Radius Setup Guide

What is Radius:

Radius is AAA (Authentication, authorization, and accounting) networking protocol that manages network access. The user or machine send a request to a network access server (NAS) to gain access to particular network resource using access credentials, these credentials are passed to the NAS via LINK-LAYER protocol, such as: Point-to-point protocol (PPP).

The NAS send a radius access request message to the radius server, requesting authorization to grant access via the radius protocol. This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Radius is a client/server protocol that’s runs in the application layer.

Radius Services:

To effectively use Radius, a radius service is required to:

  • Control the speed of a radius user.
  • Set data limits.
  • Time band control limits.
  • Service limit type (Once-off, Daily, Monthly)
  • Authentication types (Accept, Reject)
  • Cancellation date of the service

To add a Radius service:

  • Go to Data > Radius Setup > Radius services.

Service attributes:

  • Service code

You will need this when creating a radius product. It is advised to develop a naming system that includes the up and down speed. Check with your ISP if you have any conventions in this regard.

  • Service Title

Usually pops up as a description for the product.

  • Data Limit

The data product will override this limit. Giving this a value could lead to confusion.

  • Time duration limit

Only works every day.

  • Service limit type (Once Off, Daily, Monthly)

Specify whether the service runs.

  • Time band limit (from when to when will the service be disabled)
  •  Speed limit (Up/Down)

If the speed is set to zero, the speed will be zero.

  • Authentication (Accept/Reject)
  • Expiry date

If no date is set the service will not expire.

Add Service:

  • Go to Data > Radius Setup > Radius services.
  • To add a service, click on Add service button on the top right of the page.
  • Please refer to the list above for all the Radius Service attributes and their functions.

Radius service operations:

Click on  to show assigned radius users:

Edit Service:

Click on  to edit the radius service.

Clone Service:

Click on  to make a copy of the service.

Delete Service:

Click on  to delete the service. Note that this product cannot be recovered.

Data Products:

Data Products control the Cap of a Radius Service. If the customer needs a custom data expiry and data roll over settings this can be changed in the customer’s settings. Go to Data->Data products.

Products fields:

  • Products code

Check with your company if you have any naming conventions for the product code. Here is a product Naming convention of some ISP.

  • Products Title

You will need this when creating a radius user.

  • Labels

Here you can select your specific label you want to use.

  • Product Group

Select the Radius service that the product will use. I.e., the speed of the data product.

  • Monthly Cap Size

Sets the Cap limit for the product. This overrides any pre-set Radius service monthly data limit. A monthly Cap Size of zero will make the product uncapped (0 = uncapped)

  • Uncapped Product

(On/Off) This does not make the product uncapped. It merely shows the product in the appropriate category.

  • Auto Rollover

(On/ Off) When the user reaches their Cap limit, the user will be moved onto another service. A service once capped is required. This will be until all the products are reset at the start of the month.

  • Visible to admin

If disabled admin users won’t be able to select this product when editing radius accounts. E.g. it will not be possible to select the product when creating a radius user.

  • Visible to customer

If disabled, then customers won’t be able to select this product when signing up or switching product.

  • Show cap on usage reports.

If hidden the Cap Size above acts as a soft cap in conjunction with the Service below.

  • IP pool

Leave blank if not using IP pooling. Spaces are not recommended.

  • IP pool once capped.

Leave blank if not using IP pooling. Spaces are not recommended.

  • Service once capped.

Once the cap limit is reached the service is changed to the selected service. This can be used to switch the customer’s connection off by putting them onto a service with speed of zero. Or the customer could be put on a super slow product so that they can still go online and purchase more data.

  • Monthly cost
  • Top up cost/GB

Add Data Product:

  • Click on 
  • Fill in all the necessary fields.
  • Please refer to the data product field above for information on the fields.
  • Click on Add product on the bottom of the model.

Product operations:

Click on  to edit the data product.

Click on  to disable the data product.

Click on  to disconnect active radius sessions, this will disconnect all active radius sessions linked to this data product.

Click on to regenerate all radius attributes.

Note: When using the radius regenerate attributes button, this will regenerate attributes for all data accounts linked to this data product such as (Auth-Type, Soft-Cap, and Total-Cap-Size. etc.)

Data Pricing Matrix:

Go to Data -> Product Pricing Matrix. This page is part of Radius. The data pricing matrix is an easy way to create and manage related Radius data products. Each Pricing Cell represents a Radius Data product, these data products are treated just like the rest of the data product.

  • Product matrix title

This is the title of the pricing matrix.

  • Product Title Prefix

This is a prefix added to the product title of each data product in the pricing matrix.

  • Product Code Prefix

This is a prefix added to the code of each data product in the pricing matrix.

  • Technology

The pricing matrix can be used for Wireless, Fibre, and ADSL. Found under the technology dropdown list.

  • Target Market

The pricing matrix can be assigned to a unique target market: for example. Creating a pricing matrix for specials.

  • Sales Account

This pricing matrix can be linked to an account: navigate to SageOne to add the account and choose Sales Accounts for the account type: Then navigate to SageOne Data-> list of Account click sync Accounts, This will add the account to the sales account in the sales account dropdown list in the pricing matrix to sync to sage.

  • Uncapped

This will make all products in the pricing matrix uncapped (No data Limit)

  • Unshaped

This will make all products in the pricing matrix unshaped (No speed reductions)

  • Speed title

This is the title of the product group.

  • Line Speed

This is the speed of the data product in the pricing matrix (Mb/s).

  • Data Cap

If uncapped is set to off, you can specify the data cap for each data product line in the pricing matrix.

  • Top-Up Cost

This is the price of cost per GB for the data product line.

  • Price (incl. VAT)

This is the price of the data product line.

Note: You can add as many data product lines as you would like, which can also be removed using the X: You can also add up to 10 columns per pricing matrix using the add column button. You can also remove columns using the remove column button.

Once you are happy with all fields you can then proceed to save all your changes.

Radius Users:

Radius users are created for a customer and allow the user to connect to the Radius service. They are dependent on customers and data products.

Radius User Fields:

  • Customer

In this field you will select the customer.

  • User type

In this field you need to choose the correct user type. There are three user types to choose from: Radius user login, Radius MAC address login, Mikrotik win box login.

  • Connection Type

In this field you will add the connection type you want to use, there is 7 different connection types to choose from: Wireless, Hotspot, Fibre, DFA Fibre, Frogfoot Fibre, Liquid Fibre, and Openserve Fibre.

  • Login Username

In this field you will put in the customer login name.

  •  Password

In this field the password will be generated for the customer.

Note: these credentials are used for Radius authentication.

  • Account alias

In this field you can add the customer Account/Device alias 

  • Account description

In this field you can add your Account/Device description

  • Labels

In this field you can filter through and choose the correct label you want to use.

  • Traffic counted via

In this field you can choose between Radius accounting and IP accounting depending on the accounting type that you will need to use.

Radius Accounting

Default 802.1X standard.

IP Accounting (Layer 3)

  • Account type

In this field there are two accounts to choose from which is: Normal Account and Sub Account.

  • Data Product

In this field you can choose the data product you want to add.

  • Cancellation date

In this field you can choose the cancellation date for the product.

  • Concurrent sessions

Maximum number off simultaneous sessions.

  • IP Adress Mode

  • Manual IP Adress mode – (Fixed IP, Briged CPE IP, Queue router)

  • IP from High site – Bridged CPE IP, High site router, Fixed IP (Selection from high site IP pool), Queue router (Pope over VLAN sessions to control QoS)

Note: QoS (Quality of service)

Note: To add a high site navigates to Devices-> High sites -> High sites.

  • Fixed IP Adress

In this field you can add a fixed IP address.

  • Briged CPE IP Adress

In this field you can add a Briged CPE IP Address.

  • Queue Routers

In this field you can add queue routers, note: Leave blank to use data product default value.

  • Authentication

If authentication is disabled, the user will not be able to authenticate with radius and thus will not be able to gain access to the network.

Pricing Details:
Here you can set the monthly price and top-up price if you do not want to use the default price.

  • Monthly Pricing
  • Top-up Pricing

Data Limits:

Enable Top-ups:

If enabled, the data cap will automatically be topped up until the maximum top up amount below is reached. This is not applicable to uncapped accounts.

  • Auto Top up Increments

Each time the account reached 100% usage limit it will be topped up with this amount of data, until the maximum auto top up size defined below is reached.

  • Auto Top up Limit

The maximum size all auto to pups for the month. Once this limit is reached the account will be capped. Manual to pups can still be added once this limit is reached. A limit of 0 means no maximum limit.

  • Send Notification

If enabled a notification will be send to the customer each time the account is auto topped up.

Radius user operations:

Go to Data -> Data Accounts.

Add Radius User Account:

Click on  to add a Radius User Account. Please see above for info on the add radius user fields.

Edit Radius User:

Click on  to edit the radius user.

When you added a Data Account you are provided with 4 additional tabs:

  • Adress

In this Tab you will find the Users Location details.

  • Radius Attributes

In this Tab you can view the data accounts radius attributes and you can also add radius attributes.

  • Audit Trail

In this tab you can find an audit trail that tracks changes on a data account.

  • Test

This tests the status, radius attributes and authentication of a data account.

Edit User:

Click on  to edit the customer linked to this radius User.

Radius Attributes:

Here you can add the custom radius attributes to the radius user that you have set up. More on Custom Radius Attributes here.

Custom Radius Attributes:

Custom attributes can be added to radius accounts. When added to a user it can be given a value, which can be a text and/or numbers. This can be used to give additional information to radius users.

Add Radius Attributes:

Click on  to add a radius attribute.

Click on  to edit the radius attribute.

Here is an example of the Radius Attributes in a Radius user.

View usage:

Click on  to view the data usage used by the user to date.

This will show a brief summary of the data usage for the radius user.

Edit Customer:

Click on  to edit the customer linked to the radius user.

Delete Radius User:

Click on to delete the radius user.

Block/Unblock Radius User:

Radius users can be blocked and unblocked. Click on edit customer button; navigate to the data account section on the edit customer page. Click on the block account button to block the radius user. To unblock the radius user, click on the blocked button.

Client Device & IP Address Authentication:

If enabled the client will need to be authorized via MAC address before the devices will be allowed onto the network.

Unauthorized Device pool Name:

Name of the IP pool to use when allocation IPs to these unauthorized devices. An IP from this pool will be assigned to all unauthorized devices when connecting to the network. If the IP pool is not defined in DataTill under Devices, IP Pools, then it must exist on the NAS where the devices are connecting.

Auto Approve New Client Devices:

If enabled, all new client devices will be auto approved as they connect to the network.

Block Devices on all NAS routers:

If enabled unauthorized client devices will be blocked on all NAS routers

NAS routers to block Devices on:

NAS devices (Mikrotik Routers) on which to block unauthorized client devices.

Block Un-authorized Pope Connections:

If enabled, this function will block Un-authorized Pope Connections.

Block Un-authorized Hotspot Connections:

If enabled, this function will block Un-authorized Hotspot Connections.

Enable IP Address Authorization:

If enabled, all IP addresses that requires internet access will need to be authorized before these connections will be allowed to access the internet.

Active Radius Session IP Address List Name:

  • This is the Name of the Address List to maintain with all active radius session IP addresses.
    • This is the Adress list to use for active radius session IP addresses.

Valid Devices IP Address List Name:

  • This is the Name of the Address List to maintain with all valid network devices IP addresses.
  • Adress list to use for valid devices IP address.

Approved Exceptions IP Address List Name:

  • This is the Name of the Address List to maintain with all manually approved IP addresses.
  • Adress list to use for approved exceptions IP addresses.

Blocked Exceptions IP Address List Name:

  • This is the Name of the Address List to maintain with all manually blocked IP addresses.
  • Adress List to use for blocked exceptions IP addresses.

Blocked Exceptions IP Address List Name:

  • This is the Name of the Address List to read with all Mikrotik auto added unknown IP addresses.
  • Adress List to use for blocked exceptions IP addresses.
  • To populate this address list on the Mikrotik router add a firewall rule to add all outbound IP addresses to this address list if the src IP does not exists in the above four address lists.

Routers on which to maintain these address list:

  • Devices (Mikrotik Routers) on which to maintain the address lists defined above

Schedule product Changes:

  1. Navigate to Data -> Data product changes or Customers ->Data product changes.
  2. Click on  button.
  3. Select the account for which the data product needs to be changed.
  4. Select the new data product.
  5. Select an activation date. This is when the product change will become effective.
  6. Click on Submit product change.

Radius sessions:

Active Radius Sessions:

  • Navigate to Data-> Radius sessions->active radius sessions.
  • Bulk Disconnect Last Month – Disconnect all radius sessions prior to this month.
  • Disconnect Last month – Disconnect individual radius sessions prior to this month.
  • Disconnect old – Disconnect all old radius sessions (within the last 10 minutes)
  • Bulk Disconnect All – Disconnects all radius sessions across all connected network devices.
  • Disconnect All – Individually disconnects all radius sessions.
  • Mark Duplicates Closed – This option should be used if the user has sessions still marked as active but no longer registered on the NAS devices.
  • Mark All Closed – Thes session will not be physically disconnected. It will only be marked as such within the database and will reappear as active when it sends the next accounting update.
  • All Closed Sessions – To view all closed sessions.
  • Recently Disconnected Sessions – to view recently disconnected sessions.
  • Restart – This restarts the entire radius service, therefor radius will disconnect all sessions, stop its processes, and restart its processes.

Active Session Health:

  • Navigate to Data > Radius sessions >active session health.
  • This section is similar to the active radius sessions section, but is focused on duplications, unallocated entries and stale sessions.
  • Disconnect stale sessions – Disconnect all old radius sessions (within the last 10 minutes)

Un-Disconnected Radius Sessions:

This section is focused on connected radius sessions.

Radius Disconnect Request:

This section is focused on disconnected radius requests.

Radius Server Status:

Navigate to data > Radius server status.
Gives a quick overview of Radius Authentication Requests, Active Radius Sessions and Total Radius Session Traffic /radius/status.

Restart Radius Server – This restarts the entire radius service, therefor radius will disconnect all sessions, stop its processes, and restart its processes.

Radius server Log File:

Navigate to Data > Radius status > Radius Server Log File

Here you can find an in-depth log of the radius server. There are a few things to keep in mind when reading the log file such as the format:

  • A Time Stamp
    • Auth/Acct/Error/Info
    • RadAcct ID/rlm_perl
    • User_status
    • Username, followed by an ‘@’
    • NAS identifier (NAS IP)
    • Port (Port number)
    • Cli, Followed by the MAC address.
    • The Radius status reply message.

Note: Here is an example of the format:

Fri Aug 31 12:00:00 2023: Auth: RadAcct ID: User_status: Username @ NAS identifier (NAS IP) Port (Port number) cli MAC address – Radius status reply message

Note: The Radius server Log File can be customized to show a set number of lines to display from the log file. This will display from the latest line to the oldest line within the given line limit.

Hourly Data Usage Summary:

Navigate to Data > Radius status > Hourly data usage summary.