RADIUS AAA
RADIUS authentication, authorization, and accounting integration.
Overview
AthenaBNG integrates with your existing RADIUS server for:
- Authentication — Verify subscriber credentials
- Authorization — Assign IP addresses, rates, session timeouts
- Accounting — Track session usage for billing
- Change of Authorization (CoA) — Modify session rates on-the-fly
Note: AthenaBNG is a RADIUS client, not a RADIUS server. You need to bring your own
RADIUS server (e.g., FreeRADIUS, Cisco ISE, Radiator). Example FreeRADIUS
configurations are provided in docs/examples/radius/.
Authentication
PPPoE Authentication
RADIUS Access-Request:
- User-Name — Subscriber username
- User-Password — Subscriber password (PAP)
- NAS-Identifier — BNG identifier
- NAS-Port-Id — VLAN interface name (Circuit ID)
DHCP/IPoE Authentication
RADIUS Access-Request:
- User-Name — MAC address
- Calling-Station-Id — MAC address
- NAS-Port-Id — Circuit ID (VLAN interface name)
- NAS-Identifier — BNG identifier
Authorization
RADIUS Access-Accept attributes:
- Framed-IP-Address — Assigned IP address
- Framed-IP-Netmask — Subnet mask
- Session-Timeout — Session timeout in seconds
- Athena-Rate-Down — Download rate (Athena VSA)
- Athena-Rate-Up — Upload rate (Athena VSA)
- Athena-CGNAT-Bypass — Bypass CGNAT (Athena VSA)
Accounting
RADIUS Accounting-Request:
- Acct-Session-Id — Session ID
- Acct-Status-Type — Start, Stop, or Interim-Update
- Acct-Input-Octets — Bytes received
- Acct-Output-Octets — Bytes sent
- Acct-Session-Time — Session duration in seconds
Change of Authorization (CoA)
Your RADIUS server can modify session rates dynamically:
Acct-Session-Id = "abng-1709312400-1"
Athena-Rate-Down = "25mbit"
Athena-Rate-Up = "10mbit"
abngd receives CoA and:
- Looks up session by Acct-Session-Id
- Updates session rates
- Applies new rates to CAKE qdisc (no packet loss)
- Sends CoA-ACK to RADIUS server
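The check that has to come before the session lookup is packet authenticity. As an added example (not AthenaBNG's own code), this Python block verifies the RFC 5176 Request Authenticator on a CoA-Request and builds the signed CoA-ACK or CoA-NAK. It assumes only the standard Acct-Session-Id attribute; the Athena VSAs are left out because their vendor ID is not given on this page, and the function names and secret are constructed.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # RFC 5176 packet codes
ACCT_SESSION_ID, ERROR_CAUSE, SESSION_NOT_FOUND = 44, 101, 503  # attr types, Error-Cause value

def encode_attrs(attrs):  # (type, value-bytes) pairs -> RADIUS TLVs
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def build_coa_request(ident, attrs, secret):
    """RADIUS-server side: authenticator = MD5(header + 16 zero octets + attrs + secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body

def verify_coa_request(pkt, secret):
    """NAS side: return the attribute list, or raise ValueError if the packet is not authentic."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if code != COA_REQUEST or not 20 <= length <= len(pkt):
        raise ValueError("bad header")
    pkt = pkt[:length]  # octets beyond Length are padding
    want = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(want, pkt[4:20]):
        raise ValueError("bad authenticator")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return attrs

def handle_coa(pkt, secret, sessions):
    """Return signed CoA-ACK/CoA-NAK bytes, or None when the packet must be dropped."""
    try:
        attrs = dict(verify_coa_request(pkt, secret))
    except ValueError:
        return None  # unauthenticated or malformed: no reply, no session change
    known = attrs.get(ACCT_SESSION_ID, b"").decode("utf-8", "replace") in sessions
    body = b"" if known else encode_attrs([(ERROR_CAUSE, struct.pack("!I", SESSION_NOT_FOUND))])
    hdr = struct.pack("!BBH", COA_ACK if known else COA_NAK, pkt[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + pkt[4:20] + body + secret).digest() + body

if __name__ == "__main__":  # constructed sample values, not from a real deployment
    req = build_coa_request(7, [(ACCT_SESSION_ID, b"abng-1709312400-1")], b"constructed-secret")
    print(handle_coa(req, b"constructed-secret", {"abng-1709312400-1"}).hex())
```

The authenticator alone does not stop a captured CoA-Request from being replayed; RFC 5176 recommends the Event-Timestamp attribute for that, which this example does not implement.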
Configuration
radius:
  servers:
    - host: "10.255.0.10"
      port: 1812
      secret: "your-secret"
  nas_identifier: "AthenaBNG"
  nas_ip_address: "10.255.0.1"
  coa_enabled: true
  coa_port: 3799
See RADIUS Configuration for all options.
FreeRADIUS Setup
Example configurations for FreeRADIUS are provided in docs/examples/radius/:
| File | Description |
|---|---|
| clients.conf | Define the BNG as a RADIUS client |
| users | Flat-file subscriber database (testing / small deployments) |
| authorize | Default site authorize section |
| sql-schema.sql | PostgreSQL schema for SQL-backed deployments |
See the example README for quick-start instructions.
Dictionary Installation
Install the Athena VSA dictionary on your RADIUS server:
sudo cp /opt/athena-bng/config/dictionary.athena /etc/freeradius/3.0/
echo '$INCLUDE dictionary.athena' | sudo tee -a /etc/freeradius/3.0/dictionary
Testing
Test with radclient
echo "User-Name = user1, User-Password = password123" | \
radclient -x 10.255.0.10:1812 auth YourRadiusSecret
Send a CoA
echo "Acct-Session-Id = 'abng-1709312400-42', Athena-Rate-Down = '200mbit', Athena-Rate-Up = '80mbit'" | \
radclient -x 10.255.0.1:3799 coa YourCoaSecret
Monitoring
Check RADIUS Logs
sudo journalctl -u abngd -f | grep -i radius
Troubleshooting
RADIUS Authentication Fails
- Check RADIUS server is running:
  ping 10.255.0.10
- Test with RADIUS client:
  radtest testuser testpass 10.255.0.10 1812 my-secret
- Check shared secret matches in both clients.conf and AthenaBNG config
- Check RADIUS logs on server
- Check firewall allows UDP 1812
CoA Not Working
- Check CoA is enabled:
  show configuration | match coa_enabled
- Check CoA port is correct:
  show configuration | match coa_port
- Check RADIUS server sends CoA to correct port
- Check firewall allows UDP 3799
- Check abngd logs:
  journalctl -u abngd -f
Sessions Not Getting RADIUS Attributes
- Test RADIUS returns attributes:
  radtest testuser testpass 10.255.0.10 1812 secret
- Check attribute names match (case-sensitive)
- Check Athena VSAs are installed on RADIUS server
- Check abngd logs:
  journalctl -u abngd -f
Best Practices
- Shared Secret — Use strong, unique secrets for each server
- Multiple Servers — Configure redundant RADIUS servers
- NAS Identifier — Use descriptive identifier (e.g., "BNG-Brisbane-01")
- NAS IP — Use a stable IP (management interface or loopback)
- CoA — Enable for dynamic rate changes
- Timeouts — Configure appropriate timeouts in RADIUS server
- Accounting — Enable accounting for billing and auditing
- Security — Protect RADIUS shared secrets in configuration management
Next Steps
- RADIUS Attributes Reference — Full attribute reference
- Monitoring — Prometheus and syslog
- Features Overview — All features