I’m receiving so many questions about FreeRadius and I’m sorry to tell this but I can’t and I won’t give you tech support 4 free. I can and I will answer on one or two questions but do not bother me every single day via email and IM clients when I already wrote on this blog all you need to know.

I understand that RADIUS protocol is marginalized but there are more than enough articles which just laying around and waiting for you. All you need is Google and the right search term.

Before you continue to this read this article, please:
turn on your brain
find out what exactly do you want from your RADIUS server
read the four articles I posted on this blog
be sure that you Mikrotik can reach the Internet (has properly configured IP addresses, DNS, default route, etc)

In this post, I will explain how to set up a Mikrotik router to act as a NAS (but only the part related to RADIUS).

The first step you need to do is to be sure that Mikrotik and RADIUS server “can talk” which means you can ping RADIUS server from Mikrotik and vice verse. Of course, the connection must be reliable and without packet loss.

In the last example, our RADIUS server had an IP address 192.168.0.10 and if you remember we added IP 192.168.0.15 inside the nas table with mysecret as a RADIUS secret. This means that only NAS from IP address 192.168.0.15 would be able to talk with RADIUS server but only if the secret is correct.

So, lets define the RADIUS server inside Mikrotik.

Connect to Mikrotik via Winbox utility. Click on RADIUS and click on the + to add a new RADIUS server.

Enter RADIUS server IP address (in this case 192.168.0.10), enter secret and select ppp.

The next step is to enable Incoming requests so you will be able to disconnect users via PoD (Packet of Disconnect). Click on the Incoming button (RADIUS -> Incoming) and enable Accept checkbox.

Add new PPPoE server (PPP – PPPoE Servers and click Add).

The most important thing here is to choose the right interface. I your LAN interface is connected to the network where are the users, select LAN. My recommendation is to leave only pap and chap inside Auth. section.

The next step is to define a IP pool which will be used for address allocation.

Be sure that pool name is the same like you defined in the database because radius server will return the pool name to Mikrotik and if the pool with that name doesn’t exists, the users won’t get an IP address.

The next step is to properly configure the default profile for PPPoE users.

Enter local IP address (your public IP address), select remote address pool (the IP pool which we defined above) and add DNS servers which will be returned to the users.You can use the same Mikrotik as a DNS server but you need to turn on Allow remote requests inside DNS settings.

The last step is to turn on RADIUS for accounting inside PPP – Secret menu. Interim update is the time and I do not recommend the values less than 5 minutes.

It is a very nice replacement for Visio which is commercial product. It can be used to draw many different kinds of diagrams. It currently has special objects to help draw entity relationship diagrams, UML diagrams, flowcharts, network diagrams, and many other diagrams. It is also possible to add support for new shapes by writing simple XML files, using a subset of SVG to draw the shape.

It can load and save diagrams to a custom XML format (gzipped by default, to save space), can export diagrams to a number of formats, including EPS, SVG, XFIG, WMF and PNG, and can print diagrams (including ones that span multiple pages).

I almost bought LanFlow for 99$ but then I found Dia . The next step is donation to this project

Here is the link http://live.gnome.org/Dia

The FreeRadius database schema contains several tables:

nas

This table contains data about NASes (radius clients) and it is a “replacement” for clients.conf file. It is much easier to maintain the clients in the database than inside config file. If you want to use database for NAS list, skip the step in the last howto (the part about clients.conf). Also, in case you want to keep your NASes in the nas table, you’ll need to uncomment the readclients = yes inside sql.conf.

        # Set to 'yes' to read radius clients from the database ('nas' table)
        # Clients will ONLY be read on server startup.  For performance
        # and security reasons, finding clients via SQL queries CANNOT
        # be done "live" while the server is running.
        #
        readclients = yes

As you can see from the comment, you will need to restart radiusd process to allow/disallow specific NAS.

nas table schema is located inside raddb/sql/mysql/nas.sql

To add IP 192.168.0.15 inside nas table, exec next query:

INSERT INTO  nas VALUES (NULL ,  '192.168.0.15',  'myNAS',  'other', NULL ,  'mysecret', NULL , NULL ,  'RADIUS Client'
);

and you will have

mysql> select * from nas;
+----+--------------+-----------+-------+-------+----------+--------+-----------+---------------+
| id | nasname      | shortname | type  | ports | secret   | server | community | description   |
+----+--------------+-----------+-------+-------+----------+--------+-----------+---------------+
|  1 | 192.168.0.15 | myNAS     | other |  NULL | mysecret | NULL   | NULL      | RADIUS Client |
+----+--------------+-----------+-------+-------+----------+--------+-----------+---------------+
1 row in set (0.00 sec)

radacct

This table is used for accounting data. In case you want to collect traffic stats, you will need to uncomment sql inside accounting {} section in /usr/local/etc/raddb/sites-available/default. The same table can be used for simultaneous use checking which is faster than radutmp. All you need to do is to uncomment sql inside session {} section inside /usr/local/etc/raddb/sites-available/default and uncomment simul_count_query inside /usr/local/etc/raddb/sql/mysql/dialup.conf

radcheck

This table keeps the check attributes for users (User-Password, Cleartext-Password, Expiration, Simultaneous-Use, Auth-Type, …)

radreply

Is used for reply attributes for specific user. For example Framed-IP-Address, upload and download speed, etc…

radgroupcheck

This table keeps the check attributes for groups (which means, all users inside specific group will be checked against this attributes).

radgroupreply

The same like radreply but for groups. (all users in specific group will get the same speed, etc). Also, Framed-Pool attribute goes here.

radpostauth

This table is used for logging failed login attempts. To use this, you’ll need to uncomment sql inside postauth section (/usr/local/etc/raddb/sites-available/default.). Think twice before you enable this option because it can overload your server with constant inserts. Your customers will probably spend their money on wireless or wired routers so the logging attempts will come over and over.

radusergroup

This table keeps relation between username and specific group and group priority. In Freeradius 1.x this table was named “usergroup” so in case you have your own billing which is made for old schema, rename this table to usergroup

        # Table to keep group info
        usergroup_table = "radusergroup"

Examples

We will create a sample service with the next attributes:
- 512kbps download speed
- 128kbps upload speed
- we will use PPPoE – Point to Point Protocol Over Ethernet
- we will assign dynamic IP addresses to our clients from “internet” IP pool

INSERT INTO `radgroupreply` (`id` ,`groupname` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'testservice', 'Ascend-Xmit-Rate', ':=', '524288'), 
(NULL , 'testservice', 'Ascend-Data-Rate', ':=', '131072'), 
(NULL , 'testservice', 'Framed-Pool', ':=', 'internet');

As you can see the speed is converted to bps.

After you created the service, lets create a sample user (assigned with created service).

As I noticed above, check attributes should be placed inside radcheck table.

INSERT INTO `radcheck` (`id` ,`username` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'testuser', 'User-Password', ':=', 'testpassword'), 
(NULL , 'testuser', 'Simultaneous-Use', ':=', '1');

In this sample, the password is in plain text format which is not reccommended. Insted User-Password (which is alternative to Cleartext-Password for Mikrotik) better option is to use MD5-Password but keep in mind that you won’t be able to use CHAP.

INSERT INTO `radcheck` (`id` ,`username` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'testuser', 'MD5-Password', ':=', MD5( 'testpassword' ) ), 
(NULL , 'testuser', 'Simultaneous-Use', ':=', '1');

Then we need to assign this user with created service (group)

INSERT INTO `radusergroup` (`username` ,`groupname` ,`priority` )
VALUES ('testuser', 'testservice', '1');

After those inserts, lets test

[root@ns2 raddb]# radtest testuser testpassword 127.0.0.1 0 testing123
Sending Access-Request of id 228 to 127.0.0.1 port 1812
        User-Name = "testuser"
        User-Password = "testpassword"
        NAS-IP-Address = 192.168.0.10
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=228, length=54
        Ascend-Xmit-Rate = 524288
        Ascend-Data-Rate = 131072
        Framed-Pool = "internet"
[root@ns2 raddb]#

As you can see, the username/password combination is valid and RADIUS server returned all attributes assigned with user’s group.

To suspend user’s account you can insert Auth-Type := Reject for user.

INSERT INTO `radcheck` (`id` ,`username` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'testuser', 'Auth-Type', ':=', 'Reject');

and we have

[root@ns2 raddb]# radtest testuser testpassword 127.0.0.1 0 testing123
.....
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=145, length=20

Another option for disabling users is assigning with specific group which has Auth-Type := Reject inside radgroupcheck

INSERT INTO `radgroupcheck` (`id` ,`groupname` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'suspended', 'Auth-Type', ':=', 'Reject');

Assigning with suspended group can be done with

UPDATE `radusergroup` 
SET `groupname` = 'suspended' 
WHERE `username` = 'testuser' 
AND `priority` = 1;

and we have

rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=198, length=20

Also, keep in mind that routers will try to connect again and again so you will have a big problems in case you have thousands of users. Another option is to assign users with specific group which doesn’t have Auth-Type attribute. Instead rejecting you can assign internal IPs and redirect them to suspended page.

Many questions on FreeRadius mailing list are about Simultaneus-Use. Solution to this problem is very simple and it is very rude to ask this question again and again…

All you need to do is to insert Simultaneous-Use := 1 for specific user (radcheck table) or inside radgroupcheck if you want to limit all users inside specific group.

INSERT INTO `radgroupcheck` (`id` ,`groupname` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'testservice', 'Simultaneous-Use', ':=', '1');

In case you want to set Expiration attribute you can insert the date and the time inside radcheck table.

INSERT INTO `radcheck` (`id` ,`username` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'testuser', 'Expiration', '==', 'November 30 2011 00:00:00');

then we have

[root@ns2 raddb]# radtest testuser testpassword 127.0.0.1 0 testing123
Sending Access-Request of id 28 to 127.0.0.1 port 1812
        User-Name = "testuser"
        User-Password = "testpassword"
        NAS-IP-Address = 192.168.0.10
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=28, length=60
        Ascend-Xmit-Rate = 524288
        Ascend-Data-Rate = 131072
        Framed-Pool = "internet"
        Session-Timeout = 670889

You can note Session-Timeout attribute which contains the time in seconds between this moment and the date inside Expiration field. According to this value, the NAS will auto disconnect user when this time expire (in our case 670889 seconds). In case you set the time which already passed (for example yesterdays date) the user will be rejected.

Please keep in mind that this date format works for Mikrotik. I didn’t have chance to test it with other NASes.

If you want to reconnect users at regular intervals (for example every 24 hours – 86400 seconds) you can insert Session-Timeout inside radreply table (because it isn’t check attribute).
To recconect every user inside specific group, add this attribute inside radgroupreply table.

To assign a static IP for specific user insert Framed-IP-Address attribute inside radreply table where Value will be that IP address. Operator should be :=.

Please keep in mind that all inserts inside those tables are visible to radius server right after insert. Only inserts inside nas table won’t be until the restart (service radiusd restart)

I hope this post will help you to set up your own RADIUS server. Also, keep in mind that this is just an example and all this can done in many other ways.

In case you find a spelling errors please contact me so I can fix them.

Now lets do some tests and lets see the dependance from write cache enabled/disabled option on your disks. Keep in mind that RH based distros will probably disable write cache (I tried Ubuntu on this server and the same thing happen – write cache was disabled after installation).

The first step is to check the disk with

[root@s1 sysbench-0.4.12]# hdparm -i /dev/sda
 
/dev/sda:
 
 Model=GB0250EAFYK                             , FwRev=HPG1    , SerialNo=WCAT1E535427
 Config={ HardSect NotMFM HdSw>15uSec SpinMotCtl Fixed DTR>5Mbs FmtGapReq }
 RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=50
 BuffType=unknown, BuffSize=16384kB, MaxMultSect=16, MultSect=?16?
 CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=268435455
 IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
 PIO modes:  pio0 pio3 pio4
 DMA modes:  mdma0 mdma1 mdma2
 UDMA modes: udma0 udma1 udma2
 AdvancedPM=no WriteCache=disabled
 Drive conforms to: unknown:  ATA/ATAPI-1 ATA/ATAPI-2 ATA/ATAPI-3 ATA/ATAPI-4 ATA/ATAPI-5 ATA/ATAPI-6 ATA/ATAPI-7

Note WriteCache=disabled line

I suppose you know how to create a database, assign a user and set password

Read-write test for InnoDB

# sysbench --num-threads=16 --max-requests=10000 --test=oltp --oltp-table-size=500000 --mysql-socket=/var/lib/mysql/mysql.sock --oltp-test-mode=complex --mysql-user=test_database --mysql-password=test_database_password run

gave me the next results

 
No DB drivers specified, using mysql
Running the test with following options:
Number of threads: 16
 
Doing OLTP test.
Running mixed OLTP test
Using Special distribution (12 iterations,  1 pct of values are returned in 75 pct cases)
Using "BEGIN" for starting transactions
Using auto_inc on the id column
Maximum number of requests for OLTP test is limited to 10000
Threads started!
Done.
 
OLTP test statistics:
    queries performed:
        read:                            140000
        write:                           50000
        other:                           20000
        total:                           210000
    transactions:                        10000  (42.63 per sec.)
    deadlocks:                           0      (0.00 per sec.)
    read/write requests:                 190000 (809.95 per sec.)
    other operations:                    20000  (85.26 per sec.)
 
Test execution summary:
    total time:                          234.5821s
    total number of events:              10000
    total time taken by event execution: 3751.1329
    per-request statistics:
         min:                                 17.33ms
         avg:                                375.11ms
         max:                               3850.27ms
         approx.  95 percentile:             766.79ms
 
Threads fairness:
    events (avg/stddev):           625.0000/1.73
    execution time (avg/stddev):   234.4458/0.08

The total time is more than 234 seconds which is terrible result.

Now, delete sbtest table and recreate it again (please see the sysbench howto).

Enable write cache with

# hdparm -W1 /dev/sda

and start test again

The result is

No DB drivers specified, using mysql
Running the test with following options:
Number of threads: 16
 
Doing OLTP test.
Running mixed OLTP test
Using Special distribution (12 iterations,  1 pct of values are returned in 75 pct cases)
Using "BEGIN" for starting transactions
Using auto_inc on the id column
Maximum number of requests for OLTP test is limited to 10000
Threads started!
Done.
 
OLTP test statistics:
    queries performed:
        read:                            140000
        write:                           50000
        other:                           20000
        total:                           210000
    transactions:                        10000  (621.08 per sec.)
    deadlocks:                           0      (0.00 per sec.)
    read/write requests:                 190000 (11800.43 per sec.)
    other operations:                    20000  (1242.15 per sec.)
 
Test execution summary:
    total time:                          16.1011s
    total number of events:              10000
    total time taken by event execution: 255.8624
    per-request statistics:
         min:                                  2.49ms
         avg:                                 25.59ms
         max:                                689.84ms
         approx.  95 percentile:              41.84ms
 
Threads fairness:
    events (avg/stddev):           625.0000/4.68
    execution time (avg/stddev):   15.9914/0.03

Now we have a 16.1011 seconds for a complete test. I repeated the test several time with the same results.

We have a 14.62 times better result.

It is obvious that write cache is very important for MySQL but keep in mind that something can be lost in case of power failure and you should think about battery backups.

Tuning Kernel parameters

It is good idea to tune a few kernel parameters too. For this purpose you can install ktune (yum install ktune). (more info https://fedorahosted.org/ktune/)

With “service ktune start” you will set up scheduler on deadline instead of cfq (which can be up to 20% slower)

[root@s1 bekap]# service ktune start
Applying ktune sysctl settings:
/etc/sysctl.ktune:                                         [  OK  ]
Applying sysctl settings from /etc/sysctl.conf:            [  OK  ]
Applying deadline elevator: sda                            [  OK  ]

After Ktune I have a little faster time (around 15 seconds)

More info about disk elevators can be found here http://www.redhat.com/magazine/008jun05/features/schedulers/

Optimizing the EXT3 file system on CentOS

noatime
This mount option tells the system not to update inode access times. This is a good option for web servers, news servers or other uses with high access file systems.

Open /etc/fstab and add noatime like shown below

/dev/VolGroup00/LogVol00 /                       ext3    defaults,noatime        1 1

ls -t | head -1

Output

bash$ ls -t | head -1
id695.txt

Another option is with the next command

ls -lrth | tail -1

Output

bash$ ls -lrth | tail -1
-rw-r-----   1 user      ugroup         85 Nov 11 15:38 id695.txt

Note:
| is used to send the output of the first command as input to the second one.
tail — outputs the last files
-1 — denotes the number of lines u want to display (in case you don’t set -1, by default you will get the last 10 lines)

This addon will allow you to select rows and columns from a table simply pressing Control key and picking rows/columns with left mouse button. The selection can be copied to clipboard and pasted into datasheet applications but without ugly results.

Pasting in plain text editors is also supported as CSV file.

Here is the LINK for this great tool.

Do not forget to donate