
Generic RADIUS (Cisco / Juniper / Huawei)

ProxPanel was originally built around MikroTik, but the RADIUS server itself is vendor-neutral. To target a Cisco IOS-XR BNG, a Juniper MX in subscriber-management mode, a Huawei ME60, or a FreeRADIUS-fronted lab box, set the NAS’s backend_kind = "generic" and ProxPanel switches to standard-attribute behavior.

This page is for operators integrating ProxPanel with a BNG that does not speak the MikroTik VSA dictionary.

| Behavior | MikroTik mode | Generic mode |
| --- | --- | --- |
| Rate-limit attribute | Mikrotik-Rate-Limit (VSA 14988.8), e.g. "1200k/2000k" | Filter-Id (RFC-2865 attr 11), e.g. "POLICY_FUP_TIER_1" |
| IP allocation | Pool import via RouterOS API, ProxPanel allocates and sends Framed-IP-Address | BNG-managed pools; ProxPanel sends Framed-IP-Address only for explicit static IPs |
| Mid-session speed change | CoA with new Mikrotik-Rate-Limit | CoA with new Filter-Id — BNG must already have that policy defined |
| Bytes / quota source | MikroTik API (/ppp/active/print) | radacct deltas from Acct-Interim-Update packets |
| Disconnect | CoA Disconnect-Request (RFC-3576) | Same — CoA Disconnect-Request |
| Auto-create policies | N/A (queues are dynamic) | No — operator must define each policy name on the BNG beforehand |

The shift to Filter-Id is the big one: instead of “here is the speed in kb/s,” the panel says “switch this user to policy POLICY_FUP_TIER_1,” and the BNG looks up its own pre-defined policy-map for that name. The QoS configuration lives on the BNG, not in ProxPanel.

  1. In NAS / Routers, open (or create) the BNG.
  2. Set Backend to Generic RADIUS (the underlying column is backend_kind — values: mikrotik / generic).
  3. Save. The RADIUS server picks up the new NAS settings on the next reload tick (or run docker restart proxpanel-radius to apply them immediately).

That’s the only flag. After this:

  • All sessions from this NAS get Filter-Id instead of Mikrotik-Rate-Limit.
  • MikroTik API calls are skipped (the BNG has no RouterOS API).
  • Quota deltas are read from radacct by GenericRadiusQuotaSyncService (internal/services/generic_radius_quota_sync.go) every 30 s instead of by QuotaSyncService.

ProxPanel builds the Filter-Id value from the service’s filter_id_normal, filter_id_fup1, filter_id_fup2, filter_id_fup3 columns. The naming is yours to define — but it must match a policy that already exists on the BNG.

Suggested naming pattern:

POLICY_<plan>_<state>

Examples:

| Service | Normal | FUP-1 | FUP-2 | FUP-3 |
| --- | --- | --- | --- | --- |
| 10 Mbps Home | POLICY_HOME10_OK | POLICY_HOME10_FUP1 | POLICY_HOME10_FUP2 | POLICY_HOME10_FUP3 |
| 100 Mbps Pro | POLICY_PRO100_OK | POLICY_PRO100_FUP1 | POLICY_PRO100_FUP2 | POLICY_PRO100_FUP3 |

The BNG’s job is to map each Filter-Id to a policy-map / service-template / qos-profile (vendor terminology varies).

These are minimal sketches — every production deployment will have more knobs (service-policy attach points, ANCP, subscriber templates, etc.). Adapt to your network.

Cisco IOS-XR

RADIUS server group:

aaa group server radius PROXPANEL_GROUP
 server 10.10.10.5 auth-port 1812 acct-port 1813
 source-interface Loopback0
!
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813
 key 7 <shared-secret>
!
aaa authentication ppp default group PROXPANEL_GROUP
aaa accounting subscriber default group PROXPANEL_GROUP
aaa server radius dynamic-author
 client 10.10.10.5
 server-key <shared-secret>
 port 1700
!

Policy referenced by Filter-Id = POLICY_FUP_TIER_1:

policy-map POLICY_FUP_TIER_1
 class class-default
  police rate 512 kbps
   conform-action transmit
   exceed-action drop
 end-policy-map
!

CoA arrives on UDP 1700 (Cisco-default; align with ProxPanel’s coa_port).

Juniper MX

set system radius-server 10.10.10.5 secret <shared-secret>
set system radius-server 10.10.10.5 dynamic-request-port 3799
set system accounting destination radius server 10.10.10.5
set access profile PROXPANEL authentication-order radius
set access profile PROXPANEL radius authentication-server 10.10.10.5
set access profile PROXPANEL radius accounting-server 10.10.10.5
set access profile PROXPANEL radius options interim-update-interval 5
set dynamic-profiles PPP-PROFILE protocols pppoe
set dynamic-profiles PPP-PROFILE class-of-service classifiers ...

The Filter-Id is mapped via unified-edge access or dynamic-profile variables depending on the OS release. ProxPanel doesn’t care which mechanism — it just sends the attribute.

CoA arrives on UDP 3799 by default; set coa_port = 3799 in the NAS row.

Huawei ME60

radius-server template PROXPANEL
 radius-server authentication 10.10.10.5 1812
 radius-server accounting 10.10.10.5 1813
 radius-server shared-key cipher <shared-secret>
 radius-server retransmit 3
 undo radius-server user-name domain-included
#
radius-server authorization 10.10.10.5 shared-key cipher <shared-secret> server-group PROXPANEL
#
aaa
 authentication-scheme PROXPANEL_AUTH
  authentication-mode radius
 accounting-scheme PROXPANEL_ACCT
  accounting-mode radius
  accounting realtime 5
 domain isp.example.com
  authentication-scheme PROXPANEL_AUTH
  accounting-scheme PROXPANEL_ACCT
  radius-server PROXPANEL
#

Map Filter-Id to a user-group via user-group <name> traffic profile bindings.

CoA port 3799 by default — Huawei calls this “RADIUS authorization.”

Because there is no MikroTik API to call, ProxPanel reads bytes from the accounting table:

  1. The BNG sends Acct-Interim-Update every N seconds (configure to match radius_interim_update_seconds, default 30 s).
  2. ProxPanel’s GenericRadiusQuotaSyncService polls radacct every 30 s.
  3. For each open session, it computes the delta against the subscriber’s last_session_* baseline.
  4. The delta is added to daily_quota_used / monthly_quota_used.

The same 1 GB-per-cycle sanity cap that protects the MikroTik path is applied here — any delta over 1 GB is treated as a counter wrap (re-baseline, don’t ingest).
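The delta-and-cap rule above, as an added Go example (not ProxPanel's own code). The struct layout, the function name, applying the cap to the combined upload and download delta, and treating a counter that went backwards like a wrap are assumptions made for this sketch.

```go
package main

import "fmt"

// sanityCap is the 1 GB-per-cycle limit described above.
const sanityCap uint64 = 1 << 30

// Subscriber holds the fields named on this page; the struct layout itself is
// an assumption made for this example.
type Subscriber struct {
	LastSessionIn, LastSessionOut    uint64 // last_session_* baseline
	DailyQuotaUsed, MonthlyQuotaUsed uint64
}

// ApplyInterim folds one radacct reading (cumulative session octets) into the
// subscriber's usage and reports whether the delta was ingested.
func ApplyInterim(s *Subscriber, in, out uint64) (ingested bool) {
	// Always move the baseline so the next cycle measures from this reading.
	prevIn, prevOut := s.LastSessionIn, s.LastSessionOut
	s.LastSessionIn, s.LastSessionOut = in, out

	// Assumption: a counter that went backwards is handled like a wrap.
	// Checking it first also avoids unsigned underflow in the subtraction.
	if in < prevIn || out < prevOut {
		return false
	}
	delta := (in - prevIn) + (out - prevOut)
	// A delta over the cap is treated as a counter wrap: re-baseline, don't ingest.
	if delta > sanityCap {
		return false
	}
	s.DailyQuotaUsed += delta
	s.MonthlyQuotaUsed += delta
	return true
}

func main() {
	s := &Subscriber{}
	// Constructed readings: normal growth, a counter reset, then an implausible jump.
	readings := [][2]uint64{{100 << 20, 10 << 20}, {300 << 20, 20 << 20}, {5 << 20, 1 << 20}, {4 << 30, 2 << 20}}
	for _, r := range readings {
		ok := ApplyInterim(s, r[0], r[1])
		fmt.Printf("in=%d out=%d ingested=%v daily=%d\n", r[0], r[1], ok, s.DailyQuotaUsed)
	}
}
```
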

The wire format is the same as for MikroTik (RFC-3576 / 5176 Disconnect-Request and CoA-Request packets); only the attribute changes.

  • Speed change: ProxPanel calls COAClient.UpdateFilterID(username, sessionID, "POLICY_FUP_TIER_1") instead of UpdateRateLimit.
  • Disconnect: identical DisconnectUser(username, sessionID) — the BNG terminates the session.

Session IDs from generic BNGs are usually uppercase hex; ProxPanel normalizes to lowercase before sending (same code path as MikroTik). See CoA & Disconnect for the Session-Id rule.

If the BNG returns CoA-NAK with Filter-Id rejected (check that '<name>' exists on the BNG), you’ve referenced a policy that doesn’t exist — fix the NAS configuration.
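What a Filter-Id CoA-Request looks like on the wire, as an added Go example (not ProxPanel's COAClient). BuildFilterIDCoA and VerifyAuthenticator are hypothetical helpers, the secret, user and session ID are constructed, and attribute values are assumed to be shorter than 254 bytes. The authenticator is the RFC 5176 Request Authenticator, so the BNG can only accept the packet when both sides hold the same shared secret.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
)

// RADIUS code and attribute types from RFC 5176, RFC 2865 and RFC 2866.
const codeCoARequest, attrUserName, attrFilterID, attrSessionID = 43, 1, 11, 44

// attr encodes one attribute as type, length, value.
func attr(t byte, v string) []byte {
	return append([]byte{t, byte(len(v) + 2)}, v...)
}

// BuildFilterIDCoA is a hypothetical helper (not ProxPanel's COAClient): it
// builds a CoA-Request that moves one session to a named BNG policy.
func BuildFilterIDCoA(id byte, secret, user, sessionID, policy string) []byte {
	body := attr(attrUserName, user)
	// The session ID is lowercased before sending, as described above.
	body = append(body, attr(attrSessionID, strings.ToLower(sessionID))...)
	body = append(body, attr(attrFilterID, policy)...)
	pkt := make([]byte, 20, 20+len(body))
	pkt[0], pkt[1] = codeCoARequest, id
	binary.BigEndian.PutUint16(pkt[2:4], uint16(20+len(body)))
	pkt = append(pkt, body...)
	// Request Authenticator = MD5(packet with 16 zero octets + shared secret).
	sum := md5.Sum(append(append([]byte{}, pkt...), secret...))
	copy(pkt[4:20], sum[:])
	return pkt
}

// VerifyAuthenticator is the check the receiving side performs; a packet
// built with a different shared secret, or altered in transit, fails it.
func VerifyAuthenticator(pkt []byte, secret string) bool {
	if len(pkt) < 20 || int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return false
	}
	zeroed := append(append([]byte{}, pkt[:4]...), make([]byte, 16)...)
	zeroed = append(zeroed, pkt[20:]...)
	sum := md5.Sum(append(zeroed, secret...))
	return subtle.ConstantTimeCompare(sum[:], pkt[4:20]) == 1
}

func main() {
	// Constructed values; the session ID arrives from the BNG as uppercase hex.
	pkt := BuildFilterIDCoA(7, "example-secret", "alice", "8A1F00C2", "POLICY_FUP_TIER_1")
	fmt.Println(len(pkt), VerifyAuthenticator(pkt, "example-secret"), VerifyAuthenticator(pkt, "other"))
}
```
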

What ProxPanel does NOT do in generic mode


To keep the integration robust across vendors, ProxPanel deliberately stays hands-off in generic mode:

  • No automatic policy creation. ProxPanel never pushes config to the BNG. You configure policies once, ProxPanel just names them.
  • No IP pool import. The BNG manages its own pools. To assign a static IP, use the Static IP Assignment flow and ProxPanel sends Framed-IP-Address in the RADIUS reply.
  • No torch. Cisco / Juniper / Huawei don’t speak the RouterOS-style live-traffic API. The Sessions page shows the radacct counters; live-traffic widgets show “Not supported on generic NAS.”
  • No queue tuning from the panel. All QoS is BNG-native.

“Subscriber authenticates but immediately disconnects”


The BNG accepted the RADIUS reply but rejected the Filter-Id because the policy doesn’t exist locally.

  1. On the BNG, search for the policy name returned by ProxPanel. On Cisco: show running-config | include POLICY_. On Juniper: show configuration | match POLICY_.
  2. If missing, define it (see sample BNG configuration).
  3. If present, look at the BNG’s logs for the exact rejection reason.
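A pre-flight version of step 1, as an added Go example (not part of ProxPanel): it compares a service's filter_id_* values against the policy-map definitions in a saved Cisco-style configuration. The function names and the sample configuration are constructed, and the comparison is case-sensitive as an assumption. Only lines that define a policy count, so a policy that is merely referenced elsewhere is still reported as missing.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample: the four Filter-Id values of one service.
var sampleFilterIDs = []string{"POLICY_HOME10_OK", "POLICY_HOME10_FUP1", "POLICY_HOME10_FUP2", "POLICY_HOME10_FUP3"}

// Constructed sample of saved BNG configuration text.
var sampleConfig = `
policy-map POLICY_HOME10_OK
 class class-default
policy-map type qos POLICY_HOME10_FUP1
policy-map policy_home10_fup2
 service-policy output POLICY_HOME10_FUP3
`

// DefinedPolicies collects names from "policy-map [type <t>] <name>" lines.
func DefinedPolicies(config string) map[string]bool {
	defined := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && f[0] == "policy-map" {
			defined[f[len(f)-1]] = true // the name is the last token
		}
	}
	return defined
}

// MissingPolicies returns, in input order, every Filter-Id value that has no
// matching definition. Assumption: names are compared case-sensitively.
func MissingPolicies(filterIDs []string, config string) []string {
	defined := DefinedPolicies(config)
	var missing []string
	for _, id := range filterIDs {
		if id != "" && !defined[id] {
			missing = append(missing, id)
		}
	}
	return missing
}

func main() {
	fmt.Println(MissingPolicies(sampleFilterIDs, sampleConfig))
}
```
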

The CoA packet arrived but the BNG silently ignored it. See CoA & Disconnect → silent NAKs.

radacct.acctupdatetime must advance — that’s what GenericRadiusQuotaSyncService reads. Confirm the BNG is sending Acct-Interim-Update at the configured interval. Cisco: aaa accounting subscriber default broadcast group ...; Juniper: interim-update-interval; Huawei: accounting realtime.