Telkom OpenServe IPC user authentication setup

  1. Set up NAS for POD and Proxy requests
  2. Add custom radius attributes
  3. Set up radius service
  4. Troubleshooting failed disconnections


This is a guide on how to set up a radius user in DataTill to authenticate and disconnect through Telkom IPC.

1. Set up all of the NAS’s that is used for POD and Proxy Requests

  • Go to Radius -> NAS List
  • Add the IP’s that are used for the POD and Proxy requests with Telkom’s secret (telkom_radius_secret).
  • Example IP’s

radius-nas-list2. Add Custom Radius Attributes

  • Go to Radius -> Custom Radius Attributes
  • Click on Add Attribute.
  • Make the Attribute Name ‘Cisco-AVPair’.
  • Make the Operand ‘+=’.
  • Assign the Compatible NAS type as Cisco.
  • Add an Attribute Description if necessary.
  • Click Save Changes.
  • Screenshot below for visual representation.


3. Set up Radius Service

  • Go to Radius -> Radius Services
  • Click on Add Service.
  • Set up the radius service details as usual (click here for a guide on adding a radius service).
  • Navigate to the Radius Attribute tab.
  • Click on Add Custom Attribute.
    • Add the following three Cisco-AVPair attribute values with the quotation marks:
      • Value (Your Loopback Interface): “ip:ip-unnumbered=LoopbackXXXX”
        • LoopbackXXXX is the Loopback interface associated with the address pool.
      • Value (Your Address Pool): “ip:addr-pool=YYYY”
        • YYYY is the address pool name from which an IP address should be allocated to the user.
      • Vallue (Your primary and secondary DNS servers): “ip:dns-servers=a.a.a.a b.b.b.b”
        • Replace a.a.a.a with the IP address of your Primary DNS server and b.b.b.b with your secondary DNS server.
  • After this, the Radius Service can be assigned to a Data Package and then to a Radius User where the Custom Radius Attributes will be applied for IPC Authentication.
  • Below are screenshots of the setup. The first screenshot is the Radius Attributes on the Radius Service and the second screenshot is on the Radius User.

Radius Service Attributes


Radius User Attributes (Automatically assigned after Data Package is assigned to the user)



4. Troubleshooting failed disconnections

If DataTill fails to disconnect Openserve IPC connections then it is most likely related to NAT or firewall issues.

DataTill sends the radius disconnect request to one of the Telkom radius proxy servers in the network range.

The Telkom proxy will only accept requests directed to UDP port 1700 and originating from the IP address associated with your ICP. If the disconnect packets are NAT’ed to another public IP then these requests will be ignored by the Telkom radius proxy.

To test whether your DataTill instance can successfully communicate with the Telkom proxy run the following command on the command line of your DataTill server:

echo ',Acct-Session-Id=0CA77E20022BAD5S0BAD50,Framed-IP-Address=,NAS-IP-Address='|/usr/local/bin/radclient -c '1' -n '1' -r '1' -t '1' -x disconnect telkom_radius_secret

A successful response would look like this:

Sending Disconnect-Request of id 89 to port 1700
User-Name = ""
Acct-Session-Id = "0CA77E20022BAD5S0BAD50"
Framed-IP-Address =
NAS-IP-Address =

rad_recv: Disconnect-NAK packet from host port 1700, id=89, length=26
Error-Cause = Session-Context-Not-Found

The “rad_recv” line indicates a valid response received back from the Telkom radius proxy. The error in the result indicates that the session we wanted disconnected does not exist on their end.

An unsuccessful response will look like this:

Sending Disconnect-Request of id 136 to port 1700
User-Name = ""
Acct-Session-Id = "0CA77E20022BAD5S0BAD50"
Framed-IP-Address =
NAS-IP-Address =

radclient: no response from server for ID 136 socket 3

Note the ‘no response’ section. This indicates that either the packet did not arrive at the Telkom radius proxy or the Telkom radius proxy ignored the request as it originated from a non-authorised source IP.