Syed Jahanzaib Personal Blog to Share Knowledge !

March 11, 2016

Mikrotik with Freeradius/mySQL # Part-1

Filed under: freeradius — Tags: , , , , , — Syed Jahanzaib / Pinochio~:) @ 3:42 PM


Disclaimer! This is important!

Every network is different, so one solution cannot be applied to all. Therefore try to understand the logic and create your own solution as per your network scenario. Don't just copy and paste.

If anybody here thinks I am an expert on this stuff: I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However, I have worked with some core networks and I read, research and try stuff all of the time. So I am not speaking/posting about stuff I am formally trained in; I pretty much go with experience and what I have learned on my own. And if I don't know something, then I read and learn all about it.

So, please don't hold me/my postings to be always 100 percent correct. I make mistakes just like everybody else. However, I do my best, learn from my mistakes and always try to help others.

Regards
Syed Jahanzaib~

Personal Note:

This is another post about freeradius. My aim is to let people know that creating your own Radius Billing system is not ROCKET SCIENCE, as some PROs in the industry try to make it seem. You can do it as well; the only thing required is the passion to achieve the goal. And with the right search, reading and understanding of the logic, you can do it all on your own. I strongly encourage you to read the FR mailing list and Google.


Make your own Billing system in Linux with Freeradius 2.1.10 / MySQL 5.5.47
# Part-1

[This guide will be updated with many further supporting posts]

The aim of writing this post is that there are a number of radius products available on the internet with lots of features, each with some unique features. But it is also true that none of them is 100% perfect for every type of ISP, because every ISP/network has its own local requirements and billing mode. If you have searched on Google you will have found tons of guides for freeradius implementation, but most of them have either incomplete data, difficult explanations, or do not meet the practical requirements of a Desi ISP. That's why I started this guide: so that info that is not common on the net can be shared here, and, most importantly, so you can learn on your own using these baby steps.

In this post I have made a quick guide to install a very basic billing system using Freeradius/mysql on UBUNTU 12.4 [32bit]. Mikrotik is used as the NAS to connect users, and freeradius is used for the authentication/accounting billing system.

Quick Code to get started.

Radius IP = 101.11.11.245
Mikrotik IP = 101.11.11.255

Let’s Rock …


 

First update Ubuntu (12.4 32bit) and install the required packages

# Update Ubuntu First
apt-get update
# Install Required pre requisites modules
apt-get -y install apache2 mc wget make gcc mysql-server mysql-client curl
apt-get -y install phpmyadmin
apt-get install freeradius freeradius-mysql freeradius-utils

This may take a few moments, as on average 100+ MB will be downloaded from the net and installed automatically. Sit back and relax.

After update/installation of components done, Proceed to MYSQL configuration below …

TIP: Use phpmyadmin, it will be much easier for you to add/edit/delete records from DB using its GUI …



MYSQL  CONFIGURATION:

Create Freeradius Database in MYSQL

Now create Freeradius Database in mySQL.

Log in to mysql (use the mysql root password that you entered in the above steps)

mysql -uroot -pzaib1234
create database radius;
grant all on radius.* to radius@localhost identified by "zaib1234";

Import Freeradius Database Schema in MYSQL ‘radius’ DB

Import the freeradius database schema using the following commands. Make sure to change the password to the one you set above.

mysql -u root -pzaib1234 radius < /etc/freeradius/sql/mysql/schema.sql
mysql -u root -pzaib1234 radius < /etc/freeradius/sql/mysql/nas.sql

# For Ubuntu 18, use below...
# mysql -u root -pzaib1234 radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

Create new user in MYSQL radius database (For Testing Users)

User id = zaib
Password = zaib
Rate-Limit = 1024k/1024k

mysql -uroot -pzaib1234
use radius;
INSERT INTO radcheck ( id , UserName , Attribute , op , Value ) VALUES ( NULL , 'zaib', 'Cleartext-Password', ':=', 'zaib');
INSERT INTO radreply (username, attribute, op, value) VALUES ('zaib', 'Mikrotik-Rate-Limit', '==', '1024k/1024k');
exit

Note:
You can skip the Framed-IP-Address part or modify it as per required.


FREERADIUS CONFIGURATION:

SQL.CONF

NAS SECTION:

We have to add a NAS entry either in the radius NAS table or in clients.conf, so that this NAS is allowed to send auth requests to this freeradius.

To enable the NAS table via sql, we need to enable it in the sql.conf file; follow the method below …

Edit the following file: /etc/freeradius/sql.conf

nano /etc/freeradius/sql.conf

Change the password to zaib1234 (or whatever you set in mysql) and uncomment the following:

readclients = yes

So some portion of the file may look like following, after modifications

# Connection info:
server = "localhost"
#port = 3306
login = "radius"
password = "zaib1234"
readclients = yes


Save and Exit the file


/etc/freeradius/sites-enabled/default

Now edit the /etc/freeradius/sites-enabled/default

nano /etc/freeradius/sites-enabled/default

Uncomment the sql entry (it sits below the “# See “Authorization Queries” in sql.conf” comment) in each of the following sections:

accounting {
    # See “Authorization Queries” in sql.conf
    sql
}

session {
    # See “Authorization Queries” in sql.conf
    sql
}

post-auth {
    Post-Auth-Type REJECT {
        # See “Authorization Queries” in sql.conf
        sql
    }
}

Save and Exit the file


RADIUSD.CONF

Now edit /etc/freeradius/radiusd.conf file

nano /etc/freeradius/radiusd.conf

#Uncomment the following option

$INCLUDE sql.conf

Save and exit the file


/etc/freeradius/sites-available/default

Last but not least, edit /etc/freeradius/sites-available/default

nano /etc/freeradius/sites-available/default

Search for LINE

#  See “Authorization Queries” in sql.conf

and UN-COMMENT the SQL word below it.

Example After modification

#  See “Authorization Queries” in sql.conf

sql

Save and exit.


ADDING ‘NAS’ [Mikrotik] in CLIENTS.CONF

To accept connectivity of Mikrotik with the Freeradius, we need to add the mikrotik IP and shared secret in clients.conf

Edit  /etc/freeradius/clients.conf

nano /etc/freeradius/clients.conf

and add following lines at bottom

client 101.11.11.255 {
secret          = 12345
shortname       = Mikrotik
}

Note: Change the IP /Secret according to your Mikrotik Network Scheme.

After any change to clients.conf or to the NAS table, you must restart the freeradius service for the change to take effect; the client list is only read at startup, as a security measure.


Last but not least, download mikrotik dictionary from

https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client/vendor_dictionary

and copy it into the /usr/share/freeradius folder

If freeradius is already running, stop it and restart it.


TESTING USER AUTHENTICATION ON FREERADIUS:

Now stop the FreeRADIUS server

/etc/init.d/freeradius stop

and start in DEBUG mode so that we can monitor for any errors etc

freeradius -X

Now OPEN another TERMINAL/CONSOLE window and issue following command to TEST USER AUTHENTICATION

radtest zaib zaib localhost 1812 testing123

and you should see an Access-Accept message as below …

root@ubuntu:~#  radtest zaib zaib localhost 1812 testing123

Sending Access-Request of id 38 to 127.0.0.1 port 1812
User-Name = "zaib"
User-Password = "zaib"
NAS-IP-Address = 101.11.11.245
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=38, length=39
Mikrotik-Rate-Limit = "1024k/1024k"


Another method

echo "User-Name = zaib, Password = zaib, Calling-Station-Id =00:0C:29:35:F8:2F" | radclient -s localhost:1812 auth testing123

root@apnaradius:~# echo "User-Name = zaib, Password = zaib, Calling-Station-Id =00:0C:29:35:F8:2F" | radclient -s localhost:1812 auth testing123
Received response ID 101, code 3, length = 56
Reply-Message = "zaib - Your account has expired. \r\n"

Total approved auths: 0
Total denied auths: 1
Total lost auths: 0

:~) Alhamdolillah


 

MIKROTIK SECTION:

I assume you already have a pppoe server configured and running.

Add the Radius entry as shown in the images below …


 

TEST FROM CLIENT WINDOWS PC:

Create pppoe dialer at client end, and test the user ID created in earlier steps.


Once it will be connected, you can see entries in Mikrotik LOG / Active Users Session.
As shown in the image below …

and a dynamic queue of 1mb will also be created (from the Mikrotik-Rate-Limit attribute we added in radius/mysql)


DISCONNECT Active ppp USER : COMMAND FROM RADIUS

If you want to disconnect a single active connected user , use following command (many other methods available as well)

echo user-name=zaib | radclient -x 101.11.11.255:1700 disconnect 12345


Another method to disconnect a ppp user on Mikrotik via radclient, using the accounting session ID

First check the active user's Accounting Session ID in the RADACCT table.

mysql -uroot -pzaib1234 -s --skip-column-names -e "use radius; select acctsessionid from radacct where username ='zaib' AND acctstoptime is NULL;"

This gives you the account session ID from the radacct table.
Now issue the disconnect command (fill in the variables with actual values; the following is an example only):

echo user-name=$USERNAME,Acct-Session-Id=$ACCTSESID | radclient -x $NAS disconnect $RADSECRET

Disconnect HOTSPOT user with acct session id and framed ip

#!/bin/bash
#set -x
# Usage: ./disconnect-hotspot-user.sh <username>
USR="$1"
[ -z "$USR" ] && { echo "usage: $0 <username>"; exit 1; }
SQLUSER="root"
SQLPASS="PASSWORD"
SQLHOST="localhost"
SQLPORT="3306"
DB="radius"
CMD="mysql -u$SQLUSER -p$SQLPASS -h$SQLHOST --port=$SQLPORT --skip-column-names -e"
# NAS the user is currently connected to, taken from the open accounting record (acctstoptime NULL)
NAS_IP=$($CMD "use $DB; select nasipaddress from radacct where username ='$USR' AND acctstoptime is NULL;")
# Shared secret of that NAS, from the nas table (filled when readclients = yes)
NAS_SECRET=$($CMD "use $DB; select secret from nas where nasname = '$NAS_IP' ;")
NAS_COA_PORT="1700"
ACCTSESID=$($CMD "use $DB; select acctsessionid from radacct where username ='$USR' AND acctstoptime is NULL;")
FRAMEDIP=$($CMD "use $DB; select framedipaddress from radacct where username ='$USR' AND acctstoptime is NULL;")
# Send the Disconnect-Request to the NAS CoA port; session id + framed ip identify the exact session
echo user-name=$USR,Acct-Session-Id=$ACCTSESID,Framed-IP-Address="$FRAMEDIP" | /usr/local/bin/radclient -x $NAS_IP:$NAS_COA_PORT disconnect $NAS_SECRET > /dev/null

Preventing simultaneous use with the Simultaneous-Use attribute

To LIMIT USER SIMULTANEOUS SESSIONS: [command is in phpMyAdmin format]

INSERT INTO `radcheck` (`id` ,`username` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'zaib', 'MD5-Password', ':=', MD5( 'zaib' ) ),
(NULL , 'zaib', 'Simultaneous-Use', ':=', '1');

NOTE: For sim-use I had to disable (comment out) the “radutmp” entry in /etc/freeradius/sites-enabled/default.

ACCOUNTING SECTION
SESSION SECTION

Now modify the  /etc/freeradius/sql/mysql/dialup.conf file

nano /etc/freeradius/sql/mysql/dialup.conf

& UNCOMMENT following

# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"

NOTE:
YOU MUST RESTART THE FREERADIUS SERVER FOR THE CHANGES TO TAKE EFFECT. SO DO IT.



Add Calling-Station-Id attribute to restrict the MAC (Calling-Station-Id)

If we want to bind a user name to a specific MAC address, first edit

nano /etc/freeradius/sites-enabled/default

and uncomment the “checkval” module entry. Save and restart radius.

Now log in to mysql, select the radius database, and use the command below to add the user with the MAC address.

INSERT INTO `radius`.`radcheck` (`id` ,`username` ,`attribute` ,`op` ,`value`)
VALUES (
NULL , 'zaib', 'Calling-Station-Id', ':=', '12:34:56:78:70:00'
);

If the user connects from a different station with this ID, he will be rejected.


Add Static IP Address and Pool in radreply group.

To assign a user a FIXED IP address, use the following …

INSERT INTO radreply ( id , UserName , Attribute , op , Value ) VALUES (NULL , 'zaib', 'Framed-IP-Address', '==', '1.2.3.4');

To assign a user an IP from a POOL, use the following …

INSERT INTO radreply ( id , UserName , Attribute , op , Value ) VALUES (NULL , 'zaib', 'Framed-Pool', '==', '512k-pool');

 


Adding Expiration Date for user

If you want to expire the account after XX days, you can use the following

INSERT INTO radcheck ( id , UserName , Attribute , op , Value ) VALUES (NULL , 'zaib', 'Expiration', ':=', '13 Mar 2016');

In the above example the user will expire on 13th March, 2016 at 00:00 [midnight].

If you want to EXPIRE the user at some other specific time, use the following time format:

INSERT INTO radcheck ( id , UserName , Attribute , op , Value ) VALUES (NULL , 'zaib', 'Expiration', ':=', '13 Mar 2016 08:00');

ZAIB 🙂 GOT IT


Limit User Total Online time (Access by Period) Started from first login

If you want to limit the user's online time (e.g. in hours), counted from the first login, use the following.

edit the file /etc/freeradius/sites-enabled/default

nano /etc/freeradius/sites-enabled/default

and add the following under the “authorize {” section

accessperiod


now edit file /etc/freeradius/modules/sqlcounter_expire_on_login

nano /etc/freeradius/modules/sqlcounter_expire_on_login

and add following

sqlcounter accessperiod {
counter-name = Max-Access-Period-Time
check-name = Access-Period
sqlmod-inst = sql
key = User-Name
reset = never
query = "SELECT IF(COUNT(radacctid>=1),(UNIX_TIMESTAMP() - IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName = '%{%k}' AND AcctSessionTime >= 1 ORDER BY AcctStartTime LIMIT 1"
}

now add the user attribute in the radcheck table (the following is a 1 hour uptime limit example; it starts counting after the first login)

INSERT INTO radcheck ( id , UserName , Attribute , op , Value ) VALUES (NULL , 'zaib', 'Access-Period', '=', '3600');

Once the time period is over, user will be disconnected.


 

Limit User Total Online time, e.g. one hour, which can be used in parts as well.

If we want to allow the user one hour which he can use in parts, e.g. ten minutes now and the rest of the available time the next day, use the following.

edit the file /etc/freeradius/sites-enabled/default

nano /etc/freeradius/sites-enabled/default

and add the following under the “authorize {” section (this is the name of the sqlcounter instance defined below; it enforces the Max-All-Session check item)

timelimit

now edit file /etc/freeradius/modules/sqlcounter_expire_on_login

nano /etc/freeradius/modules/sqlcounter_expire_on_login

and add following

sqlcounter timelimit {
counter-name = Max-All-Session-Time
check-name = Max-All-Session
sqlmod-inst = sql
key = User-Name
reset = never
query = "SELECT SUM(AcctSessionTime) FROM radacct where UserName='%{%k}'"
}

Save and Exit.

Now add the user attribute in the radcheck table (the following is a 1 hour uptime limit example, which can be used in parts; no first-login rule applies here)

INSERT INTO radcheck ( id , UserName , Attribute , op , Value ) VALUES (NULL , 'zaib', 'Max-All-Session', ':=', '3600');

QUOTA LIMIT FOR USER with CUSTOM MEANINGFUL REJECT REPLY MESSAGE

To limit a user's data volume (daily, weekly or monthly), use the code below.

edit the file /etc/freeradius/sites-enabled/default

nano /etc/freeradius/sites-enabled/default

and add the following under the “authorize {” section

totalbytecounter {
    reject = 1
}
if (reject) {
    update reply {
        Reply-Message := 'ZAIB-RADIUS-REPLY - You have reached your bandwidth limit'
    }
    reject
}

now edit file /etc/freeradius/modules/sqlcounter_expire_on_login

nano /etc/freeradius/modules/sqlcounter_expire_on_login

and add following

sqlcounter totalbytecounter {
    counter-name = Mikrotik-Total-Limit
    check-name = Mikrotik-Total-Limit
    reply-name = Mikrotik-Total-Limit
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT ((SUM(AcctInputOctets)+SUM(AcctOutputOctets))) FROM radacct WHERE UserName='%{%k}'"
}

Save and Exit.

Now add the user attribute in the radcheck table (the following is a 1 MB total data limit example, which can be used in parts).

Note: the value is in bytes, so set it accordingly.

INSERT INTO radcheck ( id , UserName , Attribute , op , Value ) VALUES (NULL , 'zaib', 'Mikrotik-Total-Limit', ':=', '1000000');

Once the user's quota is over, he will get an access-denied message, and in the radius log you can see the following 🙂

Note:

There is a problem with the above attribute. Radius will not AUTO-disconnect the user once he reaches his limit; he will continue to use his account and will only be denied on his next login attempt.

[Later I found that if you add an expiration check in the radcheck section, the NAS will auto-DC the user, no need to disconnect the user manually 🙂 ] Look at the next article, which has the EXPIRATION post.

The following is a workaround for it.

Make the following bash script. It lists the online users, checks which of them have a quota limit set via the ‘Mikrotik-Total-Limit’ attribute, and then checks their usage against that limit. If usage is above the quota, it disconnects the user; otherwise it ignores him. You can add this script to crontab to run every X minutes.

#!/bin/bash
#set -x
# HEADER -----------
# SCRIPT to fetch data of active radius users into a file, then check their quota limit against their usage.
# if quota is over, disconnect them.
# Syed Jahanzaib / aacable@hotmail.com / https://aacable.wordpress.com
# 17-MAR-2016

# Setting FILE Variables
TMPFILE="/tmp/activeusers"
FINALFILE="/tmp/finalfile"

# Make list of ONLINE USERS using radwho command, very handy 🙂
radwho | awk '{print $2}' | sed '1d' > "$TMPFILE"
# if you fail to configure radwho, then use following
# mysql -uroot -pSQLPASS --skip-column-names -e "use radius; SELECT username FROM radacct WHERE acctstoptime IS NULL;" | cut -f1 -d/ > "$TMPFILE"

# Mikrotik NAS Details
NAS="101.11.11.255"
NASPORT="1700"
SECRET="12345"
CURDATE=$(date)

# MYSQL user credentials
SQLUSER="root"
SQLPASS="zaib1234"

# Collect username + QUOTA limit for each online user into $FINALFILE
# (users who have no Mikrotik-Total-Limit attribute return no row and are skipped).
# Truncate the file once, then APPEND (>>) inside the loop: a plain > would
# overwrite the file on every iteration and leave only the last online user.
> "$FINALFILE"
while read -r ACTIVEID
do
[ -z "$ACTIVEID" ] && continue
mysql -u"$SQLUSER" -p"$SQLPASS" --skip-column-names -e "use radius; SELECT username,value FROM radcheck WHERE attribute='Mikrotik-Total-Limit' AND username='$ACTIVEID';" >> "$FINALFILE"
done < "$TMPFILE"

# Read username and QUOTA LIMIT from $FINALFILE and check their usage against the assigned quota
while read -r username QLIMIT
do
[ -z "$username" ] && continue
QUSED=$(mysql -u"$SQLUSER" -p"$SQLPASS" --skip-column-names -e "use radius; SELECT ((SUM(AcctInputOctets)+SUM(AcctOutputOctets))) FROM radacct WHERE UserName='$username'")
# SUM() over zero rows returns NULL; treat it as 0 so the numeric test below does not fail
case "$QUSED" in ""|NULL) QUSED=0 ;; esac

# PRINT GENERAL INFO
echo "------ $CURDATE"
echo "$username QUOTA LIMIT= $QLIMIT"
echo "$username QUOTA USED= $QUSED"

# IF QUOTA IS ABOVE LIMIT, DISCONNECT USER USING RADCLIENT OR YOU CAN CHANGE THE USER SERVICE AS WELL 🙂 / zaib
if [ "$QUSED" -gt "$QLIMIT" ]
then
echo "QUOTA REACHED! Disconnecting $username from NAS $NAS"
echo "user-name=$username" | radclient -x "$NAS:$NASPORT" disconnect "$SECRET"

# ELSE JUST SHOW USER USED DATA WHICH IS IN LIMIT AT THE MOMENT / zaib
else
echo "$username quota is under limit"
echo "------"
fi
done < "$FINALFILE"

> "$TMPFILE"
> "$FINALFILE"
# SCRIPT END / Syed Jahanzaib
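The checks described in the Simultaneous-Use, Max-All-Session and quota sections above, and the over-quota decision the cron script makes, as an added example that is not part of the original post or of FreeRADIUS itself: the simul_count_query, the 'timelimit' and 'totalbytecounter' sqlcounter queries and the disconnect decision are run in Python against a constructed radacct/radcheck pair in an in-memory SQLite database. Table and column names follow the FreeRADIUS schema the post imports; the users, sessions, byte counts and Unix-epoch times are constructed sample data, and the function names are my own. It also covers the case any script comparing SUM() results has to handle: a user with no accounting rows yields NULL, which is treated as 0.

```python
# Added example, not the post's code: FreeRADIUS counter queries against a
# constructed radacct/radcheck in SQLite. Rows and times are sample data.
import sqlite3

SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY, username TEXT, acctsessionid TEXT,
    nasipaddress TEXT, framedipaddress TEXT, acctstarttime INTEGER, acctstoptime INTEGER,
    acctsessiontime INTEGER, acctinputoctets INTEGER, acctoutputoctets INTEGER);
"""

# Constructed check items: the same attributes the post inserts via mysql/phpMyAdmin.
RADCHECK = [
    ("zaib", "Cleartext-Password", ":=", "zaib"),
    ("zaib", "Simultaneous-Use", ":=", "1"),
    ("zaib", "Max-All-Session", ":=", "3600"),
    ("zaib", "Mikrotik-Total-Limit", ":=", "1000000"),
    ("ali", "Cleartext-Password", ":=", "ali"),
    ("ali", "Mikrotik-Total-Limit", ":=", "5000000"),
    ("newuser", "Cleartext-Password", ":=", "secret"),
    ("newuser", "Mikrotik-Total-Limit", ":=", "1000000"),
]

# Constructed accounting rows; acctstoptime NULL means the session is still open.
RADACCT = [
    # username, session id, NAS, framed IP, start, stop, seconds, octets in, octets out
    ("zaib", "8100000a", "101.11.11.255", "10.0.0.5", 1000, 2800, 1800, 400000, 300000),
    ("zaib", "8100000b", "101.11.11.255", "10.0.0.5", 5000, None, 0, 200000, 150000),
    ("ali", "8100000c", "101.11.11.255", "10.0.0.6", 1000, None, 0, 100000, 100000),
]


def open_db():
    """In-memory database loaded with the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO radcheck (username, attribute, op, value) VALUES (?,?,?,?)", RADCHECK)
    con.executemany("INSERT INTO radacct (username, acctsessionid, nasipaddress, framedipaddress, "
                    "acctstarttime, acctstoptime, acctsessiontime, acctinputoctets, acctoutputoctets) "
                    "VALUES (?,?,?,?,?,?,?,?,?)", RADACCT)
    return con


def check_item(con, user, attribute):
    """Integer value of a radcheck attribute, or None when the user does not have it."""
    row = con.execute("SELECT value FROM radcheck WHERE username=? AND attribute=?", (user, attribute)).fetchone()
    return int(row[0]) if row else None


def active_sessions(con, user):
    """simul_count_query from dialup.conf: open sessions are the rows with no stop time."""
    return con.execute("SELECT COUNT(*) FROM radacct WHERE username=? AND acctstoptime IS NULL", (user,)).fetchone()[0]


def simultaneous_use_exceeded(con, user):
    """Would one more login exceed Simultaneous-Use? Users without the attribute are never limited."""
    limit = check_item(con, user, "Simultaneous-Use")
    return limit is not None and active_sessions(con, user) >= limit


def total_session_time(con, user):
    """sqlcounter 'timelimit' query; SUM over zero rows is NULL, hence the IFNULL."""
    return con.execute("SELECT IFNULL(SUM(acctsessiontime), 0) FROM radacct WHERE username=?", (user,)).fetchone()[0]


def remaining_session_time(con, user):
    """What sqlcounter returns as Session-Timeout: Max-All-Session minus the time already used."""
    limit = check_item(con, user, "Max-All-Session")
    return None if limit is None else max(limit - total_session_time(con, user), 0)


def total_octets(con, user):
    """sqlcounter 'totalbytecounter' query: input plus output octets over every session."""
    return con.execute("SELECT IFNULL(SUM(acctinputoctets) + SUM(acctoutputoctets), 0) "
                       "FROM radacct WHERE username=?", (user,)).fetchone()[0]


def users_over_quota(con):
    """The cron script's decision: online users with a Mikrotik-Total-Limit whose usage exceeds it."""
    over = []
    for (user,) in con.execute("SELECT DISTINCT username FROM radacct WHERE acctstoptime IS NULL ORDER BY username"):
        limit = check_item(con, user, "Mikrotik-Total-Limit")
        if limit is None:
            continue  # no quota attribute, nothing to enforce
        used = total_octets(con, user)
        if used > limit:
            over.append((user, used, limit))
    return over


if __name__ == "__main__":
    db = open_db()
    for user in ("zaib", "ali", "newuser"):
        print(user, "active:", active_sessions(db, user), "octets:", total_octets(db, user),
              "remaining seconds:", remaining_session_time(db, user))
    print("to disconnect:", users_over_quota(db))
```

The remaining-time value is what makes the time counters self-enforcing: sqlcounter sends it back as Session-Timeout, so the NAS ends the session on its own, whereas the byte counter only rejects the next login, which is why the cron script's disconnect step exists.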


Allah Shuker 🙂


BANDWIDTH CHANGE ON THE FLY – CHANGE OF AUTHORIZATION (COA) _for pppoe_

To change the bandwidth speed of an already connected user ON THE FLY, i.e. without disconnecting him, use the following code. It is well tested with Freeradius 2.x and Mikrotik 6.34.2.

Change the user name, rate limit, Mikrotik IP and port/secret as per your network.

echo User-Name := "zaib", Mikrotik-Rate-Limit = 512k/512k | radclient -x 101.11.11.255:1700 coa 12345
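The packets behind the radtest, radclient disconnect and radclient coa commands used throughout this post, as an added example that is not code from the original post, from FreeRADIUS or from MikroTik: the Python below builds and checks them by hand following RFC 2865 (Access-Request with PAP password hiding) and RFC 5176 (Disconnect-Request and CoA-Request with their Request/Response Authenticators), using only the standard library and sending nothing. The user name, NAS IP, secrets and session ID are the post's own sample values; the MikroTik vendor ID 14988 and the Mikrotik-Rate-Limit sub-attribute number 8 come from the MikroTik vendor dictionary linked above; the function names are my own.

```python
# Added example, not the post's code: RADIUS Access-Request, Disconnect-Request
# and CoA-Request encoding and authenticator checks (RFC 2865 / RFC 5176).
import hashlib
import os
import socket
import struct

# Packet codes
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types used below
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8
VENDOR_SPECIFIC, ACCT_SESSION_ID = 26, 44
# From the MikroTik vendor dictionary: VENDOR Mikrotik 14988, ATTRIBUTE Mikrotik-Rate-Limit 8
MIKROTIK_VENDOR_ID, MIKROTIK_RATE_LIMIT = 14988, 8

def attr(attr_type, value):
    """One attribute in Type-Length-Value form; Length counts the 2-byte header."""
    return bytes([attr_type, 2 + len(value)]) + value

def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute carrying one vendor sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack(">I", vendor_id) + attr(vendor_type, value))

def header(code, ident, attrs):
    return struct.pack(">BBH", code, ident, 20 + len(attrs))

def raw_attrs(packet):
    """Attribute bytes of a packet, honouring its Length field."""
    return packet[20:struct.unpack(">H", packet[2:4])[0]]

def hide_pap_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.encode() + b"\x00" * (-len(password.encode()) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret.encode() + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_pap_password(hidden, secret, request_auth):
    """Inverse of hide_pap_password (the server side); NUL padding stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret.encode() + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, mask))
    return out.rstrip(b"\x00")

def request_authenticator(code, ident, attrs, secret):
    """RFC 5176 2.3: MD5 of the packet with a zeroed authenticator field, then the secret."""
    return hashlib.md5(header(code, ident, attrs) + b"\x00" * 16 + attrs + secret.encode()).digest()

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5 of the reply with the request's authenticator, then the secret."""
    return hashlib.md5(header(code, ident, attrs) + request_auth + attrs + secret.encode()).digest()

def access_request(username, password, secret, nas_ip, ident=38, request_auth=None):
    """The packet radtest sends: User-Name, hidden User-Password, NAS-IP-Address."""
    ra = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_pap_password(password, secret, ra))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return header(ACCESS_REQUEST, ident, attrs) + ra + attrs

def disconnect_request(username, secret, ident=1, session_id=None, framed_ip=None):
    """The packet 'radclient ... disconnect' sends to the NAS CoA port (1700 on MikroTik)."""
    attrs = attr(USER_NAME, username.encode())
    if session_id:
        attrs += attr(ACCT_SESSION_ID, session_id.encode())
    if framed_ip:
        attrs += attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
    auth = request_authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    return header(DISCONNECT_REQUEST, ident, attrs) + auth + attrs

def coa_rate_limit(username, rate_limit, secret, ident=1):
    """The packet 'radclient ... coa' sends to change Mikrotik-Rate-Limit on a live session."""
    attrs = attr(USER_NAME, username.encode()) + vsa(MIKROTIK_VENDOR_ID, MIKROTIK_RATE_LIMIT, rate_limit.encode())
    return header(COA_REQUEST, ident, attrs) + request_authenticator(COA_REQUEST, ident, attrs, secret) + attrs

def parse(packet):
    """(code, ident, authenticator, [(type, value), ...]) of a packet."""
    data, pos, attrs = raw_attrs(packet), 0, []
    while pos < len(data):
        length = data[pos + 1]
        attrs.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return packet[0], packet[1], packet[4:20], attrs

def nas_accepts_request(packet, secret):
    """The NAS-side check on a Disconnect/CoA request; a wrong secret means a silent drop."""
    code, ident, auth, _ = parse(packet)
    return auth == request_authenticator(code, ident, raw_attrs(packet), secret)

def build_response(code, request, secret, attrs=b""):
    """A reply such as Disconnect-ACK, bound to the request it answers."""
    ident, request_auth = request[1], request[4:20]
    return header(code, ident, attrs) + response_authenticator(code, ident, attrs, request_auth, secret) + attrs

def client_accepts_response(response, request, secret):
    """The radclient-side check on a reply: same ID and a valid Response Authenticator."""
    code, ident, auth, _ = parse(response)
    return ident == request[1] and auth == response_authenticator(code, ident, raw_attrs(response), request[4:20], secret)
```

The two authenticator checks are all that ties a Disconnect or CoA packet to the radius host, so the shared secret in clients.conf and in the nas table carries the whole trust relationship; a NAS that is handed a packet with the wrong secret simply drops it, which is also what you see when a radclient disconnect times out with no reply.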



CHANGE BANDWIDTH PACKAGE TO LOWER AFTER DAILY QUOTA REACH

If you want to enforce FUP (fair usage policy), e.g. if a user allowed 1mb speed consumes X MB in a day, his bandwidth package should DROP to a lower speed such as 512k for that day.

Add the COUNTER for daily counting

nano /etc/freeradius/modules/sqlcounter_expire_on_login


sqlcounter dailyquota {
    counter-name = Mikrotik-Total-Limit
    check-name = Mikrotik-Total-Limit
    reply-name = Mikrotik-Total-Limit
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = "SELECT SUM(AcctInputOctets)+SUM(AcctOutputOctets) FROM radacct WHERE UserName='%{%k}'"
}

Now add the action for the above counter in the sites-available (or sites-enabled) file

nano /etc/freeradius/sites-available/default


dailyquota {
    reject = 1
}
if (reject) {
    ok
    update reply {
        Mikrotik-Rate-Limit := "512k/512k"
        Reply-Message := "You have reached your transfer limit. Limited bandwidth"
    }
}

Get Online User Names

mysql -uroot -pSQLPASS --skip-column-names -e "use radius; SELECT username FROM radacct WHERE acctstoptime IS NULL;" | cut -f1 -d/ | sort | uniq -d

(The trailing uniq -d prints only names that occur more than once, i.e. users with more than one open session; drop it to list every online user.)

Sample of sites-enabled/default file

authorize {
    ### ZAIB Section-1 Start Here ##
    preprocess
    chap
    mschap
    digest
    # If user name not found, print error
    sql {
        notfound = 1
    }
    if (notfound) {
        update reply {
            Reply-Message = 'Username not found'
        }
        reject
    }

    # Check mac, if invalid, then give this user ip from expired-pool
    checkval {
        reject = 1
    }
    if (reject) {
        ok
        update reply {
            Reply-Message := "Incorrect MAC!"
            Framed-Pool := "expired-pool"
            Mikrotik-Rate-Limit := "1k/1k"
        }
    }

    # If user is expired by date, then provide him from expired pool
    expiration {
        userlock = 1
    }
    if (userlock) {
        ok
        update reply {
            Reply-Message := 'Exp-Mod-Reply: Your account has expired.'
            Framed-Pool := "expired-pool"
            Mikrotik-Rate-Limit := "1k/1k"
        }
    }
    # pap sets Auth-Type = PAP whenever a User-Password is present; it belongs at this
    # level, not inside the if (userlock) block, or non-expired users get no Auth-Type
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
}

preacct {
    preprocess
    acct_unique
    suffix
}

accounting {
    detail
    unix
    sql
    exec
}

session {
    sql
}

### ZAIB Section-2 Start Here ## Default error
post-auth {
    exec
    Post-Auth-Type REJECT {
        update reply {
            Reply-Message = 'Wrong Password'
        }
        sql
        attr_filter.access_reject
    }
}
### ZAIB Section-2 ENDS Here ##

pre-proxy {
}

post-proxy {
    eap
}

USERS file

DEFAULT Auth-Type := PAP

SIMULTANEOUS-USE is ignored

In the NAS type, make sure you select the NAS type “other” if you are using Mikrotik, or else sim-use will not be checked on user login.


Reject Authentication based on RADGROUP

Create a group name entry, e.g. disabled, in the radgroupcheck table,

now tag the user name with this group name in radusergroup.


Regards

Syed Jahanzaib

November 30, 2012

DMASOFTLAB Radius Manager: Install + Backup + Restore [Short Reference Guide]


Ubuntu


LAST UPDATED:  8th JANUARY , 2014

Note:

You can also use radius manager automated installation script to install RM 4.0.4 and 4.1.0

https://aacable.wordpress.com/2014/01/04/automated-installation-script-for-radius-manager-v-4-0-44-1-4-with-latest-patch/

▼▼▼

Following is a short reference guide for DMASOFTLAB Radius Manager on Ubuntu Distro

Part-  1)         Installation Of RM with some TIPS,
Part- 2)         Complete Backup for RM and RM DB,
Part- 3)         Restore RM Data to new Installation.

▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲

PERSONAL NOTE:

Please be informed that you can get better, detailed installation instructions from the DMASOFTLAB official manual. This guide is an extracted version of the original manual with my custom modifications. Please consult the original manual and the DMA helpdesk for official support. I have no affiliation with DMA; it is just my personal experience you are reading in this guide. It can be wrong, or might not work as per your requirements. Just drop me a message or email for any correction or modification if required.

aacable [at] hotmail.com

Thank you
Syed Jahanzaib

▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲


▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲

Part-1 # Installation of Radius Manager 4.x on Ubuntu 10.4 [32/64 bit versions]

▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲

DMASOFTLAB Radius Manager 4.0 Short reference manual guide for UBUNTU 10.4  *** 32 /64 Bit Version

If you have a 64bit OS, then you have to download the compatible 64bit packages from the dmasoftlab download section: just note down the 32bit files in this guide and download the 64bit version of the same package from the DMA page.

After you have installed Ubuntu, configure IP address and enable internet access on it.

Now open a terminal window and issue the commands below to install the required modules, but make sure you update Ubuntu before doing anything further.

Create temp directory where you will download things


mkdir /temp
cd /temp
apt-get update
apt-get install mc wget rcconf make gcc mysql-server mysql-client libmysqlclient15-dev libperl-dev curl php5 php5-mysql php5-cli php5-curl php5-mcrypt php5-gd php5-snmp

### For 32bit Only, download following two items and install them
wget http://www.dmasoftlab.com/cont/download/libltdl3_1.5.24-1ubuntu1_i386.deb
wget http://www.dmasoftlab.com/cont/download/libltdl3-dev_1.5.24-1ubuntu1_i386.deb
dpkg -i libltdl3_1.5.24-1ubuntu1_i386.deb
dpkg -i libltdl3-dev_1.5.24-1ubuntu1_i386.deb

### For 64bit Only, download following two items and install them
wget http://www.dmasoftlab.com/cont/download/libltdl3_1.5.26-1ubuntu1_amd64.deb
wget http://www.dmasoftlab.com/cont/download/libltdl3-dev_1.5.26-1ubuntu1_amd64.deb
dpkg -i libltdl3_1.5.26-1ubuntu1_amd64.deb
dpkg -i libltdl3-dev_1.5.26-1ubuntu1_amd64.deb

IONCUBE Installation:

Now Download ioncube library

### For 32bit
wget http://www.dmasoftlab.com/cont/download/ioncube_loaders_lin_x86.tar.gz

### For 64bit
wget http://www.dmasoftlab.com/cont/download/ioncube_loaders_lin_x86-64.tar.gz

Untar it in any temp folder for example /temp/ioncube

### For 32bit
tar zxvf ioncube_loaders_lin_x86.tar.gz

### For 64bit
tar zxvf ioncube_loaders_lin_x86-64.tar.gz

Create new folder for ioncube in usr/local

mkdir /usr/local/ioncube

and copy the whole folder in /usr/local

cd /temp/ioncube
cp * /usr/local/ioncube/

Now Add the appropriate ionCube loader to your php.ini

e.g: in following files.

echo "zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.3.so" >> /etc/php5/apache2/php.ini
echo "zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.3.so" >> /etc/php5/cli/php.ini


Installation procedure of FreeRadius

cd /temp

wget http://www.dmasoftlab.com/cont/download/freeradius-server-2.2.0-dma-patch-2.tar.gz
tar zxvf freeradius-server-2.2.0-dma-patch-2.tar.gz

cd freeradius-server-2.2.0/

### Now proceed with the compilation of FREERADIUS, applicable for all
./configure
make
make install

ldconfig

Now test RADIUS by issuing following command:


radiusd -X

You will see something like below . . .

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

TIP: After issuing the make command, if you see errors like the ones below

gcc -o .libs/radeapclient .libs/radeapclient.o libeap/.libs/libfreeradius-eap.so -lnsl -lresolv -lpthread
/usr/bin/ld: .libs/radeapclient.o: undefined reference to symbol 'fr_perror'
/usr/bin/ld: note: 'fr_perror' is defined in DSO /root/freeradius-server-2.1.8/src/lib/.libs/libfreeradius-radius-2.1.8.so so try adding it to the linker command line
/root/freeradius-server-2.1.8/src/lib/.libs/libfreeradius-radius-2.1.8.so: could not read symbols: Invalid operation
collect2: ld returned 1 exit status
make[6]: *** [radeapclient] Error 1
make[6]: Leaving directory `/root/freeradius-server-2.1.8/src/modules/rlm_eap'
make[5]: *** [common] Error 2
make[5]: Leaving directory `/root/freeradius-server-2.1.8/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/root/freeradius-server-2.1.8/src/modules'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/root/freeradius-server-2.1.8/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/freeradius-server-2.1.8/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/root/freeradius-server-2.1.8'
make: *** [all] Error 2

To solve this problem, add the following directive

-lfreeradius-radius-2.1.8

in freeradius-server-2.1.8/src/modules/rlm_eap/Makefile .
Open it in nano/vi or any text editor by,

nano freeradius-server-2.1.8/src/modules/rlm_eap/Makefile

Before editing

$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(RLM_LDFLAGS) -o radeapclient radeapclient.lo $(CLIENTLIBS) $(LIBS) $(OPENSSL_LIBS)

After editing done

$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(RLM_LDFLAGS) -lfreeradius-radius-2.1.8 -o radeapclient radeapclient.lo $(CLIENTLIBS) $(LIBS) $(OPENSSL_LIBS)

Save & Exit.

now run make and make install again.

make
make install


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Set the correct ownership on FreeRadius configuration files
================================================

chown www-data /usr/local/etc/raddb
chown www-data /usr/local/etc/raddb/clients.conf

TIP:

Review and edit (if required) the MySQL credentials in /usr/local/etc/raddb/sql.conf (Just in case you have mentioned different password/id for mysql)


Creating MySQL databases with MySQL command line tool
===============================================

mysql -u root -ppassword

CREATE DATABASE radius;
CREATE DATABASE conntrack;
CREATE USER 'radius'@'localhost' IDENTIFIED BY 'yourpass';
CREATE USER 'conntrack'@'localhost' IDENTIFIED BY 'yourpass';
GRANT ALL ON radius.* TO radius@localhost;
GRANT ALL ON conntrack.* TO conntrack@localhost;
exit

==================================
Time to Install RADIUS MANAGER 4.0.4

==================================

Copy the radius manager radiusmanager-4.0.4.tgz (or your version) in any temp folder
now extract it using


tar zxvf radiusmanager-4.0.4.tgz
cd radiusmanager-4.0.4/
chmod +x install.sh

Start RADIUS MANAGER Installation script

Execute the installation Script . . .

(If you are new to the radius manager installation, use the default password scheme; it will save you from a few headaches. BUT later on, as you get familiar with the system, CHANGE the default passwords, as it is a risk to keep using them.)


./install.sh

Now the install script will ask few questions . . . Select answers as per your local design.

For example:
Select the Operating  System
2
(For Ubuntu)

Select Installation type:
1
(New Installation)

WWW root path:
Press Enter to select the Default , which is /var/www

Radius Database host:
Press Enter to select the Default , which is localhost

Radius Database username:
Press Enter to select the Default , which is radius

Radius Database password:
Press Enter to select the Default , which is radius123

CTS Database host:
Press Enter to select the Default , which is localhost

CTS database username:
Press Enter to select the Default , which is conntrack

CTS database password:
Press Enter to select the Default , which is conn123

Freeradius UNIX User:
Press Enter to select the Default , which is root

Httpd Unix User:
Press Enter to select the Default , which is www-data

Create rmpoller service:
Press Enter to select the Default , which is y (yes)

create rmconntrack service:
Press Enter to select the Default , which is y (yes)

Backup Radius database:
Press Enter to select the Default , which is y (yes)

Now it will ask if you want to start the installation
Press y and press ENTER to continue the installation.

and at the end you will see INSTALLATION COMPLETE!

As shown in the image below . . .

Now copy the two license files (that you receive from DMASOFTLAB) in /var/www/radiusmanager

lic.txt
mode.txt

Now access the admin panel from your browser

http://yourip/radiusmanager/admin.php

As shown in the image below . . .


Adding NAS (Mikrotik) in Radius Manager + Mikrotik Radius Configuration for RM

RADIUS MANAGER SECTION:

Login to Administration Control Panel (ACP) of RM.
Goto NAS / NEW
Fill in the required info, like the Mikrotik name, IP address and Secret.
As shown in the images below . . .

[image: new-nas1]

[image: new-nas2]

▼▲▼▲▼▲▼▲▼▲▼▲

MIKROTIK SECTION

▼▲▼▲▼▲▼▲▼▲▼▲

 

Now Login to Mikrotik,
Goto PPP Section
Click on PPP Authentication & Accounting
Click on Use Radius
As shown in the images below . . .

[image: mikrotik-rad-1]

[image: mikrotik-rad2]

Now create any user in RM, and connect it from the client end using PPPoE (or test it via radtest).

Examples:

[image: rm-online-users]

[image: all-showed]

[image: radius-2]

[image: radtest]

TIPS:


Testing Radius via radtest

First edit /etc/hosts

and map the system's hostname to the loopback IP, i.e. 127.0.0.1,
as shown in the example below . . .

[image: radius-hosts]

Don’t forget to restart radiusd after making changes to the NAS list!

service radiusd restart

Now issue the following command to test.


radtest user 1111 127.0.0.1 1812 testing123

and you should see the following (with Access-Accept):

[image: radius-radtest-OK]

Various Errors & Troubleshooting . . .

1# : IF YOU ARE USING CUSTOM PASSWORD (NOT DEFAULT)

If you see the following error while accessing admin.php

Could not connect to localhost

[image: could-not-connect-mysqls]

If you are using your own password (other than the default RM password), then make sure your passwords for the radius and conntrack hosts are set correctly in


/etc/radiusmanager.cfg

/var/www/radiusmanager/config/system_cfg.php

/usr/local/etc/raddb/sql.conf

2# : Blank page is showing while accessing admin.php

If you see a blank page while accessing admin.php, one of the following could be wrong:
a- Your license files are not valid or have expired.
b- You have not installed the ionCube library correctly.

To test if your license is valid, tail /var/log/apache2/access.log and error.log; they will show whether your license has issues such as being expired or invalid due to MAC address restrictions.

To test the IONCUBE LIBRARY, open a terminal and type

php -v

& you should see something similar to the output below . . . (Focus on the last line, which mentions the ionCube PHP Loader . . .)

root@zaib-desktop:~# php -v

PHP 5.3.2-1ubuntu4.18 with Suhosin-Patch (cli) (built: Sep 12 2012 19:33:42)
 Copyright (c) 1997-2009 The PHP Group
 Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
     with the ionCube PHP Loader v4.2.2, Copyright (c) 2002-2012, by ionCube Ltd.

3# : Incorrect User name & Passwords in Mikrotik LOG

If you are seeing the 'Incorrect user name and password' error in the Mikrotik logs for users created on RM, then make sure you have defined the correct password in /usr/local/etc/raddb/sql.conf

4# : NAS NOT FOUND in RADTEST

If you see NAS NOT FOUND in radtest, please see the heading “Testing Radius via radtest“.

If the hostname is different from localhost (e.g. you have some other hostname for the machine, such as radius), then

Edit /etc/hosts

and map the system's hostname to the loopback IP, i.e. 127.0.0.1

As shown in the example below . . .

[image: radius-hosts]

Don’t forget to restart radiusd after making changes to the NAS list!


service radiusd restart

▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲

Part-2 # COMPLETE BACKUP

▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲

Use the following link to get the backup script.

https://aacable.wordpress.com/2011/11/16/dmasoftlab-radius-manager-backup-script/

Or use the manual method

To take a full backup, use the following.

Create a backup folder in root /


 mkdir /backup

Now copy the whole contents of the following folders,

/etc
/usr/local
/var/www
/var/lib/mysql



TIP: You can use the following command to copy the whole contents and zip them

tar cfz /backup/myrmbackup.tgz /etc /home/root /usr/local /var/www /var/lib/mysql

You can schedule it to run on a daily basis.

Now create a MySQL dump of the RADIUS database
(which holds the RM users and other data)

mysqldump -u radius -pRADIUSPASSWORD radius > /backup/db_full_type_current_date.sql
gzip -f /backup/db_full_type_current_date.sql

(Tip# To unzip the .gz file, use gzip -d filename.gz )

▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲

Part-3 # RESTORE FROM BACKUP

▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲▼▲

If somehow your server crashes and you have to rebuild it from scratch, you can restore the database using the procedure below. (To simplify things, use the same OS.)

1) Install the OS (same as the previous one, in this example Ubuntu)
2) Install RM with the same config you used for the previous installation, e.g. radius DB passwords and folder locations
3) Restore all the folders from the backup (the one taken in the Part-2 backup section) to their original locations,
by running the following command in / (the main root folder)

tar zxvf full_data.tgz
(replace full_data.tgz with your archive's file name)

4) Now it's time to restore the mysql radius DB; use the command below to restore the DB in mysql.

mysql -u root -prootpassword radius < db_full_type_current_date.sql

Change db_full_type_current_date.sql to match your MySQL backup file name.

Now restart your box once.

If you receive ‘cannot connect to localhost‘ check the passwords in

/etc/radiusmanager.cfg
/var/www/radiusmanager/config/system_cfg.php
/usr/local/etc/raddb/sql.conf

Also check the DB password for user radius in MySQL. You can change the DB password with these commands:

mysql -u root -pYOURPASSWORD
use mysql;
SET PASSWORD for 'radius'@'localhost' = PASSWORD('radius123');
# more examples for the Radius Manager related accounts
SET PASSWORD for 'conntrack'@'localhost' = PASSWORD('conn123');


Now restart your box and hopefully everything will be restored back to normal
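The Part-2 backup and Part-3 restore steps above, put together as one POSIX sh script. This is an added example, not the post's own backup script from the link above and not part of Radius Manager: the folder list, the /backup location and the radius database name/user are taken from the commands above, while the date-stamped file name, the 14-day retention, the MYSQL_PWD handling and the restore rehearsal (unpack the archive into a scratch folder and diff it against the live tree) are mine. Without RM_BACKUP_RUN=1 the file only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original post): dated backup of the Radius
# Manager folders + a gzipped mysqldump, followed by a restore rehearsal.
# Paths, database name and user are assumptions taken from the post's commands.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/backup}"
RM_DIRS="/etc /usr/local /var/www /var/lib/mysql"   # folders the post says to copy
VERIFY_DIRS="/etc /usr/local /var/www"              # /var/lib/mysql changes while mysqld runs
DB_NAME="${DB_NAME:-radius}"
DB_USER="${DB_USER:-radius}"

# backup_name PREFIX : print PREFIX_YYYY-MM-DD_HHMM so daily runs never overwrite each other
backup_name() {
    printf '%s_%s\n' "$1" "$(date +%Y-%m-%d_%H%M)"
}

# archive_dirs ARCHIVE DIR... : tar+gzip DIR... into ARCHIVE (tar strips the leading /)
archive_dirs() {
    _archive="$1"; shift
    tar czf "$_archive" "$@"
}

# dump_db OUTFILE.gz : mysqldump of the RM database, then gzip (the post's two steps).
# The password comes from the MYSQL_PWD environment variable (as the post's cleanup
# script does) instead of -pPASSWORD, which every local user could read from ps.
dump_db() {
    _plain="${1%.gz}"
    mysqldump -u "$DB_USER" "$DB_NAME" > "$_plain"   # aborts the run under set -e if the dump fails
    gzip -f "$_plain"
}

# restore_dirs ARCHIVE DEST : unpack ARCHIVE under DEST (DEST=/ for a real restore, step 3)
restore_dirs() {
    mkdir -p "$2"
    tar xzf "$1" -C "$2"
}

# verify_archive ARCHIVE DIR... : unpack into a scratch folder and diff against the
# live tree; succeeds only if every DIR restores byte-for-byte
verify_archive() {
    _archive="$1"; shift
    _scratch="$(mktemp -d)"
    restore_dirs "$_archive" "$_scratch"
    _rc=0
    for _d in "$@"; do
        diff -r "$_d" "$_scratch/${_d#/}" >/dev/null || _rc=1
    done
    rm -rf "$_scratch"
    return "$_rc"
}

# Full run only when RM_BACKUP_RUN=1, so the file can be sourced for testing
if [ "${RM_BACKUP_RUN:-0}" = 1 ]; then
    mkdir -p "$BACKUP_DIR"
    name="$(backup_name "$BACKUP_DIR/rm")"
    # word splitting of the folder lists is intended here
    archive_dirs "$name.tgz" $RM_DIRS
    dump_db "$name.sql.gz"
    if verify_archive "$name.tgz" $VERIFY_DIRS; then
        echo "restore rehearsal OK: $name.tgz"
    else
        echo "restore rehearsal FAILED for $name.tgz, do not trust this backup" >&2
        exit 1
    fi
    find "$BACKUP_DIR" -name 'rm_*' -mtime +14 -exec rm -f {} +   # keep 14 days
fi
```

Run it from cron as `RM_BACKUP_RUN=1 MYSQL_PWD=radius123 sh /root/rm_backup.sh` (hypothetical path; radius123 is the default from the install prompts, use your own). /var/lib/mysql is archived but deliberately left out of the diff because InnoDB rewrites its files while mysqld is running; the gzipped mysqldump is what you load back in Part-3 step 4, the tar archive covers the configs and web files. For a real restore, `restore_dirs /backup/rm_DATE.tgz /` does step 3 in one line.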



▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼▼

Some  TiPS  For  Customizations . . .

▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲


Howto Configure Email notifications 

To configure the Email server, edit the following file,

/var/www/radiusmanager/config/system_cfg.php

Go to the SMTP section and modify it as per your local SMTP server/user/domain.
Example:

// SMTP definitions

define('smtp_relay', '1.2.3.4');                          // SMTP relay
define('smtp_port', 25);                                    // SMTP port
define('smtp_auth', FALSE);                             // SMTP authentication
define('smtp_user', 'syed.jahanzaib');           // SMTP user name
define('smtp_psw', 'my_pass');                       // SMTP password
define('mail_from', 'zaib@xyz.com');             // sender address
define('mail_fromname', 'Syed Jahanzaib');  // sender name
define('mail_newuser', 'zaib@xyz.com');      // self registered new user notification
define('mail_localdomain', 'xyz.com');           // default domain name

Now configure some settings in ACP / Systems / System Settings

[image: email-sms-alert-config]


HOWTO REPLACE/MODIFY DMASOFTLAB RM LOGO and TEXT !!!

You can replace/edit the default DMASOFTLAB logo files. By default the images are in the images folder under the directory where you installed radiusmanager.

For example, I installed RM in /var/www/html/radiusmanager. There is a folder named 'images'; look for these files:

dmalogo_small.gif
radmanlogo_small.gif
main1_01.gif
main1_02.gif
main1_03.gif
emailheader.gif



Edit Various Texts/Headings Shown in the UCP/ACP

You can also edit the texts/descriptions in the language description files in the radiusmanager/lang/english folder.
Look for texts.txt and strings.txt.




To Add Logo in Prepaid Cards

You can modify its base image in the radiusmanager/lang/english/card folder.
Look for classic_bg.png and refill_bg.png.

To add a logo to the prepaid classic cards, copy classic_bg.png to your Windows desktop, edit it in any image editing software (I used the default MS Paint), add your logo, save the file with a .jpg extension, e.g. classic_bg.jpg, and upload it back to radiusmanager/lang/english/card.

Now edit the following file,

/var/www/radiusmanager/config/system_cfg.php

and change classic_bg.png to classic_bg.jpg,

As shown in the image below . . .

[image: refill_2]

Save & Exit.

Now generate your cards, and you will see your logo shining 🙂

[image: refill_3]


To clear the LOGS in RM ACP [last syslog events]

mysql -uroot -pSQLPASSWD -e "truncate rm_syslog" radius



PHP Warning: main(config/payfast_cfg.php): failed to open stream: No such file or directory in /var/www/radiusmanager/user.php on line 0

If you receive the above error, just rename the following file

/var/www/radiusmanager/config/payfast_cfg.php.dist

to

/var/www/radiusmanager/config/payfast_cfg.php



Simultaneous Session config for user in Mikrotik/RM

If you want to allow simultaneous sessions for specific users . . .

1- Set the SHARED USERS option in the User Profile to the required number of simultaneous users . . . As shown in the image below . . .

[image: 3-mt-hotspot-default-profile-user]

2- In the USER EDIT properties, modify the number of simultaneous users you want to allow (for a specific user or group) . . . As shown in the image below . . .

[image: 2-rm user shared user option]

3- Now test by logging in with the same ID from 2 computers . . . As shown in the image below . . .

[image: 1- rm]


Modify Country Listing

To modify the countries that appear in the country list, edit the following file

/var/www/radiusmanager/config/system_cfg.php

Look for // Country List, and modify it as per your requirements. A modified example is below . . .

[image: rm_country_list]

Save, exit, and reload the RM ACP page, and you will see the new countries in the list.



AP’S SIGNALS STOP SHOWING IN ONLINE USERS

If the APs' signals stop showing in Online Users, try

deleting the stale lockfile (/tmp/wlanpoller.pid).


Allow Special characters in Username / Passwords

By default special characters are not allowed, not even the dash or the at sign (@). To allow them, open the config file (on Ubuntu the path is the following):

nano /var/www/radiusmanager/config/system_cfg.php

for CentOS users,

nano /var/www/html/radiusmanager/config/system_cfg.php

and search for the following


regexp_username

regexp_managername

regexp_psw

and replace the old values with the following

define('regexp_username', '/^[a-z0-9._!@#$%&*]+$/');                  // regular expression for validating user names

define('regexp_managername', '/^[a-z0-9._!@#$%&*]+$/');               // regular expression for validating manager names

define('regexp_psw', '/^[a-zA-Z0-9._!@#$%&*]+$/');                    // regular expression for validating passwords

Save and exit, and reload the admin page in the browser.
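Before changing the three defines, it is worth seeing exactly which names and passwords the widened character classes will accept. The script below is an added example, not part of the original post or of Radius Manager: it takes the two character classes from the defines above, rewritten as POSIX extended regular expressions for grep -E, and runs them over a constructed list of candidates; the function names and the sample inputs are mine.

```shell
#!/bin/sh
# Added example (not from the original post): screen candidate user names and
# passwords against the widened Radius Manager character classes quoted in the
# post, rewritten as POSIX extended regular expressions for grep -E.
# The two classes are the post's; the sample inputs below are constructed.

USERNAME_RE='^[a-z0-9._!@#$%&*]+$'       # regexp_username / regexp_managername
PASSWORD_RE='^[a-zA-Z0-9._!@#$%&*]+$'    # regexp_psw (upper case allowed here)

# rm_username_ok STRING : exit 0 if STRING passes regexp_username
# (LC_ALL=C keeps the a-z range from swallowing upper case in some locales)
rm_username_ok() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq "$USERNAME_RE"
}

# rm_password_ok STRING : exit 0 if STRING passes regexp_psw
rm_password_ok() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq "$PASSWORD_RE"
}

# rm_check_usernames FILE : one line per candidate in FILE, prefixed OK or REJECT,
# so an existing or planned user list can be screened before the config change
rm_check_usernames() {
    while IFS= read -r _candidate; do
        if rm_username_ok "$_candidate"; then
            printf 'OK      %s\n' "$_candidate"
        else
            printf 'REJECT  %s\n' "$_candidate"
        fi
    done < "$1"
}

# Constructed sample list (not from the post): the last four are rejected by the new class too
_sample="$(mktemp)"
printf '%s\n' 'syed.jahanzaib' 'user@isp' 'card#101' 'Syed' 'a-b' 'a b' "o'brien" > "$_sample"
rm_check_usernames "$_sample"
rm -f "$_sample"
```

Two things the run makes visible: the class is a whitelist, so spaces, quotes, semicolons and slashes stay out even after the change, and the dash mentioned at the start of this section is still not in it; if you need dashes, add `-` as the last character inside the brackets (so it is not read as a range) in all three defines.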


 Radius LOGS

/usr/local/var/log/radius


Create short name for Radius Admin Panel

Example: If you want to access the radius admin panel using a short name, something like

http://10.0.0.1/panel

then edit the file `/etc/apache2/sites-enabled/000-default`

and add these lines at the end (but before the closing </VirtualHost> directive), so the last lines of the file look like this . . .

Alias /panel /var/www/radiusmanager
<Directory /var/www/radiusmanager>
DirectoryIndex admin.php
Options Includes Indexes FollowSymLinks MultiViews
</Directory>
</VirtualHost>

(Indexes lets Apache list the contents of any folder under /var/www/radiusmanager that has no index file; leave it out of the Options line if you do not want sub-folders such as config/ to be browsable.)


While generating prepaid cards, it gets stuck

The OP reported that while generating prepaid cards, the browser got stuck and the cards did not generate. After enabling mysql.log I observed that it was looping through the rm_cards table. The system had 11000 card users, and 7000 of them were expired and had remained there for a long time. I used the following script to clean them up.


#!/bin/sh
#set -x
SQLPASS="MYSQL-PASSWORD"
# the mysql client reads the password from MYSQL_PWD, so it is not exposed on the command line
export MYSQL_PWD=$SQLPASS
> /tmp/expired.users.txt
#mysql -uroot -e "use radius; select username from rm_users where expiration BETWEEN '2010-01-01' AND '2019-04-30';" |sort > /tmp/expired.users.txt
#delete from rm_users where expiration BETWEEN '2010-12-01' AND '2019-04-01';

#GET LIST OF USERS THAT ARE EXPIRED (LEAVE CURRENT 2 MONTHS USERS)
# (the comparison was lost from the original post's HTML; the condition below is
#  reconstructed from the comment above. -N drops the "username" header line so
#  it is never treated as an account name and deleted)
mysql -uroot -N -e "use radius; select username from rm_users where expiration < DATE_SUB(CURDATE(), INTERVAL 2 MONTH);" | sort > /tmp/expired.users.txt
num=0
while read -r users
do
num=$((num+1))
USERNAME=$(echo "$users" | awk '{print $1}')
echo "$num: $USERNAME ---- deleting user record from all relevant tables"
mysql -uroot -e "use radius; DELETE FROM rm_cards WHERE cardnum = '$USERNAME';"
mysql -uroot -e "use radius; DELETE FROM rm_users WHERE username = '$USERNAME';"
mysql -uroot -e "use radius; DELETE FROM rm_changesrv WHERE username = '$USERNAME';"
mysql -uroot -e "use radius; DELETE FROM radcheck WHERE username = '$USERNAME';"
mysql -uroot -e "use radius; DELETE FROM radacct WHERE username = '$USERNAME';"
mysql -uroot -e "use radius; DELETE FROM rm_radacct WHERE username = '$USERNAME';"
done < /tmp/expired.users.txt


Allah Hafiz

🙂


Regard’s
Syed Jahanzaib
aacable [at] hotmail.com
