RADIUS Auth Flow
ProxPanel speaks RADIUS over UDP 1812 (auth) and 1813 (accounting). The auth flow is straightforward but has several decision points worth knowing.
End-to-end flow
1. The customer router dials PPPoE.
2. The BNG/NAS sends a RADIUS Access-Request to ProxPanel:1812 carrying User-Name, MS-CHAP2-Response (or the PAP User-Password), NAS-IP-Address, NAS-Port, etc.
3. ProxPanel validates:
   a. The NAS IP must match a row in `nas_devices` and the shared secret must match.
   b. The username exists in the `subscribers` table AND is_active = true.
   c. expiry_date >= today.
   d. The password matches (MS-CHAPv2 NT-Response check, or PAP plaintext compare).
4. If valid, ProxPanel builds an Access-Accept containing:
   - Mikrotik-Rate-Limit (or Filter-Id if backend_kind = generic)
   - Framed-IP-Address (if static_ip is set) OR Framed-Pool (otherwise)
   - Session-Timeout
   - Acct-Interim-Interval (60 seconds, so the NAS sends an interim update every minute)
5. The NAS creates the queue, brings the interface up, and assigns the IP.
6. The NAS sends Accounting-Start to :1813; a row is created in radacct.
Authentication methods supported
- MS-CHAPv2 (preferred): challenge/response, no plaintext password on the wire. A captured NT-Response is still subject to offline cracking, so the RADIUS path itself should be protected as well.
- PAP: the password crosses the PPPoE link in cleartext, and in the Access-Request it is only obscured by the RFC 2865 MD5/shared-secret XOR scheme, not encrypted. Use it only where the NAS-to-ProxPanel path is itself protected (RadSec/TLS or a VPN tunnel).
- CHAP: supported but rarely used by modern PPPoE clients.
Speed format normalization
The DB stores speeds in kbit/s (download_speed = 2000 means 2 Mbit/s). Before sending to MikroTik, ProxPanel normalizes to the format MikroTik expects:
| Input | Sent to MikroTik |
|---|---|
| 2000 | 2000k |
| 2M | 2000k |
| 1.5M | 1500k |
| 2000k | 2000k (unchanged) |
This conversion happens in internal/radius/server.go:normalizeRateLimitString. The Mikrotik-Rate-Limit value is always upload/download (rx-rate/tx-rate from the router's point of view), e.g. 1200k/2000k.
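The normalization rules above, written out as an added Go example (this is not ProxPanel's normalizeRateLimitString; the function names normalizeRate and rateLimitAttr are assumptions for illustration). It goes slightly beyond the table: it also accepts a G suffix and treats suffixes case-insensitively, and it rejects anything it cannot parse instead of forwarding it, so a malformed DB value can never turn into a zero or unlimited queue on the router.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// normalizeRate turns one speed value as stored in the DB ("2000", "2M",
// "1.5M", "2000k") into the "<n>k" form MikroTik expects. A bare number is
// kbit/s, matching the DB convention; "k", "M" and "G" suffixes are accepted
// case-insensitively. Anything else is an error rather than a guess.
func normalizeRate(raw string) (string, error) {
	s := strings.TrimSpace(strings.ToLower(raw))
	mult := 1.0
	switch {
	case strings.HasSuffix(s, "g"):
		mult, s = 1_000_000, strings.TrimSuffix(s, "g")
	case strings.HasSuffix(s, "m"):
		mult, s = 1_000, strings.TrimSuffix(s, "m")
	case strings.HasSuffix(s, "k"):
		s = strings.TrimSuffix(s, "k")
	}
	v, err := strconv.ParseFloat(s, 64)
	if err != nil || v <= 0 || math.IsInf(v, 0) || math.IsNaN(v) {
		return "", fmt.Errorf("bad rate %q", raw)
	}
	// Round to whole kbit/s; MikroTik does not take fractional "k" values.
	return strconv.FormatInt(int64(math.Round(v*mult)), 10) + "k", nil
}

// rateLimitAttr builds the Mikrotik-Rate-Limit value. Order is always
// upload/download, i.e. rx-rate/tx-rate as seen from the router.
func rateLimitAttr(upload, download string) (string, error) {
	up, err := normalizeRate(upload)
	if err != nil {
		return "", fmt.Errorf("upload: %w", err)
	}
	down, err := normalizeRate(download)
	if err != nil {
		return "", fmt.Errorf("download: %w", err)
	}
	return up + "/" + down, nil
}

func main() {
	// Constructed inputs: the four rows of the table plus one bad value.
	for _, in := range []string{"2000", "2M", "1.5M", "2000k", "fast"} {
		out, err := normalizeRate(in)
		fmt.Printf("%-6s -> %s %v\n", in, out, err)
	}
	attr, _ := rateLimitAttr("1200", "2M")
	fmt.Println("Mikrotik-Rate-Limit =", attr) // 1200k/2000k
}
```

Rejecting unparseable input is the security-relevant choice here: a rate string the router cannot parse is typically treated as "no limit", so failing the request is safer than passing the raw value through.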
Static IP vs. dynamic pool
- If subscriber.static_ip is set, the Access-Accept returns Framed-IP-Address = <that_IP>.
- Otherwise it returns Framed-Pool = <service.pool_name> and MikroTik allocates from that pool.
ProxPanel’s IP-pool-management feature can also reserve IPs ahead of time (v1.0.226+) — see IP Pool Management.
Auth failures — what to check
| Error in RADIUS log | Cause |
|---|---|
| unknown NAS: x.x.x.x | NAS not in nas_devices, or the row has a different IP. |
| bad password | Username found, password mismatch. |
| account inactive | is_active = false on the subscriber, or the subscriber's reseller is inactive. |
| account expired | expiry_date < today. |
| account suspended (overlimit) | Subscriber count is over the license limit. |
See PPPoE Auth Troubleshooting for diagnosis steps.
Generic RADIUS (non-MikroTik)
If you're running a Cisco, Juniper, or Huawei BNG, set backend_kind = generic on the NAS. ProxPanel will:
- Send Filter-Id (RFC 2865 standard) instead of Mikrotik-Rate-Limit.
- Use Filter-Id values like POLICY_FUP_TIER_1, POLICY_FUP_TIER_2; your BNG must have these policies pre-configured, because Filter-Id only names a policy and carries no rate itself.
- Use Filter-Id changes in CoA instead of Mikrotik-Rate-Limit updates.
- Disconnect with the RFC 3576 (now RFC 5176) Disconnect-Request, which works on any BNG that implements RADIUS dynamic authorization.
See Generic RADIUS.
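The decision points of the flow, the static-IP-versus-pool choice, and the MikroTik-versus-generic attribute selection, written out together as one added Go example. This is not ProxPanel's code: the struct fields, map layout, function name authorize and error strings are assumptions for illustration. It assumes the rate-limit string is already normalized, that the shared-secret check has been done on the raw packet (Request/Message-Authenticator verification) before authorize is called, and it uses a PAP-style constant-time compare in place of MS-CHAPv2 verification. The sample records are constructed.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// NAS holds the nas_devices fields the auth flow needs (assumed names).
type NAS struct {
	IP          string
	BackendKind string // "mikrotik" (default) or "generic"
}

// Subscriber holds the subscriber + service fields consulted at auth time.
type Subscriber struct {
	Password       string // PAP credential as stored; MS-CHAPv2 would check the NT-Response instead
	IsActive       bool
	ResellerActive bool
	ExpiryDate     time.Time
	StaticIP       string // empty means "allocate from PoolName"
	PoolName       string
	RateLimit      string // already normalized upload/download, e.g. "1200k/2000k"
	FilterID       string // BNG-side policy name, used when the NAS is backend_kind = generic
	SessionTimeout int    // seconds
}

type AccessRequest struct {
	NASIP    string
	Username string
	Password string
}

var (
	ErrUnknownNAS  = errors.New("unknown NAS")
	ErrUnknownUser = errors.New("unknown user")
	ErrInactive    = errors.New("account inactive")
	ErrExpired     = errors.New("account expired")
	ErrBadPassword = errors.New("bad password")
)

// authorize runs checks 3a-3d of the flow and, on success, returns the
// attribute set for the Access-Accept (step 4). Any error means Access-Reject;
// the reason goes only to the server log, never to the NAS, so the errors
// above are indistinguishable on the wire (no user enumeration).
func authorize(req AccessRequest, nasTable map[string]NAS, subs map[string]Subscriber, now time.Time) (map[string]string, error) {
	nas, ok := nasTable[req.NASIP]
	if !ok {
		return nil, fmt.Errorf("%w: %s", ErrUnknownNAS, req.NASIP)
	}
	sub, ok := subs[req.Username]
	if !ok {
		return nil, ErrUnknownUser
	}
	if !sub.IsActive || !sub.ResellerActive {
		return nil, ErrInactive
	}
	today := now.UTC().Truncate(24 * time.Hour)
	if sub.ExpiryDate.Before(today) { // expiry_date >= today is required
		return nil, ErrExpired
	}
	if subtle.ConstantTimeCompare([]byte(sub.Password), []byte(req.Password)) != 1 {
		return nil, ErrBadPassword
	}

	attrs := map[string]string{
		"Session-Timeout":       fmt.Sprint(sub.SessionTimeout),
		"Acct-Interim-Interval": "60", // interim accounting every minute
	}
	if nas.BackendKind == "generic" {
		attrs["Filter-Id"] = sub.FilterID // the BNG must already know this policy name
	} else {
		attrs["Mikrotik-Rate-Limit"] = sub.RateLimit
	}
	if sub.StaticIP != "" {
		attrs["Framed-IP-Address"] = sub.StaticIP
	} else {
		attrs["Framed-Pool"] = sub.PoolName
	}
	return attrs, nil
}

// Constructed sample data (not real customer records).
var sampleToday = time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)

var sampleNAS = map[string]NAS{
	"10.0.0.1": {IP: "10.0.0.1", BackendKind: "mikrotik"},
	"10.0.0.2": {IP: "10.0.0.2", BackendKind: "generic"},
}

var sampleSubs = map[string]Subscriber{
	"alice": {Password: "alice-pw", IsActive: true, ResellerActive: true, ExpiryDate: sampleToday, // expires today: still valid
		StaticIP: "100.64.0.10", PoolName: "pool-basic", RateLimit: "1200k/2000k", FilterID: "POLICY_FUP_TIER_1", SessionTimeout: 86400},
	"bob": {Password: "bob-pw", IsActive: true, ResellerActive: true, ExpiryDate: sampleToday.AddDate(0, 1, 0),
		PoolName: "pool-basic", RateLimit: "1200k/2000k", FilterID: "POLICY_FUP_TIER_1", SessionTimeout: 86400},
	"carol": {Password: "carol-pw", IsActive: true, ResellerActive: true, ExpiryDate: sampleToday.AddDate(0, 0, -1), // expired yesterday
		PoolName: "pool-basic", RateLimit: "1200k/2000k", FilterID: "POLICY_FUP_TIER_1"},
}

func main() {
	reqs := []AccessRequest{
		{NASIP: "10.0.0.1", Username: "alice", Password: "alice-pw"},  // MikroTik, static IP
		{NASIP: "10.0.0.2", Username: "bob", Password: "bob-pw"},      // generic BNG, pool
		{NASIP: "10.0.0.1", Username: "carol", Password: "carol-pw"},  // expired
		{NASIP: "192.0.2.9", Username: "alice", Password: "alice-pw"}, // unknown NAS
	}
	for _, r := range reqs {
		if attrs, err := authorize(r, sampleNAS, sampleSubs, sampleToday); err != nil {
			fmt.Printf("%s@%s -> Access-Reject (log: %v)\n", r.Username, r.NASIP, err)
		} else {
			fmt.Printf("%s@%s -> Access-Accept %v\n", r.Username, r.NASIP, attrs)
		}
	}
}
```

Note the ordering: the NAS is checked before any subscriber lookup, so a packet from an unregistered source never touches customer data, and the reject returned to the NAS is the same packet in every failure case.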