1. Home
  2. Networking
  3. Authentication of customers
  4. Mikrotik: DHCP with Radius

Mikrotik: DHCP with Radius

Step 1 - Configure RADIUS server on a router

First of all we need to configure the RADIUS server on the router to communicate with Splynx.

radius_server

In this case 10.250.32.1 is the Splynx server IP and 10.250.32.2 is the router IP. The RADIUS secret should be specified in the Secret field - we will use this in Splynx in the router settings and then enable the DHCP service.

Lastly we need to enable RADIUS incoming:

incoming

Step 2 - Configure DHCP server on a router

We can setup the DHCP server manually or using the setup wizard.

dhcp_server

The main options here are: Address pool=static-only (it means that Splynx (Radius server) will assign the IP) and use RADIUS=yes. Specify the name, correct interface, lease time and save the settings.

Step 3 - add new router in Splynx

Now we need to add a new router in Splynx under Networking -> Routers -> Add :

router

The main parameters here are:

  1. IP / Host - IP of the router;

  2. Authorization / Accounting - PPP/DHCP (Radius) / Radius acounting;

  3. Radius secret - the same as the RADIUS secret on the router;

  4. NAS IP - IP of the router.

Step 4 - create IP network in Splynx

IP assignment - static IPs (recommended)

In case you will use static IPs in Splynx you need to navigate to Networking / IPv4 Networks / Add and add a network with Type of usage = static:

ip_network

IP assignment - assign IP from pool

In this case we need to create IPv4 network with Type of usage = Pool:

pool

Step 5 - add the internet service for a client

Static IP (recommended)

Under Customers -> List select the customer, open the Services tab and add a new internet service with following networking parameters:

client_service_mac_static

Select IPv4 assignment method = Permanent IP(from static IPs), select the IP address and specify the MAC address of the interface on the CPE that will be receiving the IP.

Once this done the client should be connected:

lease_mac1

On the router under the Leases tab we can see the DHCP lease with the IP that we specified in Splynx.

In Splynx we can see that customer is online.

online

We can add more MAC addresses to the service field MAC(s) separated by a comma:

client_service_mac2_

So a customer connection with the second MAC address can be authenticated:

Blocking of static IP customers will be performed using their own static IP in the address list. More information about customer blocking here - Blocking of customers in Splynx

IP from pool

Under Customers -> List select the customer, open the Services tab and add a new internet service with following networking parameters:

ip_from_pool_

and this connection will receive an IP from the specified pool:

Some advanced parameters for RADIUS can be configured under Config/Networking/Radius and Config/Networking/Radius Extended.

Blocking of customers will be performed with using of reject IP pools in the address list. More information about customer blocking here - Blocking of customers in Splynx

Please note!

For DHCP to report accounting correctly queues have to be applied dynamically via radius. API queues will not report the accounting stats to Splynx.

Troubleshooting

Additional network issue for services with static IPs

If you set additional network(s) in Splynx internet services, network routes will be sent to the router (NAS) during authorization. The router will then send all traffic with destination=additional network to the customer device. It is possible that these routes will also appear on the customer's device. To fix this issue, set use-framed-as-classless to disabled in the DHCP server settings:

use-framed

Incoming RADIUS

CoA (change of authorization) and (Packet of Disconnect) is not supported by Mikrotik. The alternative is to use a short lease time which caters for any CoA related changes and "Disabled customers to address list" from API to block the customer's internet access.