Authorization/Accounting

irfan.ismail · September 25, 2018, 10:28am

Hello,

When choosing Authorization/Accounting options for a router what is the difference between
FIREWALL IP-MAC FILTER / API ACCOUNTING and PPP (RADIUS) / RADIUS ACCOUNTING.

What are the recommended options and Pro / Cons using API vs RADIUS accounting.

peter · September 26, 2018, 10:04am

In general:

Authorization.
FIREWALL IP-MAC FILTER / API ACCOUNTING - is used for Static IP addresses. When customer sets his/her IP address on the equipment manually.
If Splynx server is not reachable for router - this is not a problem. Splynx only updates router’s configuration from time to time.

PPP (RADIUS) / RADIUS ACCOUNTING - is used with PPPoE technology. Customer creates PPPoE connection on the PC with PPPoE login and password. Then he/she connects to PPPoE server, for example - Mikrotik router. PPPoE server sends RADIUS-request with customer’s credentials to RADIUS server (Splynx server) and RADIUS server answers to router with RADIUS-Accept (allow customer connection) or RADIUS-Reject (prohibit customer connection).
If Splynx server is not reachable - this is serious problem. Splynx server should be always online. Otherwise customers can’t establish PPPoE connection.

PPP (SECRETS) / API ACCOUNTING - is used with PPPoE technology too. Splynx server is not used for Authorization (directly). Splynx server copies PPPoE credentials (logins/passwords) to the router from time to time.
It is not required that Splynx server should be always reachable for the router.

Accounting.
API ACCOUNTING - Splynx server from time to time (every x minutes) enters to Mikrotik device (via Mikrotik API) and gets statistic.
RADIUS ACCOUNTING - Router (Mikrotik device) sends accounting statistic every x seconds to Splynx server using RADIUS accounting packets.

dunn.martin · September 26, 2018, 12:40pm

What if the router is also the CPE?
We connect our clients with Mikrotik LTE units that also serve DHCP etc to their connected devices. I want to account everything that passes a router to a single client. How do you do that in Splynx?

telstarone · September 26, 2018, 5:29pm

I have seen an option in splynx to add the CPE credentials to a customer’s account.

Try it out and try add some QoS rules and see how it works. I am however yet to test this myself.

dunn.martin · September 26, 2018, 5:59pm

Thanks, but I want accounting, not QoS. It seems that in order to do this I need to authenticate the user against a router. There must be a way round this, especially as I am using Mikrotik kit, but I’m not familiar enough with Splynx to work it out.

telstarone · September 26, 2018, 6:29pm

This should authenticate the splynx server to access the CPE(customer end mikrotik router - using a user and password that you have defined) and apply some QoS from the splynx end and it will login and configure the CPE. This should provide some accounting as well.

Ensure API is enabled on the customer mikrotik under IP>Services and confirm that the ports match.

If this does not work out, let me know there are alternatives that we can work out - on a private consultancy basis.

telstarone · September 26, 2018, 6:41pm

I just remembered that you can add multiple routers to splynx as well. You can then run accounting per user IP/MAC.

dunn.martin · September 26, 2018, 8:21pm

Finally cracked it;

IP-MAC/API… Set up as router and use the IP and MAC of the ethernet port in the LTE router for authorisation. Everything that passes through the LTE gets allocated to the client.

dunn.martin · September 26, 2018, 9:03pm

…ish.

Customer is online, but the statistics aren’t correct. Need to check how Splynx counts bandwidth.

dunn.martin · September 27, 2018, 10:10am

Moved rules up queue… All is good.