Installation RadMan


RADIUS MANAGER VERSION 2.5.

TABLE OF CONTENTS
RADIUS MANAGER 2.5.1
PREREQUISITES
INSTALLATION OF ZEND OPTIMIZER
INSTALLATION OF RADIUS MANAGER
    Follow these installation steps. Execute every action as a superuser (root user):
CONFIGURING MIKROTIK ROUTER
    Setting up Radius authentication and accounting
    Setting up Radius MAC authentication
CONFIGURING RADIUS MANAGER
UPGRADING INSTRUCTIONS
    Upgrading from 1.1.5 to 2.0.0
    Upgrading from 2.0.0 to 2.0.1
    Upgrading from 2.0.1 to 2.0.2
    Upgrading from 2.5.0 to 2.5.1
LEGAL NOTE

© DMA Softlab, 2004 - 2007 Page: 1/14



RADIUS MANAGER 2.5.1

This document describes the installation and configuration procedure of Radius Manager with the
FreeRadius RADIUS server on a Linux machine. It works without modification on Redhat 8, 9 and
Fedora Core 1 – 6. On other Linux distributions you have to adjust some steps, because the paths may vary.

PREREQUISITES

To successfully install Radius Manager, you need the following components installed on your
Linux host:

Required components:

1. MySql database server
2. mysql-devel package
3. php-mysql extension
4. GCC compiler
5. Perl interpreter
6. Zend Optimizer

Optional components:

1. Webmin (http://www.webmin.com)
2. phpMyAdmin (http://www.dmasoftlab.com/downloads)


INSTALLATION OF ZEND OPTIMIZER

Zend Optimizer is used to run the Radius Manager PHP components. The system is compiled
with Zend to achieve the fastest speed and best performance. You can download Zend Optimizer for
your Linux system at the following URLs:

http://www.zend.com
http://www.dmasoftlab.com/downloads

Try to use the newest version for your architecture. On some Linux distributions the newest
version won’t work. In this case try an older version.

After the installation is done, check its functionality from shell:

[root@localhost ~]# php -v
PHP 5.1.2 (cli) (built: Feb 28 2006 06:21:15)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies
with Zend Extension Manager v1.0.10, Copyright (c) 2003-2006, by Zend Technologies
with Zend Optimizer v3.0.1, Copyright (c) 1998-2006, by Zend Technologies

Configure the license file path in /etc/php.ini file:

...

[Zend]
zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.0.1
zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.0.1
zend_optimizer.version=3.0.1
zend_extension=/usr/local/Zend/lib/ZendExtensionManager.so
zend_extension_ts=/usr/local/Zend/lib/ZendExtensionManager_TS.so
zend_optimizer.license_path=/usr/local/Zend/licenses

Put the license file in the license directory. To get the license file, issue the zendid
command:

[root@localhost bin]# /usr/local/Zend/bin/zendid
M:5AKEW-GFZWC-BLSE6-29G2A

Send us the output and we will create a personal license file for you.

When the license file arrives, copy it into the license directory, and restart httpd.


INSTALLATION OF RADIUS MANAGER

Follow these installation steps. Execute every action as a superuser (root user):

1. Download FreeRadius server and phpMyAdmin from the following URL:

http://www.dmasoftlab.com/downloads

2. Build FreeRadius server from sources. Do it in the following way.

Ungzip and untar the FreeRadius archive:

[root@localhost ~]# gzip -d freeradius-1.1.3.tar.gz
[root@localhost ~]# tar xvf freeradius-1.1.3.tar

Create the makefile:

[root@localhost ~]# cd freeradius-1.1.3
[root@localhost ~]# ./configure

Build the system:

[root@localhost ~]# make
[root@localhost ~]# make install

Be sure the mysql-devel package is installed. By default, FreeRadius will be installed in the
/usr/local directory.

3. After installing FreeRadius, You can test it in non-daemon mode:

[root@localhost ~]# radiusd -x
...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

It must answer with Ready to process requests. If not, consult your FreeRadius manual.

4. Add the NAS client(s) to the /usr/local/etc/raddb/clients.conf file:

client 192.168.0.0/16 {
    secret = testing123
    shortname = private-network
}

Every NAS needs a separate record.


5. Edit the /usr/local/etc/raddb/sql.conf file:

# Connect info
server = "localhost"
login = "radius"
password = "radius123"

# Database table configuration
radius_db = "radius"

6. Uncomment the following line in the /usr/local/etc/raddb/sql.conf file:

# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

7. Uncomment the following lines in the /usr/local/etc/raddb/radiusd.conf file:

# See "Authorization Queries" in sql.conf
sql

# See "Accounting queries" in sql.conf
sql

#
# See "Simultaneous Use Checking Querie" in sql.conf
sql

8. Comment out the following line in the /usr/local/etc/raddb/radiusd.conf file:

# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
# radutmp

By uncommenting these lines you enable the use of the MySql database server for accounting
and authorization requests.

9. Insert the following lines into the /usr/local/etc/raddb/users file:

DEFAULT Auth-Type=Local
	Exec-Program-Wait="/usr/local/bin/mtauth.pl %{User-Name} %{Calling-Station-Id}"

Be sure that these lines are the first DEFAULT lines (around line 70 in the users file). The first
character before the "Exec-Program-Wait" tag MUST BE A TAB character!


10. Insert the following lines into the /usr/local/etc/raddb/acct_users file:

DEFAULT Acct-Status-Type == Interim-Update
	Exec-Program = "/usr/local/bin/mtacnt.pl %{Acct-Session-Id}"

DEFAULT Acct-Status-Type == Start
	Exec-Program = "/usr/local/bin/mtacnt.pl %{Acct-Session-Id}"

DEFAULT Acct-Status-Type == Stop
	Exec-Program = "/usr/local/bin/mtacnt.pl %{Acct-Session-Id}"

The first character of each "Exec-Program" line HAS TO BE A TAB character.

11. Create the database for FreeRadius. Use a MySql administration tool. Webmin is
preferred; it’s easy to use and has a graphical interface. Create a database named RADIUS.

12. Create a MySql user for FreeRadius. You can do it with the mysql command or with Webmin.
Webmin is preferred; it’s simpler to use than a command line client. For testing purposes use
the password radius123 for the radius account.


13. Also, don’t forget to define the host permissions. Select all permissions.

14. Create the accounting tables for FreeRadius and the tables for Radius Manager. Execute the
following sql script from your preferred MySql administration tool:

radius-2.5.1.sql

It will create the necessary tables for the Radius server and for Radius Manager (mt_datas).
To manipulate the sql tables, use the phpMyAdmin web interface.

15. Build rootexec executable:

[root@localhost work]# make
gcc -Wall -o rootexec rootexec.c
chmod 4755 rootexec

Copy the final rootexec into

/usr/local/sbin

16. Copy rootexec.rc into /etc.

17. rootexec.rc is the password file for rootexec. Edit the password to fit your needs. This
password has to be the same as the one used in definitions.php:

define("rootexec_psw", "test123");

Only one password line is accepted in rootexec.rc. Protect rootexec.rc so that only the superuser
can view or edit it:

[root@localhost work]# chmod 600 /etc/rootexec.rc

Rootexec is used to manipulate Unix accounts from PHP scripts. For security purposes it
uses a password, so it can’t be executed by just anyone who has PHP scripts on the accounting server.

18. Copy mtauth.pl and mtacnt.pl to

/usr/local/bin

directory. Use command cp or Midnight Commander.

Change the permissions:


[root@localhost work]# chmod 755 /usr/local/bin/mtauth.pl
[root@localhost work]# chmod 755 /usr/local/bin/mtacnt.pl

Edit the database host, database name, database username and database password in the
mtauth.pl and mtacnt.pl scripts. These scripts use the Perl-MySql extension to communicate
with MySql, so install Perl DBI if it is not installed yet.

19. Copy the whole radiusmanager directory into your http root directory.

20. Customize definitions.php:

// database

define("db_host", "localhost"); // database host
define("db_base", "radius"); // database name
define("db_user", "radius"); // database user
define("db_psw", "radius123"); // database password

// system definitions

define("currency", "USD"); // currency
define("unix_account", true); // create unix accounts synchronously
define("disk_quotas", true); // create disk quotas for users
define("template_user", "template"); // disk quota template user name
define("admin_user", "admin"); // name of superuser
define("rootexec_psw", "test123"); // rootexec password
define("rootexec", "/usr/local/sbin/rootexec"); // rootexec with full path
define("nas_secret", "testing123"); // global secret for the Radius client
define("nas_port", "1700"); // global NAS port address
define("radclient", "/usr/local/bin/radclient"); // radclient with full path
define("radclient_count", "10"); // disconnect n simultaneous users
define("no_limit_date", "2020-12-31"); // use this date for non-limited unix accounts

21. Protect definitions.php so that it is readable only by root and Apache:

[root@localhost work]# chown apache.users definitions.php
[root@localhost work]# chmod 600 definitions.php

22. Open a web browser and check the functionality of the administrative interface:

http://yourhost/radiusmanager

Use the following username/password combination:

admin/1234

Log in and try to create new users and managers. The default manager is admin. The default
profile is default.

Test the user’s area, too:

http://yourhost/radiusmanager/userinfo.php

If You have problems logging in, close all browser windows and reopen a new one. Type the
correct username and password combination.
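
The file protections from steps 15, 17 and 21 can be re-checked after installation or after an upgrade. The script below is an added example, not part of the original guide or of Radius Manager; its function names are made up for illustration, and the location of definitions.php under your http root is an assumption you pass in as an argument.

```bash
#!/usr/bin/env bash
# Added example: re-check the protections set in steps 15, 17 and 21.
# All function names are hypothetical; they are not part of Radius Manager.

# Print the nine permission characters of a file, e.g. "rw-------".
perm_string() {
    ls -ld "$1" 2>/dev/null | cut -c2-10
}

# True if the file exists and group/others have no access (as after chmod 600).
is_private() {
    case "$(perm_string "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# True if the file exists and has the setuid bit (as after chmod 4755).
is_setuid() {
    case "$(perm_string "$1")" in
        ??[sS]??????) return 0 ;;
        *)            return 1 ;;
    esac
}

# True if group or others may modify the file.
is_writable_by_others() {
    case "$(perm_string "$1")" in
        ????w????|???????w?) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Usage: audit_install ROOTEXEC ROOTEXEC_RC DEFINITIONS_PHP
# Prints one FAIL line per problem and returns non-zero if any were found.
audit_install() {
    failures=0
    if ! is_setuid "$1"; then
        echo "FAIL: $1 is missing or not setuid"; failures=$((failures + 1))
    fi
    if is_writable_by_others "$1"; then
        echo "FAIL: $1 is writable by group or others"; failures=$((failures + 1))
    fi
    for f in "$2" "$3"; do
        if ! is_private "$f"; then
            echo "FAIL: $f is missing or open to group/others"; failures=$((failures + 1))
        fi
    done
    echo "$failures problem(s) found"
    [ "$failures" -eq 0 ]
}

# Example call with the guide's paths (the http root is an assumption):
# audit_install /usr/local/sbin/rootexec /etc/rootexec.rc /var/www/html/radiusmanager/definitions.php
if [ "$#" -eq 3 ]; then audit_install "$@"; fi
```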


CONFIGURING MIKROTIK ROUTER

Setting up Radius authentication and accounting

To send authentication and accounting requests to the Radius server, you have to configure the
following things in the Mikrotik system. Use Winbox to view and edit the configuration. Follow these
steps:

1. Connect to your Mikrotik router with Winbox.
2. Select Radius from the main menu.
3. Click on the + to create a new radius server description:

Where the fields are:

• Service:
o Hotspot: enable hotspot authentication (username, password, mac)
o Wireless: enable wireless connection authentication from Radius (turn off Default
authenticate for the Hotspot wireless interface, and turn on Radius MAC
authentication for that interface)
o PPP: for PPP connection authentication
o Login: Winbox (telnet, ssh) authentication from Radius
o Telephony: telephony authentication from Radius
• Address is your Radius server's address (Linux/Unix host)
• Secret is from /usr/local/etc/raddb/clients.conf
• Authentication and Accounting ports are the standard Radius ports
• Timeout defines how long to wait for an answer from the Radius server; if you use a
wireless or slower connection to the Radius server, or the accounting tables are large,
set this timeout higher (2000 ms).


4. Set the AAA options for PPPoE and/or VPN server:

Turn on Radius authentication (Use Radius) and Radius accounting (Accounting).

Interim update is the time interval at which the Radius client (Mikrotik or other NAS) sends
accounting information to the Radius server.

5. Set the AAA options and authentication method for Hotspot:

6. Enable incoming Radius requests. This is needed to log off users directly from the Radius
Manager web interface:

Don’t forget to open the UDP port 1700 in firewall on Mikrotik and Linux servers!


Setting up Radius MAC authentication

By default, all client cards can connect to the Mikrotik AP. If you need to filter them and allow
only the registered cards to connect to the SSID, you have to set up Radius MAC authentication in
the Mikrotik AP.

1. Create a security profile using Winbox:

Check the checkbox for RADIUS MAC Authentication.

2. Assign the security profile to the wireless interface:

In this case, when a client tries to connect to the SSID, Mikrotik verifies the client's MAC
address against the one stored in the user profile in Radius Manager. If the MAC can be found there,
Mikrotik allows the connection.


CONFIGURING RADIUS MANAGER

Here are the main configuration entries in definitions.php file:

// database

define("db_host", "localhost"); // database host
define("db_base", "radius"); // database name
define("db_user", "radius"); // database user
define("db_psw", "radius123"); // database password

// system definitions

define("currency", "USD"); // currency
define("unix_account", true); // create unix accounts synchronously
define("disk_quotas", true); // create disk quotas for users
define("template_user", "template"); // disk quota template user name
define("admin_user", "admin"); // name of superuser
define("rootexec_psw", "test123"); // rootexec password
define("rootexec", "/usr/local/sbin/rootexec"); // rootexec with full path
define("nas_secret", "testing123"); // global secret for the Radius client on NAS'es
define("nas_port", "1700"); // global NAS port address
define("radclient", "/usr/local/bin/radclient"); // radclient with full path
define("radclient_count", "10"); // disconnect n simultaneous users
define("no_limit_date", "2020-12-31"); // use this date for non-limited unix accounts

• db_host – MySql database hostname or IP address.
• db_base – MySql database name.
• db_user – MySql database username.
• db_psw – MySql database password.
• currency – The currency shown on various webpages in Radius Manager.
• unix_account – If it is set to true, Radius Manager will handle Radius users synchronously with
Unix accounts. When you create a new Radius user, it will create a local Unix account on the
host where Radius Manager is installed. So, you can set up the user's mailbox, home directory,
webspace and radius account in one step. If you don’t need this feature, simply use false
for the unix_account definition.
• disk_quotas – Set yes to copy the template user’s disk quota to the newly created users.
• template_user – The name of the template disk quota user.
• admin_user – The name of the Radius Manager superuser.
• rootexec_psw – Defines the password for the rootexec program. It has to match the password in
/etc/rootexec.rc
• rootexec – The full path to the rootexec file.
• nas_secret – Secret file which is defined in Mikrotik Radius client.
• nas_port – Mikrotik Radius client UDP port address.
• radclient – Full path to the radclient utility.
• radclient_count – How many simultaneous connections are logged out at the same time.
• no_limit_date – Use this date as the expiry of unlimited Unix accounts.
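
The passwords and shared secret shown above (radius123, test123, testing123) are this guide's sample values, so it is worth confirming that none of them survived into the live configuration. The script below is an added example, not part of the original guide or of Radius Manager; find_sample_secrets is a made-up name, and the file list in its closing comment uses the paths from the installation steps with an assumed http root.

```bash
#!/usr/bin/env bash
# Added example: report the guide's sample secrets left in config files.
# find_sample_secrets is a hypothetical helper, not part of Radius Manager.

# Sample values printed in this guide (clients.conf, sql.conf, definitions.php,
# rootexec.rc). They are documented values, not secrets of any real host.
SAMPLE_SECRETS='testing123 radius123 test123'

# Usage: find_sample_secrets FILE...
# Prints "FILE:LINE: sample secret 'VALUE'" for every hit.
# Returns 0 when no file contains a sample value, 1 otherwise.
find_sample_secrets() {
    found=0
    for file in "$@"; do
        if [ ! -r "$file" ]; then
            echo "skip: cannot read $file" >&2
            continue
        fi
        for secret in $SAMPLE_SECRETS; do
            # -F literal match, -w whole word, -n prefix hits with line number
            for line in $(grep -n -w -F -- "$secret" "$file" | cut -d: -f1); do
                echo "$file:$line: sample secret '$secret'"
                found=1
            done
        done
    done
    [ "$found" -eq 0 ]
}

# Example call (run as root so the 600-mode files are readable):
# find_sample_secrets /usr/local/etc/raddb/clients.conf /usr/local/etc/raddb/sql.conf \
#     /etc/rootexec.rc /var/www/html/radiusmanager/definitions.php
if [ "$#" -gt 0 ]; then find_sample_secrets "$@"; fi
```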


UPGRADING INSTRUCTIONS

Reinstall all the new components. Follow steps 1 – 10 and 15 – 21 of this Radius
Manager installation guide.

Upgrade the SQL tables in the following way:

Upgrading from 1.1.5 to 2.0.0

Upgrade the tables using the update-1.1.5_2.0.sql file. Execute it from PhpMyAdmin or from
any other MySql client.

When it is done, check your userbase. Create profiles and assign them to users. Enjoy!

Upgrading from 2.0.0 to 2.0.1

No SQL modifications needed.

Upgrading from 2.0.1 to 2.0.2

Upgrade the tables using the update-2.0.1_2.0.2.sql file. Execute it from PhpMyAdmin or from
any other MySql client.

Upgrading from 2.5.0 to 2.5.1

Upgrade the tables using the update-2.5.0_2.5.1.sql file. Execute it from phpMyAdmin or from
any other MySql client.

WARNING!

To upgrade from an older version to the newest, you have to execute all the sql update scripts
in the correct sequence. For example, if you upgrade Radius Manager from 1.1.5 to 2.5.0, you have to
execute the scripts in the following order:

1. update-1.1.5_2.0.0.sql
2. update-2.0.1_2.0.2.sql
3. update-2.0.2_2.5.0.sql
4. update-2.5.0_2.5.1.sql

Check and update the old profile settings after the system upgrade.


LEGAL NOTE

Radius Manager is a registered trademark of DMA Softlab.
MikroTik is a registered trademark of MikroTikls corporation.
FreeRadius is released under the GNU General Public License (GPL), which means that it is free to
download and install.
MySql is released under the GNU General Public License (GPL).
