One of the most important aspects of setting up an ISP (Internet Service Provider) is ensuring you have a rock-solid Radius Server (also known as AAA: Authentication, Authorization and Accounting). Radius, which stands for Remote Authentication Dial In User Service, controls both access to your network devices and the accounting of traffic used. With a central Radius Server you can quickly allow or disallow network access, see who is currently connected and monitor their network usage.
Below we will look at a typical connection cycle and the Radius traffic exchanged between the Radius Client and the Radius Server.
A typical session to your NAS (Network Access Server) begins with Radius Authentication; once the user's session has been successfully authenticated, the NAS sends Radius Accounting information to track the session.
Radius Authentication
Let's start by having a look at the basic flow of Radius Authentication. Say you have client X connecting to your Mikrotik PPPoE Server. We use Mikrotik as an example here, but the same holds true for any device which speaks the Radius protocol.
First the user initiates a session over PPPoE and sends along a Username and Password for their connection.
The Mikrotik receives these details and constructs a Radius Access-Request packet.
A typical Radius Access-Request Packet.
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 15732834
NAS-Port-Type = Ethernet
User-Name = "example@ibill.io"
Calling-Station-Id = "00:00:1E:2E:3E:A0"
Called-Station-Id = "PPPoE"
NAS-Port-Id = "eth1"
MS-CHAP-Domain = "ibill.io"
CHAP-Challenge = 0xe7da8697192738465509d9fc3dc1d7fd
CHAP-Password = 0x0173c707ea3c510bc76b37f3a6b0c29fdc
NAS-Identifier = "Mikrotik"
Mikrotik-Realm = "ibill.io"
NAS-IP-Address = 10.0.0.1
When this packet is received by the radius server a few actions take place.
- The source IP of the packet is checked to see if it's allowed to send traffic to the radius server.
- The User-Name is checked to see if it's valid and allowed to connect.
- The password is verified. There are multiple methods of sending a password (the packet above uses CHAP), and each of these methods uses some form of hashing against the radius secret. (When the radius secret does not match between the radius client and the server, the password will always fail to verify.)
- Once the user and password have been verified, the server replies with either an Access-Accept or an Access-Reject.
- Additionally, some attributes may be added to the reply. These can include speed limits, transfer limits, IP addresses or various other AVPs (Attribute Value Pairs) which change the parameters of the connection.
A typical Access-Accept packet.
Acct-Interim-Interval = 300
Framed-IP-Address = 10.1.1.1
Class = 0x57696d617834122314
Mikrotik-Rate-Limit = "1M/2M"
In this example we send an Access-Accept to say the connection is allowed. Some additional AVPs are sent here: the expected interim interval for the radius accounting packets, an IP address to assign to the connection, a rate limit (1 Mbit upload, 2 Mbit download) and a Class to identify the session.
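To make the server-side steps above concrete, here is an added example (not code from the original page or from Mikrotik) that builds the Access-Request a NAS would send after a CHAP exchange, then runs the server's checks: client IP allow-list, user lookup, CHAP-Password verification (MD5 of ident + password + challenge, with a constant-time compare), and an Access-Accept or Access-Reject carrying the Response Authenticator MD5(header + Request Authenticator + attributes + secret). The NAS-side check at the end is what makes a mismatched shared secret fail: a reply signed with the wrong secret does not verify and is discarded. The shared secret, password and client list are constructed sample values; the CHAP challenge and Class value are the ones printed on this page.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865 numbering).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 3, 4
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS = 6, 7, 8
CLASS, NAS_IDENTIFIER, CHAP_CHALLENGE, ACCT_INTERIM_INTERVAL = 25, 32, 60, 85


def encode_attrs(attrs):
    """Serialise [(type, value_bytes)] as Type/Length/Value attributes."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def decode_attrs(data):
    """Parse Type/Length/Value attributes, refusing malformed lengths."""
    attrs = []
    while data:
        typ, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((typ, data[2:length]))
        data = data[length:]
    return attrs


def parse_packet(pkt):
    """Split a RADIUS packet into (code, identifier, authenticator, attrs)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def chap_response(chap_ident, password, challenge):
    """CHAP (RFC 1994) response: MD5(ident + password + challenge)."""
    return hashlib.md5(bytes([chap_ident]) + password.encode() + challenge).digest()


def nas_access_request(ident, username, password, challenge, chap_ident=1):
    """Build the Access-Request a NAS sends after a PPPoE CHAP exchange."""
    request_authenticator = os.urandom(16)  # fresh random value per request
    attrs = [
        (SERVICE_TYPE, struct.pack("!I", 2)),      # Framed-User
        (FRAMED_PROTOCOL, struct.pack("!I", 1)),   # PPP
        (USER_NAME, username.encode()),
        (CHAP_CHALLENGE, challenge),
        (CHAP_PASSWORD, bytes([chap_ident]) + chap_response(chap_ident, password, challenge)),
        (NAS_IDENTIFIER, b"Mikrotik"),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
    ]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator + body


def server_handle(pkt, src_ip, clients, users, secret):
    """Server side: client check, user check, password check, then Accept/Reject.

    Returns the reply packet, or None when the packet must be dropped silently.
    """
    if src_ip not in clients:          # step 1: unknown NAS, drop without any reply
        return None
    code, ident, request_authenticator, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        return None
    a = dict(attrs)
    username = a.get(USER_NAME, b"").decode(errors="replace")
    password = users.get(username)     # step 2: None if the user is unknown or disabled
    chap = a.get(CHAP_PASSWORD, b"")
    ok = False
    if password is not None and len(chap) == 17:   # step 3: 1 ident byte + 16-byte MD5
        challenge = a.get(CHAP_CHALLENGE, request_authenticator)  # RFC 2865 fallback
        expected = chap_response(chap[0], password, challenge)
        ok = hmac.compare_digest(expected, chap[1:])  # constant-time compare
    reply_attrs = []
    if ok:                             # step 5: attributes that shape the session
        reply_attrs = [
            (ACCT_INTERIM_INTERVAL, struct.pack("!I", 300)),
            (FRAMED_IP_ADDRESS, bytes([10, 1, 1, 1])),
            (CLASS, bytes.fromhex("57696d617834122314")),
        ]
    body = encode_attrs(reply_attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def nas_verify_reply(reply, request_authenticator, secret):
    """NAS side: a reply whose Response Authenticator does not verify is discarded."""
    header, got, body = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, got)
```

The unknown-client case returns None rather than an Access-Reject on purpose: RFC 2865 says a request from an unknown client is silently discarded, which avoids telling an arbitrary host which addresses the server is willing to talk to. A production server would also check Message-Authenticator where present and handle PAP and MS-CHAP, which this example leaves out.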
Radius Accounting
Once the Mikrotik receives the radius Access-Accept, the connection setup completes and a radius Accounting-Request is sent to the radius server. The first Accounting-Request sent is known as the Accounting Start; it signifies a new session which needs to be tracked.
A typical Accounting-Request Start packet.
Acct-Status-Type = Start
NAS-Port-Type = Ethernet
Calling-Station-Id = "00:00:1E:2E:3E:A0"
Called-Station-Id = "PPPoE"
NAS-Port-Id = "eth1"
User-Name = "example@ibill.io"
NAS-Port = 15732834
Acct-Session-Id = "80e00136"
Framed-IP-Address = 10.1.1.1
Mikrotik-Host-IP = 10.1.0.1
Event-Timestamp = "Dec 20 2016 13:37:00 GMT"
NAS-Identifier = "Mikrotik"
Acct-Delay-Time = 0
NAS-IP-Address = 10.0.0.1
Class = 0x57696d617834122314
The Accounting Start packet contains everything needed to identify the session, including the unique session id on the NAS, the user's IP address and the relevant port/media information of the connection.
After the Acct-Interim-Interval supplied on authentication has elapsed (this interval can also be configured directly on the device, without sending it in the Access-Accept), the NAS sends an Interim-Update Accounting-Request.
The Interim-Update is very similar to the Start packet but contains some extra information, such as the length of the session and the amount of data transferred so far during the session.
A typical Interim-Update packet.
Acct-Status-Type = Interim-Update
NAS-Port-Type = Ethernet
Calling-Station-Id = "00:00:1E:2E:3E:A0"
Called-Station-Id = "PPPoE"
NAS-Port-Id = "eth1"
User-Name = "example@ibill.io"
NAS-Port = 15732834
Acct-Session-Id = "80e00136"
Framed-IP-Address = 10.1.1.1
Mikrotik-Host-IP = 10.1.0.1
Event-Timestamp = "Dec 20 2016 13:37:00 GMT"
NAS-Identifier = "Mikrotik"
Acct-Delay-Time = 0
NAS-IP-Address = 10.0.0.1
Class = 0x57696d617834122314
Acct-Input-Octets = 4762630
Acct-Output-Octets = 124009799
Acct-Session-Time = 300
Acct-Input-Packets = 69492
Acct-Output-Packets = 92722
Here we have the same identifying information for the session as in the Start packet, plus some new information: Acct-Input-Octets (bytes sent from the user to the NAS, i.e. uploaded bytes), Acct-Output-Octets (bytes sent from the NAS to the user, i.e. downloaded bytes) and Acct-Session-Time (the number of seconds the user has been online).
When the session is finally terminated the NAS sends one last Accounting-Request packet. This is the Stop request; it signals to the radius server that the session has ended.
A typical Stop packet.
Acct-Status-Type = Stop
NAS-Port-Type = Ethernet
Calling-Station-Id = "00:00:1E:2E:3E:A0"
Called-Station-Id = "PPPoE"
NAS-Port-Id = "eth1"
User-Name = "example@ibill.io"
NAS-Port = 15732834
Acct-Session-Id = "80e00136"
Framed-IP-Address = 10.1.1.1
Mikrotik-Host-IP = 10.1.0.1
Event-Timestamp = "Dec 20 2016 13:37:00 GMT"
NAS-Identifier = "Mikrotik"
Acct-Delay-Time = 0
NAS-IP-Address = 10.0.0.1
Class = 0x57696d617834122314
Acct-Input-Octets = 5695632
Acct-Output-Octets = 125013767
Acct-Session-Time = 367
Acct-Input-Packets = 71627
Acct-Output-Packets = 98318
Acct-Terminate-Cause = User-Request
The Stop packet is almost the same as the Interim-Update packet but again contains extra information: the Acct-Terminate-Cause indicates the reason the connection was closed, and the octet counters contain the final tally of data used during the session.
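The Start, Interim-Update and Stop packets above are what an accounting back end has to turn into usage records. The following added example (not code from the original page or from Mikrotik) parses attribute dumps in the one-attribute-per-line form printed on this page and tracks sessions keyed by NAS-IP-Address plus Acct-Session-Id, billing the difference between successive octet counters. It also handles the cases a billing system meets in practice: a retransmitted Start, an Interim-Update or Stop for a session whose Start was lost, and an octet counter that goes backwards within one session (which a NAS never does legitimately, so it is flagged rather than billed as negative). The Acct-Input-Gigawords / Acct-Output-Gigawords handling follows RFC 2869, which extends the 32-bit octet counters; the sample dumps are constructed from the page's own values with most identifying attributes trimmed for brevity, and the reset policy (bill only what the current packet reports) is a choice made for the example.

```python
import re

# Constructed sample dumps, taken from the packets shown on this page (abbreviated).
START_DUMP = """
Acct-Status-Type = Start
User-Name = "example@ibill.io"
Acct-Session-Id = "80e00136"
Framed-IP-Address = 10.1.1.1
Acct-Delay-Time = 0
NAS-IP-Address = 10.0.0.1
Class = 0x57696d617834122314
"""
INTERIM_DUMP = """
Acct-Status-Type = Interim-Update
User-Name ="example@ibill.io"
Acct-Session-Id = "80e00136"
NAS-IP-Address = 10.0.0.1
Acct-Input-Octets = 4762630
Acct-Output-Octets = 124009799
Acct-Session-Time = 300
"""
STOP_DUMP = """
Acct-Status-Type = Stop
User-Name = "example@ibill.io"
Acct-Session-Id = "80e00136"
NAS-IP-Address = 10.0.0.1
Acct-Input-Octets = 5695632
Acct-Output-Octets = 125013767
Acct-Session-Time = 367
Acct-Terminate-Cause = User-Request
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")


def parse_dump(text):
    """Parse 'Attribute = value' lines into a dict: quoted -> str, 0x.. -> bytes, digits -> int."""
    attrs = {}
    for line in text.strip().splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            attrs[name] = raw[1:-1]
        elif raw.startswith("0x"):
            attrs[name] = bytes.fromhex(raw[2:])
        elif raw.isdigit():
            attrs[name] = int(raw)
        else:
            attrs[name] = raw          # enum names and dotted IPs stay as text
    return attrs


def _octets(attrs, direction):
    """Combine the 32-bit octet counter with its Gigawords high word (RFC 2869)."""
    low = attrs.get(f"Acct-{direction}-Octets", 0)
    high = attrs.get(f"Acct-{direction}-Gigawords", 0)
    return (high << 32) + low


class SessionTracker:
    """Tracks live sessions by (NAS-IP-Address, Acct-Session-Id) and bills usage deltas."""

    def __init__(self):
        self.active = {}   # key -> counters last seen for that session
        self.closed = []   # reports for sessions that received a Stop

    def handle(self, attrs):
        key = (attrs["NAS-IP-Address"], attrs["Acct-Session-Id"])
        status = attrs["Acct-Status-Type"]
        report = {"key": key, "status": status, "user": attrs.get("User-Name"), "flags": []}
        if status == "Start":
            if key in self.active:
                report["flags"].append("duplicate-start")  # NAS retransmit: keep the existing session
            else:
                self.active[key] = {"in": 0, "out": 0, "ip": attrs.get("Framed-IP-Address")}
            return report
        sess = self.active.get(key)
        if sess is None:   # Start was lost or server restarted: open it now instead of dropping usage
            report["flags"].append("unknown-session")
            sess = self.active[key] = {"in": 0, "out": 0, "ip": attrs.get("Framed-IP-Address")}
        cur_in, cur_out = _octets(attrs, "Input"), _octets(attrs, "Output")
        if cur_in < sess["in"] or cur_out < sess["out"]:
            # Counters never decrease within one session; a drop means a NAS reset or a bogus
            # packet. Flag it and (policy choice for this example) bill only this packet's value.
            report["flags"].append("counter-went-backwards")
            delta_in, delta_out = cur_in, cur_out
        else:
            delta_in, delta_out = cur_in - sess["in"], cur_out - sess["out"]
        sess["in"], sess["out"] = cur_in, cur_out
        report.update(delta_in=delta_in, delta_out=delta_out, total_in=cur_in,
                      total_out=cur_out, session_time=attrs.get("Acct-Session-Time"))
        if status == "Stop":
            report["terminate_cause"] = attrs.get("Acct-Terminate-Cause")
            self.closed.append(report)
            del self.active[key]
        return report
```

Feeding the three dumps through one SessionTracker in order gives an Interim-Update delta equal to its counters, a Stop delta of 933002 bytes up and 1003968 bytes down, and an empty active table afterwards. Keying on the NAS address as well as Acct-Session-Id matters because different routers can and do reuse the same session id values.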
We hope this basic overview of the Radius protocol gives you a greater understanding of the interaction that takes place between a NAS and a Radius Server. If you have any questions please feel free to add a comment and we will try to answer them for you.
Looking for a Radius Server?
Try our easy to use ISP Radius and Billing solution and have one available in the cloud in 30 seconds. Our free trial is a great way to learn more by practicing and testing your Radius Configurations.