DALORADIUS - Documentation

From IT-Arts.net
Latest revision as of 07:09, 17 January 2026


System Architecture and Data Flow

daloradius operates as a management abstraction layer above FreeRADIUS, relying entirely on SQL-backed authorization and accounting.

Request Lifecycle

  1. NAS sends Access-Request
  2. FreeRADIUS preprocesses packet
  3. SQL authorization module queries radcheck and radreply
  4. Group resolution via radusergroup
  5. radgroupcheck and radgroupreply merged by priority
  6. Reply attributes returned to NAS
  7. Accounting packets written to radacct

Accounting Lifecycle

  • Start packet creates radacct row
  • Interim-Update updates counters
  • Stop packet closes session

Database Design and Integrity

Attribute Evaluation Order

  1. radcheck
  2. radgroupcheck (ascending priority)
  3. radreply
  4. radgroupreply

Incorrect priority configuration is a common cause of unexpected behavior.
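
The following Python model is an added illustration, not code from daloradius or FreeRADIUS: it resolves a user's reply attributes from the four tables above in a throwaway SQLite database, so the effect of a wrong radusergroup priority can be seen directly. Assumptions (a simplified reading of rlm_sql): ':=' overwrites, '=' sets only when absent, '==' check items must equal the request attribute, groups are evaluated in ascending priority, and evaluation stops at the first matching group unless its reply carries Fall-Through := Yes; every row is constructed.

```python
import sqlite3

SCHEMA = """CREATE TABLE radcheck (username, attribute, op, value);
CREATE TABLE radreply (username, attribute, op, value);
CREATE TABLE radusergroup (username, groupname, priority);
CREATE TABLE radgroupcheck (groupname, attribute, op, value);
CREATE TABLE radgroupreply (groupname, attribute, op, value);"""

def build_db(gold_priority, standard_priority):
    """Constructed sample: user1 is in 'gold' (wired ports only) and 'standard_users'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO radcheck VALUES ('user1', 'Cleartext-Password', ':=', 's3cret')")
    conn.executemany("INSERT INTO radusergroup VALUES (?, ?, ?)",
                     [("user1", "gold", gold_priority), ("user1", "standard_users", standard_priority)])
    conn.execute("INSERT INTO radgroupcheck VALUES ('gold', 'NAS-Port-Type', '==', 'Ethernet')")
    conn.executemany("INSERT INTO radgroupreply VALUES (?, ?, ?, ?)", [
        ("gold", "Mikrotik-Rate-Limit", ":=", "10M/10M"), ("gold", "Session-Timeout", ":=", "86400"),
        ("standard_users", "Mikrotik-Rate-Limit", ":=", "2M/2M"),
        ("standard_users", "Session-Timeout", ":=", "3600")])
    return conn

def rows(conn, table, key, name):            # table/key are fixed internal names, never user input
    return conn.execute(f"SELECT attribute, op, value FROM {table} WHERE {key} = ?", (name,)).fetchall()

def checks_pass(check_rows, request):
    """'==' items must equal the request attribute; ':=' items (e.g. Cleartext-Password) are control items."""
    return all(request.get(a) == v for a, op, v in check_rows if op == "==")

def merge(reply, reply_rows):
    for attr, op, val in reply_rows:
        if op == ":=" or (op == "=" and attr not in reply):
            reply[attr] = val

def resolve(conn, username, request):
    """Reply attributes for username, or None when its radcheck items reject the request."""
    if not checks_pass(rows(conn, "radcheck", "username", username), request):
        return None
    reply = {}
    merge(reply, rows(conn, "radreply", "username", username))
    groups = conn.execute("SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
                          (username,)).fetchall()
    for (group,) in groups:
        if not checks_pass(rows(conn, "radgroupcheck", "groupname", group), request):
            continue                      # group does not apply to this request
        greply = rows(conn, "radgroupreply", "groupname", group)
        merge(reply, [r for r in greply if r[0] != "Fall-Through"])
        if not any(a == "Fall-Through" and v.lower() == "yes" for a, _, v in greply):
            break                         # first matching group wins; later groups are ignored
    return reply
```

With gold at priority 1 a wired user gets 10M/10M and 86400; swap the two priorities and standard_users wins every time, because gold is never consulted.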

Mandatory Indexes

Large installations must ensure indexes exist:

CREATE INDEX idx_radacct_user ON radacct (username);
CREATE INDEX idx_radacct_stop ON radacct (acctstoptime);
CREATE INDEX idx_radcheck_user ON radcheck (username);

Orphaned Sessions Detection

SELECT radacctid, username
FROM radacct
WHERE acctstoptime IS NULL
AND acctstarttime < NOW() - INTERVAL 1 DAY;

Advanced User Policy Modeling

Layered Policy Strategy

  • User-level: credentials only
  • Group-level: bandwidth, access rules
  • NAS-level: vendor attributes
  • Time-based: expiration and session limits

Simultaneous-Use Enforcement

INSERT INTO radcheck (username, attribute, op, value)
VALUES ('user1', 'Simultaneous-Use', ':=', '1');

Session Timeout Control

INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('standard_users', 'Session-Timeout', ':=', '3600');

Vendor-Specific Attribute Management

MikroTik Rate Limits

INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('gold', 'Mikrotik-Rate-Limit', ':=', '10M/10M');

Cisco AVPairs

INSERT INTO radreply (username, attribute, op, value)
VALUES ('user1', 'Cisco-AVPair', ':=', 'ip:addr-pool=POOL1');

Dictionary Handling

Vendor dictionaries must be loaded in FreeRADIUS, not daloradius.

Authentication Security Models

Password Storage

  • Cleartext-Password: maximum compatibility
  • NT-Password: MS-CHAPv2
  • Avoid User-Password storage

Enforcing Encrypted Authentication

Disable PAP where possible in FreeRADIUS configuration.

Replay Protection

  • Enable Message-Authenticator
  • Reject malformed packets
  • Use unique shared secrets per NAS
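
As an added example (not code from daloradius or FreeRADIUS), the Python below builds a constructed Access-Request carrying a Message-Authenticator (RFC 2869, HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed) and then performs the server-side check that ties the three bullets together: a per-NAS secret lookup, rejection of malformed packets, and rejection of any packet whose Message-Authenticator is absent or does not verify. The client names, secrets and request authenticator are all constructed.

```python
import hashlib, hmac, struct

ACCESS_REQUEST = 1
USER_NAME, NAS_PORT_TYPE, MSG_AUTH = 1, 61, 80   # attribute types (RFC 2865 / RFC 2869)

def build_access_request(secret, ident, authenticator, attrs):
    """Encode an Access-Request whose last attribute is a valid Message-Authenticator.
    The HMAC-MD5 key is the shared secret; the MAC covers the whole packet with the
    Message-Authenticator value zeroed, which is how a NAS must compute it."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MSG_AUTH, 18) + bytes(16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(secret, pkt):
    """True only if pkt is well-formed and carries a Message-Authenticator that
    validates under secret. Malformed packets and packets without the attribute
    count as failures, i.e. the server should reject them."""
    if len(pkt) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False                                # length field must match the datagram
    pos = 20
    while pos + 2 <= length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            return False                            # truncated or bogus attribute
        if t == MSG_AUTH and l == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += l
    return False                                    # attribute absent

# Constructed sample: one secret per NAS, and a request from "nas1"
NAS_SECRETS = {"nas1": b"secret-for-nas1", "nas2": b"secret-for-nas2"}
SAMPLE_AUTH = bytes(range(16))          # constructed; a real NAS sends 16 random bytes
SAMPLE_PKT = build_access_request(NAS_SECRETS["nas1"], 7, SAMPLE_AUTH,
                                  [(USER_NAME, b"user1"), (NAS_PORT_TYPE, struct.pack("!I", 15))])

def accept_from(client, pkt):
    """Server-side check: look up the per-NAS secret and verify the packet under it."""
    secret = NAS_SECRETS.get(client)
    return secret is not None and verify_message_authenticator(secret, pkt)
```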

Web Interface Security and Role Separation

Operator Roles

  • Super Administrator
  • Administrator
  • Operator
  • Read-only

Never use the same operator account for automation and humans.

Session Security

  • Enforce HTTPS
  • Disable PHP error display
  • Secure cookies

File Permissions

chown -R www-data:www-data daloradius/
chmod -R 750 daloradius/

Database Security and Access Control

SQL User Separation

  • radius_rw: operational access
  • radius_ro: reporting
  • radius_backup: dump only

Credential Rotation

Automate credential rotation every 90 days.

Performance Optimization and Scaling

High-Load Patterns

  • Accounting-heavy workloads
  • PPPoE reconnect storms
  • Interim-Update flooding

Mitigations

  • Increase SQL connection pool
  • Enable query caching
  • Partition radacct table

radacct Partitioning Example

ALTER TABLE radacct PARTITION BY RANGE (YEAR(acctstarttime))
  (PARTITION p2025 VALUES LESS THAN (2026), PARTITION pmax VALUES LESS THAN MAXVALUE);

MySQL only accepts this if every unique key, including the primary key on radacctid, contains the partitioning column, so the primary key must first be extended to (radacctid, acctstarttime). Add the next year's partition before that year begins; otherwise new rows land in pmax and have to be reorganized later.

Automation and External Integration

API-less Automation

daloradius exposes no automation API; integrations work by manipulating the RADIUS tables directly with SQL.

Example: Bulk User Creation

INSERT INTO radcheck (username, attribute, op, value)
SELECT username, 'Cleartext-Password', ':=', password
FROM import_users;

Monitoring Integration

Monitor:

  • radacct growth
  • authentication failures
  • response latency
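
For the second item, an added example (not part of daloradius or this page): a small detector that parses FreeRADIUS auth-log lines and raises one alert per NAS/user pair that accumulates a burst of rejects inside a sliding window. The log lines are constructed in the style of the auth log (log { auth = yes } in radiusd.conf); the exact line layout, the threshold and the window size are assumptions to adjust for a real deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, written in the style of the FreeRADIUS auth log (log { auth = yes } in radiusd.conf)
SAMPLE_LOG = """\
Thu Jan 15 10:00:01 2026 : Auth: (1) Login OK: [alice] (from client nas1 port 3)
Thu Jan 15 10:00:05 2026 : Auth: (2) Login incorrect (pap: Cleartext password does not match "known good" password): [bob] (from client nas1 port 4)
Thu Jan 15 10:00:07 2026 : Auth: (3) Login incorrect (pap: Cleartext password does not match "known good" password): [bob] (from client nas1 port 4)
Thu Jan 15 10:00:09 2026 : Auth: (4) Login incorrect (pap: Cleartext password does not match "known good" password): [bob/<via Auth-Type = PAP>] (from client nas1 port 4)
Thu Jan 15 10:00:12 2026 : Auth: (5) Login incorrect (pap: Cleartext password does not match "known good" password): [bob] (from client nas1 port 4)
Thu Jan 15 10:00:40 2026 : Auth: (6) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [carol] (from client nas2 port 9)
Thu Jan 15 10:15:00 2026 : Auth: (7) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [carol] (from client nas2 port 9)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: \(\d+\) "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>.*?)\))?: "
    r"\[(?P<user>[^\]/]+)[^\]]*\] \(from client (?P<client>\S+)")

def parse_auth_line(line):
    """Return a dict (ts, ok, user, client, reason) or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    ev["ok"] = ev.pop("result") == "OK"
    return ev

def failure_bursts(lines, threshold=4, window=timedelta(minutes=5)):
    """(client, user, count) for each NAS/user pair with >= threshold rejects inside a
    sliding window; one alert per pair, carrying the largest burst seen."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None or ev["ok"]:
            continue
        key = (ev["client"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()                   # drop rejects that fell out of the window
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return [(client, user, n) for (client, user), n in alerts.items()]
```

Feed the same function the radius.log tail from a cron job or a log shipper; bob's four rejects in seven seconds trigger an alert, while carol's two rejects fifteen minutes apart do not.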

Backup, Recovery, and Data Consistency

Consistent Backup

mysqldump --single-transaction -u radius -p radius > radius.sql

Restore Validation

Verify radcheck, radreply, radusergroup integrity post-restore.

Troubleshooting

Authentication Rejected

  • Shared secret mismatch
  • Missing Cleartext-Password
  • Group priority override

Run FreeRADIUS in debug mode to see which check item rejects the request:

freeradius -X

Accounting Sessions Stuck

  • NAS reboot without Stop packet
  • Interim-Update disabled
  • Clock drift between NAS and server

daloradius UI Errors

  • PHP version mismatch
  • Missing SQL privileges
  • Incorrect config.inc.php

Performance Degradation

  • radacct table too large
  • No indexes
  • Excessive logging

References

  • daloradius GitHub: https://github.com/lirantal/daloradius
  • daloradius Wiki: https://github.com/lirantal/daloradius/wiki
  • FreeRADIUS Official Documentation: https://wiki.freeradius.org
  • FreeRADIUS SQL Module: https://wiki.freeradius.org/guide/SQL-HOWTO
  • RFC 2865 – RADIUS: https://datatracker.ietf.org/doc/html/rfc2865
  • RFC 2866 – RADIUS Accounting: https://datatracker.ietf.org/doc/html/rfc2866