RADIUS Integration with Sonar

Updated by Jennifer Trower

Building the RADIUS Server

To build the RADIUS server, please see instructions on the GitHub repository FreeRADIUS 3 Genie. The instructions below pick up where those leave off.

Note that you will need to add Sonar's egress IP address to your Genie NAS configuration, specifying the CoA secret that you will use in step 2 below.

Linking your FreeRADIUS server to Sonar

Once this configuration is done, we need to add the RADIUS server into Sonar.

  1. Inside your Sonar instance, navigate to Settings > Networking > RADIUS Servers and click the blue "Create" button in the top right.
  2. Fill in the Create RADIUS Server settings, using the FreeRADIUS MySQL database credentials generated by the FreeRADIUS Genie setup.
    RADIUS Server creation field details

    1. The Enabled checkbox determines whether this RADIUS Server will be used by Sonar for network and connection management. If the server is not enabled, Sonar won't send any requests to it.

    2. The Name field allows you to add an identifiable name to the server within your Sonar instance.

    3. The IP Address field is required in order for your Sonar instance to know where to send requests.

    4. Collect Bandwidth should be enabled if you want accounting data from sessions to be reported into Sonar as data usage. The usage from RADIUS will be forwarded to the account where that RADIUS username is stored.

    5. The FreeRADIUS MySQL database username field is where the username provided in step 10 will be entered.

    6. The FreeRADIUS MySQL database password field is where the password provided in step 10 will be entered.

    7. The FreeRADIUS MySQL database name field is where you provide the defined database name to Sonar. In this example, the database name is "radius".

    8. The FreeRADIUS MySQL database port is the configured network port that allows remote access to your MySQL database. In this example, the database port is "3306".

    9. The FreeRADIUS CoA port is the configured network port that allows communication with the RADIUS server when Change of Authorization changes occur.

    10. The "Send change auth on delinquency" toggle will enable or disable sending a request to your CoA proxy when an account enters a delinquent state.

    11. The "Send change auth on service change" toggle will enable or disable sending a request to your CoA proxy when an account experiences a change of service.

    12. The "Send change auth on status change" toggle will enable or disable sending a request to your CoA proxy when an account changes status.

    13. The CoA secret allows Sonar to connect to your CoA proxy to effect auth changes.

Basic PPPoE configuration

Once this is done, you'll have a basic setup in place to enable PPPoE. Here's a quick tutorial on setting up a simple PPPoE configuration on a MikroTik router.

First, we need to set up our IP pools. These should correspond to IP pools you have created in your Sonar IPAM - refer to IPAM: Setup, Policy, & Best Practices for details on this! To configure pools, navigate to IP > Pool in your MikroTik. You can create as many IP pools here as you need, and chain them together so that if one pool is full, the next one is used. You can statically assign IPs to users from within Sonar by associating an IP with their RADIUS account. If you don't do this, then an IP will be selected from an available pool when the client connects, and Sonar will dynamically learn that IP and enter it as a soft assignment inside Sonar.

The pool configuration is pretty simple - a start IP, an end IP, and the next pool to use if this one is full.

Once you've configured your pools, click PPP in the menu on the left and then click the Profiles tab. Click the + button to create a new profile.

We're going to configure a very basic profile. Enter a name, select a local address to use for the profile (in this example, I used the first IP in the subnet for my pool - note that this IP is not included in my pool range!) and for remote address, select your first pool. Enter some DNS servers to assign to users, and under the Limits tab, set a session timeout. This will disconnect users after a certain period of time and they will have to reconnect. If you want to allow infinite sessions, don't set a timeout. Something like 24 hours is a reasonable setting if you want to have a timeout value.

Once your profile is configured, click the Secrets tab, and click the PPP Authentication&Accounting button.

Make sure Use Radius is checked, and that Accounting is checked. Make sure Interim Update is set to a reasonable value in minutes, as this is how frequently this MikroTik will send accounting data to your RADIUS server.

How Interim Updates work with Sonar

Until the first interim update interval has been triggered, the assigned IP address won't be displayed in the session table under Accounts -> Network & Inventory -> RADIUS Accounts -> Session History.

While the connection will be established and service will be delivered to the customer, you won't be able to hit the Disconnect button until the first interim update. If a disconnect is attempted on a session that hasn't completed an Interim Interval, the following error will occur:

If you make the Interim Update interval too short and you have a lot of clients, your server may become overloaded, while setting it too high will result in data being sent infrequently. The shorter the time, the more often accounting data will be sent to the RADIUS server, and the more frequently you'll see updates as to users' data usage in Sonar. If you have a very small network (a few hundred users) you can probably set this to a low value (1-5 minutes) without much impact. For larger networks, set this to at least 15 minutes - you may need to increase it even more for very large networks!

If you're doing initial setup testing, creating an "Acct-Interim-Interval" attribute with a value of "60" in the RADIUS Groups setup can help troubleshoot by lowering the interim update interval to the minimum interval of 60 seconds.

Now click the PPPoE Servers tab, and click the + button to create a server.

Enter a name for the server, select the interface that your clients will be connecting on, and select the profile we created earlier. If you only want to allow one PPPoE session per host (which you probably do!) check One Session Per Host. Make sure all the authentication options at the bottom are checked.
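
The Winbox steps above, expressed as RouterOS CLI commands. This is an added example, not part of the original article: the pool names, address ranges, DNS servers and the `ether2` interface are constructed placeholders, and the router's RADIUS client entry for your FreeRADIUS server is assumed to be configured already.

```routeros
# Constructed sample values throughout: replace the pool ranges, DNS servers
# and interface name with the ones that match your Sonar IPAM and network.

# IP pools. The second pool is created first so the first can chain to it
# with next-pool once it is full.
/ip pool add name=pppoe-pool-2 ranges=10.10.1.2-10.10.1.254
/ip pool add name=pppoe-pool-1 ranges=10.10.0.2-10.10.0.254 next-pool=pppoe-pool-2

# PPP profile: the local address is the first IP of the subnet (outside the
# pool range), remote addresses come from the first pool, and sessions are
# disconnected after 24 hours.
/ppp profile add name=sonar-pppoe local-address=10.10.0.1 \
    remote-address=pppoe-pool-1 dns-server=192.0.2.53,192.0.2.54 \
    session-timeout=1d

# PPP Authentication&Accounting: use RADIUS, send accounting data, and send
# interim updates every 15 minutes.
/ppp aaa set use-radius=yes accounting=yes interim-update=15m

# PPPoE server on the client-facing interface, one session per host, with
# all authentication options enabled as in the steps above.
/interface pppoe-server server add service-name=sonar-pppoe interface=ether2 \
    default-profile=sonar-pppoe one-session-per-host=yes \
    authentication=pap,chap,mschap1,mschap2 disabled=no
```

Afterwards, `/ppp active print` lists connected sessions, the CLI counterpart of the Active Connections tab.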

You now have a very basic, functioning PPPoE server. Log in to your Sonar instance, navigate to a user account, and access the Network tab, and then the RADIUS tab. Create a new RADIUS account and note the username and password.

Now, back in the MikroTik, click the Active Connections tab and try connecting using a PPPoE client, authenticating using the credentials you just created in Sonar. You should be assigned an IP from the pool, and the connection will show up in the list! To assign a static IP, navigate back into Sonar, go to the Network tab on an account, and then IP Assignments. Assign an IP to the RADIUS account, and then disconnect and reconnect your PPPoE client. You will be assigned the static IP you selected.
