Frequently asked questions
This FAQ is a collection of answers to questions that have not yet been moved to (or do not have) a proper place in the manual.
How do I assign an IP address to a user?
There are two ways:
- If you want the user to have the same static IP address each time they authenticate, assign it using a RADIUS attribute: add the line Framed-IP-Address=192.168.0.11 to the 'RADIUS reply' field on the user's edit page.
- If you want the user to get a dynamic address from a pool, add the line 192.168.0.1-255 to the 'IP pool' field; the first currently available address from the pool's range will be used.
The IP pool field accepts only the following kinds of entry, one per line, and you can combine as many of them as you like:
- single IPv4 or IPv6 address
- an IPv4 range within a single class C (/24) network, in the format 192.168.0.1-255
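The 'IP pool' entry formats listed above, expanded and allocated first-available in Python. This is an added example, not BlissRADIUS code; the function names, the validation rules and the sample pool are assumptions.

```python
import ipaddress

# Constructed sample of an 'IP pool' field: one entry per line.
POOL_TEXT = "192.168.0.1-3\n10.0.0.9\n2001:db8::10\n"

def parse_pool(text):
    """Expand pool text into an ordered list of addresses.

    Accepted per line: a single IPv4 or IPv6 address, or an IPv4 range
    inside one /24 written as a.b.c.START-END (e.g. 192.168.0.1-255).
    """
    pool = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        if "-" in entry:
            start_s, _, end_s = entry.partition("-")
            start = ipaddress.IPv4Address(start_s)      # ValueError on bad input
            if not end_s.isdigit() or int(end_s) > 255:
                raise ValueError(f"line {lineno}: bad range end {end_s!r}")
            first, last = int(start) & 0xFF, int(end_s)
            if last < first:
                raise ValueError(f"line {lineno}: range end before start")
            base = int(start) - first                   # a.b.c.0
            pool.extend(ipaddress.IPv4Address(base + host)
                        for host in range(first, last + 1))
        else:
            pool.append(ipaddress.ip_address(entry))    # IPv4 or IPv6
    return pool

def first_available(pool, in_use):
    """Return the first pool address no online session holds, else None."""
    taken = {ipaddress.ip_address(a) for a in in_use}
    return next((a for a in pool if a not in taken), None)

if __name__ == "__main__":
    addresses = parse_pool(POOL_TEXT)
    print(first_available(addresses, ["192.168.0.1", "192.168.0.2"]))
```
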
Using IPv6 addresses
The same rules apply as when configuring IPv4 addresses.
- You can add an IPv6 address to any IP pool, or configure it using a RADIUS attribute such as Framed-IPv6-Address=1:2::
- The NAS address can be set to an IPv6 address. All incoming Access and Accounting RADIUS packets will contain the NAS-IPv6-Address attribute, which is used to identify the NAS.
- Other RADIUS attributes defined in RFC 3162, 4818 and 6911 are supported.
Important: The BlissRADIUS server itself can only run on an IPv4 address. You still need an IPv4 address configured on BlissRADIUS for internal communication with NAS servers and for serving HTTP pages.
Authenticating user by MAC address
Users can be authenticated by MAC address, local IP address or any other value provided as 'Calling-ID' in the access request sent by the NAS.
When this option is enabled, a request whose 'Calling-ID' matches a user is accepted automatically, and the username and password check is skipped.
Important: This is not considered secure, because many devices can have their MAC address changed easily. Anyone who knows a user's MAC address can authenticate as that user.
Which value the NAS sends as 'Calling-ID' depends on the connection type: for wireless users it is usually the MAC address of the device, for PPPoE cable users it is the local IP address, and so on. You should test to find out: when the user tries to authenticate, look at the 'MAC/CallingID' column on the Monitoring > Auth log page of the BlissRADIUS admin portal.
To enable this feature, go to the Admin > RADIUS page of the BlissRADIUS admin portal and open the 'MAC/CallingID' tab. Enable the 'Auth enabled' option. The 'MAC/CallingID input field' list on the same page tells you which user attribute (edited on the user profile page) should hold the MAC/IP address for the user.
Then go to the desired user and set that attribute to the user's MAC address.
How will I know if WHMCS and BlissRADIUS are in sync?
Each time you view a page in the WHMCS admin portal, an error message will pop up if BlissRADIUS is not reachable. If nothing pops up, everything is working.
You can also check all system actions in the BlissRADIUS admin portal under Monitoring > Syslog with the category WHMCS. It is worth visiting once in a while, because it contains a lot of useful information.
How do I set speed for user connection?
Setting the speed is NAS dependent. It is done by setting the correct vendor-specific RADIUS attributes, so you will have to read each vendor's documentation separately. E.g. for MikroTik, the MikroTik manual tells you that you have to add the line:
to the RADIUS reply attributes to limit connections to 1MB/512KB of download/upload (order is reversed). If you are using the WHMCS integration, you set this value from the WHMCS admin portal.
How do I automatically set a lower rate limit when the download limit is reached?
This can be done using the program's Disabled Accounts feature (Admin > RADIUS > Disabled Accounts page in the BlissRADIUS portal). When a client's service reaches a limit (upload or download GB limit, or expiry date), the service is terminated and the client is disconnected. The client is prevented from establishing a new connection unless the Disabled Accounts option is enabled.
Disabled Accounts has a separate set of service parameters (IP address ranges, RADIUS attributes and rate limits), so you can configure it to provide limited or slower access for clients without an active service.
How do I manually disconnect an online user?
For this to work you have to enable a special feature on your NAS (RADIUS incoming on MikroTik, see quick tutorial). This allows BlissRADIUS to send packet of disconnect (PoD) and change of authorization (CoA) requests to the NAS. BlissRADIUS sends requests to both standard ports: 1700 and 3799.
Once that is done, clicking "Disconnect" on the Monitoring > Online page of the BlissRADIUS admin portal sends the request, and the user will be offline in a matter of seconds.
Important: enabling this configuration is required for some other features to work, such as automatic disconnection when the MB limit for a user's session is reached.
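What a NAS checks before acting on a PoD or CoA request, as an added Python example (not BlissRADIUS or NAS vendor code): RFC 5176 requests carry a Request Authenticator computed over the packet and the RADIUS shared secret, so that secret is what protects the listener on ports 1700 and 3799. The secret, user name and session id below are constructed.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43   # RFC 5176 packet codes
USER_NAME, ACCT_SESSION_ID = 1, 44         # RFC 2865 / RFC 2866 attribute types

def _attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _authenticator(header, attrs, secret):
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(code, identifier, attributes, secret):
    """Build a Disconnect-Request or CoA-Request datagram."""
    attrs = b"".join(_attr(t, v) for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs

def verify_request(packet, secret):
    """NAS-side check: accept only requests signed with the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    if not 20 <= length <= len(packet):
        return False                       # truncated or malformed datagram
    attrs = packet[20:length]              # octets past Length are padding
    expected = _authenticator(packet[:4], attrs, secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values.
SECRET = b"constructed-shared-secret"
POD = build_request(DISCONNECT_REQUEST, 7,
                    [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"81000004")],
                    SECRET)

if __name__ == "__main__":
    print(verify_request(POD, SECRET), verify_request(POD, b"other-secret"))
```
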
Why does a user keep disappearing from the online list after a few minutes when I know he is online?
Short answer: most likely an Interim-Update misconfiguration on the NAS side, or a bad network connection between the NAS and RADIUS.
BlissRADIUS expects regular updates from the NAS every minute or so (a feature called Interim-Update or Accounting-Update). The exact frequency is configured in the BlissRADIUS admin portal under NAS settings. When a user authenticates, the NAS receives in the access accept response an Acct-Interim-Interval attribute with the number of seconds between expected updates. This works in most cases, because the NAS respects that number and keeps RADIUS updated.
Sometimes, however, local settings on the NAS interfere with the interim update interval or disable the feature completely (or require it to be enabled explicitly).
Another possibility is that update packets are lost in the network between the NAS and RADIUS, but this is not likely.
Whatever the reason, after a few missed updates BlissRADIUS assumes that the user's session is no longer alive, or that the NAS is offline, and removes the user from the online report.
The best way to find out what is happening is to enable RADIUS accounting debug in Config > System > Debug and watch Monitoring > System log for incoming update packets.
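One way to read the accounting debug entries, as an added Python example that is not BlissRADIUS code: it compares each session's update gaps with the configured interval to tell a NAS that reports too slowly from a session that simply went silent. The event tuples and the limit of 3 missed updates are assumptions; the page only says "a few".

```python
from statistics import median

MISSED_LIMIT = 3   # assumption: number of missed updates before removal

# Constructed events: (unix_time, nas_identifier, acct_session_id, status_type)
EVENTS = (
    [(t, "nas-1", "s1", "Interim-Update") for t in range(1000, 1700, 60)]
    + [(t, "nas-2", "s2", "Interim-Update") for t in (1000, 1300, 1600)]
    + [(1010, "nas-1", "s3", "Start"), (1070, "nas-1", "s3", "Interim-Update")]
    + [(1020, "nas-1", "s4", "Start"), (1080, "nas-1", "s4", "Stop")]
)

def review_sessions(events, now, interval, missed_limit=MISSED_LIMIT):
    """Classify every session that has not sent an accounting Stop.

    online   - updates arrive at the configured interval
    flapping - the NAS reports so rarely that the session is removed
               between updates (NAS-side interval overrides the attribute)
    stale    - updates were regular, then stopped (session ended without a
               Stop, NAS offline, or packets lost on the way)
    """
    stamps, closed = {}, set()
    for ts, nas, sid, status in sorted(events):
        key = (nas, sid)              # NAS identifier, not source address
        stamps.setdefault(key, []).append(ts)
        if status == "Stop":
            closed.add(key)
    drop_after = missed_limit * interval
    report = {}
    for key, seen in stamps.items():
        if key in closed:
            continue
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        typical = median(gaps) if gaps else None
        silent = now - seen[-1]
        if typical is not None and typical >= drop_after:
            verdict = "flapping"
        elif silent >= drop_after:
            verdict = "stale"
        else:
            verdict = "online"
        report[key] = {"typical_gap": typical, "silent_for": silent,
                       "verdict": verdict}
    return report

if __name__ == "__main__":
    for session, info in review_sessions(EVENTS, now=1700, interval=60).items():
        print(session, info)
```
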
Is it possible to handle NAS devices behind a dynamic IP address or behind NAT?
Yes, authentication and accounting will work, with extra care. Some other features may not.
If the NAS is behind a dynamic IP address or NAT, you must make sure that the NAS identifier is configured correctly on both the NAS and BlissRADIUS, as it is the only way to identify requests (the NAS address is useless).
Responses from RADIUS are sent back to the address the request was received from. With a dynamic IP address, the NAS will receive the response only if its address has not changed since the request was sent (a response usually takes a second or two). If the NAS is behind NAT, you will have to configure NAT to route responses back correctly. All communication uses UDP datagrams, so this may require advanced routing skills.
Some features, such as disconnecting online sessions or changing session parameters on the fly, may not work.
Does BlissRADIUS support CoA (Change Of Authorization) requests?
Yes. BlissRADIUS can initiate a CoA if the client is online and the client's account reaches defined limits (e.g. a time or GB upload/download limit). The new set of attributes used in the CoA request is configured in the client's account type, in the RADIUS > Radreply for disabled account field, or in RADIUS Attributes for disabled accounts in the WHMCS portal product settings. This lets you set a different speed on the fly. The session will be visible as type "disabled/coa" in the Monitoring > Online report.
For this to work you must disable the "Disconnect on MB/time limit reached" option for that account type.
CoA changes are limited (you can't change a session's IP address). For that you need to use "Disabled accounts access" instead, to force the client to reconnect.
Why do our connections always drop every X hours/minutes?
There may be a few configuration reasons for this.
Look for the Idle-Timeout and Session-Timeout RADIUS attributes in the WHMCS product settings and change them or remove them completely. These are the number of seconds after which the session will end (idle seconds or total seconds).
Another place to look for these attributes is the Admin > RADIUS page of the BlissRADIUS portal. The values there are used as defaults if the attributes are not set in WHMCS, so change them too if needed.
Lastly, you can debug the problem using Monitoring > System log. Turn on debug for RADIUS auth requests in Config > System > Debug and check all System log entries for the AUTH-ACCEPT event. These entries list the attributes the client receives when authenticating, so you will see the final attributes (if any) that the client's session will use. If Idle-Timeout and Session-Timeout are not there, the reason for session termination is something else (bad connection, client disconnected, session terminated by a remote CoA request because the MB limit was reached, etc.).
Copyright © 2014 - 2018 LightBulb Software™ All Rights Reserved.