3. Preface
Conventions
The following conventions are used throughout this document:
Replace existing text or enter exact text that is highlighted in bold
System prompts and/or pre-existing configuration file text are non-stylized, normal font
Special characters/instructions are italic
Emphatic terms and words are red
Continuation of configuration file text or special characters is indicated with “…”
Values surrounded by square brackets ( [ ] ) are variable (ie. EUM ID)
CAUTION: Whenever you see this icon and heading, the associated text discusses an
issue, which, if not followed, could result in damage to, or improper use of, the
equipment or software.
TIP: Whenever you see this icon and heading, the associated text provides a tip for
facilitating the installation, testing, or operation of the equipment or software.
Getting Support
An extensive knowledge base is available at http://www.wr.vecimasupport.com. Visit the web
page to:
Get the latest announcements from Vecima Networks.
Download product related software, manuals, application notes, or other information about
the WaveRider product line.
Consult the KnowledgeBase for troubleshooting information.
Register and contact technical support to help you with unexpected problems.
Training
Vecima offers a complete training program. Please contact you sales representative for training
information.
Priority support
Vecima also offers priority telephone and email support. Please contact your sales
representative for details.
tn068F i
5. 1 Introduction
This technical note presents step-by-step configuration and examples for installing and configuring a Linux
(Ubuntu Edgy Eft v6.10) installation of FreeRADIUS (v1.1.3) using either the static configuration files included
with the software, or a MySQL (v5.0.41) database. Implementation, administration and monitoring of FreeRADIUS
and MySQL is also addressed. Once successfully installed and configured, the system will allow FreeRADIUS to
update the CCU3000, CCU3100 or CCU8000 authorization tables, thus allowing auto-configuration of the EUMs,
as well as accumulate RADIUS accounting statistics.
The configuration examples detailed in this document were not designed or intended to work in every WaveRider® LMS deployment. It is
understood that systems and/or network administrators customize the configurations to best suit the topology and needs of their own
deployment requirements. It is highly recommended that the administrator following these examples possesses a solid understanding of
Linux fundamentals in order to take the necessary precautions towards securing the configured system. Vecima’s WaveRider AES does not
support or troubleshoot the Linux operating system.
1.1 Detailed Tasks
1. Configure WaveRider® CCU3000, CCU3100 or CCU8000 RADIUS client
2. Download and install FreeRADIUS and MySQL
3. Configure FreeRADIUS
a) static file authentication method
b) MySQL authentication method
4. Create, log in to, and populate MySQL database
5. Start the FreeRADIUS server daemon
6. Administrate and monitor FreeRADIUS implementation
1.2 Network Diagram
Figure 1: System Topology Example
tn068F 1
6. 2 Installation
Following the steps below to install the latest version of FreeRADIUS.
i. Download and install FreeRADIUS using either the Synaptics Package Manager (GUI) or manually via
ftp://ftp.freeradius.org/pub/radius or by simply typing “sudo apt-get install freeradius” and “sudo apt-get
install freeradius-mysql” (if the SQL authorization method is to be used) in a terminal window.
Manual download/install
tar xvf freeradius.tar.gz
cd freeradius
./configure
make
make install
Package Manager download/install
freeradius (‘A high performance and highly configurable RADIUS server’)
freeradius-mysql (‘MySQL module for FreeRADIUS server’)
The FreeRADIUS tarball must be downloaded and extracted to retrieve the MySQL database schema for later use:
http://freeradius.org/getting.html. Check the release notes or search the extracted files for the mysql.sql schema
template file.
ii. Download and install MySQL and its associated modules by using either the Synaptics Package Manager (GUI)
or manually by simply typing the following commands in a terminal window:
sudo apt-get install mysql-server
sudo apt-get install mysql-server-5.0
sudo apt-get install mysql-client-5.0
sudo apt-get install mysql-client
sudo apt-get install mysql-common
Manual download/install
tar xvf mysql.tar.gz
cd mysql
./configure
make
make install
Package Manager download/install
Required:
mysql-server-5.0 (mysql database server binaries)
mysql-server (mysql database server current version)
mysql-client-5.0 (mysql database client binaries)
mysql-client (mysql database client current version)
mysql-common (mysql database common files (e.g. /etc/mysql/my.cnf)
Optional:
mysql-query-browser-common (Architecture independent files for MySQL Query Browser)
mysql-query-browser (Official GUI tool to query MySQL database)
mysql-navigator (GUI client program for MySQL database server)
mysql-admin-common (Architecture independent files for MySQL Administrator)
mysql-admin (GUI tool for intuitive MySQL administration)
tn068F 2
7. 3 Configuration
3.1 CCU3000 / CCU3100 / CCU8000
The following example configures the CCU RADIUS client with a primary and secondary RADIUS server with a
shared secret, enables and sets the accounting method to stop/start, sets the client request period to 5 minutes,
and enables the RADIUS client. All configuration commands are required unless otherwise indicated (†).
i. Access the CLI using telnet via the local link or operator-configured static IP.
ii. Verify CCU can ping the RADIUS servers:
64:08:05*CCU> ping 192.168.1.254
Press any key to stop...PING
192.168.1.154: 56 data bytes, 490 ms interval (accurate to +- 5 ms)
64 bytes from 192.168.1.254: icmp_seq=0. time=15 ms
64 bytes from 192.168.1.254: icmp_seq=1. time=5 ms
64 bytes from 192.168.1.254: icmp_seq=2. time=5 ms
64 bytes from 192.168.1.254: icmp_seq=3. time=5 ms
64 bytes from 192.168.1.254: icmp_seq=4. time=5 ms
----192.168.1.254 PING Statistics----
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms) min/avg/max = 5/7/15
64:08:05*CCU> ping 192.168.1.253
Press any key to stop...PING
192.168.1.253: 56 data bytes, 490 ms interval (accurate to +- 5 ms)
64 bytes from 192.168.1.253: icmp_seq=0. time=15 ms
64 bytes from 192.168.1.253: icmp_seq=1. time=5 ms
64 bytes from 192.168.1.253: icmp_seq=2. time=5 ms
64 bytes from 192.168.1.253: icmp_seq=3. time=5 ms
64 bytes from 192.168.1.253: icmp_seq=4. time=5 ms
----192.168.1.253 PING Statistics----
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms) min/avg/max = 5/7/15
iii. Configure the primary RADIUS server IP and shared secret:
64:08:05*CCU> auth rad pri 192.168.1.254
Enter password (up to 16 chars): waverider123
The shared secret (‘password’ shown above) can be any 1-16 alpha-numeric value. The secret configured on the
CCU RADIUS client and on the RADIUS server must match. See the ‘clients.conf’ file configuration in section 3.2.1
and 3.2.2.
iv. Configure the secondary RADIUS server IP†:
64:08:05*CCU> auth rad sec 192.168.1.253
Enter password (up to 16 chars): waverider123
tn068F 3
8. v. Enable RADIUS accounting†*:
64:08:05*CCU> auth rad acc stopstart
vi. Change the RADIUS client request period† (default = 60 minutes):
64:08:05*CCU> auth rad per 5
vii. Enable the RADIUS client:
64:08:05*CCU> auth rad enable
* Refer to section 5.4 of the WaveRider ‘Managing the Network’ guide (lms052_ap_01) for more detail on the start/stop and update RADIUS
accounting modes.
† Optional configuration.
3.2 FreeRADIUS
FreeRADIUS may be configured to use either a static file (the ‘users’ file) OR an SQL database with which to
authorize EUMs. The database configuration example below uses the popular MySQL platform.
3.2.1 Static File Authentication
Using the static ‘users’ file, the network administrator can control RADIUS authentication directly. EUMs (users)
are added by their EUM IDs in the ‘users’ configuration file in paragraph form. Each subsequent paragraph entry
can be copied and pasted at the end of the file, editing only each EUM ID and its applicable attribute values.
Configuration files may be edited using Vi (command line – Linux server installation) or a Linux text editor (via
KDE or GNOME GUI).
Using the ‘users’ file for authorization is most efficient on the server system’s resources. However, it has more
administrative overhead as changes need to be tracked and performed manually and is therefore not well suited
for front-office business reference functions such as customer billing, location, etc. Also, the operator is limited to
using only the RADIUS-related fields defined in the dictionary file.
Configuration File or Folder Default Path
radiusd.conf /etc/freeradius
logdir /var/log/freeradius
raddbdir /etc/freeradius
radacctdir /var/log/freeradius/radacct
log_file /var/log/radius.log
libdir /usr/lib/freeradius
pidfile ${run_dir}/freeradius.pid
clients.conf /etc/freeradius
users.conf /etc/freeradius
Table 1: FreeRADIUS Default File Locations
The following example instructs FreeRADIUS to use the static file authorization and accounting method
(radiusd.conf), adds the primary and secondary CCU RADIUS clients to the clients.conf file with IP address,
shared secret and short name, adds two (2) EUMs to the users file that defines the GOS (grade of service) to be
used for each, and sets the maximum number of customers (hosts) that can access the radio link through each
EUM.
radiusd.conf clients.conf
log_stripped_names = yes client 192.168.1.254 {
log_auth = yes [tab]… secret [tab]… = waverider123
log_auth_badpass = yes [tab]… shortname [tab]… = CCU1
log_auth_goodpass = yes }
authorize { client 192.168.1.253 {
… [tab]… secret [tab]…… = waverider123
files [tab]… shortname [tab]… = CCU2
tn068F 4
9. … }
}
accounting { users
…
detail 61:1e:1c[tab]… Auth-Type := Local, User-Password ==
sql_log buywavc [tab]… WaveRider-Grade-of-Service = bronze,
… [tab]… WaveRider-Max-Customers = 1
}
61:1a:87[tab]… Auth-Type := Local, User-Password ==
buywavc [tab]… WaveRider-Grade-of-Service = gold,
[tab]… WaveRider-Max-Customers = 3
Table 2: Static files method FreeRADIUS configuration
The ‘User-password’ is not to be confused with the shared secret as configured on the CCU RADIUS client in section
3.1 and in the ‘clients.conf’ file in sections 3.2.1 and 3.2.2. The ‘User-Password’’ value for each user entry must be
‘buywavc’ (all lowercase). This value is hard-coded for every RADIUS request and has nothing to do with the EUM
password.
Download the WaveRider dictionary file from http://www.wr.vecimasupport.com and install it in the /usr/share/freeradius/
directory on the Linux system. Be sure to periodically check back for new releases of this file.
3.2.2 MySQL
To use a database, comment out entries in the users file and update radiusd.conf as shown below. The ‘sql.conf’
file (/etc/freeradius/sql.conf) is edited to include the server name (remote or local; DNS may be used) and
database login credentials. The ‘radiusd.conf’ file is edited to indicate that an SQL database will provide the
authorization data.
This method of operation, although slightly more taxing on the server system’s resources, is a much more robust
way to add, edit, delete and query user records, as well as monitor RADIUS activity. As well, the SQL table
schema can be modified to suit the operator’s purposes. For example, in addition to the three required
authorization fields (username, password, grade of service), the operator may also choose to include an unlimited
number of front-office business function fields such as CAP site name, customer name, address, area, etc. This
allows for quick and efficient querying of data to extract useful information or make changes to a specific user
record.
The scalability of this method is limited only by operator’s understanding of SQL, business model and/or
imagination. For instance, the database may be integrated with a front-office financial accounting system (e.g.
.NET, ASP or other web-based application) to allow a single point of entry for customer data, thus avoiding data
entry duplication errors.
The following example changes the radiusd.conf file from the static authorization and accounting method
(configured in section 3.2.1) to the SQL method. The EUMs will no longer be authenticated and configured using
the instructions in the users file. A ‘#’ character is placed at the beginning of each of the entry’s lines to instruct
FreeRADIUS to ignore them. The sql.conf file is configured to specify the server location (‘localhost’ = this server)
database to connect to, and the Linux user account and password used to connect.
radiusd.conf users
log_stripped_names = #61:1e:1c[tab]… Auth-Type := Local, User-Password ==
yes buywavc
log_auth = yes #[tab]… WaveRider-Grade-of-Service = bronze,
log_auth_badpass = yes #[tab]… WaveRider-Max-Customers = 1
log_auth_goodpass = yes
#61:1a:87[tab]… Auth-Type := Local, User-Password ==
authorize { buywavc
tn068F 5
10. … #[tab]… WaveRider-Grade-of-Service = gold,
#files #[tab]… WaveRider-Max-Customers = 3
sql
…
} sql.conf
accounting { sql {
… …
detail server = “localhost”
#sql_log login = “admin”
sql password = “admin123”
… …
} radius_db = “radius”
…
}
Table 3: MySQL method FreeRADIUS configuration
‘Server’, ‘login’, ‘password’ values in sql.conf may vary. To ensure functionality, verify the Linux user account used to
access the MySQL DB has the appropriate permissions to access and write to the associated tables. The ‘radius_db’
value can be any name, as defined during the creation of the MySQL DB (see below).
The table structure in the following example groups EUMs by the GOS attribute value. The method the network or
systems administrator will use to group the RADIUS profiles, attributes and users in the SQL tables will depend
entirely on the topology of the LMS and management systems in use as well as business and customer service
requirements. Refer to section 5.4 of the ‘Managing the Network’ user guide (lms052_ap_01) for available
WaveRider attributes and their definitions.
The following commands create the ‘radius’ SQL database, assigns all privileges to the ‘admin’ Linux user
account, imports the FreeRADIUS schema, and populates the tables with appropriate data.
i. Extract the freeradius.tar.gz installation package to the admin user’s home directory:
admin@ubuntu-server:~# tar –zxvf freeradius_[version].tar.gz –C
/home/admin
ii. Login to the MySQL client:
admin@ubuntu-server:~# mysql
iii. Create the database:
mysql> create database radius;
iv. Switch focus to the new ‘radius’ database:
mysql> use radius
v. Grant all permissions to the database for the ‘admin’ Linux user account and exit the MySQL client:
mysql> grant all on radius to admin@ubuntu-server;
mysql> quit
vi. Import the table structure (from the schema template file extracted in step i.) that FreeRADIUS will use to
authenticate and authorize WaveRider EUMs:
tn068F 6
11. admin@ubuntu-server:~# mysql –uadmin –padmin123 radius <
/home/admin/freeradius-[version]/[path]/mysql.sql
vii. Log into the MySQL client and the ‘radius’ database as the admin Linux user:
admin@ubuntu-server:~# mysql –uadmin –padmin123 radius
viii. Verify the tables have been successfully created in the database:
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas |
| radacct |
| radcheck |
| radgroupcheck |
| radgroupreply |
| radpostauth |
| radreply |
| usergroup |
+------------------+
8 rows in set (0.00 sec)
ix. Due to a number of the WaveRider vendor-specific attributes (VSA) being longer than the ‘radreply’ and
‘radgroupreply’ tables’ attribute fields’ default 32 characters in length, modify each to allow 50 characters:
mysql> alter table radreply modify attribute varchar(50);
Query OK, 0 rows affected (0.05 sec)
Records: 0 Duplicates: 0 Warnings: 0
mysql> alter table radgroupreply modify attribute varchar(50);
Query OK, 0 rows affected (0.05 sec)
Records: 0 Duplicates: 0 Warnings: 0
x. Create the valid package type (ie. GOS) groups:
mysql> insert into radgroupcheck values (‘’,’home_lite’,’Auth-
Type’,’:=’,’Local’);
Query OK, 1 row affected
mysql> insert into radgroupcheck values
(‘’,’home_lite’,’Password’,’==’,’buywavc’);
Query OK, 1 row affected
mysql> insert into radgroupcheck values (‘’,’home_standard’,’Auth-
Type’,’:=’,’Local’);
Query OK, 1 row affected
mysql> insert into radgroupcheck values
(‘’,’home_standard’,’Password’,’:=’,’buywavc’);
Query OK, 1 row affected
xi. Create the ‘denied’ group:
mysql> insert into radgroupcheck values (‘’,’denied’,’Auth-
Type’,’:=’,’denied’);
Query OK, 1 row affected
tn068F 7
12. xii. Populate the ‘radgroupreply’ table with the applicable WaveRider VSAs, grouping by package type (note
second column is the ‘groupname’ field – value is operator’s choice and should be descriptive):
mysql> insert into radgroupreply values (‘’,’home_lite’,’WaveRider-Grade-of-
Service’,’:=’,’silver’);
Query OK, 1 row affected
mysql> insert into radgroupreply values (‘’,’home_lite’,’WaveRider-Current-
Password’,’:=’,’[EUM_password]’);
Query OK, 1 row affected
mysql> insert into radgroupreply values (‘’,’home_lite’,’WaveRider-Max-
Customers’,’:=’,’5’);
Query OK, 1 row affected
mysql> insert into radgroupreply values (‘’,’home_lite’,’WaveRider-Priority-
Enabled’,’:=’,’enabled’);
Query OK, 1 row affected
mysql> insert into radgroupreply values (‘’,’home_standard’,’WaveRider-Grade-
of-Service’,’:=’,’gold’);
Query OK, 1 row affected
mysql> insert into radgroupreply values (‘’,’home_lite’,’WaveRider-Current-
Password’,’:=’,’[EUM_password]’);
Query OK, 1 row affected
mysql> insert into radgroupreply values (‘’,’home_standard’,’WaveRider-Max-
Customers’,’:=’,’5’);
Query OK, 1 row affected
mysql> insert into radgroupreply values (‘’,’home_standard’,’WaveRider-
Priority-Enabled’,’:=’,’enabled’);
Query OK, 1 row affected
The ‘WaveRider-Current-Password’ and correct value must be included when changing WaveRider VSA values such as
‘WaveRider-SNMP-Contact’. It is therefore recommended that all EUMs in each group share the same password.
xiii. Assign users (EUM IDs) to the groups created in step x and xi by populating the ‘usergroup’ table:
mysql> insert into usergroup values (’61:1c:1e’,’home_lite’);
Query OK, 1 row affected
mysql> insert into usergroup values (’61:1a:87’,’home_standard’);
Query OK, 1 row affected
mysql> insert into usergroup values (’64:be:66’,’denied’);
Query OK, 1 row affected
...
tn068F 8
13. 4 Implementation
Follow the steps below to initiate RADIUS operation (examples shown for FreeRADIUS configured with
MySQL).
i. Start the FreeRADIUS server daemon in “single server” (-s), foreground process (-f) and debug mode (-x)
(visible transactions):
admin@ubuntu-server:~# freeradius –sfx
The FreeRadius daemon program will execute and configure itself using the values configured within the files
edited in Table 1 or Table 2. If no errors occur, the CLI output should end with ‘Ready to process requests’,
similar to the following:
admin@ubuntu-testlab:~# freeradius -sfx
Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to admin@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
tn068F 9
14. rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
ii. Power on the EUM corresponding to the username (ie. EUM ID) entered into the usergroup table of the radius
database, or force a deregistration of the EUM using the CCU command ‘air fdereg [eum_id]’ if it is already
registered with the CCU.
Check the CCU’s authorization table to verify the EUM’s authentication type (‘radius’). If ‘static’ is displayed, a static
entry exists on the CCU. If desired, use the CCU command <auth del [eumid]> to delete the static entry and allow
the EUM to register via RADIUS.
iii. The CCU will immediately send an access-request to the RADIUS server on behalf of the EUM, which in turn
will display the authorization request details in the Linux terminal window or CLI process. For example:
rad_recv: Access-Request packet from host 192.168.1.254:1025, id=23, length=60
User-Name = "61:1c:1e"
NAS-IP-Address = 192.168.1.254
NAS-Port = 1
User-Password = "buywavc"
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): User 61:1c:1e not found in radcheck
rlm_sql (sql): Released sql socket id: 0
Login OK: [61:1c:1e/buywavc] (from client CCU1 port 1)
Sending Access-Accept of id 23 to 192.168.1.254 port 1025
WaveRider-Grade-of-Service := silver
WaveRider-Max-Customers := 30
WaveRider-Priority-Enabled := disabled
WaveRider-SNMP-Location := "Toronto"
WaveRider-Downlink-Min-Modulation := CCK2
WaveRider-Downlink-Max-Modulation := 64Q2
WaveRider-Uplink-Min-Modulation := CCK2
WaveRider-Uplink-Max-Modulation := 64Q2
Pay particular attention to the ‘Access-Accept’ and/or ‘Access-Reject’ messages in the Linux CLI. If an EUM is
incorrectly rejected, the EUM ID may have been erroneously entered into the ‘usergroup’ table of the ‘radius’
database.
tn068F 10
15. Accounting stop/start or update messages will also appear (if accounting is configured on the CCU):
rad_recv: Accounting-Request packet from host 192.168.1.254:1025, id=180,
length=82
User-Name = "61:1c:1e"
NAS-IP-Address = 192.168.1.254
NAS-Port = 1
Acct-Status-Type = Stop
Acct-Session-Id = "f4f40004"
Acct-Input-Octets = 1653
Acct-Input-Packets = 24
Acct-Output-Octets = 1722
Acct-Output-Packets = 26
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
Sending Accounting-Response of id 180 to 192.168.1.254 port 1025
rad_recv: Accounting-Request packet from host 192.168.1.254:1025, id=179,
length=58
User-Name = "61:1c:1e"
NAS-IP-Address = 192.168.1.254
NAS-Port = 1
Acct-Status-Type = Start
Acct-Session-Id = "f4f40004"
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
Sending Accounting-Response of id 179 to 192.168.1.254 port 1025
rad_recv: Accounting-Request packet from host 192.168.1.254:1025, id=174,
length=82
User-Name = "61:1c:1e"
NAS-IP-Address = 192.168.1.254
NAS-Port = 1
Acct-Status-Type = Interim-Update
Acct-Session-Id = "f4f40001"
Acct-Input-Octets = 352176697
Acct-Input-Packets = 6658474
Acct-Output-Octets = 1827342061
Acct-Output-Packets = 2615193
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
Sending Accounting-Response of id 174 to 192.168.1.254 port 1025
iv. Verify that accounting messages are being stored in the MySQL database. A number of records should
appear containing the username (EUM ID), RADIUS client IP address and date/time stamps for both
accounting stop and start messages:
admin@ubuntu-server:~# mysql –uadmin –padmin123 radius
mysql> select username, nasipaddress, acctstarttime, acctstoptime from radacct;
+----------+---------------+---------------------+---------------------+
| username | nasipaddress | acctstarttime | acctstoptime |
+----------+---------------+---------------------+---------------------+
| 61:1c:1e | 192.168.1.254 | 2008-05-16 11:13:10 | 2008-05-16 11:19:48 |
| 61:1c:1e | 192.168.1.254 | 2008-05-16 11:19:48 | 2008-05-16 11:26:25 |
| 61:1a:87 | 192.168.1.254 | 2008-05-16 11:26:25 | 2008-05-16 11:33:02 |
+----------+---------------+---------------------+---------------------+
3 rows in set (0.00 sec)
tn068F 11
16. 5 Administration
How the network or systems administrator chooses to monitor and operate his or her RADIUS is a matter of
preference of the available tools and whether or not the Linux server was installed with a graphical user interface
(GUI). Both FreeRADIUS and MySQL applications may be administrated using CLI commands or with the graphic
client tools (ie. MySQL Query Browser) provided by the FreeRADIUS and MySQL software. The following
examples use the CLI method of administration.
The following are examples of SQL queries used to perform various administrative tasks such as adding new
subscriber units to the RADIUS system, changing a user’s group membership, removing a user, troubleshooting,
etc. The examples serve as a starting point; it is beneficial that the administrator possess a fundamental
understanding of database structure and SQL syntax to be able extract detailed information using more complex
queries.
Attribute value changes, or additions or deletions of EUM records in RADIUS will not take effect until the CCU’s
RADIUS client’s update period has cycled OR the <air flush>, <air fdereg [EUM_ID]> is performed on the CCU, OR
the EUM is reset or power cycled.
5.1 MySQL
Use the following commands to perform routine administration including adding a new user, editing an existing user,
changing a customer’s service level (ie. bronze to gold), etc.
Add a new EUM (ie. 61:1c:1e) by assigning it to a group (ie. ‘home_standard):
mysql> insert into usergroup values (’61:1c:1e’,’home_standard’);
Disable EUM communication by assigning it to the ‘denied’ group:
mysql> insert into usergroup values (’61:1c:1e’,’denied’);
Change an EUM’s group membership (ie. to ‘home_standard’):
mysql> update usergroup set groupname=’home_standard’ where
username=’61:1c:1e’;
Remove an existing EUM:
mysql> delete from usergroup where username=’61:1c:1e’;
View all EUMs by name or group:
mysql> select * from usergroup order by [username|groupname];
Add attributes to a particular group. This example adds the SNMP location ‘Toronto’ to the
‘home_standard’ group:
mysql> insert into radgroupreply set values
(‘’,’home_standard’,’WaveRider-SNMP-Contact]’,’:=’,‘Toronto’);
tn068F 12
17. Edit existing attribute values in a particular group (ie. ‘home_standard’ group, max custs):
mysql> update radgroupreply set value=‘10’ where groupname=’home_standard’
and attribute=’WaveRider-Max-Customers’;
Remove entire group (ie. ‘home_standard’):
mysql> delete from radgroupreply where groupname=’home_standard’;
5.2 Monitoring
5.2.1 FreeRADIUS log files (static files method)
Authorization: FreeRADIUS will log authorization attempts as long as the ‘log_auth = yes’ entry is included in the
‘radiusd.conf’ file. The operator will become accustomed to checking the ‘radius.log’ log file on a regular basis to
ensure RADIUS authorization is occurring as expected. The default location of this file upon installation is
‘/var/log/freeradius’. The file contents are plain-text searchable.
Accounting: The accounting logs are located by default in the ‘/var/log/freeradius/radacct’ directory.
FreeRADIUS automatically creates subdirectories grouped by RADIUS client IP address and date. Update
(interim-update), stop and start RADIUS accounting messages are appended to each file, rolling over to a new file
in tandem with the system clock. Each paragraph-formatted entry is time-stamped (e.g. weekday month day
hh:mm:ss yyyy) with useful tracking and troubleshooting information. The file contents are plain-text searchable.
5.2.2 MySQL
View accounting stop or start records by EUM (ie. 61:1c:1e):
mysql> select acctstarttime|acctstoptime from radacct where
username=’61:1c:1e’;
View accounting stop or start records by RADIUS client (CCU IP, ie. 192.168.1.254):
mysql> select acctstarttime|acctstoptime, username from radacct where
nasipaddress=’192.168.1.254’;
View accounting stop or start records by time period (ie. May 26 to May 28, 2007):
mysql> select acctstarttime|acctstoptime, username from radacct where
acctstarttime|acctstoptime >= ’2007-05-26’ and
acctstarttime|acctstoptime <= ‘2007-05-28’;
To prevent the ‘radacct’ table from becoming unmanageably large, and thus having an adverse effect on system
performance, a cron job should be scheduled to automatically delete old records.
The following example creates and schedules a crontab file that deletes all records with an accounting stop time
(‘acctstoptime’) older than one month from the ‘radius’ SQL database. The process is executed daily (‘@daily’) at
midnight. Also, the default cron job’s user email notification is disabled (‘>/dev/null 2>&1’):
Open the crontab editor (Nano):
admin@ubuntu-server:~# crontab –e
tn068F 13
18. In Nano, type the following cron instructions (one line entry):
@daily mysql radius –e “delete from radacct where acctstoptime <
date_sub(curdate(), interval 30 day)” >/dev/null 2>&1
Exit and save the crontab file:
Ctrl-x
Save modified buffer (ANSWERING “No” WILL DESTROY CHANGES) ? y
File Name to Write: /tmp/crontab.~/crontab [enter]
crontab: installing new crontab
tn068F 14
19. 6 Resources
WaveRider by Vecima Support: http://www.wr.vecimasupport.com
FreeRADIUS web site: http://www.freeradius.org/
FreeRADIUS man pages: http://www.penguin-soft.com/penguin/man/8/freeradius.html
FreeRADIUS Configuration example: http://www.frontios.com/freeradius.html
MySQL web site: http://www.mysql.com/
MySQL tutorial: http://dev.mysql.com/doc/refman/5.0/en/tutorial.html
MySQL statement syntax: http://dev.mysql.com/doc/refman/5.0/en/sql-syntax.html
Ubuntu cron help: https://help.ubuntu.com/community/CronHowto
Crontab how-to: http://crunchbang.org/archives/2007/10/26/howto-setup-a-crontab-file/
tn068F 15