RADIUS Configuration
Configure RADIUS servers for authentication, authorization, and accounting (AAA).
Overview
The radius section configures how AthenaBNG connects to your external RADIUS server for:
- Authentication — Verify subscriber credentials (PPPoE username/password, DHCP MAC)
- Authorization — Assign IP addresses, rates, session timeouts
- Accounting — Track session usage for billing
- Change of Authorization (CoA) — Modify session rates on-the-fly
AthenaBNG is a RADIUS client only. You need to provide your own RADIUS server
(e.g., FreeRADIUS, Cisco ISE, Radiator). Example FreeRADIUS configurations are
available in docs/examples/radius/.
Configuration Options
servers
List of RADIUS servers (required when PPPoE or DHCP is enabled).
radius:
  servers:
    - host: "10.255.0.10"
      port: 1812
      secret: "your-secret"
Server Options
host
RADIUS server IP address or hostname (required).
servers:
  - host: "10.255.0.10"
Type: IPv4 address or hostname
Required: Yes
Constraints: Valid IP or resolvable hostname
port
RADIUS server port (optional).
servers:
  - port: 1812
Type: Integer
Required: No
Default: 1812
Constraints: Valid port number (1-65535)
secret
RADIUS shared secret (required).
servers:
  - secret: "your-secret"
Type: String
Required: Yes
Constraints: Non-empty string (change from default!)
Security: Store the secret in a secure configuration management system.
nas_identifier
NAS (Network Access Server) identifier (required).
radius:
  nas_identifier: "AthenaBNG"
Type: String
Required: Yes
Constraints: 1-64 characters
Purpose: Identifies this BNG to RADIUS servers.
CLI:
abng# set radius nas_identifier "AthenaBNG"
nas_ip_address
NAS IP address for RADIUS (optional).
radius:
  nas_ip_address: "10.255.0.1"
Type: IPv4 address
Required: No
Default: None
Constraints: Valid IPv4 address
Purpose: IP address reported to RADIUS server (for callbacks, etc.).
CLI:
abng# set radius nas_ip_address "10.255.0.1"
coa_enabled
Enable Change of Authorization (optional).
radius:
  coa_enabled: true
Type: Boolean
Required: No
Default: false
Valid values: true, false
Purpose: Listen for RADIUS CoA packets to modify session rates.
CLI:
abng# set radius coa_enabled true
coa_port
CoA listen port (optional).
radius:
  coa_port: 3799
Type: Integer
Required: No
Default: 3799
Constraints: Valid port number (1-65535)
Purpose: UDP port for receiving CoA packets from RADIUS server.
CLI:
abng# set radius coa_port 3799
Example Configurations
Single RADIUS Server
radius:
  servers:
    - host: "10.255.0.10"
      secret: "my-secret"
  nas_identifier: "AthenaBNG"
  nas_ip_address: "10.255.0.1"
  coa_enabled: true
  coa_port: 3799
Multiple RADIUS Servers (Redundancy)
radius:
  servers:
    - host: "10.255.0.10"
      secret: "my-secret"
    - host: "10.255.0.11"
      secret: "my-secret"
  nas_identifier: "AthenaBNG"
  nas_ip_address: "10.255.0.1"
  coa_enabled: true
  coa_port: 3799
RADIUS with Custom Ports
radius:
  servers:
    - host: "10.255.0.10"
      port: 1812
      secret: "my-secret"
    - host: "10.255.0.11"
      port: 1813
      secret: "my-secret"
  nas_identifier: "AthenaBNG"
  nas_ip_address: "10.255.0.1"
Configuration via CLI
Add RADIUS Server
abng> configure
abng# set radius servers[0] host "10.255.0.10"
abng# set radius servers[0] secret "my-secret"
abng# commit
Set NAS Identifier
abng# set radius nas_identifier "AthenaBNG"
abng# commit
Enable CoA
abng# set radius coa_enabled true
abng# set radius coa_port 3799
abng# commit
Verification
View RADIUS Configuration
abng> show configuration | match "^radius:"
radius:
  servers:
    - host: 10.255.0.10
      port: 1812
      secret: my-secret
  nas_identifier: AthenaBNG
  nas_ip_address: 10.255.0.1
  coa_enabled: true
  coa_port: 3799
Test RADIUS Authentication
Use radclient or radtest from the BNG to verify your RADIUS server:
radtest testuser testpass 10.255.0.10 1812 my-secret
Expected output for a successful authentication:
Received Access-Accept Id 42 from 10.255.0.10:1812
Framed-IP-Address = 203.0.113.100
Framed-IP-Netmask = 255.255.255.255
Athena-Rate-Down = "100mbit"
Athena-Rate-Up = "40mbit"
Check RADIUS Logs
sudo journalctl -u abngd -f | grep -i radius
RADIUS Attributes
Authentication (Access-Request)
| Attribute | Value | Purpose |
|---|---|---|
| User-Name | username or MAC | Subscriber identifier |
| User-Password | password | Subscriber password (PAP) |
| NAS-Identifier | nas_identifier | BNG identifier |
| NAS-IP-Address | nas_ip_address | BNG IP address |
| NAS-Port-Id | interface name | Circuit ID |
| Calling-Station-Id | MAC address | Subscriber MAC |
Authorization (Access-Accept)
| Attribute | Value | Purpose |
|---|---|---|
| Framed-IP-Address | IP address | Assigned IP |
| Framed-IP-Netmask | netmask | Subnet mask |
| Session-Timeout | seconds | Session timeout |
| Athena-Rate-Down | bandwidth | Download rate (Athena VSA) |
| Athena-Rate-Up | bandwidth | Upload rate (Athena VSA) |
Accounting (Accounting-Request)
| Attribute | Value | Purpose |
|---|---|---|
| Acct-Session-Id | session ID | Unique session ID |
| Acct-Status-Type | Start/Stop/Interim | Session event |
| Acct-Input-Octets | bytes | Bytes received |
| Acct-Output-Octets | bytes | Bytes sent |
| Acct-Session-Time | seconds | Session duration |
Change of Authorization (CoA-Request)
| Attribute | Value | Purpose |
|---|---|---|
| Acct-Session-Id | session ID | Session to modify |
| Athena-Rate-Down | bandwidth | New download rate |
| Athena-Rate-Up | bandwidth | New upload rate |
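Why the shared secret matters for CoA: per RFC 5176, a CoA-Request is authenticated only by an MD5 digest over the packet and the shared secret. The Python below is an added example, not AthenaBNG code; it builds and verifies a request carrying Acct-Session-Id. The secret and session ID are constructed, and the Athena rate VSAs are omitted because their vendor ID is not given on this page.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43       # RFC 5176 packet code
ACCT_SESSION_ID = 44   # RFC 2866 attribute type

def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_coa_request(ident, session_id, secret):
    """The packet a RADIUS server would send to coa_port (UDP 3799 by default)."""
    value = session_id.encode()
    attrs = struct.pack("!BB", ACCT_SESSION_ID, 2 + len(value)) + value
    auth = request_authenticator(COA_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def verify_coa_request(packet, secret):
    """Return the Acct-Session-Id if the packet authenticates, else None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length < 20 or length > len(packet):
        return None
    packet = packet[:length]
    expected = request_authenticator(code, ident, packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                 # wrong secret or modified attributes
    pos = 20
    while pos + 2 <= length:        # walk the type-length-value attributes
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None             # malformed attribute
        if atype == ACCT_SESSION_ID:
            return packet[pos + 2:pos + alen].decode(errors="replace")
        pos += alen
    return None

# Constructed sample values, not taken from a real deployment.
SECRET = b"constructed-example-secret"
PACKET = build_coa_request(7, "sess-0001", SECRET)
```

A valid authenticator proves knowledge of the shared secret and nothing else, so any host that holds the secret and can reach `coa_port` can change session rates.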
Validation Rules
| Field | Validation |
|---|---|
| servers[].host | Valid IPv4 address or hostname |
| servers[].port | Integer 1-65535 |
| servers[].secret | Non-empty string |
| nas_identifier | 1-64 characters |
| nas_ip_address | Valid IPv4 address |
| coa_enabled | Boolean |
| coa_port | Integer 1-65535 |
Best Practices
- Shared Secret — Use strong, unique secrets for each server
- Multiple Servers — Configure redundant RADIUS servers
- NAS Identifier — Use a descriptive identifier (e.g., "BNG-Brisbane-01")
- NAS IP — Use a stable IP (management interface or loopback)
- CoA — Enable for dynamic rate changes
- Timeouts — Configure appropriate timeouts on the RADIUS server
- Accounting — Enable accounting for billing and auditing
- Security — Protect RADIUS shared secrets in configuration management
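The validation rules and the shared-secret best practice above can be checked before a commit. This Python linter is an added example, not AthenaBNG code; it assumes the `radius` section is already parsed into a dict, treats this page's sample secrets as placeholders, and checks hostnames by syntax only, without a DNS lookup.

```python
import ipaddress
import re

# Secrets used as placeholders in this page's examples; never deploy them.
PLACEHOLDER_SECRETS = {"your-secret", "my-secret"}
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")

def _port_ok(p):
    return isinstance(p, int) and not isinstance(p, bool) and 1 <= p <= 65535

def _ipv4_ok(s):
    try:
        ipaddress.IPv4Address(s if isinstance(s, str) else "")
        return True
    except ValueError:
        return False

def lint_radius(radius):
    """Return (severity, message) findings for a parsed `radius` section."""
    out, seen = [], {}
    def check(ok, severity, message):
        if not ok:
            out.append((severity, message))
    servers = radius.get("servers") or []
    check(servers, "error", "servers: required when PPPoE or DHCP is enabled")
    for i, srv in enumerate(servers):
        host, secret, p = srv.get("host"), srv.get("secret"), f"servers[{i}]"
        check(isinstance(host, str) and HOSTNAME_RE.match(host), "error",
              f"{p}.host: not an IPv4 address or hostname")
        check(_port_ok(srv.get("port", 1812)), "error", f"{p}.port: must be 1-65535")
        if not (isinstance(secret, str) and secret):
            check(False, "error", f"{p}.secret: must be a non-empty string")
            continue
        check(secret not in PLACEHOLDER_SECRETS, "warn", f"{p}.secret: documentation placeholder")
        check(secret not in seen, "warn", f"{p}.secret: reused from servers[{seen.get(secret)}]")
        seen.setdefault(secret, i)
    nas_id, nas_ip = radius.get("nas_identifier"), radius.get("nas_ip_address")
    check(isinstance(nas_id, str) and 1 <= len(nas_id) <= 64, "error",
          "nas_identifier: required, 1-64 characters")
    check(nas_ip is None or _ipv4_ok(nas_ip), "error", "nas_ip_address: not a valid IPv4 address")
    check(isinstance(radius.get("coa_enabled", False), bool), "error", "coa_enabled: must be a boolean")
    check(_port_ok(radius.get("coa_port", 3799)), "error", "coa_port: must be 1-65535")
    return out

# Constructed input: the "Multiple RADIUS Servers" example from this page.
SAMPLE = {"servers": [{"host": "10.255.0.10", "secret": "my-secret"},
                      {"host": "10.255.0.11", "secret": "my-secret"}],
          "nas_identifier": "AthenaBNG", "nas_ip_address": "10.255.0.1",
          "coa_enabled": True, "coa_port": 3799}
print(*lint_radius(SAMPLE), sep="\n")
```

Run against the page's redundancy example, it reports no errors but three warnings: a placeholder secret on each server and the same secret reused on the second.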
Troubleshooting
RADIUS Authentication Fails
Error: RADIUS authentication failed for user1
Solutions:
- Check RADIUS server is running:
  ping 10.255.0.10
- Test with RADIUS client:
  radtest testuser testpass 10.255.0.10 1812 my-secret
- Check shared secret matches
- Check RADIUS logs on server
- Check firewall allows UDP 1812
CoA Not Working
Error: CoA request rejected
Solutions:
- Check CoA is enabled:
  show configuration | match coa_enabled
- Check CoA port is correct:
  show configuration | match coa_port
- Check RADIUS server sends CoA to correct port
- Check firewall allows UDP 3799
- Check abngd logs:
  journalctl -u abngd -f
Sessions Not Getting RADIUS Attributes
- Check RADIUS returns attributes:
  radtest testuser testpass 10.255.0.10 1812 my-secret
- Check attribute names match (case-sensitive)
- Check Athena VSAs are installed on RADIUS server
- Check abngd logs:
  journalctl -u abngd -f
Next Steps
- QoS Configuration — CAKE traffic shaping
- PPPoE Configuration — PPPoE server settings
- DHCP Configuration — DHCP/IPoE server settings
- Configuration Overview — All configuration sections