RADIUS, Training Division, PT UFOAKSES SUKSES LUARBIASA, Jakarta [email protected]

RADIUS Module


  • Definition

    - Central authorization and accounting system for various network applications

    - Built into the MikroTik router as a separate package (RADIUS server)

    - Known as User Manager

    - Works as a RADIUS server

    - MikroTik RouterOS has a RADIUS client that can be used to authenticate HotSpot, PPP, etc.

  • Features

    - Sections
    - Status
    - User search
    - Active users
    - Routers
    - Credits
    - Users
    - Sessions
    - Customers
    - Reports
    - Logs

  • RADIUS client feature

    - accounting-backup = acts as a backup RADIUS accounting server

    - accounting-port (default: 1813) = RADIUS server port used for accounting

  • MikroTik RADIUS Client Feature: Property Description

    - accounting-backup (yes | no; default: no) - this entry is a backup RADIUS accounting server

    - accounting-port (integer; default: 1813) - RADIUS server port used for accounting

    - address (IP address; default: 0.0.0.0) - IP address of the RADIUS server

    - authentication-port (integer; default: 1812) - RADIUS server port used for authentication

    - called-id (text; default: "") - value depends on the Point-to-Point protocol: ISDN - phone number dialled (MSN); PPPoE - service name; PPTP - server's IP address; L2TP - server's IP address

    - domain (text; default: "") - Microsoft Windows domain of the client, passed to RADIUS servers that require domain validation

    - realm (text) - explicitly stated realm (user domain), so users do not have to provide the proper ISP domain name in the user name

    - secret (text; default: "") - shared secret used to access the RADIUS server

    - service (multiple choice: hotspot | login | ppp | telephony | wireless | dhcp; default: "") - router services that will use this RADIUS server: hotspot - HotSpot authentication service; login - router's local user authentication; ppp - Point-to-Point clients authentication; telephony - IP telephony accounting; wireless - wireless client authentication (client's MAC address is sent as User-Name); dhcp - DHCP protocol client authentication (client's MAC address is sent as User-Name)

    - timeout (time; default: 100ms) - timeout after which the request is resent
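Added example (not from these slides or from MikroTik's own code) of the exchange that the "secret" and "authentication-port" properties govern: a RADIUS Access-Request built and checked as in RFC 2865, with the User-Password hidden under the shared secret and the reply's Response Authenticator verified by the client. The secret, user, NAS address and the fixed authenticator used in comments are constructed sample values.

```python
# Added example (not from the slides or MikroTik): the RADIUS Access-Request
# exchange behind the "secret" and "authentication-port" properties, per
# RFC 2865. Secret, NAS IP and user names used by callers are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def _attr(code, value):
    # Type (1 byte), Length (1 byte, counts these two bytes too), Value
    return struct.pack("!BB", code, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def recover_password(hidden, secret, req_auth):
    """Server side (User Manager): p_i = c_i XOR MD5(secret + c_{i-1}), then strip the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, nas_ip, req_auth=None):
    """Client side: the packet the RouterOS RADIUS client sends to authentication-port 1812."""
    req_auth = req_auth or os.urandom(16)  # must be unpredictable and unique per request
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def build_reply(code, ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(code | id | length | RequestAuth | attrs | secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_reply(reply, ident, req_auth, secret):
    """Client side: trust a reply only if the id matches and the authenticator checks out under the shared secret."""
    if len(reply) < 20 or reply[1] != ident or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

A reply whose authenticator was computed with a different secret, or whose identifier does not match the outstanding request, is rejected, which is why the secret must match on both router and server.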

  • Connecting MikroTik to RADIUS

    - Create the first subscriber

    - The first subscriber must be added using the MikroTik terminal (console).

    - All the configuration is done under the /tool user-manager menu.

    - To create a subscriber, go to the /tool user-manager customer menu and execute the add command.

    - Example:

      [nico@USER_MAN] tool user-manager customer> add login="admin" password="adminpassword" permissions=owner

    - After that you can use the web interface

  • RADIUS Management

    - To log on to the customer web interface, type the following address in your web browser: http://Router_IP_address/userman

    - where "Router_IP_address" must be replaced with the IP address of your router.

    - Use the login and password of the subscriber you created in the console.

  • RADIUS Server Configuration

  • Web interface

  • UserMan Table

    - Tables are used to display a list of objects: users, routers, credits, sessions, customers or logs.

    - Tables have several options: Sorting; Filtering (Search); Division in pages; Multiple object selection; Operations with selected objects; Minimization; Links to detail form.

  • Sorting

    - Sorting can be done by almost all fields. But there are some "non-sortable" fields, mostly because they are calculated fields.

    - Sorting can be ascending (1, 2, 3, ...) or descending (5, 4, 3, ...).

  • Filtering

    - Each table can be filtered only by one field: Users, sessions, logs: by username; Routers, credits: by name; Customers: by login.

    - Some tables cannot be filtered (for example, a specific user's sessions).

  • Division in pages

    - A table can contain plenty of records. It could be a very long operation to display them all.

    - Therefore records are divided into pages and only one page, called the active page, is displayed at a time.

  • Multiple object selection

    - Tables have checkboxes for each object on the right side of the row.

    - Each object can be selected and actions can be performed on selected objects.

    - On top of all checkboxes is the select-all checkbox, which toggles selection of all objects in the current page.

    - A title displaying the selected object count is located at the bottom of a table.


  • Operations with selected objects

    - Different operations can be performed on selected objects.

    - Web-interface users can have different allowed operations depending on their permissions.

    - Operations are performed only with users in the active page. The reason is security. It is very easy to select some objects, then change the page and forget the selected objects in other pages. Some operations (like remove) are very dangerous in such situations. That's why all operations work only with selected objects in the active page.

    - All allowed operations (except adding, which is available in the main menu on the left) can be found at the bottom of a table in the form of a popout toolbar.


  • Minimization

    - Tables can be minimized with a click on the minimize button in the top-right corner.

  • Links to detail form

    - Almost every table has links to the object detail form, because not all the information can be displayed in the table.

    - Detail form links are displayed as usual HTML links, underlined.


  • Sections

    - The customer page sections are described here. Use the menu on the left side to navigate.

  • Status

    - This page has several components: User search; Active user listing; Active session listing; User batch-add form.

    - User search

    - Active users. The active user count is displayed here. To see a full list of active users, click on "Show".

    - Active sessions. The active session count is displayed here. To see a full list of active sessions, click on "Show".

  • User batch-add form

    - A batch of users can be added here.

    - Fields:

      Number of users. How many users to add;
      Login starts with. Displays the user prefix;
      Rate limits. Hidden by default. Check the box on the right to show the rate limit field group;
      Uptime limit;
      Prepaid. Credit that will be assigned to the users. Unlimited users can also be created by selecting unlimited as the value;
      Generate CSV file. When checked, a CSV file will be generated containing the just-created user data;
      Generate vouchers. When checked, printable vouchers for the just-created users will be generated.

  • Routers

    - View routers

    - Add router

  • Routers

    - User Manager must know with which routers (IP addresses) to communicate.

    - User Manager is like a judge - it receives questions and must give answers.

    - For example: HotSpot: "Is user 'nick' allowed to use hotspot?" User Manager: "Yes, but only 2 hours. And give him IP 192.168.0.40".

    - The router table contains information about known routers which are allowed to ask User Manager questions.

  • Router

    - Fields: Name. Router's name. Must be unique per subscriber; IP Address. Address of the router; Shared secret. Password used for authentication; Log events. Specifies which events must be written to the log.

  • User Manager/Subscribers

    - A subscriber is a customer with owner permissions whose parent is itself;

    - Subscribers can be thought of as domains - each subscriber sees everything that happens with its sub-customers, credits, users, routers, sessions, etc., but has no access to other subscribers' data;

    - All data objects (users, routers, credits, logs) belong to one specific subscriber and can therefore be shared among many sub-customers of the owner subscriber;

    - To separate users among customers of one subscriber, the user prefix is used;

  • User Manager/User prefix

    - Every user belongs to a specific subscriber. To separate users among customers of the same subscriber, a specific customer property called user prefix is used.

    - Example:

      [nico@USERMAN] tool user-manager customer> print
      0 subscriber=owner login="owner" password="" permissions=owner parent=owner
      1 subscriber=owner login="manager" password="" user-prefix="p" permissions=read-write parent=owner
      2 subscriber=owner login="reader" password="" user-prefix="public" permissions=read-only parent=owner

      [nico@USERMAN] tool user-manager user> print
      0 subscriber=owner username="differentUser"
      1 subscriber=owner username="publicUser1"
      2 subscriber=owner username="publicUser2"
      3 subscriber=owner username="privateUser1"
      4 subscriber=owner username="privateUser2"
      5 subscriber=owner username="pztuxy"
      6 subscriber=owner username="klztt8xs"

  • User Manager/User prefix

    According to the situation described above, customer owner is the subscriber with two sub-customers: manager and reader. User accessibility can be shown in the following table.
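An added example (not from the slides) that parses the two print listings above and derives the accessibility table for owner, manager and reader. It assumes the user-prefix rule that a customer sees exactly the users of its subscriber whose username starts with its prefix, and that a customer with no prefix (the owner) sees all of them:

```python
# Added example, not from the slides: parse the "print" listings and apply the
# user-prefix rule. Assumption: a customer sees exactly the users of its
# subscriber whose username starts with its user-prefix; a customer without a
# prefix (the owner/subscriber) sees all of them.
import re

# The listings as printed on the slide, one item per line.
CUSTOMER_PRINT = """\
0 subscriber=owner login="owner" password="" permissions=owner parent=owner
1 subscriber=owner login="manager" password="" user-prefix="p" permissions=read-write parent=owner
2 subscriber=owner login="reader" password="" user-prefix="public" permissions=read-only parent=owner
"""
USER_PRINT = """\
0 subscriber=owner username="differentUser"
1 subscriber=owner username="publicUser1"
2 subscriber=owner username="publicUser2"
3 subscriber=owner username="privateUser1"
4 subscriber=owner username="privateUser2"
5 subscriber=owner username="pztuxy"
6 subscriber=owner username="klztt8xs"
"""

# key=value or key="quoted value"; keys may contain hyphens (user-prefix)
FIELD = re.compile(r'([\w-]+)=("([^"]*)"|\S+)')

def parse_print(output):
    """Turn RouterOS 'print' lines into dicts; the leading number is the item index."""
    records = []
    for line in output.splitlines():
        if not line.strip():
            continue
        index, rest = line.split(None, 1)
        record = {"index": int(index)}
        for key, raw, quoted in FIELD.findall(rest):
            record[key] = quoted if raw.startswith('"') else raw
        records.append(record)
    return records

def visible_users(customer, users):
    """Usernames this customer may see, in listing order (assumed prefix rule)."""
    prefix = customer.get("user-prefix", "")
    return [u["username"] for u in users
            if u["subscriber"] == customer["subscriber"] and u["username"].startswith(prefix)]

def visibility_table(customers, users):
    """Customer login -> visible usernames: the table the slide refers to."""
    return {c["login"]: visible_users(c, users) for c in customers}
```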

  • Credits

    - Credits are used to control user session time. Each credit has: Name. Unique ID; Time. How long services can be used; Full Price. How much it will cost if this is the first credit for the user or the user has free credits (with zero price) only; Extended Price. How much it will cost if the user already has (at least) one credit (with a price other than zero) and buys this as an additional credit;

    - Credits belong to subscribers. If a customer creates a credit, it belongs to the subscriber which is the owner of that customer.


  • Credit

    - Fields:

      Name. Credit's name. Must be unique per subscriber;
      Time. How long this credit is valid when started;
      Full price. The price of this as the first credit for a user. When the checkbox at the right is empty, full price is unavailable - this credit cannot be used as a base credit;
      Extended price. The price of this as an extended credit for a user (the user already has credits before this one). When the checkbox at the right is empty, extended price is unavailable - this credit cannot be used as an extended credit;

  • Users

    - Users are people who use services provided by customers;

    - Each user can have time, traffic and speed limitations;

    - Users belong to a specific subscriber, not to a customer. Customers can create, modify and delete users, but the owner is the subscriber who is also the owner of these customers;

    - To separate users among customers of one subscriber, the user prefix is used.

  • User

    - User data contains:

      Username and password. Used to identify the user. Different subscribers can have users with the same username;
      First name, last name, phone, location. Informational;
      Email. Used to send notifications to the user (for example, the sign-up email);
      IP address. If not blank, the user will get this IP address on successful authorization;
      Pool name. If not blank, the user will get an IP address from this IP pool on successful authorization;
      Group. Sent to the RADIUS client as the Mikrotik-Group attribute. Indicates the group (/user group) for RouterOS users and the profile for HotSpot users. See the RADIUS client documentation for further details, search for "Mikrotik-Group";
      Download limit. Limit of download traffic, in bytes;
      Upload limit. Limit of upload traffic, in bytes;
      Transfer limit. Limit of total traffic (download + upload), in bytes;
      Uptime limit. Limit of the total time the user can use services. When left blank, the user is limited in time only by credits;
      Rate limits. Has several parts. For a more detailed description see HotSpot User AAA, search for "rate-limit".

    - Users also have read-only counters: Uptime used; Download used; Upload used.

  • View users

    - User detail form

    - There are groups of fields (for example, private information, rate limits). These fields are hidden by default and are accessible by checking the box on the right.

    - If the user has credits assigned, the total prepaid time is shown at the bottom. To see credit details click on the plus sign ("+") under Prepaid time.

    - New credits can also be assigned (if permitted) to the user. At the bottom is a select-box called "Extend" (called "Add time" when the user has no credits yet). The price depends on what kind of credit this is for the user - first or extended. The price is shown in braces.

    - Options (buttons at the bottom): Save - saves edited information and assigns the credit, if one is selected; View report - opens the single user report; Remove last credit - removes the last credit that has not started yet; Show sessions - opens a window with all sessions this user has;
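An added example (not from the slides) that encodes the full/extended pricing rule from the Credits and Credit slides together with the "Add time"/"Extend" select-box of the user detail form described above; the credit names and prices are constructed sample values:

```python
# Added example, not from the slides: which price a user pays for a credit
# (full vs. extended) and what the select-box on the user detail form shows.
# Credits and the prices already paid are constructed sample data.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Credit:
    name: str
    full_price: Optional[float]      # None = checkbox empty: cannot be a base credit
    extended_price: Optional[float]  # None = checkbox empty: cannot be an extended credit

def price_for(credit, prices_paid):
    """Price the user would pay for `credit`, given the prices of credits already held.
    Returns None when the credit is unavailable in the role it would play for this user."""
    if any(p > 0 for p in prices_paid):    # at least one non-free credit held: extended role
        return credit.extended_price
    return credit.full_price               # first credit, or only free credits so far: base role

def select_box(credits, prices_paid):
    """Label and entries of the select-box; the price is shown in braces after the name."""
    label = "Add time" if not prices_paid else "Extend"
    entries = [f"{c.name} ({price_for(c, prices_paid)})" for c in credits
               if price_for(c, prices_paid) is not None]
    return label, entries
```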

  • Add user

  • Sessions

    - Fields: Username. Session owner; From Time. Session start time; Till Time. Session end time; Terminate Cause. Session termination reason; Uptime. = End Time - Start Time; Download. Downloaded traffic amount; Upload. Uploaded traffic amount.

  • View session

  • Session detail form

  • Customers

    - Customers are service providers. They use the web interface to manage users, credits, routers;

    - Customers are hierarchically ordered in a tree structure - each can have zero or more sub-customers and exactly one parent customer;

    - Each customer can have the same or a weaker permission level than its parent;

    - Each customer has exactly one owner subscriber.

    - A customer with owner permissions is called a subscriber. The subscriber's parent is itself;

  • Customer data

    - Login and password. Used for the web interface;

    - Parent. Enumerator over customers. Used to keep the hierarchy of customers;

    - Permissions. Specifies the permission level;

    - Public ID. An ID used to identify the customer. When a user wants to log on to the user page or to sign up, he/she needs to specify which customer to use (because user login names are allowed to be equal among several subscribers). To keep customer login names secret (for security reasons), this field is used to identify customers (subscribers);

    - Public host. Only for subscribers. IP address or DNS name specifying the public address of this User Manager router. Payment gateways use this address to send the transaction status response. This field only makes sense if users access the User Manager site through a local IP address (for example, http://192.168.0.250/user) and another address is used for public access (for example, http://userman.mt.lv/user).

    - Company, city, country. Informational;

    - Email address. Used to send emails (for example, sign-up information) to users;

    - User prefix. Used to separate users between customers of one subscriber;

    - Sign-up allowed. When checked, this customer allows users to sign up;

    - Sign-up email subject. When a user completes sign-up successfully, he/she receives an email with authorization information, called the sign-up email. The subject of this email is configurable.

    - Date format. Used on web pages for data representation. Only the allowed formats (listed in the drop-down) can be used. When the value doesn't match any of the allowed formats (it's possible to enter any value from the console), the default is used. See date character constants.

    - Time zone. Specific to each customer. By default equals 00:00. Session and credit info is stored as GMT regardless of the RouterOS time zone on the User Manager router. This value specifies the way data is displayed on the User Manager web pages.

    - Sign-up email body. Text template of the sign-up email. Must contain several specific string constants: %login% - will be replaced with the login name of the newly created account; %password% - will be replaced with the password of the newly created account; %link% - will be replaced with a link to the User page. This field can be omitted;

    - Authorize.Net fields (only for subscribers and only when using https): Allow payments. When checked, users are allowed to use Authorize.Net as the payment method for this subscriber; Login ID, Transaction Key, MD5 Value. Authorize.Net merchant attributes. Must match those specified in the Authorize.Net Merchant gateway security settings; Title. The name of this payment method shown to users. For example, if one changes the title to "Credit Card", users will see "Pay with Credit Card" instead of "Pay with Authorize.Net". This field can be very useful if users don't know what Authorize.Net means and get confused;

    - PayPal fields (only for subscribers): Allow payments. When checked, users are allowed to use PayPal as the payment method for this subscriber; Business ID (login/email). Business ID of the PayPal account where the money will be sent;

  • View customers

    - Customer detail form

  • Customers advanced

  • Add customer

  • Reports

    - There are different kinds of reports: user time and traffic reports over a period of time; single user report; user credit vouchers (print page).

  • User time and traffic report

    - It is a user time and traffic report for printing. The configuration panel will not be visible in printable form, only the results. Configurable attributes: Which users will be included - prepaid, unlimited or both; Whether time and price or download and upload are shown; Period - all actions, only last month, this year, etc.

  • View Report

  • Single user report

    - To get a single user report in the customer web page: Open the user section; Click on the login field of the desired user in the table. A user detail form will be shown; Press the button "View report". The single user report page will be opened.

  • View user single report

  • User credit vouchers

    - Credit vouchers are printable pages with information about users - prepaid time, price, login and password and some additional information.

    - Vouchers can be used in hotels, cafes, bars and other institutions that provide HotSpot internet access. Print vouchers and sell them to users. The user gets the login and password and can start using the HotSpot.

  • Logs

    - Logs are written when specific requests from routers are received.

    - Log data contains: Username. Can differ from those registered in the user table; User IP; Host IP. Router's IP; Status; Time; Description; NAS Port; NAS Port type; NAS Port ID; ACCT Session ID; Calling station ID.

  • View Log