Testing Radius Configure


Rad_tester Utility
The rad_tester utility replicates the functionality of a terminal server by sending RADIUS packets to the RADIUS server. This is useful for testing and developing code. After a request is accepted, you can manually send another request packet.

Configuring rad_tester
Before using rad_tester, configure Oracle Communications Billing and Revenue Management (BRM) RADIUS Manager. You must also configure the accounting and authentication ports, the client from which you will run the rad_tester utility, and the dictionary file. You can then create the authentication, start accounting, and stop accounting RADIUS input packet files.

Configuring Authentication Ports
The accounting and authentication ports are defined in the $CORE section of the RADIUS configuration file (BRM_home/apps/radius/config, where BRM_home is the directory in which BRM components are installed). This was done during RADIUS server configuration.

Setting IP Port
listen {
port = 1812
}
listen {
port = 1813
}

Client in the RADIUS Configuration File
Ensure that the client computer is included in the client list. The client list is defined in the section of the RADIUS configuration file (BRM_home/apps/radius/config).

client {
addr = IP-Address
secret = testing123
}

client {
addr = IP-Address
secret = testing123
}
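
An added example, not part of the original page or of BRM: a small audit of the client blocks shown above that flags the sample secret testing123, secrets shorter than the 16 octets RFC 2865 prefers, and a secret shared by several clients. The block syntax follows the page; the addresses and replacement secrets are constructed.

```python
import re

KNOWN_DEFAULTS = {"testing123"}  # sample secret on this page and in stock FreeRADIUS configs
MIN_LEN = 16                     # RFC 2865 prefers secrets of at least 16 octets

CLIENT_BLOCK = re.compile(r"client\s*\{(.*?)\}", re.S)
SETTING = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$", re.M)

def audit_clients(config_text):
    """Return (client address, finding) pairs for every client block."""
    findings, owners = [], {}
    for n, block in enumerate(CLIENT_BLOCK.findall(config_text), 1):
        settings = dict(SETTING.findall(block))
        addr = settings.get("addr", f"client#{n}")
        secret = settings.get("secret", "")
        if secret in KNOWN_DEFAULTS:
            findings.append((addr, "default secret"))
        elif len(secret) < MIN_LEN:
            findings.append((addr, "secret shorter than 16 characters"))
        if secret in owners:
            findings.append((addr, f"secret shared with {owners[secret]}"))
        else:
            owners[secret] = addr
    return findings

# Constructed configs: the page's layout with documentation-range addresses.
WEAK = """
client {
addr = 192.0.2.10
secret = testing123
}
client {
addr = 192.0.2.11
secret = testing123
}
"""

HARDENED = """
client {
addr = 192.0.2.10
secret = k7Qp2vXw9LmB4tRzE1yN
}
client {
addr = 192.0.2.11
secret = Hs83dPqZ0cVu6JaTgW5f
}
"""
```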

Creating Input Packets
Create three input RADIUS packets: auth, start, and stop. You can include all three packets in a single file, or you can use three separate files (to test opcode, use a single file; to simulate timing, use three files). Place these files in a directory on the client.

Attribute_name = Attribute value

Running rad_tester
Before starting rad_tester, ensure that the RADIUS server is running. Run the rad_test command as follows:

rad_test -h host_name -p 1812 -a 1813 -s testing123 -O 30

Authentication Request
An auth input packet simulates an authentication request from a Network Access Server (NAS).

Request-Type    =    Auth-Req
User-Name       =    username
User-Password   =    userpassword
NAS-Identifier  =    1.1.1.1
NAS-Port        =    1

Start Accounting Request
A start input packet simulates a start accounting request from the NAS. The Acct-Session-Id value must be changed to a different value each time this request is sent to RADIUS Manager. Each session ID number must be unique because RADIUS Manager discards duplicate requests.

Request-Type    =       Acct-Req
User-Name       =       username
NAS-Identifier  =       1.1.1.1
NAS-Port        =       1
Acct-Status-Type =      Start
Acct-Session-Id  =      10

Stop Accounting Request
A stop input packet simulates a stop accounting request from the NAS. The Acct-Session-Id value must be identical to the one specified in the corresponding start request packet.

Request-Type       =    Acct-Req
User-Name          =    username
NAS-Identifier     =    1.1.1.1
NAS-Port           =    1
Acct-Status-Type   =    Stop
Acct-Session-Id    =    10
Acct-Delay-Time    =    1
Acct-Session-Time  =    3600

Interim Accounting Request
An interim input packet simulates an update accounting request from the NAS. The Acct-Session-Id value must be identical to the one specified in the corresponding start request packet.

Request-Type       =    Acct-Req
User-Name          =    username
NAS-Identifier     =    1.1.1.1
Framed-IP-Address  =    1.1.1.1
NAS-Port           =    1
Acct-Status-Type   =    Interim-Update
Acct-Session-Id    =    10
Acct-Delay-Time    =    1
Acct-Session-Time  =    3600

Sending Input Packets to the RADIUS Server
Send the sample input packets to the RADIUS server. Use the following commands to simulate authentication and to start and stop accounting for users:

rad_tester -h host_name -p 1812 -a 1813 -s testing123 -O 30 -f auth_pkt.sample
rad_tester -h host_name -p 1812 -a 1813 -s testing123 -O 30 -f start_pkt.sample
rad_tester -h host_name -p 1812 -a 1813 -s testing123 -O 30 -f stop_pkt.sample
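
An added example, not part of the original page or of rad_tester: a pre-flight check for the session-ID rules above, run over input packet files before they are sent. It reads the "Attribute_name = Attribute value" lines and reports duplicate Start IDs and Stop or Interim-Update packets with no open Start. It assumes that a Request-Type line opens each packet in a multi-packet file; the sample files are constructed from the packets on this page.

```python
def parse_packets(text):
    """Read 'Attribute_name = Attribute value' lines into one dict per packet.
    Assumption: a Request-Type line opens each packet in a multi-packet file."""
    packets = []
    for raw in text.splitlines():
        if "=" not in raw:
            continue
        name, value = (part.strip() for part in raw.split("=", 1))
        if name == "Request-Type" or not packets:
            packets.append({})
        packets[-1][name] = value
    return packets

def check_sessions(packets):
    """Return session-ID problems in the order the packets would be sent."""
    problems, started, open_ids = [], set(), set()
    for n, pkt in enumerate(packets, 1):
        if pkt.get("Request-Type") != "Acct-Req":
            continue
        status, sid = pkt.get("Acct-Status-Type"), pkt.get("Acct-Session-Id")
        if sid is None:
            problems.append(f"packet {n}: {status} without Acct-Session-Id")
        elif status == "Start":
            if sid in started:  # RADIUS Manager discards duplicate requests
                problems.append(f"packet {n}: duplicate Start for session {sid}")
            started.add(sid)
            open_ids.add(sid)
        elif status in ("Stop", "Interim-Update"):
            if sid not in open_ids:
                problems.append(f"packet {n}: {status} for session {sid} has no open Start")
            if status == "Stop":
                open_ids.discard(sid)
    return problems

# Constructed sample files built from the packets shown on this page.
ACCT = "Request-Type = Acct-Req\nUser-Name = username\nNAS-Port = 1\n"
GOOD = (
    "Request-Type = Auth-Req\nUser-Name = username\nUser-Password = userpassword\n"
    + ACCT + "Acct-Status-Type = Start\nAcct-Session-Id = 10\n"
    + ACCT + "Acct-Status-Type = Interim-Update\nAcct-Session-Id = 10\n"
    + ACCT + "Acct-Status-Type = Stop\nAcct-Session-Id = 10\n"
)
BAD = (
    ACCT + "Acct-Status-Type = Start\nAcct-Session-Id = 10\n"
    + ACCT + "Acct-Status-Type = Start\nAcct-Session-Id = 10\n"
    + ACCT + "Acct-Status-Type = Stop\nAcct-Session-Id = 11\n"
)
```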


OS Compatibility


Radius Manager requires a Linux server with Intel compatible CPU (32 or 64 bit). The system has been fully tested on various Linux systems.

System Requirements
PHP 5.1 or better (5.3)
MySQL 5 or better (5.5)
Glibc 2.4 or better

OS Recommendation
CentOS 6.X
Fedora 5, 6, 7, 8, 9, 10, 11, 12, 13 & 14
Ubuntu 10, 11, 12 & 13
RHEL 5.X
Debian 4, 5, 6, 7

Hardware Requirements
CPU 1.5 GHz+
1 GB RAM
80 GB HDD or more

Software Requirements
FreeRadius 2.2.0 DMA patch
PHP 5 or better
MySQL 5 or better
32 bit glibc
mysql-devel
php-mysql
php-mcrypt
php-snmp
php-gd
php-curl
php-process
net-snmp
net-snmp-utils
curl
glibc 2.4 or better
GNU C/C++ compiler
DHCP server version 3 (DOCSIS only)
ionCube runtime libraries
Javascript enabled WEB browser

Web Interface Tools
Webmin
It's a web-based Linux configuration tool.

Phpmyadmin
It's a web-based MySQL database administration tool.

 

NAS Compatibility


Mikrotik 2.8
Use final releases only; RC versions are not recommended. The supported main features are: PPPoE, PPTP, L2TP, Hotspot and Wireless Access List authentication and accounting.

Chillispot
Runs on Linux or on a DD-WRT device. You can download the tested Linux version from our download portal.

StarOS v2 or v3 server
Supported features: full PPPoE and partial RADIUS Wireless Access List support.

Cisco  NAS
Correct IOS version is required. VPDN, BBA GROUP and Virtual template support is necessary to accept RADIUS authenticated PPPoE, PPTP and L2TP calls.

pfSense
Hotspot server.

History Of Radius Manager


RADIUS was originally specified in an RFI by Merit Network in 1991 to control dial-in access to NSFnet. Livingston Enterprises responded to the RFI with a description of a RADIUS server. Merit Network awarded the contract to Livingston Enterprises that delivered their PortMaster series of Network Access Servers and the initial RADIUS server to Merit. RADIUS was later (1997) published as RFC 2058 and RFC 2059 (current versions are RFC 2865 and RFC 2866).

Now, several commercial and open-source RADIUS servers exist. Features can vary, but most can look up the users in text files, LDAP servers, various databases, etc. Accounting records can be written to text files, various databases, forwarded to external servers, etc. SNMP is often used for remote monitoring and keep-alive checking of a RADIUS server. RADIUS proxy servers are used for centralized administration and can rewrite RADIUS packets on the fly (for security reasons, or to convert between vendor dialects).

The Diameter protocol was intended as the replacement for RADIUS. While both are Authentication, Authorization, and Accounting (AAA) protocols, the use-cases for the two protocols have since diverged. Diameter is largely used in the 3G space. RADIUS is used elsewhere. One of the largest barriers to having Diameter replace RADIUS is that switches and Access Points typically implement RADIUS, but not Diameter.

Diameter uses SCTP or TCP while RADIUS typically uses UDP as the transport layer. As of 2012, RADIUS can also use TCP as the transport layer with TLS for security.

 

Radius Packet structure


The RADIUS packet data format is shown to the right. The fields are transmitted from left to right, starting with the code, the identifier, the length, the authenticator and the attributes.

Access-Request – 1
Access-Accept  – 2
Access-Reject  – 3
Accounting-Request – 4
Accounting-Response – 5
Access-Challenge – 11
Status-Server – 12
Status-Client – 13
Reserved – 255

The Length field indicates the length of the entire RADIUS packet including the Code, Identifier, Length, Authenticator and optional Attribute fields. The Authenticator is used to authenticate the reply from the RADIUS server, and is used in encrypting passwords; its length is 16 bytes.
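
An added example, not part of the original page: a parser for the packet layout described above, plus the check a client performs on a server reply, recomputing the Response Authenticator as RFC 2865 defines it (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret). The sample reply, its Request Authenticator and the Reply-Message attribute (type 18) are constructed.

```python
import hashlib
import hmac
import struct

# Code values as listed on this page.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}

def parse_packet(data: bytes) -> dict:
    """Split a RADIUS datagram into header fields and (type, value) attributes."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field disagrees with the datagram size")
    attrs, pos = [], 20
    while pos < length:  # octets past Length are padding and are ignored
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length overruns the packet")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": CODES.get(code, f"Unknown({code})"), "id": ident,
            "length": length, "authenticator": data[4:20], "attributes": attrs}

def response_authenticator(reply: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = parse_packet(reply)["length"]
    return hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()

def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Constant-time comparison of the received and recomputed authenticators."""
    return hmac.compare_digest(reply[4:20],
                               response_authenticator(reply, request_auth, secret))

def build_reply(code, ident, request_auth, attrs, secret):
    """Constructed sample data: assemble a server reply for the checks above."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

REQUEST_AUTH = bytes(range(16))   # constructed 16-byte Request Authenticator
SAMPLE_REPLY = build_reply(2, 7, REQUEST_AUTH, [(18, b"welcome")], b"testing123")
```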

Radius Manager Roaming


RADIUS is commonly used to facilitate roaming between ISPs:
by companies which provide a single global set of credentials that are usable on many public networks.
by independent, but collaborating, institutions issuing their own credentials to their own users, that allow a visitor from one to another to be authenticated by their home institution, such as in eduroam.

RADIUS facilitates this by the use of realms, which identify where the RADIUS server should forward the AAA requests for processing.

How Radius Manager Works


Customers connect to a terminal server or Network Access Server (NAS), and the terminal server communicates with RADIUS Manager. Terminal servers authenticate incoming connections, authorize customers, then (if enabled) start accounting. To perform these operations, the NAS uses the RADIUS protocol to communicate with the pin_radiusd daemon. The pin_radiusd daemon accesses your BRM database. See “pin_radiusd_sig”.

Description of Figure 1-1 follows

RADIUS protocols
BRM Databases
Text-Based User Files
UNIX Password Files
IPass Databases
Proxy Databases
VPDN Databases

What You Can Do with RADIUS Manager


Use RADIUS Manager to perform the authentication, authorization and accounting services required when customers use your terminal server or Network Access Server (NAS) to connect to BRM.

DMA Radius Manager is an easy to use RADIUS and DOCSIS provisioning system. It is suitable for ISPs, Internet cafes, airports and other places where public Internet access is available. The system runs on Linux, utilizing a very stable FreeRadius 2.x RADIUS server with MySQL database backend. The integrated software components ensure high stability and reliability.

RADIUS Manager Tasks
Authentication
Authorization
Accounting

Authentication
The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. The credentials are passed to the NAS device via the link-layer protocol – for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers or posted in an HTTPS secure web form.

In turn, the NAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.

This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Additionally, the request may contain other information which the NAS knows about the user, such as its network address or phone number, and information regarding the user’s physical point of attachment to the NAS.

The RADIUS server then returns one of three responses to the NAS:
Access Reject
Access Challenge
Access Accept


Authorization
Authorization attributes are conveyed to the NAS stipulating terms of access to be granted. When a client is configured to use RADIUS, any user of the client presents authentication information to the client. This might be with a customizable login prompt, where the user is expected to enter their username and password. Alternatively, the user might use a link framing protocol such as the Point-to-Point Protocol (PPP), which has authentication packets which carry this information.

The specific IP address to be assigned to the user
The address pool from which the user’s IP should be chosen
The maximum length of time that the user may remain connected
An access list, priority queue or other restrictions on a user’s access
L2TP parameters
VLAN parameters
Quality of Service (QoS) parameters


Accounting
When network access is granted to the user by the NAS, an Accounting Start (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value “start”) is sent by the NAS to the RADIUS server to signal the start of the user’s network access. “Start” records typically contain the user’s identification, network address, point of attachment and a unique session identifier.

Periodically, Interim Update records (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value “interim-update”) may be sent by the NAS to the RADIUS server, to update it on the status of an active session. “Interim” records typically convey the current session duration and information on current data usage.


 

What is Radius Manager


Radius Manager is an easy to use administration and billing solution for Mikrotik, Cisco, StarOS, ChilliSpot, pfSense NAS and various CMTS devices. It can be used in wireless, dialup and DOCSIS cable systems. Radius Manager supports byte and time capping, bandwidth shaping, and prepaid and postpaid accounts. It has an automatic disconnection feature for expired accounts with all supported NAS types. It supports Unix account synchronization to synchronize the email accounts with the RADIUS database. A separate control panel is available for administrators and regular users. It includes an integrated prepaid card generator. The billing module generates invoices for both postpaid and prepaid users. PayPal, Authorize.net, DPS and Netcash online payment gateways are supported. A TCP/UDP connection logger module is available in the CTS version.

The RADIUS Protocol is an industry standard protocol for authentication, authorization, and accounting (AAA). Terminal servers or Network Access Server (NAS) use the RADIUS protocol to communicate AAA requests to, and return results from, a database of customer information.

RADIUS Manager uses the RADIUS protocol to provide AAA services in the BRM environment.

RADIUS –> Remote Authentication Dial-In User Service


 
