by

LMS8000 / LMS4000
WaveRider LMS RADIUS Integration:
FreeRADIUS and MySQL*

tn068F

*Part of the “WaveRider Free Solutions” series of articles

RELEASE 1.6.2, September 2008 Proprietary to Vecima Networks Inc. © by Vecima Networks Inc., 2008 Permission to Reproduce Except as otherwise specifically noted, the information in this publication may be reproduced, in part or in whole and by any means, without charge or further permission from Vecima Networks Inc., provided that due diligence is exercised in ensuring the accuracy of the information reproduced; that Vecima Networks Inc. is identified as the source; and that the reproduction is not represented as an official version of the information reproduced. This publication is also available electronically on the World Wide Web at the following address: www.wr.vecimasupport.com Vecima Networks Inc. reserves the right to revise this publication and to make changes in content from time to time without obligation on the part of Vecima Networks Inc. to provide notification of such revision or change. Vecima Networks Inc. provides this guide without warranty of any kind, either implied or expressed, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Vecima Networks Inc. may make improvements or changes in the product(s) described in this manual at any time. Specifications subject to change without notice.

Getting Support An extensive knowledge base is available at http://www. Training Vecima offers a complete training program. could result in damage to.Preface Conventions The following conventions are used throughout this document:       Replace existing text or enter exact text that is highlighted in bold System prompts and/or pre-existing configuration file text are non-stylized. TIP: Whenever you see this icon and heading.wr. the equipment or software. testing. which. the associated text discusses an issue. tn068F i . Visit the web page to:  Get the latest announcements from Vecima Networks. or operation of the equipment or software.com. Priority support Vecima also offers priority telephone and email support. the associated text provides a tip for facilitating the installation.  Consult the KnowledgeBase for troubleshooting information. Please contact you sales representative for training information. or other information about the WaveRider product line. EUM ID) CAUTION: Whenever you see this icon and heading. or improper use of. manuals.  Register and contact technical support to help you with unexpected problems.vecimasupport. normal font Special characters/instructions are italic Emphatic terms and words are red Continuation of configuration file text or special characters is indicated with “…” Values surrounded by square brackets ( [ ] ) are variable (ie. if not followed.  Download product related software. application notes. Please contact your sales representative for details.

.............................................................................................. 3 3..........................................................2...Contents Preface ....................................................................................... 1 2 Installation ........................................................................................................... 3 3........................................................ 9 5 Administration .................................... i 1 Introduction .............................................................................................................................................................................2 Network Diagram ........................................................2 MySQL....... 5 4 Implementation ................................................................................................................................................................................................................................... 4 3............................................................................................................................2............................................................................................................... 13 5.............................................. 15 7 Appendix .............................................................................................................................................2............................................................................................................................................................................................................................... 16 Tables Table 1: FreeRADIUS Default File Locations ...................................................................................................................................... 5 Table 3: MySQL method FreeRADIUS configuration .................................................................................................. 12 5................1 FreeRADIUS log files (static files method)..................1 Detailed Tasks .................................2..................... 16 Figures Figure 1: System Topology Example ................ 1 1....................................................................................................................................................2 FreeRADIUS ....................................................................................................................................................................................................................... 13 6 Resources ................................1 Static File Authentication........................1 CCU3000 / CCU3100 / CCU8000.....................................................................................................2 Monitoring.....................................................................................................................................................................................................................................2 MySQL....................................................................................................................................................................................................................................................................................................................... 12 5............................... 4 3................................................................................................. 2 3 Configuration................................................................................................................. 4 Table 2: Static files method FreeRADIUS configuration....1 MySQL ........ 1 tn068F ................................................... 6 Table 4: WaveRider Vendor-Specific Attributes................................. 1 1....... 13 5.......................................................................................................

or a MySQL (v5. as well as accumulate RADIUS accounting statistics. Download and install FreeRADIUS and MySQL 3.10) installation of FreeRADIUS (v1. the system will allow FreeRADIUS to update the CCU3000.1 Detailed Tasks 1.0. It is understood that systems and/or network administrators customize the configurations to best suit the topology and needs of their own deployment requirements.1. CCU3100 or CCU8000 authorization tables.1 Introduction This technical note presents step-by-step configuration and examples for installing and configuring a Linux (Ubuntu Edgy Eft v6. 1. The configuration examples detailed in this document were not designed or intended to work in every WaveRider® LMS deployment.3) using either the static configuration files included with the software. Configure WaveRider® CCU3000. thus allowing auto-configuration of the EUMs. and populate MySQL database 5. Configure FreeRADIUS a) static file authentication method b) MySQL authentication method 4. Once successfully installed and configured. administration and monitoring of FreeRADIUS and MySQL is also addressed. CCU3100 or CCU8000 RADIUS client 2. It is highly recommended that the administrator following these examples possesses a solid understanding of Linux fundamentals in order to take the necessary precautions towards securing the configured system. Vecima’s WaveRider AES does not support or troubleshoot the Linux operating system. Implementation. Administrate and monitor FreeRADIUS implementation 1.2 Network Diagram Figure 1: System Topology Example tn068F 1 . Start the FreeRADIUS server daemon 6. log in to.41) database. Create.

i. Download and install FreeRADIUS using either the Synaptics Package Manager (GUI) or manually via ftp://ftp.2 Installation Following the steps below to install the latest version of FreeRADIUS.cnf) Optional:  mysql-query-browser-common (Architecture independent files for MySQL Query Browser)  mysql-query-browser (Official GUI tool to query MySQL database)  mysql-navigator (GUI client program for MySQL database server)  mysql-admin-common (Architecture independent files for MySQL Administrator)  mysql-admin (GUI tool for intuitive MySQL administration) tn068F 2 . Download and install MySQL and its associated modules by using either the Synaptics Package Manager (GUI) or manually by simply typing the following commands in a terminal window: sudo apt-get install mysql-server sudo apt-get install mysql-server-5.html.freeradius./configure  make  make install Package Manager download/install Required:  mysql-server-5./configure  make  make install Package Manager download/install  freeradius (‘A high performance and highly configurable RADIUS server’)  freeradius-mysql (‘MySQL module for FreeRADIUS server’) The FreeRADIUS tarball must be downloaded and extracted to retrieve the MySQL database schema for later use: http://freeradius. Manual download/install  tar xvf freeradius.gz  cd freeradius  .g.0 (mysql database client binaries)  mysql-client (mysql database client current version)  mysql-common (mysql database common files (e.tar. /etc/mysql/my.0 (mysql database server binaries)  mysql-server (mysql database server current version)  mysql-client-5.tar.gz  cd mysql  . Check the release notes or search the extracted files for the mysql.org/pub/radius or by simply typing “sudo apt-get install freeradius” and “sudo apt-get install freeradius-mysql” (if the SQL authorization method is to be used) in a terminal window.sql schema template file.0 sudo apt-get install mysql-client-5. ii.org/getting.0 sudo apt-get install mysql-client sudo apt-get install mysql-common Manual download/install  tar xvf mysql.

time=5 ms 64 bytes from 192.1. See the ‘clients.1.. Access the CLI using telnet via the local link or operator-configured static IP.1. 5 packets received. ii.PING 192.1 and 3.168.1.1.1.254: icmp_seq=1.1.254 Press any key to stop.168.conf’ file configuration in section 3.168.253 PING Statistics---5 packets transmitted.253: icmp_seq=0.168.254: icmp_seq=2.168.PING 192.1.253 Press any key to stop.2.1.168.254 Enter password (up to 16 chars): waverider123 The shared secret (‘password’ shown above) can be any 1-16 alpha-numeric value. time=15 ms 64 bytes from 192. 5 packets received.254: icmp_seq=0.254 PING Statistics---5 packets transmitted. time=5 ms 64 bytes from 192. time=5 ms 64 bytes from 192.154: 56 data bytes. time=5 ms 64 bytes from 192. 0% packet loss round-trip (ms) min/avg/max = 5/7/15 iii.. Configure the secondary RADIUS server IP†: 64:08:05*CCU> auth rad sec 192.168.253: icmp_seq=2.2.168.3 Configuration 3. i. time=5 ms 64 bytes from 192.1.168. time=5 ms ----192.1. All configuration commands are required unless otherwise indicated (†).168.1. time=5 ms ----192.168.253 Enter password (up to 16 chars): waverider123 tn068F 3 . time=5 ms 64 bytes from 192.168.1. Configure the primary RADIUS server IP and shared secret: 64:08:05*CCU> auth rad pri 192.. 490 ms interval (accurate to +.1. 0% packet loss round-trip (ms) min/avg/max = 5/7/15 64:08:05*CCU> ping 192..254: icmp_seq=4. 490 ms interval (accurate to +. sets the client request period to 5 minutes. iv. enables and sets the accounting method to stop/start.253: icmp_seq=4.168.5 ms) 64 bytes from 192. The secret configured on the CCU RADIUS client and on the RADIUS server must match.1 CCU3000 / CCU3100 / CCU8000 The following example configures the CCU RADIUS client with a primary and secondary RADIUS server with a shared secret.253: icmp_seq=1.1.1.253: 56 data bytes. and enables the RADIUS client.254: icmp_seq=3.168.168.1. Verify CCU can ping the RADIUS servers: 64:08:05*CCU> ping 192.253: icmp_seq=3. time=15 ms 64 bytes from 192.168.5 ms) 64 bytes from 192.168.1.2.168.

Change the RADIUS client request period† (default = 60 minutes): 64:08:05*CCU> auth rad per 5 vii. adds the primary and secondary CCU RADIUS clients to the clients.v.254 { [tab]… secret [tab]… = waverider123 [tab]… shortname [tab]… = CCU1 } client 192.conf file with IP address. editing only each EUM ID and its applicable attribute values.2 FreeRADIUS FreeRADIUS may be configured to use either a static file (the ‘users’ file) OR an SQL database with which to authorize EUMs. Enable the RADIUS client: 64:08:05*CCU> auth rad enable * Refer to section 5.253 { [tab]… secret [tab]…… = waverider123 [tab]… shortname [tab]… = CCU2 4 . shared secret and short name. Also. 3. the network administrator can control RADIUS authentication directly. † Optional configuration. the operator is limited to using only the RADIUS-related fields defined in the dictionary file.conf /etc/freeradius logdir /var/log/freeradius raddbdir /etc/freeradius radacctdir /var/log/freeradius/radacct log_file /var/log/radius.1.conf log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes authorize { … files tn068F clients.conf client 192. it has more administrative overhead as changes need to be tracked and performed manually and is therefore not well suited for front-office business reference functions such as customer billing. 3.168. Using the ‘users’ file for authorization is most efficient on the server system’s resources.conf /etc/freeradius Table 1: FreeRADIUS Default File Locations The following example instructs FreeRADIUS to use the static file authorization and accounting method (radiusd.log libdir /usr/lib/freeradius pidfile ${run_dir}/freeradius. etc.1 Static File Authentication Using the static ‘users’ file. Each subsequent paragraph entry can be copied and pasted at the end of the file. Configuration files may be edited using Vi (command line – Linux server installation) or a Linux text editor (via KDE or GNOME GUI).1.pid clients.2. radiusd. adds two (2) EUMs to the users file that defines the GOS (grade of service) to be used for each. Configuration File or Folder Default Path radiusd. and sets the maximum number of customers (hosts) that can access the radio link through each EUM. Enable RADIUS accounting†*: 64:08:05*CCU> auth rad acc stopstart vi. The database configuration example below uses the popular MySQL platform.conf /etc/freeradius users. EUMs (users) are added by their EUM IDs in the ‘users’ configuration file in paragraph form. However.168.conf).4 of the WaveRider ‘Managing the Network’ guide (lms052_ap_01) for more detail on the start/stop and update RADIUS accounting modes. location.

vecimasupport. User-Password == buywavc [tab]… WaveRider-Grade-of-Service = gold. comment out entries in the users file and update radiusd.conf as shown below. [tab]… WaveRider-Max-Customers = 3 Table 2: Static files method FreeRADIUS configuration The ‘User-password’ is not to be confused with the shared secret as configured on the CCU RADIUS client in section 3.1 and in the ‘clients. The ‘sql.1 and 3. thus avoiding data entry duplication errors. as well as monitor RADIUS activity.2. #[tab]… WaveRider-Max-Customers = 1 #61:1a:87[tab]… Auth-Type := Local. is a much more robust way to add. . [tab]… WaveRider-Max-Customers = 1 61:1a:87[tab]… Auth-Type := Local. edit. For instance.2 MySQL To use a database. grade of service). The sql. As well.… } accounting { … detail sql_log … } } users 61:1e:1c[tab]… Auth-Type := Local. the operator may also choose to include an unlimited number of front-office business function fields such as CAP site name.2.2.conf file is configured to specify the server location (‘localhost’ = this server) database to connect to. The following example changes the radiusd. This allows for quick and efficient querying of data to extract useful information or make changes to a specific user record.conf’ file is edited to indicate that an SQL database will provide the authorization data. A ‘#’ character is placed at the beginning of each of the entry’s lines to instruct FreeRADIUS to ignore them. although slightly more taxing on the server system’s resources. ASP or other web-based application) to allow a single point of entry for customer data. etc. delete and query user records. User-Password == buywavc #[tab]… WaveRider-Grade-of-Service = bronze. For example.conf) is edited to include the server name (remote or local.NET. The EUMs will no longer be authenticated and configured using the instructions in the users file. This value is hard-coded for every RADIUS request and has nothing to do with the EUM password. password. the SQL table schema can be modified to suit the operator’s purposes. area. 3. address. Be sure to periodically check back for new releases of this file. The ‘radiusd. radiusd. This method of operation. in addition to the three required authorization fields (username. business model and/or imagination. Download the WaveRider dictionary file from http://www.2.1) to the SQL method.wr.2.conf log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes authorize { tn068F users #61:1e:1c[tab]… Auth-Type := Local.conf file from the static authorization and accounting method (configured in section 3. The ‘User-Password’’ value for each user entry must be ‘buywavc’ (all lowercase).g. and the Linux user account and password used to connect. DNS may be used) and database login credentials. The scalability of this method is limited only by operator’s understanding of SQL.conf’ file in sections 3. the database may be integrated with a front-office financial accounting system (e. User-Password == buywavc [tab]… WaveRider-Grade-of-Service = bronze. customer name.com and install it in the /usr/share/freeradius/ directory on the Linux system.conf’ file (/etc/freeradius/sql. User-Password == buywavc 5 .

Grant all permissions to the database for the ‘admin’ Linux user account and exit the MySQL client: mysql> grant all on radius to admin@ubuntu-server. The ‘radius_db’ value can be any name. imports the FreeRADIUS schema. Switch focus to the new ‘radius’ database: mysql> use radius v. Login to the MySQL client: admin@ubuntu-server:~# mysql iii. i. Create the database: mysql> create database radius. as defined during the creation of the MySQL DB (see below).) that FreeRADIUS will use to authenticate and authorize WaveRider EUMs: tn068F 6 . To ensure functionality.conf may vary. ‘password’ values in sql. The following commands create the ‘radius’ SQL database.4 of the ‘Managing the Network’ user guide (lms052_ap_01) for available WaveRider attributes and their definitions.… #files sql … } accounting { … detail #sql_log sql … } #[tab]… WaveRider-Grade-of-Service = gold. Refer to section 5. Extract the freeradius. and populates the tables with appropriate data. #[tab]… WaveRider-Max-Customers = 3 sql. ‘login’. The table structure in the following example groups EUMs by the GOS attribute value.gz –C /home/admin ii.gz installation package to the admin user’s home directory: admin@ubuntu-server:~# tar –zxvf freeradius_[version]. iv.tar. assigns all privileges to the ‘admin’ Linux user account. mysql> quit vi.tar.conf sql { … server = “localhost” login = “admin” password = “admin123” … radius_db = “radius” … } Table 3: MySQL method FreeRADIUS configuration ‘Server’. verify the Linux user account used to access the MySQL DB has the appropriate permissions to access and write to the associated tables. The method the network or systems administrator will use to group the RADIUS profiles. attributes and users in the SQL tables will depend entirely on the topology of the LMS and management systems in use as well as business and customer service requirements. Import the table structure (from the schema template file extracted in step i.

’home_lite’.’denied’. 1 row affected xi. Create the ‘denied’ group: mysql> insert into radgroupcheck values Type’. 1 row affected mysql> insert into radgroupcheck values (‘’. Query OK.admin@ubuntu-server:~# mysql –uadmin –padmin123 radius < /home/admin/freeradius-[version]/[path]/mysql. modify each to allow 50 characters: mysql> alter table radreply modify attribute varchar(50). Due to a number of the WaveRider vendor-specific attributes (VSA) being longer than the ‘radreply’ and ‘radgroupreply’ tables’ attribute fields’ default 32 characters in length. 1 row affected mysql> insert into radgroupcheck values (‘’.00 sec) ix. 1 row affected mysql> insert into radgroupcheck values (‘’.’home_standard’.’buywavc’).’home_standard’. Query OK. Log into the MySQL client and the ‘radius’ database as the admin Linux user: admin@ubuntu-server:~# mysql –uadmin –padmin123 radius viii. 0 rows affected (0.’Auth- tn068F 7 . Query OK.’:=’.05 sec) Records: 0 Duplicates: 0 Warnings: 0 x.’AuthType’. 0 rows affected (0.’:=’. Verify the tables have been successfully created in the database: mysql> show tables.sql vii. GOS) groups: mysql> insert into radgroupcheck values (‘’. Query OK. Query OK. Query OK.’Password’.05 sec) Records: 0 Duplicates: 0 Warnings: 0 mysql> alter table radgroupreply modify attribute varchar(50). Query OK.’AuthType’.’buywavc’).’:=’.’==’.’:=’.’Password’.’home_lite’. 1 row affected (‘’.’Local’).’denied’).’Local’). Create the valid package type (ie. +------------------+ | Tables_in_radius | +------------------+ | nas | | radacct | | radcheck | | radgroupcheck | | radgroupreply | | radpostauth | | radreply | | usergroup | +------------------+ 8 rows in set (0.

’:=’..’enabled’). Query OK.’home_lite’. Query OK.’home_standard’.’silver’). 1 row affected mysql> insert into usergroup values (’64:be:66’. 1 row affected . Query OK.’WaveRider-MaxCustomers’. Query OK. Query OK..’gold’). Query OK.’5’).’home_standard’).’WaveRider-CurrentPassword’. Query OK.’:=’. 1 row affected mysql> insert into radgroupreply values (‘’. Query OK.’WaveRider-CurrentPassword’.’home_lite’.’enabled’). tn068F 8 . 1 row affected The ‘WaveRider-Current-Password’ and correct value must be included when changing WaveRider VSA values such as ‘WaveRider-SNMP-Contact’.’[EUM_password]’). Assign users (EUM IDs) to the groups created in step x and xi by populating the ‘usergroup’ table: mysql> insert into usergroup values (’61:1c:1e’.’WaveRider-Grade-ofService’. It is therefore recommended that all EUMs in each group share the same password. 1 row affected mysql> insert into usergroup values (’61:1a:87’. 1 row affected mysql> insert into radgroupreply values (‘’.’home_lite’.’home_lite’.’:=’.’5’). Query OK. 1 row affected mysql> insert into radgroupreply values (‘’.’:=’.’WaveRider-Gradeof-Service’.’[EUM_password]’). grouping by package type (note second column is the ‘groupname’ field – value is operator’s choice and should be descriptive): mysql> insert into radgroupreply values (‘’. Query OK.’WaveRider-MaxCustomers’.’:=’.’home_standard’.’WaveRider-PriorityEnabled’.’:=’. 1 row affected mysql> insert into radgroupreply values (‘’.xii. Populate the ‘radgroupreply’ table with the applicable WaveRider VSAs. Query OK.’:=’.’WaveRiderPriority-Enabled’.’:=’. 1 row affected mysql> insert into radgroupreply values (‘’. xiii.’home_standard’. 1 row affected mysql> insert into radgroupreply values (‘’.’home_lite’.’home_lite’).’denied’). 1 row affected mysql> insert into radgroupreply values (‘’.

#0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle. the CLI output should end with ‘Ready to process requests’. foreground process (-f) and debug mode (-x) (visible transactions): admin@ubuntu-server:~# freeradius –sfx The FreeRadius daemon program will execute and configure itself using the values configured within the files edited in Table 1 or Table 2. Module: Loaded exec rlm_exec: Wait=yes but no output defined. Using deprecated naslist file. Start the FreeRADIUS server daemon in “single server” (-s). Support for this will go away soon. #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle.4 Implementation Follow the steps below to initiate RADIUS operation (examples shown for FreeRADIUS configured with MySQL). similar to the following: admin@ubuntu-testlab:~# freeradius -sfx Starting . Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP Module: Instantiated mschap (mschap) Module: Loaded preprocess Module: Instantiated preprocess (preprocess) Module: Loaded realm Module: Instantiated realm (suffix) Module: Loaded SQL rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to admin@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle.reading configuration files ... #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 tn068F 9 . #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle. If no errors occur. i.

#4 Module: Instantiated sql (sql) Module: Loaded Acct-Unique-Session-Id Module: Instantiated acct_unique (acct_unique) Module: Loaded detail Module: Instantiated detail (detail) Module: Loaded System Module: Instantiated unix (unix) Module: Loaded radutmp Module: Instantiated radutmp (radutmp) Module: Loaded eap rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap rlm_eap: Loaded and initialized type gtc rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. If desired.254 port 1025 WaveRider-Grade-of-Service := silver WaveRider-Max-Customers := 30 WaveRider-Priority-Enabled := disabled WaveRider-SNMP-Location := "Toronto" WaveRider-Downlink-Min-Modulation := CCK2 WaveRider-Downlink-Max-Modulation := 64Q2 WaveRider-Uplink-Min-Modulation := CCK2 WaveRider-Uplink-Max-Modulation := 64Q2 Pay particular attention to the ‘Access-Accept’ and/or ‘Access-Reject’ messages in the Linux CLI. use the CCU command <auth del [eumid]> to delete the static entry and allow the EUM to register via RADIUS.254 NAS-Port = 1 User-Password = "buywavc" rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): User 61:1c:1e not found in radcheck rlm_sql (sql): Released sql socket id: 0 Login OK: [61:1c:1e/buywavc] (from client CCU1 port 1) Sending Access-Accept of id 23 to 192. the EUM ID may have been erroneously entered into the ‘usergroup’ table of the ‘radius’ database. For example: rad_recv: Access-Request packet from host 192.rlm_sql (sql): Connected new DB handle. id=23. which in turn will display the authorization request details in the Linux terminal window or CLI process.168.1.1. EUM ID) entered into the usergroup table of the radius database. tn068F 10 .254:1025. Power on the EUM corresponding to the username (ie.168. or force a deregistration of the EUM using the CCU command ‘air fdereg [eum_id]’ if it is already registered with the CCU. If ‘static’ is displayed. The CCU will immediately send an access-request to the RADIUS server on behalf of the EUM. length=60 User-Name = "61:1c:1e" NAS-IP-Address = 192.168. If an EUM is incorrectly rejected. ii. iii.1. a static entry exists on the CCU. Check the CCU’s authorization table to verify the EUM’s authentication type (‘radius’).

168. id=180.254 | 2008-05-16 11:13:10 | 2008-05-16 11:19:48 | | 61:1c:1e | 192.Accounting stop/start or update messages will also appear (if accounting is configured on the CCU): rad_recv: Accounting-Request packet from host 192.254 NAS-Port = 1 Acct-Status-Type = Interim-Update Acct-Session-Id = "f4f40001" Acct-Input-Octets = 352176697 Acct-Input-Packets = 6658474 Acct-Output-Octets = 1827342061 Acct-Output-Packets = 2615193 rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 Sending Accounting-Response of id 174 to 192.254:1025.1. nasipaddress. +----------+---------------+---------------------+---------------------+ | username | nasipaddress | acctstarttime | acctstoptime | +----------+---------------+---------------------+---------------------+ | 61:1c:1e | 192.168.168.1.168. RADIUS client IP address and date/time stamps for both accounting stop and start messages: admin@ubuntu-server:~# mysql –uadmin –padmin123 radius mysql> select username.1.254 NAS-Port = 1 Acct-Status-Type = Start Acct-Session-Id = "f4f40004" rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 Sending Accounting-Response of id 179 to 192.1.168.254 | 2008-05-16 11:26:25 | 2008-05-16 11:33:02 | +----------+---------------+---------------------+---------------------+ 3 rows in set (0. length=82 User-Name = "61:1c:1e" NAS-IP-Address = 192.254 port 1025 rad_recv: Accounting-Request packet from host 192. acctstoptime from radacct.1.168.1.254 | 2008-05-16 11:19:48 | 2008-05-16 11:26:25 | | 61:1a:87 | 192.1.168.254 port 1025 rad_recv: Accounting-Request packet from host 192.1.1.168. length=82 User-Name = "61:1c:1e" NAS-IP-Address = 192.1.168. length=58 User-Name = "61:1c:1e" NAS-IP-Address = 192.1.168. id=174.254 NAS-Port = 1 Acct-Status-Type = Stop Acct-Session-Id = "f4f40004" Acct-Input-Octets = 1653 Acct-Input-Packets = 24 Acct-Output-Octets = 1722 Acct-Output-Packets = 26 rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 Sending Accounting-Response of id 180 to 192.254:1025.254:1025.1.168. acctstarttime. id=179. A number of records should appear containing the username (EUM ID).00 sec) tn068F 11 .254 port 1025 iv. Verify that accounting messages are being stored in the MySQL database.168.

troubleshooting. The following examples use the CLI method of administration. Add attributes to a particular group.’denied’). it is beneficial that the administrator possess a fundamental understanding of database structure and SQL syntax to be able extract detailed information using more complex queries. Change an EUM’s group membership (ie. Attribute value changes.’:=’.1 MySQL Use the following commands to perform routine administration including adding a new user. Both FreeRADIUS and MySQL applications may be administrated using CLI commands or with the graphic client tools (ie. ‘home_standard): mysql> insert into usergroup values (’61:1c:1e’. removing a user. Disable EUM communication by assigning it to the ‘denied’ group: mysql> insert into usergroup values (’61:1c:1e’. MySQL Query Browser) provided by the FreeRADIUS and MySQL software. to ‘home_standard’): mysql> update usergroup set groupname=’home_standard’ where username=’61:1c:1e’. The following are examples of SQL queries used to perform various administrative tasks such as adding new subscriber units to the RADIUS system.‘Toronto’). This example adds the SNMP location ‘Toronto’ to the ‘home_standard’ group: mysql> insert into radgroupreply set values (‘’. etc. View all EUMs by name or group: mysql> select * from usergroup order by [username|groupname].5 Administration How the network or systems administrator chooses to monitor and operate his or her RADIUS is a matter of preference of the available tools and whether or not the Linux server was installed with a graphical user interface (GUI). Remove an existing EUM: mysql> delete from usergroup where username=’61:1c:1e’. <air fdereg [EUM_ID]> is performed on the CCU. tn068F 12 . or additions or deletions of EUM records in RADIUS will not take effect until the CCU’s RADIUS client’s update period has cycled OR the <air flush>. editing an existing user. 5.’home_standard’.’WaveRider-SNMP-Contact]’. changing a customer’s service level (ie. bronze to gold). etc. changing a user’s group membership. 61:1c:1e) by assigning it to a group (ie.’home_standard’). OR the EUM is reset or power cycled. The examples serve as a starting point. Add a new EUM (ie.

2 MySQL View accounting stop or start records by EUM (ie. The file contents are plain-text searchable.2. May 26 to May 28. The process is executed daily (‘@daily’) at midnight.1. username from radacct where nasipaddress=’192. ‘home_standard’): mysql> delete from radgroupreply where groupname=’home_standard’.2 Monitoring 5.168.1. 2007): mysql> select acctstarttime|acctstoptime. View accounting stop or start records by time period (ie. and thus having an adverse effect on system performance. Each paragraph-formatted entry is time-stamped (e. The operator will become accustomed to checking the ‘radius. the default cron job’s user email notification is disabled (‘>/dev/null 2>&1’): Open the crontab editor (Nano): admin@ubuntu-server:~# crontab –e tn068F 13 . View accounting stop or start records by RADIUS client (CCU IP. Also.254): mysql> select acctstarttime|acctstoptime.conf’ file. Update (interim-update). 5.log’ log file on a regular basis to ensure RADIUS authorization is occurring as expected.1 FreeRADIUS log files (static files method) Authorization: FreeRADIUS will log authorization attempts as long as the ‘log_auth = yes’ entry is included in the ‘radiusd. 61:1c:1e): mysql> select acctstarttime|acctstoptime from radacct where username=’61:1c:1e’. The default location of this file upon installation is ‘/var/log/freeradius’. max custs): mysql> update radgroupreply set value=‘10’ where groupname=’home_standard’ and attribute=’WaveRider-Max-Customers’. rolling over to a new file in tandem with the system clock.2. username from radacct where acctstarttime|acctstoptime >= ’2007-05-26’ and acctstarttime|acctstoptime <= ‘2007-05-28’. Remove entire group (ie. 5. ie. The following example creates and schedules a crontab file that deletes all records with an accounting stop time (‘acctstoptime’) older than one month from the ‘radius’ SQL database.254’. stop and start RADIUS accounting messages are appended to each file.g. ‘home_standard’ group. The file contents are plain-text searchable. a cron job should be scheduled to automatically delete old records.168. 192. To prevent the ‘radacct’ table from becoming unmanageably large. weekday month day hh:mm:ss yyyy) with useful tracking and troubleshooting information. FreeRADIUS automatically creates subdirectories grouped by RADIUS client IP address and date. Accounting: The accounting logs are located by default in the ‘/var/log/freeradius/radacct’ directory.Edit existing attribute values in a particular group (ie.

~/crontab [enter] crontab: installing new crontab tn068F 14 .In Nano. type the following cron instructions (one line entry): @daily mysql radius –e “delete from radacct where acctstoptime < date_sub(curdate(). interval 30 day)” >/dev/null 2>&1 Exit and save the crontab file: Ctrl-x Save modified buffer (ANSWERING “No” WILL DESTROY CHANGES) ? y File Name to Write: /tmp/crontab.

vecimasupport.freeradius.mysql.com/doc/refman/5.mysql.com/community/CronHowto http://crunchbang.org/ FreeRADIUS man pages: http://www.com/doc/refman/5.0/en/tutorial.com/freeradius.html http://dev.wr.6 Resources http://www.org/archives/2007/10/26/howto-setup-a-crontab-file/ tn068F 15 .html https://help.com/penguin/man/8/freeradius.ubuntu.frontios.html FreeRADIUS Configuration example: http://www.mysql.penguin-soft.com/ http://dev.html MySQL web site: MySQL tutorial: MySQL statement syntax: Ubuntu cron help: Crontab how-to: http://www.0/en/sql-syntax.com WaveRider by Vecima Support: FreeRADIUS web site: http://www.

‘nomadic’. ‘silver’. ‘disable’ Table 4: WaveRider Vendor-Specific Attributes tn068F 16 . ‘enabled’ [User-defined] N/A [User-defined] [User-defined] ‘auto’. [9052 – 9248] (even values) [User-defined] [User-defined] [IP_addr]:[name] [User-defined] [User-defined] [User-defined] [0-50] [15-26] [3-11] “ “ “ [0-4094] [0-7] ‘enable’. ‘bronze’. ‘gold’ ‘disabled’.7 Appendix Attribute Name WaveRider-Grade-of-Service WaveRider-Priority-Enabled WaveRider-Authentication-Key (reserved) WaveRider-Current-Password WaveRider-New-Password WaveRider-Radio-Frequency WaveRider-SNMP-Read-Community WaveRider-SNMP-Write-Community WaveRider-SNMP-Trap-Server WaveRider-SNMP-Contact WaveRider-SNMP-Location WaveRider-SNMP-Name WaveRider-Max-Customers WaveRider-Rf-Power WaveRider-Downlink-Min-Modulation WaveRider-Downlink-Max-Modulation WaveRider-Uplink-Min-Modulation WaveRider-Uplink-Max-Modulation WaveRider-Uplink-VLAN-ID WaveRider-Uplink-VLAN-Priority WaveRider-Downlink-VLAN-Strip Tag 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 Accepted Value(s) ‘be’.

by http://www.com .vecimasupport.wr.