using below. 

FAQ

 Frequently asked questions along with most important procedures and settings are listed in FAQ section. 

Colours

 Items which refer to real system menu are highlighted in corresponding colour, including their graphical background. Eg. Invoicing Settings Templates Reminders. This is also a working reference to an article. 

CONTACT

NET service solution, s.r.o.
Žerotínova 3056/81a
787 01 Šumperk
Czech Republic
  +420 588 887 777
  support@ispadmin.eu
  wiki@ispadmin.eu
  sales@ispadmin.eu