https://it-arts.net/index.php?action=history&feed=atom&title=DALORADIUS_-_Documentation
DALORADIUS - Documentation - Revision history
2026-05-02T18:41:21Z
Revision history for this page on the wiki
MediaWiki 1.44.2
https://it-arts.net/index.php?title=DALORADIUS_-_Documentation&diff=918&oldid=prev
Admin: Text replacement - "Category:Wiki" to "Category:Wiki
'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''
"
2026-01-17T07:09:54Z
<p>Text replacement - "<a href="/index.php/Category:Wiki" title="Category:Wiki">Category:Wiki</a>" to "<a href="/index.php/Category:Wiki" title="Category:Wiki">Category:Wiki</a> '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:09, 17 January 2026</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>[[Category:Wiki]]</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>[[Category:Wiki]]</div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== System Architecture and Data Flow ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== System Architecture and Data Flow ==</div></td></tr>
</table>
Admin
https://it-arts.net/index.php?title=DALORADIUS_-_Documentation&diff=721&oldid=prev
Admin: Created page with "Category:Wiki == System Architecture and Data Flow == daloradius operates as a management abstraction layer above FreeRADIUS, relying entirely on SQL-backed authorization and accounting. === Request Lifecycle === # NAS sends Access-Request # FreeRADIUS preprocesses packet # SQL authorization module queries radcheck and radreply # Group resolution via radusergroup # radgroupcheck and radgroupreply merged by priority # Reply attributes returned to NAS # Accounting p..."
2025-12-20T16:54:05Z
<p>Created page with "<a href="/index.php/Category:Wiki" title="Category:Wiki">Category:Wiki</a> == System Architecture and Data Flow == daloradius operates as a management abstraction layer above FreeRADIUS, relying entirely on SQL-backed authorization and accounting. === Request Lifecycle === # NAS sends Access-Request # FreeRADIUS preprocesses packet # SQL authorization module queries radcheck and radreply # Group resolution via radusergroup # radgroupcheck and radgroupreply merged by priority # Reply attributes returned to NAS # Accounting p..."</p>
<p><b>New page</b></p><div>[[Category:Wiki]]<br />
<br />
== System Architecture and Data Flow ==<br />
<br />
daloradius operates as a management abstraction layer above FreeRADIUS, relying entirely on SQL-backed authorization and accounting.<br />
<br />
=== Request Lifecycle ===<br />
# NAS sends Access-Request<br />
# FreeRADIUS preprocesses packet<br />
# SQL authorization module queries radcheck and radreply<br />
# Group resolution via radusergroup<br />
# radgroupcheck and radgroupreply merged by priority<br />
# Reply attributes returned to NAS<br />
# Accounting packets written to radacct<br />
<br />
=== Accounting Lifecycle ===<br />
* Start packet creates radacct row<br />
* Interim-Update updates counters<br />
* Stop packet closes session<br />
<br />
== Database Design and Integrity ==<br />
<br />
=== Attribute Evaluation Order ===<br />
# radcheck<br />
# radgroupcheck (ascending priority)<br />
# radreply<br />
# radgroupreply<br />
<br />
Incorrect priority configuration is a common cause of unexpected behavior.<br />
<br />
=== Mandatory Indexes ===<br />
Large installations must ensure indexes exist:<br />
<br />
<pre><br />
CREATE INDEX idx_radacct_user ON radacct (username);<br />
CREATE INDEX idx_radacct_stop ON radacct (acctstoptime);<br />
CREATE INDEX idx_radcheck_user ON radcheck (username);<br />
</pre><br />
<br />
=== Orphaned Sessions Detection ===<br />
<pre><br />
SELECT radacctid, username<br />
FROM radacct<br />
WHERE acctstoptime IS NULL<br />
AND acctstarttime < NOW() - INTERVAL 1 DAY;<br />
</pre><br />
<br />
== Advanced User Policy Modeling ==<br />
<br />
=== Layered Policy Strategy ===<br />
* User-level: credentials only<br />
* Group-level: bandwidth, access rules<br />
* NAS-level: vendor attributes<br />
* Time-based: expiration and session limits<br />
<br />
=== Simultaneous-Use Enforcement ===<br />
<pre><br />
INSERT INTO radcheck (username, attribute, op, value)<br />
VALUES ('user1', 'Simultaneous-Use', ':=', '1');<br />
</pre><br />
<br />
=== Session Timeout Control ===<br />
<pre><br />
INSERT INTO radgroupreply (groupname, attribute, op, value)<br />
VALUES ('standard_users', 'Session-Timeout', ':=', '3600');<br />
</pre><br />
<br />
== Vendor-Specific Attribute Management ==<br />
<br />
=== MikroTik Rate Limits ===<br />
<pre><br />
INSERT INTO radgroupreply (groupname, attribute, op, value)<br />
VALUES ('gold', 'Mikrotik-Rate-Limit', ':=', '10M/10M');<br />
</pre><br />
<br />
=== Cisco AVPairs ===<br />
<pre><br />
INSERT INTO radreply (username, attribute, op, value)<br />
VALUES ('user1', 'Cisco-AVPair', ':=', 'ip:addr-pool=POOL1');<br />
</pre><br />
<br />
=== Dictionary Handling ===<br />
Vendor dictionaries must be loaded in FreeRADIUS, not daloradius.<br />
<br />
== Authentication Security Models ==<br />
<br />
=== Password Storage ===<br />
* Cleartext-Password: maximum compatibility<br />
* NT-Password: MS-CHAPv2<br />
* Avoid User-Password storage<br />
<br />
=== Enforcing Encrypted Authentication ===<br />
Disable PAP where possible in FreeRADIUS configuration.<br />
<br />
=== Replay Protection ===<br />
* Enable Message-Authenticator<br />
* Reject malformed packets<br />
* Use unique shared secrets per NAS<br />
<br />
== Web Interface Security and Role Separation ==<br />
<br />
=== Operator Roles ===<br />
* Super Administrator<br />
* Administrator<br />
* Operator<br />
* Read-only<br />
<br />
Never use the same operator account for automation and humans.<br />
<br />
=== Session Security ===<br />
* Enforce HTTPS<br />
* Disable PHP error display<br />
* Secure cookies<br />
<br />
=== File Permissions ===<br />
<nowiki><br />
chown -R www-data:www-data daloradius/<br />
chmod -R 750 daloradius/</nowiki><br />
<br />
== Database Security and Access Control ==<br />
<br />
=== SQL User Separation ===<br />
* radius_rw: operational access<br />
* radius_ro: reporting<br />
* radius_backup: dump only<br />
<br />
=== Credential Rotation ===<br />
Automate credential rotation every 90 days.<br />
<br />
== Performance Optimization and Scaling ==<br />
<br />
=== High-Load Patterns ===<br />
* Accounting-heavy workloads<br />
* PPPoE reconnect storms<br />
* Interim-Update flooding<br />
<br />
=== Recommended Mitigations ===<br />
* Increase SQL connection pool<br />
* Enable query caching<br />
* Partition radacct table<br />
<br />
=== radacct Partitioning Example ===<br />
<pre><br />
PARTITION BY RANGE (YEAR(acctstarttime));<br />
</pre><br />
<br />
== Automation and External Integration ==<br />
<br />
=== API-less Automation ===<br />
daloradius relies on direct SQL manipulation.<br />
<br />
=== Example: Bulk User Creation ===<br />
<pre><br />
INSERT INTO radcheck (username, attribute, op, value)<br />
SELECT username, 'Cleartext-Password', ':=', password<br />
FROM import_users;<br />
</pre><br />
<br />
=== Monitoring Integration ===<br />
Monitor:<br />
* radacct growth<br />
* authentication failures<br />
* response latency<br />
<br />
== Backup, Recovery, and Data Consistency ==<br />
<br />
=== Consistent Backup ===<br />
<nowiki><br />
mysqldump --single-transaction -u radius -p radius > radius.sql</nowiki><br />
<br />
=== Restore Validation ===<br />
Verify radcheck, radreply, radusergroup integrity post-restore.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Authentication Rejected ===<br />
* Shared secret mismatch<br />
* Missing Cleartext-Password<br />
* Group priority override<br />
<br />
<nowiki><br />
freeradius -X</nowiki><br />
<br />
=== Accounting Sessions Stuck ===<br />
* NAS reboot without Stop packet<br />
* Interim-Update disabled<br />
* Clock drift between NAS and server<br />
<br />
=== daloradius UI Errors ===<br />
* PHP version mismatch<br />
* Missing SQL privileges<br />
* Incorrect config.inc.php<br />
<br />
=== Performance Degradation ===<br />
* radacct table too large<br />
* No indexes<br />
* Excessive logging<br />
<br />
== Useful Links ==<br />
<br />
* daloradius GitHub <br />
https://github.com/lirantal/daloradius<br />
<br />
* daloradius Wiki <br />
https://github.com/lirantal/daloradius/wiki<br />
<br />
* FreeRADIUS Official Documentation <br />
https://wiki.freeradius.org<br />
<br />
* FreeRADIUS SQL Module <br />
https://wiki.freeradius.org/guide/SQL-HOWTO<br />
<br />
* RFC 2865 – RADIUS <br />
https://datatracker.ietf.org/doc/html/rfc2865<br />
<br />
* RFC 2866 – RADIUS Accounting <br />
https://datatracker.ietf.org/doc/html/rfc2866</div>
Admin