02. Quick setup tutorial
For a gentle and quick tutorial on how to set up and configure BlissRADIUS, we will examine the case of a small Internet service provider.
Our ISP serves a number of wireless as well as LAN clients. It uses MikroTik routers and a Microsoft Windows(R) server for BlissRADIUS hosting. Clients are authenticated using the PPPoE authentication protocol.
Two account types are provided for clients:
- Monthly prepaid package, with speed limited to 1 Mbit/sec of download and 512 Kbit/sec of upload. The client is automatically disconnected after the period expires and cannot reestablish a session.
- MB limit prepaid package, with a default price of 1$ for 1Gb of downloaded data and a bandwidth limit of 6 Mbit/sec of download and 1 Mbit/sec of upload. The client is disconnected and disabled upon reaching the set MB limit.
All clients are randomly assigned an address in the range from 184.108.40.206. This is an example range and will not work in your case. You should use your available address range.
The image shows the basic network setup with RADIUS, one wireless and one LAN router. They are all connected through a central router.
Here is a description of the RADIUS protocol and network use that administrators should take note of:
- NAS is Network Access Server, an entry point for clients to authenticate and start a session. In this setup we have 2 NAS servers, both MikroTik.
- A session is an authenticated client connection that gives the client Internet access. A session is not the same as the wireless connection that all wireless clients establish with their wireless routers.
- RADIUS must be able to communicate with each NAS server on ports 1812 and 1813, using a static IP address or host name. Take special care if there is NAT or a restrictive firewall between them. Route the paths properly, add exceptions to firewall rules and test connections before continuing.
- Clients never communicate with the RADIUS server directly. They communicate with the NAS server for the whole duration of the session.
- NAS servers are mediators: they are the ones that communicate with both the RADIUS server and the clients.
- In a correctly configured network, the RADIUS server is not a routing point but an end point. Internet traffic should never go through the RADIUS server.
- A restart or shutdown of the RADIUS server does not interfere with existing client sessions, but it does prevent clients from (re)opening sessions. If a session finishes while the RADIUS server is down, it will not be properly accounted.
- By default, clients receive a local IP address by DHCP. This address does not give them Internet access. They are required to authenticate and, upon success, they will be assigned a new address in the range of 220.127.116.11 (example address range) that gives them Internet access. The network should be routed so that this is possible.
MikroTik NAS setup
Both MikroTik routers in the network must be configured first. After logging on with WinBox(R), do the following:
Under System > Identity, the identity string must be set to something meaningful. It will be known as the NAS identifier. No two routers on the network may share the same NAS identifier.
Go to RADIUS > + to add a new RADIUS server. Set the values to:
- service = PPP
- address = IP address of BlissRADIUS server
- secret = choose a secret password and remember it for later use
- timeout = 1000ms-3000ms (if the router is connected over a slow or wireless network, you should increase this option to 3000ms or more)
RADIUS incoming enables MikroTik to accept packet of disconnect (PoD) and change of authorization (CoA) from BlissRADIUS. It must be enabled if you want to disconnect or change client sessions remotely. For the port number, leave 1700.
Go to PPP > Secrets > AAA to enable accounting requests and interim update. Interim update should be set in the 30 second to 5 minute range, depending on your usage requirements.
Go to PPP > Interfaces > PPPoE to create a PPPoE server. Leave the options at default.
Go to SNMP > + and enable read-only access from the BlissRADIUS server's address. This is not crucial for the system to work. Remember the community string for later.
BlissRADIUS should be set up using a browser. Log in to the Admin portal at http://localhost:8800 (replace the address with the RADIUS server's address). Use admin as username and password.
There are a couple of things that must be configured here:
- setup NAS servers
- create 2 account types
- create a couple of client accounts and activate them
Only then we can proceed to test connection.
Setting up NAS servers
This must be done for both MikroTik routers. Go to Admin > NAS and click the Add button.
Set options to:
- NAS ID = NAS identifier that you have set previously during MikroTik setup
- NAS IP address = NAS address
- Secret = secret you have set
- SNMP community = community string (optional)
- Interim update interval = number of seconds you have set for this NAS. This setting is more important than the one on MikroTik, as it overrides it. The interim update interval setting on MikroTik is in minutes, while BlissRADIUS uses seconds.
- NAS type = MikroTik
Leave the rest of the options at default. Upon finishing this you should see 2 MikroTik routers in the NAS server list.
Creating account types
For the first type of account (monthly limited), go to Admin > Account types and click the Add button. Set options to:
Monthly account or something else you like
Limit interval =
Assigned IP address =
18.104.22.168-255 (here we define the IP address pool clients will receive upon authentication).
RADIUS response =
Then create the second type of account with options:
Limit MB =
Assigned IP address =
RADIUS response =
MB total =
Use the MikroTik documentation to check the available RADIUS attributes.
Creating client accounts
Go to Users > Search and click the Add button. Select a username and one of the two created account types.
After creating the client account, you must click the Add payment button and create a default payment.
When done, a green indicator under the Active field will show that the client account is ready for use.
Testing client connections
By now, BlissRADIUS and the NAS servers are configured for use. Now it is time to try to connect using one of the created client accounts. On the client's computer, do the following:
Create a PPPoE connection. Use the username and password of the client account you have just created. Under authentication settings, set Encryption to optional and use only the PAP, CHAP, MS-CHAP or MS-CHAP-V2 authentication protocols.
Try to connect. If everything is right, you should receive an indicator of a new connection and have a new IP address assigned (one in range of
Try opening some web page.
Again, the IP address range is just an example and will not work with your network setup. You must set the address range to something applicable to your case.
If this fails, open the NAS using WinBox and open the RADIUS settings. Click on the Status tab and check the counters.
If the counters do not increment on connection attempts, then there is a problem in the connection between the NAS and the client, or the client connection is not configured properly, or the NAS PPPoE server is not set up right. Check the client connection again. Try to ping the NAS server from the client computer.
If the failures counter is incrementing, then there is a problem in communication between the NAS and BlissRADIUS. Try to ping BlissRADIUS from the NAS. Check that the address and secret settings on BlissRADIUS and the NAS match.
If the rejects counter is incrementing, then the problem is probably with the client account settings or password. Log in to the BlissRADIUS admin portal and go to Monitoring > Auth log. There should be a useful message describing why the client connection attempt was rejected by BlissRADIUS.
The procedure described here should be used as the first step when debugging client problems. Make an effort to have all of your support personnel learn it.
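The reachability and secret checks above can also be run as a script. This is an added example, not part of BlissRADIUS or MikroTik: it sends one PAP Access-Request as defined in RFC 2865 and verifies the Response Authenticator with the shared secret. It assumes the host running it is registered under Admin > NAS with that secret; the function names and outcome strings are illustrative.

```python
# Added example; helper names are illustrative, not a BlissRADIUS API.
import hashlib
import hmac
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 codes

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def pap_password(password, secret, request_auth):
    """Hide User-Password with MD5(secret + previous block), RFC 2865 5.2."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def build_access_request(ident, user, password, secret, request_auth, nas_id):
    """Access-Request with User-Name (1), User-Password (2), NAS-Identifier (32)."""
    attrs = attr(1, user) + attr(2, pap_password(password, secret, request_auth))
    attrs += attr(32, nas_id)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_is_authentic(reply, request_auth, secret):
    """Recompute the Response Authenticator; False usually means the secrets differ."""
    length = int.from_bytes(reply[2:4], "big")
    if not 20 <= length <= len(reply):
        return False
    digest = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret)
    return hmac.compare_digest(digest.digest(), reply[4:20])

def probe(server, secret, user, password, nas_id, port=1812, timeout=3.0):
    """Send one Access-Request and say which troubleshooting branch applies."""
    request_auth = os.urandom(16)
    packet = build_access_request(1, user, password, secret, request_auth, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: check routing, firewall and NAS address"
    if reply[1] != 1 or not response_is_authentic(reply, request_auth, secret):
        return "unauthentic reply: secrets do not match"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")
```

All arguments to probe() except the server address are bytes, for example probe("192.0.2.10", b"secret", b"user", b"password", b"nas-id") with your own values.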
Copyright © 2014 - 2019 LightBulb Software™ All Rights Reserved.