RADIUS Module
Training Division
PT UFOAKSES SUKSES LUARBIASA
Jakarta
nux@ufoakses.co.id
Definition
A central authentication, authorization and accounting (AAA) system for many kinds of network applications.
Built into the MikroTik router as a separate package (the RADIUS server package), called User Manager.
User Manager works as a RADIUS server.
MikroTik RouterOS also has a RADIUS client, which can be used to authenticate HotSpot, PPP and other services against it.
Features
Sections
Status
User search
Active users
Routers
Credits
Users
Sessions
Customers
Reports
Logs
RADIUS client features
Two of the client properties deserve a note up front: accounting-backup marks this entry as a backup RADIUS accounting server, and accounting-port (default 1813) is the RADIUS server port used for accounting. The full property list follows.
MikroTik RADIUS Client Properties
Property - Description
accounting-backup (yes | no; default: no) - this entry is a backup RADIUS accounting server
accounting-port (integer; default: 1813) - RADIUS server port used for accounting
address (IP address; default: 0.0.0.0) - IP address of the RADIUS server
authentication-port (integer; default: 1812) - RADIUS server port used for authentication
called-id (text; default: "") - value depends on the Point-to-Point protocol:
    ISDN - phone number dialled (MSN)
    PPPoE - service name
    PPTP - server's IP address
    L2TP - server's IP address
domain (text; default: "") - Microsoft Windows domain of the client, passed to RADIUS servers that require domain validation
realm (text) - explicitly stated realm (user domain), so users do not have to provide the proper ISP domain name in the user name
secret (text; default: "") - shared secret used to access the RADIUS server
service (multiple choice: hotspot | login | ppp | telephony | wireless | dhcp; default: "") - router services that will use this RADIUS server:
    hotspot - HotSpot authentication service
    login - router's local user authentication
    ppp - Point-to-Point clients authentication
    telephony - IP telephony accounting
    wireless - wireless client authentication (client's MAC address is sent as User-Name)
    dhcp - DHCP protocol client authentication (client's MAC address is sent as User-Name)
timeout (time; default: 100ms) - timeout after which the request is resent
Two practical notes on secret. It must match the shared secret entered for this router in User Manager's router table; with a mismatch the server cannot recover the User-Password attribute and the router cannot validate the Response Authenticator of the reply, so every request fails. Also, RADIUS only obscures the User-Password attribute; user names, MAC addresses and accounting data travel in clear text over UDP 1812/1813, so keep the router-to-server path on a trusted management network.
Connecting MikroTik to RADIUS
Create the first subscriber
The first subscriber must be added from the MikroTik terminal (console).
All the configuration is done under the /tool user-manager menu.
To create a subscriber, go to the /tool user-manager customer menu and execute the add command.
Example:
[nico@USER_MAN] tool user-manager customer> add login="admin" password="adminpassword" permissions=owner
This owner login has full control over every object of the subscriber, so choose a strong password instead of the placeholder shown above.
After that you can use the web interface.
RADIUS Management
To log on to the customer web interface, type the following address in your web browser:
http://Router_IP_address/userman
where "Router_IP_address" must be replaced with the IP address of your router.
Use the login and password of the subscriber you created in the console.
Plain http sends this login and password in clear text. If the router's www-ssl service is enabled, use https://Router_IP_address/userman instead, and restrict the www and www-ssl services to management addresses.
RADIUS Server Configuration
Web interface
User Manager tables
Tables are used to display a list of objects: users, routers,
credits, sessions, customers or logs.
Tables have several options:
Sorting;
Filtering (Search);
Division in pages;
Multiple object selection;
Operations with selected objects;
Minimization;
Links to detail form.
Sorting can be done by almost all fields. But there are some "non-sortable" fields, mostly because
they are calculated fields.
Sorting can be ascending (1, 2, 3, ...) or descending (5, 4, 3, ...).
Filtering
Each table can be filtered only by one field:
Users, sessions, logs: by username;
Routers, credits: by name;
Customers: by login.
Some tables cannot be filtered (for example,
specific user's sessions).
Division in pages
A table can contain plenty of records, and displaying them all could take a very long time.
Therefore records are divided into pages and only one page, called the active page, is displayed at a time.
Multiple object selection
Tables have a checkbox for each object on the right side of its row.
Each object can be selected and actions can be performed on the selected objects.
Above all the checkboxes is the select-all checkbox, which toggles selection of all objects in the current page.
A title displaying the selected object count is located at the bottom of the table.
Operations with selected objects
Different operations can be performed on selected objects.
Web-interface users can have different allowed operations depending on their permissions.
Operations are performed only with users in the active page.
The reason is security. It is very easy to select some objects,
then change the page and forget the selected objects in other
pages. Some operations (like remove) are very dangerous in
such situations. That's why all operations work only with
selected objects in the active page.
All allowed operations (except adding, which is available in
main menu on the left) can be found at the bottom of a table
in a form of popout toolbar.
Minimization
Tables can be minimized with a click on the
minimize button on the top-right corner:
Links to detail form
Almost every table has links to object detail form,
because not all the information can be displayed in
the table.
Detail form Links are displayed as usual html-links,
underlined:
Sections
The customer page sections are described here. Use the menu on the left side to navigate.
Status
This page has several components:
User search;
Active user listing;
Active session listing;
User batch-add form.
User search
Active users
The active user count is displayed here. To see the full list of active users, click on "Show".
Active sessions
The active session count is displayed here. To see the full list of active sessions, click on "Show".
User batch-add form
A batch of users can be added here.
Fields:
Number of users. How many users to add;
Login starts with. Shows the user prefix that the generated logins will start with;
Rate limits. Hidden by default. Check the box on the right to show the rate limit field group;
Uptime limit;
Prepaid. Credit that will be assigned to the users. Unlimited users can also be created by selecting unlimited as the value;
Generate CSV file. When checked, a CSV file containing the just-created user data will be generated;
Generate vouchers. When checked, printable vouchers for the just-created users will be generated.
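What the batch-add form does, written out as a script so the generation rules are visible. This is an added example, not code from the page or from User Manager: the field names, the alphabet, the suffix and password lengths and the voucher layout are my choices. Logins are built from the prefix plus a random suffix, passwords come from the secrets module (a CSPRNG, since vouchers are credentials sold to strangers), and the same user list feeds both the CSV export and the printable vouchers.

```python
# Added example, not part of the page or of User Manager. Field names, alphabet
# and lengths are assumptions made for the demo.
import csv
import io
import secrets

# Alphabet without 0/O, 1/l/I so a voucher can be read off paper without guessing.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
FIELDS = ["login", "password", "uptime-limit", "prepaid", "rate-limit"]


def random_token(length: int) -> str:
    """Random string from ALPHABET using the OS CSPRNG (never random.choice for credentials)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def batch_add_users(count, login_prefix, uptime_limit="", prepaid="unlimited",
                    rate_limit="", existing=(), suffix_len=6, password_len=8):
    """Create `count` users whose logins start with login_prefix, avoiding names in `existing`."""
    if count < 1:
        raise ValueError("count must be positive")
    taken = set(existing)
    users = []
    for _ in range(count):
        login = login_prefix + random_token(suffix_len)
        while login in taken:                     # collision with an existing or just-made login
            login = login_prefix + random_token(suffix_len)
        taken.add(login)
        users.append({
            "login": login,
            "password": random_token(password_len),
            "uptime-limit": uptime_limit,
            "prepaid": prepaid,
            "rate-limit": rate_limit,
        })
    return users


def to_csv(users) -> str:
    """CSV export of the batch, header first, one user per line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(users)
    return buf.getvalue()


def vouchers(users, heading="HotSpot voucher"):
    """One printable text block per user."""
    out = []
    for u in users:
        lines = [heading,
                 f"Login:    {u['login']}",
                 f"Password: {u['password']}",
                 f"Prepaid:  {u['prepaid']}"]
        if u["uptime-limit"]:
            lines.append(f"Uptime limit: {u['uptime-limit']}")
        out.append("\n".join(lines))
    return out


if __name__ == "__main__":
    batch = batch_add_users(3, "p", prepaid="1h", existing={"pztuxy"})
    print(to_csv(batch))
    print("\n\n".join(vouchers(batch)))
```

With the 31-character alphabet an 8-character password carries roughly 39 bits of entropy, adequate for a voucher that is consumed within hours and rate-limited by the HotSpot login page, but raise password_len if the accounts live longer. The CSV contains clear-text passwords, so treat the exported file like the vouchers themselves.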
Routers
User Manager must know which routers (IP addresses) it is allowed to communicate with.
User Manager is like a judge: it receives questions and must give answers.
For example:
HotSpot: "Is user 'nick' allowed to use hotspot?"
User Manager: "Yes, but only for 2 hours. And give him IP 192.168.0.40".
The router table contains the known routers which are allowed to ask User Manager questions; a request from an address that is not in the table is not answered.
Router
Fields
Name. Router's name. Must be unique per subscriber;
IP Address. Address of the router;
Shared secret. Password used to authenticate the router's RADIUS requests; it must be identical to the secret in the router's /radius entry;
Log events. Specifies which events must be written to the log.
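The question-and-answer exchange above is an RFC 2865 Access-Request followed by an Access-Accept, and the shared secret is what ties the two sides together. The following added example (my code, not the page's and not MikroTik's) plays both roles on constructed data: the router hides the User-Password with the secret and a random Request Authenticator, the server reveals it with its own copy of the secret and answers with a Mikrotik-Group vendor attribute, and the router accepts the reply only if the Response Authenticator was computed with the same secret. The user table, the secret and the NAS address are made up; the vendor number 14988 and vendor type 3 for Mikrotik-Group are the real values.

```python
# Added example, not from the page or from MikroTik. Secret, user table and
# addresses are constructed for the demo.
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
MIKROTIK_VENDOR_ID = 14988   # enterprise number carried in Mikrotik vendor-specific attributes
MIKROTIK_GROUP = 3           # vendor type of Mikrotik-Group


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; garbage comes out unless secret and authenticator match."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # drops the padding (and any trailing NUL of the password)


def attr(atype, value):
    if len(value) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def mikrotik_vsa(vendor_type, value):
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MIKROTIK_VENDOR_ID) + inner)


def parse_attrs(payload):
    i, attrs = 0, []
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(username, password, nas_ip, secret, ident=42):
    """Router side: one Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def _reply(code, ident, request_auth, attrs, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def server_handle(request, secret, users):
    """Server side (User Manager role): accept only if the password revealed with our secret matches."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    user = users.get(username)
    if code != ACCESS_REQUEST or user is None or \
            not hmac.compare_digest(password, user["password"].encode()):
        return _reply(ACCESS_REJECT, ident, request_auth, b"", secret)
    return _reply(ACCESS_ACCEPT, ident, request_auth,
                  mikrotik_vsa(MIKROTIK_GROUP, user["group"].encode()), secret)


def client_verify(request, reply, secret):
    """Router side: trust a reply only if the identifier matches and the Response
    Authenticator was built with the same shared secret and our Request Authenticator."""
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    if header[1] != request[1]:
        return False
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def mikrotik_group(reply):
    """Mikrotik-Group value from an Access-Accept, or None if absent."""
    for atype, value in parse_attrs(reply[20:]):
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == MIKROTIK_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype == MIKROTIK_GROUP:
                return value[6:4 + vlen].decode()
    return None
```

Note what the secret does and does not give you: a wrong secret on either side turns into a Reject or a failed verification, which is why a secret mismatch looks like "every user is rejected" in the User Manager log. Everything except User-Password is visible on the wire, and the MD5-based hiding is only as strong as the secret, so use a long random secret per router and keep the path private.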
User Manager/Subscribers
A subscriber is a customer with owner permissions whose parent is itself;
Subscribers can be thought of as domains: each subscriber sees everything that happens with its sub-customers, credits, users, routers, sessions, etc., but has no access to other subscribers' data;
All data objects (users, routers, credits, logs) belong to one specific subscriber and can therefore be shared by many sub-customers of the owner subscriber;
To separate users among the customers of one subscriber, a user prefix is used.
User Manager/User prefix
Every user belongs to specific subscriber. To separate users among customers of the
same subscriber, a specific customer property called user prefix is used.
Example:
[nico@USERMAN] tool user-manager customer> print
0 subscriber=owner login="owner" password="" permissions=owner parent=owner
1 subscriber=owner login="manager" password="" user-prefix="p" permissions=read-write parent=owner
2 subscriber=owner login="reader" password="" user-prefix="public" permissions=read-only parent=owner
[nico@USERMAN] tool user-manager user> print
0 subscriber=owner username="differentUser"
1 subscriber=owner username="publicUser1"
2 subscriber=owner username="publicUser2"
3 subscriber=owner username="privateUser1"
4 subscriber=owner username="privateUser2"
5 subscriber=owner username="pztuxy"
6 subscriber=owner username="klztt8xs"
In the situation described above, customer owner is a subscriber with two sub-customers, manager and reader. User accessibility can be shown as a table: the owner sees every user, while manager and reader see only the users whose names begin with their user prefix ("p" and "public" respectively).
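An added example (not from the page) that builds that accessibility table from the two print listings above and flags the trap in this particular setup: manager's prefix "p" is itself a prefix of reader's "public", so a read-write customer can reach and modify the read-only customer's users. Assumption, marked in the code: visibility is a plain string-prefix match on the username and an owner sees everything; the page states the purpose of the prefix but not the exact matching rule.

```python
# Added example, not from the page. Assumes visibility = username.startswith(prefix)
# for non-owner customers and full visibility for the owner.
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Customer:
    login: str
    permissions: str        # owner | read-write | read-only
    parent: str
    user_prefix: str = ""   # empty for the owner subscriber


# The customer and user listings shown above.
CUSTOMERS = [
    Customer("owner", "owner", "owner"),
    Customer("manager", "read-write", "owner", "p"),
    Customer("reader", "read-only", "owner", "public"),
]
USERS = ["differentUser", "publicUser1", "publicUser2", "privateUser1",
         "privateUser2", "pztuxy", "klztt8xs"]


def visible_users(customer, users):
    """Users a customer can see: everything for the owner, prefix match otherwise."""
    if customer.permissions == "owner":
        return list(users)
    return [u for u in users if u.startswith(customer.user_prefix)]


def accessibility_table(customers=CUSTOMERS, users=USERS):
    return {c.login: visible_users(c, users) for c in customers}


def overlapping_prefixes(customers=CUSTOMERS):
    """Pairs of non-owner customers whose prefixes nest, so their user sets overlap."""
    scoped = [c for c in customers if c.permissions != "owner"]
    return [(a.login, b.login) for a, b in combinations(scoped, 2)
            if a.user_prefix.startswith(b.user_prefix)
            or b.user_prefix.startswith(a.user_prefix)]


def unscoped_customers(customers=CUSTOMERS):
    """Non-owner customers with an empty prefix: they match every username."""
    return [c.login for c in customers if c.permissions != "owner" and not c.user_prefix]


def render(table):
    width = max(len(login) for login in table)
    return "\n".join(f"{login:<{width}}  {', '.join(users) or '-'}"
                     for login, users in table.items())


if __name__ == "__main__":
    print(render(accessibility_table()))
    print("overlapping:", overlapping_prefixes())
```

Run the overlap check whenever a sub-customer is added: prefixes separate users only if no prefix is a prefix of another, and an empty prefix on a non-owner customer is equivalent to no separation at all.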
Credits
Credits are used to control user session time. Each credit
has:
Name. Unique ID;
Time. How long services can be used;
Full Price. How much it will cost if this is the first credit for the
user or user has free credits (with zero-price) only;
Extended Price. How much it will cost if the user already has (at
least) one credit (with price other than zero) and buys this as
additional credit;
Credits belong to subscribers. If a customer creates
credit, it belongs to subscriber which is owner of that
customer.
Credit
Fields:
Name. Credit's name. Must be unique per subscriber;
Time. How long this credit is valid once started;
Full price. The price of this as the first credit for a user. When the checkbox at the right is empty, full price is unavailable and this credit cannot be used as a base credit;
Extended price. The price of this as an extended credit for a user (the user already has credits before this one). When the checkbox at the right is empty, extended price is unavailable and this credit cannot be used as an extended credit;
Users
Users are people who use services provided by
customers;
Each user can have time, traffic and speed
limitations;
Users belong to specific subscriber, not to customer.
Customers can create, modify and delete users but
the owner is the subscriber who is also owner of
these customers;
To separate users among customers of one
subscriber, user prefix is used.
User
User data contains:
Username and password - used to identify user. Different subscribers can have users with the same username;
First name, last name, phone, location. Informational;
Email. Used to send notifications to user (for ex., sign-up email);
IP address. If not blank, user will get this IP address on successful authorization;
Pool name. If not blank, user will get IP address from this IP pool on successful authorization;
Group. Sent to the RADIUS client as the Mikrotik-Group attribute. Indicates the group (/user group) for RouterOS users and the profile for HotSpot users. See the RADIUS client documentation for further details, search for "Mikrotik-Group".
Download limit. Limit of download traffic, in bytes;
Upload limit. Limit of upload traffic, in bytes;
Transfer limit. Limit of total traffic (download +upload), in bytes;
Uptime limit. Limit of total time the user can use services. When left blank, user is limited in time only by
credits;
Rate limits. Has several parts. For more detailed description see HotSpot User AAA, search for "rate-limit".
User also have read-only counters:
Uptime used;
Download used;
Upload used.
User detail form
There are groups of fields (for example, private information, rate limits). These fields are hidden by default and are accessible by checking the box on the right.
If the user has credits assigned, the total prepaid time is shown at the bottom. To see credit details click on the plus sign ("+") under Prepaid time.
New credits can also be assigned (if permitted) to the user. At the bottom is a select-box called "Extend" (called "Add time" when the user has no credits yet). The price depends on what kind of credit this is for the user, first or extended. The price is shown in brackets.
Options (buttons at the bottom):
Save - saves edited information and assigns the credit, if one is selected;
View report - opens the single user report;
Remove last credit - removes the last credit that has not started yet;
Show sessions - opens a window with all sessions of this user.
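The pricing rule from the Credits section (full price for the first paid credit, free credits not counting, extended price afterwards, and an unticked checkbox meaning the credit cannot be used in that role) together with the "Extend"/"Add time" quote and the "Remove last credit" restriction from this form, as one small model. This is an added example, not the page's or User Manager's code; the credit names, durations and prices are invented for the demo.

```python
# Added example, not from the page or from User Manager. Credits and prices are made up.
from dataclasses import dataclass, field
from typing import List, Optional


class CreditError(Exception):
    pass


@dataclass(frozen=True)
class Credit:
    name: str
    seconds: int
    full_price: Optional[float]       # None: "full price" checkbox empty, not usable as base credit
    extended_price: Optional[float]   # None: "extended price" checkbox empty, not usable as extension


@dataclass
class Assigned:
    credit: Credit
    price_paid: float
    started: bool = False


@dataclass
class UserAccount:
    username: str
    credits: List[Assigned] = field(default_factory=list)

    def has_paid_credit(self) -> bool:
        """Only credits with a non-zero price count; free credits leave the user a 'first buyer'."""
        return any(a.price_paid > 0 for a in self.credits)

    def extend_label(self) -> str:
        return "Extend" if self.credits else "Add time"

    def quote(self, credit: Credit) -> float:
        """Price shown in brackets next to the credit in the Extend / Add time select-box."""
        if not self.has_paid_credit():
            if credit.full_price is None:
                raise CreditError(f"{credit.name} cannot be used as a base credit")
            return credit.full_price
        if credit.extended_price is None:
            raise CreditError(f"{credit.name} cannot be used as an extended credit")
        return credit.extended_price

    def assign(self, credit: Credit) -> float:
        """What Save does when a credit is selected: charge the quoted price and append it."""
        price = self.quote(credit)
        self.credits.append(Assigned(credit, price))
        return price

    def remove_last_credit(self) -> Credit:
        """Only a credit that has not started yet may be removed."""
        if not self.credits:
            raise CreditError("no credits to remove")
        if self.credits[-1].started:
            raise CreditError("last credit has already started and cannot be removed")
        return self.credits.pop().credit

    def prepaid_seconds(self) -> int:
        return sum(a.credit.seconds for a in self.credits)


if __name__ == "__main__":
    hour = Credit("1h", 3600, full_price=2.0, extended_price=1.5)
    user = UserAccount("nick")
    print(user.extend_label(), user.assign(hour), user.extend_label(), user.assign(hour))
```

The check that matters operationally is the one in remove_last_credit: a credit whose session time has begun to tick is already partially consumed, so allowing its removal would let a read-write customer refund something that was used.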
Sessions
Fields:
Username. Session owner;
From Time. Session start time;
Till Time. Session end time;
Terminate Cause. Session termination reason;
Uptime. Till Time minus From Time;
Download. Downloaded traffic amount;
Upload. Uploaded traffic amount
Customers
Customers are service providers. They use the web interface to manage users, credits and routers;
Customers are hierarchically ordered in a tree structure: each can have zero or more sub-customers and exactly one parent customer;
Each customer can have the same or a weaker permission level than its parent;
Each customer has exactly one owner subscriber.
A customer with owner permissions is called a subscriber. A subscriber's parent is itself.
Customer data
Login and password. Used for web interface;
Parent. Enumerator over customers. Used to keep the hierarchy of
customers;
Permissions. Specifies permission level;
Public ID. It's an ID used to identify customer. When a user wants to
log on the user page or to sign up he/she needs to specify, which
customer to use (because user login names are allowed to be equal
among several subscribers). To keep customer login names in secret
(for security reasons) this field is used to identify customers (
subscribers);
Public host. Only for subscribers. IP address or DNS name giving the public address of this User Manager router. Payment gateways use this address to send the transaction status response. This field only makes sense if users access the User Manager site through a local IP address (for example, http://192.168.0.250/user) while another address is used for public access (for example, http://userman.mt.lv/user).
Company, city, country. Informational;
Email address. Used to send emails (for example, sign-up information) to users;
User prefix. Used to separate users between customers of one
subscriber;
Sign-up allowed. When checked, this customer allows users to use
sign-up;
Sign-up email subject. When a user completes signs up successfully,
he/she receives an email with authorization information, called sign-
up email. Subject of this email is configurable.
Date format. Used on web pages for data representation. Only allowed
formats (listed in drop-down) can be used. When the value doesn't
match any of allowed (it's possible to enter any value from console)
formats, default is used. See date character constants:
Time zone. Specific for each customer. By default equals to 00:00.
Session and credit info is stored as GMT regardless of ROS time zone
on the User Manager router. This value specifies the way data is
displayed on the User Manager web pages.
Sign-up email body. Text template of sign-up email. Must contain
several specific string constants:
%login% - will be replaced with login name of newly created account;
%password% - will be replaced with password of newly created account.
%link% - will be replaced with link to User page. This field can be omitted;
Authorize.Net fields (only for subscribers and only when using https):
Allow payments. When checked, users are allowed to use Authorize.Net as
payment method for this subscriber;
Login ID, Transaction Key, MD5 Value. Authorize.Net merchant attributes.
Must match those specified in Authorize.Net Merchant gateway security
settings;
Title. The name of this payment method shown to users. For example, if one
changes title to "Credit Card", users will see "Pay with Credit Card" instead of
"Pay with Authorize.Net". This field can be very useful if users don't know what
Authorize.Net means and get confused;
PayPal fields (only for subscribers):
Allow payments. When checked, users are allowed to use PayPal as payment
method for this subscriber;
Business ID (login/email). Business ID of the PayPal account where the money
will be sent;
Reports
There are different kinds of reports:
user time and traffic reports over a period of time;
single user report;
user credit vouchers (print page).
User time and traffic report
It is a user time and traffic report for printing. The
configuration panel will not be visible in printable
form, only the results.
Configurable attributes:
Which users will be included: prepaid, unlimited or both;
Whether time and price, or download and upload, are shown;
Period: all actions, only the last month, this year, etc.
Single user report
To get single user report in customer web-page:
Open user section;
Click on the login field of desired user in the table. A
user detail form will be shown;
Press the button "View report". The single user report
page will be opened.
User credit vouchers
Credit vouchers are printable pages with information about users: prepaid time, price, login and password, and some additional information.
Vouchers can be used in hotels, cafes, bars and other establishments that provide HotSpot internet access. Print the vouchers and sell them to users. The user gets the login and password and can start using the HotSpot.
Logs
Logs are written when specific requests from routers are received.
Log data contains:
Username. Can differ from those registered in the user table (for example, a rejected login attempt with an unknown name);
User IP;
Host IP. Router's IP;
Status;
Time;
Description;
NAS Port;
NAS Port type;
NAS Port ID;
ACCT Session ID;
Calling station ID.
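A small detection pass over records shaped like the log fields above, as an added example (my code, not the page's): it flags request sources that are not in the router table and usernames with a burst of rejects inside a short window, which is what password guessing against a HotSpot login looks like from the RADIUS side. The sample rows, the router list and the thresholds are constructed for the demo; whether User Manager's own log records requests from unknown hosts is not stated on the page, so that check is meant for a log source or packet capture that does.

```python
# Added example, not from the page. Sample records, KNOWN_ROUTERS and the
# thresholds are constructed for the demo.
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_ROUTERS = {"192.168.0.1"}     # the Routers table: hosts allowed to ask questions
REJECT_THRESHOLD = 5                # rejects for one username inside WINDOW
WINDOW = timedelta(minutes=5)

# (username, user ip, host ip, status, time), mirroring the log fields listed above.
LOG = [
    ("nick",  "192.168.0.40", "192.168.0.1", "accept", "2009-03-01 10:00:01"),
    ("nick",  "192.168.0.40", "192.168.0.1", "reject", "2009-03-01 10:02:00"),
    ("owner", "192.168.0.41", "192.168.0.1", "reject", "2009-03-01 10:03:00"),
    ("owner", "192.168.0.41", "192.168.0.1", "reject", "2009-03-01 10:03:05"),
    ("owner", "192.168.0.41", "192.168.0.1", "reject", "2009-03-01 10:03:10"),
    ("owner", "192.168.0.41", "192.168.0.1", "reject", "2009-03-01 10:03:15"),
    ("owner", "192.168.0.41", "192.168.0.1", "reject", "2009-03-01 10:03:20"),
    ("guest", "10.9.9.9",     "203.0.113.7", "reject", "2009-03-01 10:04:00"),
]


def parse(row):
    username, user_ip, host_ip, status, ts = row
    return {"username": username, "user_ip": user_ip, "host_ip": host_ip,
            "status": status, "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")}


def unknown_routers(records, known=KNOWN_ROUTERS):
    """Host IPs that sent requests but are not in the router table."""
    return sorted({r["host_ip"] for r in records if r["host_ip"] not in known})


def reject_bursts(records, threshold=REJECT_THRESHOLD, window=WINDOW):
    """(username, first, last, count) for every username with >= threshold rejects
    inside a sliding window; one finding per username."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if r["status"] == "reject":
            by_user[r["username"]].append(r["time"])
    findings = []
    for user, times in by_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                findings.append((user, times[start], t, end - start + 1))
                break
    return findings


def analyse(rows=LOG):
    records = [parse(r) for r in rows]
    return {"unknown_routers": unknown_routers(records),
            "reject_bursts": reject_bursts(records)}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

The username in a reject is attacker-controlled input; here it is only used as a dictionary key and printed, but if you feed these findings into a web dashboard or a shell command, escape it first.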