
Package Policy (RADIUS Attributes)

Overview

Policy in Zal Ultra controls subscriber services through FreeRADIUS attributes. Policies define bandwidth limits, IP assignment, simultaneous sessions, connection pools, and other network parameters that are sent to your router (Mikrotik, Cisco, Juniper, etc.) via the RADIUS protocol.

WHAT IS POLICY?

Policy is a RADIUS attribute configuration system that:

  • Controls bandwidth - Upload/download speed limits
  • Assigns IP addresses - Static IP or pool assignment
  • Manages sessions - Simultaneous-Use, session timeout
  • Router-specific - Mikrotik, Cisco, Juniper, NetElastic, vBNG support
  • Group-based - One policy group = multiple RADIUS attributes
  • Assigned to packages - Policies linked to packages

Perfect for bandwidth management, IP allocation, and service control!


📋 Table of Contents

  1. How Policy Works
  2. RADIUS Basics
  3. Policy Structure
  4. FreeRADIUS Attributes (20-30 Common)
  5. Router-Specific Configurations
  6. Installing Router Dictionaries
  7. Step-by-Step Guide
  8. Common Policy Examples
  9. Troubleshooting

How Policy Works

The RADIUS Flow

Zal Ultra uses FreeRADIUS to control subscriber services:

1. Subscriber connects to router (PPPoE/Hotspot)

2. Router sends RADIUS authentication request

3. Zal Ultra (FreeRADIUS) authenticates subscriber

4. FreeRADIUS sends RADIUS Reply with attributes (Policy)

5. Router applies bandwidth, IP, session limits

6. Subscriber gets internet with configured limits

What Policy Controls

Bandwidth Management:

  • Upload speed limit
  • Download speed limit
  • Burst speed (temporary speed boost)
  • Priority/Queue management

IP Address Assignment:

  • Static IP address
  • IP pool selection
  • Framed-IP-Address
  • Framed-IP-Netmask

Session Control:

  • Simultaneous-Use (max concurrent sessions)
  • Session-Timeout (auto-disconnect after X seconds)
  • Idle-Timeout (disconnect if idle)
  • Acct-Interim-Interval (accounting updates)

Router-Specific:

  • Mikrotik-Rate-Limit
  • Cisco-AVPair
  • Juniper-Local-User-Name
  • Custom vendor attributes

RADIUS Basics

Two Attribute Types

1. Check Attributes (radgroupcheck)

  • Purpose: Authentication and authorization checks
  • When: Sent during authentication
  • Examples: Simultaneous-Use, Auth-Type
  • Use: Control access and session limits

2. Reply Attributes (radgroupreply)

  • Purpose: Service configuration
  • When: Sent in Access-Accept response
  • Examples: Mikrotik-Rate-Limit, Framed-IP-Address
  • Use: Configure bandwidth, IP, routing

Attribute Operators

Common Operators:

:=  (Set)           - Force this value
=   (Equal)         - Check if equal
==  (Equal)         - Strict equality check
+=  (Add)           - Add to existing
!=  (Not Equal)     - Check if not equal
>=  (Greater/Equal) - Check if greater or equal
<=  (Less/Equal)    - Check if less or equal

Most Common:

  • := (Set) - Used for Reply attributes (bandwidth, IP)
  • == (Equal) - Used for Check attributes (Simultaneous-Use)

Policy Structure

Group-Based System

Policy uses a group-based structure:

Policy Group: "10mbps-policy"
  ├─ Mikrotik-Rate-Limit := "10M/10M" (Reply)
  ├─ Framed-Pool := "main-pool" (Reply)
  ├─ Simultaneous-Use := 1 (Check)
  └─ Session-Timeout := 86400 (Reply)

Components

Group Name:

  • Identifies the policy group
  • Example: "10mbps-policy", "corporate-policy"
  • Auto-formatted (lowercase, no spaces)

Attributes (Multiple per group):

  • Each attribute has: Name, Type, Operator, Value
  • Type: Check or Reply
  • Operator: :=, ==, +=, etc.
  • Value: Depends on attribute

Example Policy Structure

Group: "residential-10mbps"

Attribute              | Type  | OP | Value
-----------------------|-------|----|-----------------
Mikrotik-Rate-Limit    | Reply | := | 10M/10M
Framed-Pool            | Reply | := | residential-pool
Simultaneous-Use       | Check | == | 1
Session-Timeout        | Reply | := | 86400
Acct-Interim-Interval  | Reply | := | 300

FreeRADIUS Attributes

20-30 Common RADIUS Attributes

1. Bandwidth Control

Mikrotik-Rate-Limit (Reply, :=)

  • Purpose: Bandwidth limit for Mikrotik routers
  • Format: upload/download or upload/download burst-upload/burst-download time priority
  • Example: 10M/10M (10 Mbps up/down)
  • Example: 10M/10M 20M/20M 5/5 8 (with burst)
  • Use: Primary bandwidth control for Mikrotik

Cisco-AVPair (Reply, :=)

  • Purpose: Bandwidth limit for Cisco routers
  • Format: ip:sub-qos-policy-in=<policy> or custom
  • Example: ip:sub-qos-policy-in=10M
  • Use: Cisco QoS policy assignment

Juniper-Local-User-Name (Reply, :=)

  • Purpose: User profile for Juniper routers
  • Example: 10mbps-profile
  • Use: Juniper service profile assignment

2. IP Address Assignment

Framed-IP-Address (Reply, :=)

  • Purpose: Assign static IP to subscriber
  • Format: IP address (e.g., 192.168.1.100)
  • Example: 192.168.1.100
  • Use: Static IP assignment

Framed-IP-Netmask (Reply, :=)

  • Purpose: Subnet mask for assigned IP
  • Format: Netmask (e.g., 255.255.255.0)
  • Example: 255.255.255.0
  • Use: Define subnet for static IP

Framed-Pool (Reply, :=)

  • Purpose: IP pool name for dynamic IP assignment
  • Format: Pool name (string)
  • Example: main-pool, residential-pool
  • Use: Dynamic IP from pool

Framed-Route (Reply, :=)

  • Purpose: Static route for subscriber
  • Format: network/prefix gateway metric
  • Example: 192.168.100.0/24 192.168.1.1 1
  • Use: Custom routing for subscriber

3. Session Control

Simultaneous-Use (Check, ==)

  • Purpose: Maximum concurrent sessions
  • Format: Integer (1, 2, 3...)
  • Example: 1 (only 1 session allowed)
  • Use: Prevent account sharing

Session-Timeout (Reply, :=)

  • Purpose: Auto-disconnect after X seconds
  • Format: Seconds (integer)
  • Example: 86400 (24 hours)
  • Use: Force reconnection daily

Idle-Timeout (Reply, :=)

  • Purpose: Disconnect if idle for X seconds
  • Format: Seconds (integer)
  • Example: 600 (10 minutes)
  • Use: Free up inactive sessions

Acct-Interim-Interval (Reply, :=)

  • Purpose: Accounting update interval
  • Format: Seconds (integer)
  • Example: 300 (5 minutes)
  • Use: Real-time usage tracking

4. Authentication

Auth-Type (Check, :=)

  • Purpose: Authentication method
  • Format: PAP, CHAP, MSCHAP, etc.
  • Example: PAP
  • Use: Force specific auth method

Cleartext-Password (Check, ==)

  • Purpose: Password for PAP authentication
  • Format: Plain text password
  • Example: subscriber123
  • Use: PAP authentication (not recommended)

User-Password (Check, ==)

  • Purpose: Encrypted password
  • Format: Encrypted password
  • Use: Secure authentication

5. Service Type

Service-Type (Reply, :=)

  • Purpose: Type of service
  • Format: Framed-User, Login-User, etc.
  • Example: Framed-User
  • Use: Define connection type

Framed-Protocol (Reply, :=)

  • Purpose: Framing protocol
  • Format: PPP, SLIP, etc.
  • Example: PPP
  • Use: PPPoE connections

Framed-Compression (Reply, :=)

  • Purpose: Compression method
  • Format: None, Van-Jacobson-TCP-IP, etc.
  • Example: Van-Jacobson-TCP-IP
  • Use: Enable compression

6. Port and NAS

NAS-Port-Type (Check, ==)

  • Purpose: Connection type
  • Format: Ethernet, Wireless, Virtual, etc.
  • Example: Ethernet
  • Use: Filter by connection type

NAS-IP-Address (Check, ==)

  • Purpose: Router IP address
  • Format: IP address
  • Example: 10.0.0.1
  • Use: Identify router

Called-Station-Id (Check, ==)

  • Purpose: Router MAC or identifier
  • Format: MAC address or string
  • Example: 00:11:22:33:44:55
  • Use: Identify access point

Calling-Station-Id (Check, ==)

  • Purpose: Subscriber MAC address
  • Format: MAC address
  • Example: AA:BB:CC:DD:EE:FF
  • Use: MAC-based authentication

7. Accounting

Acct-Status-Type (Check, ==)

  • Purpose: Accounting event type
  • Format: Start, Stop, Interim-Update
  • Example: Start
  • Use: Track session events

Acct-Input-Octets (Reply, :=)

  • Purpose: Bytes uploaded
  • Format: Integer (bytes)
  • Use: Usage tracking

Acct-Output-Octets (Reply, :=)

  • Purpose: Bytes downloaded
  • Format: Integer (bytes)
  • Use: Usage tracking

Acct-Session-Time (Reply, :=)

  • Purpose: Session duration
  • Format: Seconds (integer)
  • Use: Track connection time

8. Quality of Service

Class (Reply, :=)

  • Purpose: Traffic class/priority
  • Format: String or integer
  • Example: premium, standard
  • Use: QoS classification

Filter-Id (Reply, :=)

  • Purpose: Firewall filter or ACL
  • Format: Filter name (string)
  • Example: allow-web-only
  • Use: Apply firewall rules

9. Mikrotik-Specific

Mikrotik-Address-List (Reply, :=)

  • Purpose: Add IP to address list
  • Format: List name
  • Example: premium-users
  • Use: Firewall rules, QoS

Mikrotik-Recv-Limit (Reply, :=)

  • Purpose: Download quota limit
  • Format: Bytes (integer)
  • Example: 10737418240 (10 GB)
  • Use: Data quota

Mikrotik-Xmit-Limit (Reply, :=)

  • Purpose: Upload quota limit
  • Format: Bytes (integer)
  • Example: 5368709120 (5 GB)
  • Use: Data quota

10. Cisco-Specific

Cisco-AVPair (Reply, +=)

  • Purpose: Multiple Cisco attributes
  • Format: attribute=value
  • Example: ip:inacl#1=permit ip any any
  • Use: ACLs, QoS, routing

Cisco-Account-Info (Reply, :=)

  • Purpose: Accounting information
  • Format: String
  • Use: Custom accounting data

11. Advanced Attributes

Port-Limit (Reply, :=)

  • Purpose: Maximum ports/connections
  • Format: Integer
  • Example: 1
  • Use: Limit concurrent connections

Login-IP-Host (Reply, :=)

  • Purpose: Telnet/SSH host
  • Format: IP address
  • Example: 10.0.0.1
  • Use: Remote access

Login-Service (Reply, :=)

  • Purpose: Login service type
  • Format: Telnet, Rlogin, SSH, etc.
  • Example: Telnet
  • Use: Remote access method

Callback-Number (Reply, :=)

  • Purpose: Callback phone number
  • Format: Phone number
  • Use: Dial-back connections

Router-Specific Configurations

Mikrotik Configuration

Overview: Mikrotik routers use FreeRADIUS for PPPoE and Hotspot authentication, with bandwidth control via the Mikrotik-Rate-Limit attribute.

Key Attributes:

1. Mikrotik-Rate-Limit (Most Important)

Attribute: Mikrotik-Rate-Limit
Type: Reply
Operator: :=
Value: upload/download [burst-upload/burst-download time priority]

Examples:
10M/10M                    → 10 Mbps up/down
20M/50M                    → 20 Mbps up, 50 Mbps down
10M/10M 20M/20M 5/5 8      → With burst (20M for 5 seconds, priority 8)

2. Mikrotik-Address-List

Attribute: Mikrotik-Address-List
Type: Reply
Operator: :=
Value: list-name

Example: premium-users
Use: Add subscriber IP to address list for firewall/QoS

3. Mikrotik-Recv-Limit / Mikrotik-Xmit-Limit

Attribute: Mikrotik-Recv-Limit (Download quota)
Type: Reply
Operator: :=
Value: bytes

Example: 10737418240 (10 GB)

Mikrotik Policy Example:

Group: mikrotik-10mbps

Mikrotik-Rate-Limit    | Reply | := | 10M/10M
Framed-Pool            | Reply | := | main-pool
Simultaneous-Use       | Check | == | 1
Session-Timeout        | Reply | := | 86400
Mikrotik-Address-List  | Reply | := | active-users

Mikrotik Router Setup:

  1. Go to RADIUS in Mikrotik
  2. Add RADIUS server (Zal Ultra IP)
  3. Set secret key (same as Zal Ultra NAS)
  4. Enable RADIUS for PPPoE/Hotspot
  5. Test authentication

Dictionary Location:

/usr/share/freeradius/dictionary.mikrotik

Cisco Configuration

Overview: Cisco routers use the Cisco-AVPair attribute for QoS policies, ACLs, and service configuration.

Key Attributes:

1. Cisco-AVPair (Most Important)

Attribute: Cisco-AVPair
Type: Reply
Operator: :=
Value: attribute=value format

Examples:
ip:sub-qos-policy-in=10M        → QoS policy
ip:inacl#1=permit ip any any    → ACL rule
ip:route#1=192.168.1.0 255.255.255.0 10.0.0.1  → Static route

2. Cisco-Account-Info

Attribute: Cisco-Account-Info
Type: Reply
Operator: :=
Value: custom-info

Use: Custom accounting data

Cisco Policy Example:

Group: cisco-10mbps

Cisco-AVPair           | Reply | := | ip:sub-qos-policy-in=10M
Cisco-AVPair           | Reply | += | ip:sub-qos-policy-out=10M
Framed-IP-Address      | Reply | := | 192.168.1.100
Simultaneous-Use       | Check | == | 1
Session-Timeout        | Reply | := | 86400

Cisco Router Setup:

  1. Configure AAA: aaa new-model
  2. Add RADIUS server: radius-server host <IP> key <secret>
  3. Configure QoS policies matching RADIUS attributes
  4. Enable RADIUS authentication for PPPoE/VPN
  5. Test with test aaa group radius

Dictionary Location:

/usr/share/freeradius/dictionary.cisco

Juniper Configuration

Overview: Juniper routers use service profiles referenced by the Juniper-Local-User-Name attribute.

Key Attributes:

1. Juniper-Local-User-Name

Attribute: Juniper-Local-User-Name
Type: Reply
Operator: :=
Value: profile-name

Example: 10mbps-profile
Use: Reference to Juniper service profile

2. Juniper-Allow-Commands

Attribute: Juniper-Allow-Commands
Type: Reply
Operator: :=
Value: command-regex

Example: ^show.*
Use: Restrict CLI commands

Juniper Policy Example:

Group: juniper-10mbps

Juniper-Local-User-Name  | Reply | := | 10mbps-profile
Framed-IP-Address        | Reply | := | 192.168.1.100
Framed-Pool              | Reply | := | subscriber-pool
Simultaneous-Use         | Check | == | 1
Session-Timeout          | Reply | := | 86400

Juniper Router Setup:

  1. Create service profile on Juniper with bandwidth limits
  2. Configure RADIUS: set system radius-server <IP> secret <key>
  3. Configure access profile: set access profile <name>
  4. Link RADIUS authentication
  5. Test authentication

Dictionary Location:

/usr/share/freeradius/dictionary.juniper

NetElastic Configuration

Overview: NetElastic (vBNG) uses standard RADIUS attributes with custom bandwidth control.

Key Attributes:

1. Filter-Id (Bandwidth Control)

Attribute: Filter-Id
Type: Reply
Operator: :=
Value: bandwidth-profile

Example: 10M-profile
Use: Reference to bandwidth profile in NetElastic

2. Framed-Pool

Attribute: Framed-Pool
Type: Reply
Operator: :=
Value: pool-name

Example: subscriber-pool
Use: IP pool assignment

NetElastic Policy Example:

Group: netelastic-10mbps

Filter-Id              | Reply | := | 10M-profile
Framed-Pool            | Reply | := | main-pool
Framed-IP-Address      | Reply | := | dynamic
Simultaneous-Use       | Check | == | 1
Session-Timeout        | Reply | := | 86400
Acct-Interim-Interval  | Reply | := | 300

NetElastic Setup:

  1. Create bandwidth profiles in NetElastic
  2. Configure RADIUS server settings
  3. Map Filter-Id to bandwidth profiles
  4. Enable RADIUS authentication
  5. Test subscriber connection

Dictionary Location:

/usr/share/freeradius/dictionary (standard)

vBNG Configuration

Overview: vBNG (Virtual BNG) uses standard RADIUS attributes with QoS policy mapping.

Key Attributes:

1. Class (QoS Profile)

Attribute: Class
Type: Reply
Operator: :=
Value: qos-class

Example: premium, standard, basic
Use: QoS classification in vBNG

2. Framed-Pool

Attribute: Framed-Pool
Type: Reply
Operator: :=
Value: pool-name

Example: vbng-pool-1
Use: IP pool selection

vBNG Policy Example:

Group: vbng-10mbps

Class                  | Reply | := | premium
Filter-Id              | Reply | := | 10M-policy
Framed-Pool            | Reply | := | vbng-pool
Framed-IP-Netmask      | Reply | := | 255.255.255.0
Simultaneous-Use       | Check | == | 1
Session-Timeout        | Reply | := | 86400

vBNG Setup:

  1. Configure QoS policies in vBNG
  2. Add RADIUS server configuration
  3. Map Class attribute to QoS policies
  4. Configure IP pools
  5. Enable RADIUS authentication
  6. Test PPPoE/IPoE connections

Dictionary Location:

/usr/share/freeradius/dictionary (standard)
Custom dictionary may be needed for vendor-specific attributes

Installing Router Dictionaries

What Are RADIUS Dictionaries?

RADIUS dictionaries define vendor-specific attributes:

  • Dictionary files map attribute names to numbers
  • Each router vendor has custom attributes
  • FreeRADIUS needs dictionaries to understand vendor attributes
  • Located in /usr/share/freeradius/ directory

Check Installed Dictionaries

List all dictionaries:

ls -la /usr/share/freeradius/dictionary.*

Common dictionaries:

dictionary.mikrotik    → Mikrotik attributes
dictionary.cisco       → Cisco attributes
dictionary.juniper     → Juniper attributes
dictionary.freeradius  → Standard RADIUS attributes

Installing Mikrotik Dictionary

1. Check if already installed:

ls /usr/share/freeradius/dictionary.mikrotik

2. If not found, download:

cd /usr/share/freeradius/
sudo wget https://raw.githubusercontent.com/FreeRADIUS/freeradius-server/v3.0.x/share/dictionary.mikrotik

3. Include in main dictionary:

sudo nano /usr/share/freeradius/dictionary

Add this line:

$INCLUDE dictionary.mikrotik

4. Restart FreeRADIUS:

sudo systemctl restart freeradius

5. Test dictionary:

sudo freeradius -X | grep -i mikrotik

Installing Cisco Dictionary

1. Check if already installed:

ls /usr/share/freeradius/dictionary.cisco

2. Usually pre-installed with FreeRADIUS

3. If missing, download:

cd /usr/share/freeradius/
sudo wget https://raw.githubusercontent.com/FreeRADIUS/freeradius-server/v3.0.x/share/dictionary.cisco

4. Include in main dictionary:

sudo nano /usr/share/freeradius/dictionary

Add:

$INCLUDE dictionary.cisco

5. Restart FreeRADIUS:

sudo systemctl restart freeradius

Installing Juniper Dictionary

1. Check if already installed:

ls /usr/share/freeradius/dictionary.juniper

2. Download if missing:

cd /usr/share/freeradius/
sudo wget https://raw.githubusercontent.com/FreeRADIUS/freeradius-server/v3.0.x/share/dictionary.juniper

3. Include in main dictionary:

sudo nano /usr/share/freeradius/dictionary

Add:

$INCLUDE dictionary.juniper

4. Restart FreeRADIUS:

sudo systemctl restart freeradius

Installing Custom Dictionaries (NetElastic/vBNG)

For custom routers without standard dictionaries:

1. Create custom dictionary file:

sudo nano /usr/share/freeradius/dictionary.custom

2. Add vendor definition:

VENDOR    CustomVendor    12345

BEGIN-VENDOR    CustomVendor

ATTRIBUTE    Custom-Rate-Limit    1    string
ATTRIBUTE    Custom-Pool-Name     2    string
ATTRIBUTE    Custom-QoS-Class     3    string

END-VENDOR    CustomVendor

3. Include in main dictionary:

sudo nano /usr/share/freeradius/dictionary

Add:

$INCLUDE dictionary.custom

4. Restart FreeRADIUS:

sudo systemctl restart freeradius

Verify Dictionary Installation

1. Test FreeRADIUS configuration:

sudo freeradius -X

Look for:

Including dictionary file /usr/share/freeradius/dictionary.mikrotik
Including dictionary file /usr/share/freeradius/dictionary.cisco
Including dictionary file /usr/share/freeradius/dictionary.juniper

2. Test specific attribute:

echo "Mikrotik-Rate-Limit := 10M/10M" | radclient -x localhost:1812 auth testing123

3. Check for errors:

sudo journalctl -u freeradius -f

Troubleshooting Dictionary Issues

Issue: "Unknown attribute" error

Solution:
1. Check dictionary file exists
2. Verify $INCLUDE in main dictionary
3. Restart FreeRADIUS
4. Test with freeradius -X

Issue: Dictionary not loading

Solution:
1. Check file permissions (644)
2. Verify syntax in dictionary file
3. Check for typos in $INCLUDE
4. Review FreeRADIUS logs
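
A pre-flight check for the two dictionary issues above, as an added example (not Zal Ultra or FreeRADIUS code): it walks a main dictionary and its $INCLUDE lines, then reports policy attributes that no dictionary defines and $INCLUDE targets that do not exist. The function names and the sample dictionary text are constructed for illustration; the custom vendor block is the one shown on this page.

```python
import os
import tempfile


def load_dictionary(path, _seen=None):
    """Parse a FreeRADIUS dictionary file, following $INCLUDE lines.

    Returns (attrs, problems): attrs maps lower-cased attribute name to
    (vendor or None, number, type); problems is a list of
    (file name, line number, message).
    """
    seen = set() if _seen is None else _seen
    attrs, problems = {}, []
    real = os.path.realpath(path)
    if real in seen:  # include loop: this file was already parsed
        return attrs, problems
    seen.add(real)
    name, vendor = os.path.basename(path), None
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            fields = raw.split("#", 1)[0].split()  # '#' starts a comment
            if not fields:
                continue
            key = fields[0].upper()
            if key == "$INCLUDE" and len(fields) >= 2:
                target = os.path.join(os.path.dirname(path), fields[1])
                if not os.path.isfile(target):
                    problems.append(
                        (name, lineno, f"$INCLUDE target missing: {fields[1]}"))
                    continue
                sub_attrs, sub_problems = load_dictionary(target, seen)
                attrs.update(sub_attrs)
                problems.extend(sub_problems)
            elif key == "BEGIN-VENDOR" and len(fields) >= 2:
                vendor = fields[1]
            elif key == "END-VENDOR":
                vendor = None
            elif key == "ATTRIBUTE":
                if len(fields) < 4:
                    problems.append((name, lineno, "malformed ATTRIBUTE line"))
                    continue
                # Attribute names are matched case-insensitively.
                attrs[fields[1].lower()] = (vendor, fields[2], fields[3])
    return attrs, problems


def unknown_attributes(policy_attrs, main_dictionary):
    """Return (sorted attribute names with no definition, problems)."""
    attrs, problems = load_dictionary(main_dictionary)
    unknown = sorted(a for a in set(policy_attrs) if a.lower() not in attrs)
    return unknown, problems


# Constructed sample: a tiny main dictionary whose second $INCLUDE points at
# a file that was never downloaded.
MAIN = """\
# constructed sample, not a real FreeRADIUS dictionary
ATTRIBUTE    Session-Timeout    27    integer
ATTRIBUTE    Framed-Pool        88    string
$INCLUDE dictionary.custom
$INCLUDE dictionary.mikrotik
"""

# The custom vendor definition shown on this page.
CUSTOM = """\
VENDOR    CustomVendor    12345

BEGIN-VENDOR    CustomVendor

ATTRIBUTE    Custom-Rate-Limit    1    string
ATTRIBUTE    Custom-Pool-Name     2    string
ATTRIBUTE    Custom-QoS-Class     3    string

END-VENDOR    CustomVendor
"""


def demo():
    """Write the sample files to a temp dir and check one policy group."""
    with tempfile.TemporaryDirectory() as d:
        for fname, text in (("dictionary", MAIN), ("dictionary.custom", CUSTOM)):
            with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
                fh.write(text)
        wanted = ["Mikrotik-Rate-Limit", "Framed-Pool",
                  "Session-Timeout", "Custom-Rate-Limit"]
        return unknown_attributes(wanted, os.path.join(d, "dictionary"))


if __name__ == "__main__":
    unknown, problems = demo()
    print("unknown attributes:", unknown)
    for fname, lineno, msg in problems:
        print(f"{fname}:{lineno}: {msg}")
```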

Step-by-Step Guide

Step 1: Access Policy Page

Navigate to Policy:

  1. Go to Package menu
  2. Click Policy
  3. View all existing policy groups

Permission Required:

  • ✅ Admin can manage policies
  • ✅ Staff can manage policies (if permission granted)
  • ❌ Resellers CANNOT manage policies

Step 2: Create Policy Group

Click "Add Policy" Button

1. Group Name (Required)

Purpose: Identifies the policy group

Rules:

  • Will be auto-formatted (lowercase, no spaces)
  • Use descriptive names
  • Example: "10 Mbps Policy" → "10mbpspolicy"

Good Examples:

✅ "10mbps-residential"
✅ "corporate-policy"
✅ "mikrotik-20mbps"
✅ "premium-service"

Bad Examples:

❌ "Policy1" (not descriptive)
❌ "Test" (not professional)

Step 3: Add Policy Attributes

You can add multiple attributes to one group:

Attribute 1: Bandwidth Limit (Mikrotik)

1. Attribute Name (Required)

Mikrotik-Rate-Limit

2. Attribute Type (Required)

Select: Reply (radgroupreply)

3. Attribute OP (Required)

Select: := (Set)

4. Attribute Value (Required)

10M/10M

Attribute 2: IP Pool

1. Attribute Name (Required)

Framed-Pool

2. Attribute Type (Required)

Select: Reply

3. Attribute OP (Required)

Select: :=

4. Attribute Value (Required)

main-pool

Attribute 3: Simultaneous Sessions

1. Attribute Name (Required)

Simultaneous-Use

2. Attribute Type (Required)

Select: Check (radgroupcheck)

3. Attribute OP (Required)

Select: ==

4. Attribute Value (Required)

1

Attribute 4: Session Timeout

1. Attribute Name (Required)

Session-Timeout

2. Attribute Type (Required)

Select: Reply

3. Attribute OP (Required)

Select: :=

4. Attribute Value (Required)

86400

Step 4: Save Policy Group

Click "Save" or "Submit"

Success:

Successfully Added.
Policy group created with all attributes

Result:

Group: "10mbps-residential" created with 4 attributes:
  1. Mikrotik-Rate-Limit := 10M/10M (Reply)
  2. Framed-Pool := main-pool (Reply)
  3. Simultaneous-Use == 1 (Check)
  4. Session-Timeout := 86400 (Reply)

Step 5: Assign to Package

Go to Package → Add/Edit Package:

  1. Find "Policy Group" field
  2. Select your policy group from dropdown
  3. Example: Select "10mbps-residential"
  4. Save package

Now all subscribers with this package will have these RADIUS attributes!


Step 6: Add More Attributes to Existing Group

To add more attributes to an existing group:

  1. Go to Policy page
  2. Find your group in the table
  3. Click "Add New" action for that group
  4. Add new attribute
  5. Save

Example:

Group: "10mbps-residential" (existing)
Add new attribute: Acct-Interim-Interval := 300

Result: Group now has 5 attributes

Step 7: Edit Policy Attribute

To edit an existing attribute:

  1. Find the attribute in table (under group)
  2. Click "Edit" action
  3. Modify Name, Type, OP, or Value
  4. Save

⚠️ Important:

Editing policy affects all packages using this group
Changes apply to new connections
Existing sessions may need reconnection

Step 8: Delete Policy Attribute

To delete an attribute:

  1. Find the attribute in table
  2. Click "Delete" action
  3. Confirm deletion

⚠️ Warning:

Deleting attribute removes it from group
Affects all packages using this group
Cannot be undone

Step 9: Copy Policy Group

To copy an existing policy group:

  1. Find the group in table
  2. Click "Copy" action
  3. Enter new group name
  4. Modify attributes if needed
  5. Save

Use Case:

Copy "10mbps-residential" to "10mbps-corporate"
Then modify specific attributes for corporate use

Step 10: Delete Policy Group

To delete an entire policy group:

  1. Find the group in table
  2. Click "Delete" action
  3. Confirm deletion

⚠️ Warning:

Cannot delete if assigned to packages
Remove from packages first
All attributes in group will be deleted
Cannot be undone

Common Policy Examples

Example 1: Basic Mikrotik Policy (10 Mbps)

Group Name: "mikrotik-10mbps"

Attributes:

1. Mikrotik-Rate-Limit
   Type: Reply
   OP: :=
   Value: 10M/10M
   Purpose: 10 Mbps upload/download

2. Framed-Pool
   Type: Reply
   OP: :=
   Value: main-pool
   Purpose: Dynamic IP from pool

3. Simultaneous-Use
   Type: Check
   OP: ==
   Value: 1
   Purpose: Prevent account sharing

4. Session-Timeout
   Type: Reply
   OP: :=
   Value: 86400
   Purpose: 24-hour session (force daily reconnect)

5. Acct-Interim-Interval
   Type: Reply
   OP: :=
   Value: 300
   Purpose: Update usage every 5 minutes

Use Case: Standard residential package with 10 Mbps speed


Example 2: Mikrotik with Burst (20 Mbps)

Group Name: "mikrotik-20mbps-burst"

Attributes:

1. Mikrotik-Rate-Limit
   Type: Reply
   OP: :=
   Value: 20M/20M 40M/40M 10/10 8
   Purpose: 20 Mbps normal, 40 Mbps burst for 10 seconds

2. Framed-Pool
   Type: Reply
   OP: :=
   Value: premium-pool
   Purpose: Premium IP pool

3. Simultaneous-Use
   Type: Check
   OP: ==
   Value: 2
   Purpose: Allow 2 concurrent sessions

4. Mikrotik-Address-List
   Type: Reply
   OP: :=
   Value: premium-users
   Purpose: Add to premium firewall list

Use Case: Premium package with burst speed and multiple sessions


Example 3: Static IP Assignment

Group Name: "static-ip-policy"

Attributes:

1. Mikrotik-Rate-Limit
   Type: Reply
   OP: :=
   Value: 50M/50M
   Purpose: 50 Mbps for corporate

2. Framed-IP-Address
   Type: Reply
   OP: :=
   Value: 192.168.1.100
   Purpose: Static IP for subscriber

3. Framed-IP-Netmask
   Type: Reply
   OP: :=
   Value: 255.255.255.0
   Purpose: Subnet mask

4. Simultaneous-Use
   Type: Check
   OP: ==
   Value: 1
   Purpose: Single session only

Use Case: Corporate package with dedicated static IP


Example 4: Cisco QoS Policy

Group Name: "cisco-corporate-50mbps"

Attributes:

1. Cisco-AVPair
   Type: Reply
   OP: :=
   Value: ip:sub-qos-policy-in=50M
   Purpose: 50 Mbps download QoS

2. Cisco-AVPair
   Type: Reply
   OP: +=
   Value: ip:sub-qos-policy-out=50M
   Purpose: 50 Mbps upload QoS

3. Framed-IP-Address
   Type: Reply
   OP: :=
   Value: 10.10.10.100
   Purpose: Static IP

4. Simultaneous-Use
   Type: Check
   OP: ==
   Value: 1
   Purpose: Single session

Use Case: Cisco router with corporate QoS policy


Example 5: Juniper Service Profile

Group Name: "juniper-premium"

Attributes:

1. Juniper-Local-User-Name
   Type: Reply
   OP: :=
   Value: premium-100mbps-profile
   Purpose: Reference to Juniper service profile

2. Framed-Pool
   Type: Reply
   OP: :=
   Value: juniper-pool
   Purpose: IP pool for Juniper

3. Simultaneous-Use
   Type: Check
   OP: ==
   Value: 3
   Purpose: Allow 3 concurrent sessions

4. Session-Timeout
   Type: Reply
   OP: :=
   Value: 86400
   Purpose: 24-hour session

Use Case: Juniper router with service profile reference


Example 6: Hotspot with Idle Timeout

Group Name: "hotspot-1hour"

Attributes:

1. Mikrotik-Rate-Limit
   Type: Reply
   OP: :=
   Value: 5M/5M
   Purpose: 5 Mbps for hotspot

2. Session-Timeout
   Type: Reply
   OP: :=
   Value: 3600
   Purpose: 1-hour session limit

3. Idle-Timeout
   Type: Reply
   OP: :=
   Value: 600
   Purpose: Disconnect if idle for 10 minutes

4. Simultaneous-Use
   Type: Check
   OP: ==
   Value: 1
   Purpose: Single session only

Use Case: Public hotspot with time limits


Example 7: Data Quota Policy

Group Name: "quota-10gb"

Attributes:

1. Mikrotik-Rate-Limit
   Type: Reply
   OP: :=
   Value: 10M/10M
   Purpose: 10 Mbps speed

2. Mikrotik-Recv-Limit
   Type: Reply
   OP: :=
   Value: 10737418240
   Purpose: 10 GB download quota

3. Mikrotik-Xmit-Limit
   Type: Reply
   OP: :=
   Value: 5368709120
   Purpose: 5 GB upload quota

4. Framed-Pool
   Type: Reply
   OP: :=
   Value: main-pool
   Purpose: Dynamic IP

Use Case: Package with data quota limits


Example 8: Multi-Router Policy (Universal)

Group Name: "universal-20mbps"

Attributes:

1. Mikrotik-Rate-Limit
   Type: Reply
   OP: :=
   Value: 20M/20M
   Purpose: For Mikrotik routers

2. Cisco-AVPair
   Type: Reply
   OP: :=
   Value: ip:sub-qos-policy-in=20M
   Purpose: For Cisco routers

3. Filter-Id
   Type: Reply
   OP: :=
   Value: 20M-profile
   Purpose: For other routers (NetElastic, vBNG)

4. Framed-Pool
   Type: Reply
   OP: :=
   Value: main-pool
   Purpose: Universal IP pool

5. Simultaneous-Use
   Type: Check
   OP: ==
   Value: 1
   Purpose: Single session

Use Case: Mixed network with multiple router brands


Troubleshooting

Issue 1: Bandwidth Not Applied

Problem:

Policy created but bandwidth not working on subscriber

Causes & Solutions:

Cause 1: Policy Not Assigned to Package

Solution:
1. Go to Package → Edit Package
2. Check "Policy Group" field
3. Select your policy group
4. Save package

Cause 2: Wrong Attribute for Router

Solution:
- Mikrotik: Use Mikrotik-Rate-Limit
- Cisco: Use Cisco-AVPair
- Juniper: Use Juniper-Local-User-Name
- Check router type and use correct attribute

Cause 3: Dictionary Not Installed

Solution:
1. Check dictionary: ls /usr/share/freeradius/dictionary.mikrotik
2. Install if missing (see Installing Dictionaries section)
3. Restart FreeRADIUS
4. Test with freeradius -X

Cause 4: Subscriber Needs Reconnection

Solution:
Policy changes apply to NEW connections
Disconnect and reconnect subscriber
Or wait for Session-Timeout

Issue 2: "Unknown Attribute" Error

Problem:

FreeRADIUS logs show "Unknown attribute" error

Cause:

Dictionary not installed or not included

Solution:

1. Check dictionary file exists:
   ls /usr/share/freeradius/dictionary.mikrotik

2. Check main dictionary includes it:
   grep "dictionary.mikrotik" /usr/share/freeradius/dictionary

3. Add if missing:
   echo '$INCLUDE dictionary.mikrotik' | sudo tee -a /usr/share/freeradius/dictionary

4. Restart FreeRADIUS:
   sudo systemctl restart freeradius

5. Test:
   sudo freeradius -X | grep -i mikrotik

Issue 3: Simultaneous-Use Not Working

Problem:

Subscriber can connect multiple times despite Simultaneous-Use := 1

Causes & Solutions:

Cause 1: Wrong Operator

Problem: Using := instead of ==
Solution: Simultaneous-Use must use == operator
Correct: Simultaneous-Use == 1 (Check attribute)

Cause 2: Wrong Attribute Type

Problem: Using Reply instead of Check
Solution: Simultaneous-Use must be Check attribute
Correct: Type = Check (radgroupcheck)

Cause 3: Accounting Not Working

Solution:
1. Check NAS sends accounting (Start/Stop)
2. Verify radacct table has entries
3. Check FreeRADIUS accounting logs
4. Enable accounting on router

Issue 4: Static IP Not Assigned

Problem:

Framed-IP-Address set but subscriber gets different IP

Causes & Solutions:

Cause 1: Router Pool Override

Solution:
Router may ignore Framed-IP-Address if pool configured
Remove pool from router or use Framed-Pool attribute

Cause 2: IP Already in Use

Solution:
Check if IP is already assigned to another subscriber
Use different IP or release existing assignment

Cause 3: Wrong Netmask

Solution:
Add Framed-IP-Netmask attribute
Example: Framed-IP-Netmask := 255.255.255.0

Issue 5: Policy Not Showing in Package

Problem:

Created policy but not showing in package dropdown

Cause:

Policy group name mismatch or not saved properly

Solution:

1. Check policy exists in Policy page
2. Verify group name (lowercase, no spaces)
3. Check radgroupreply/radgroupcheck tables
4. Recreate policy if needed
5. Refresh package page

Issue 6: Session Timeout Not Working

Problem:

Session-Timeout set but subscriber not disconnecting

Causes & Solutions:

Cause 1: Router Doesn't Support

Solution:
Check if router supports Session-Timeout
Some routers ignore this attribute
Use router-specific timeout instead

Cause 2: Wrong Value Format

Solution:
Session-Timeout value must be in seconds
Example: 86400 (24 hours), not "24h"

Cause 3: Subscriber Reconnects Immediately

Solution:
This is normal behavior
Subscriber auto-reconnects after timeout
Use Idle-Timeout to prevent reconnection

Issue 7: Burst Speed Not Working (Mikrotik)

Problem:

Mikrotik-Rate-Limit with burst not working

Cause:

Wrong burst format or values

Solution:

Correct format: rate/rate burst/burst time/time priority

Examples:
✅ 10M/10M 20M/20M 5/5 8
✅ 10M/10M 20M/20M 10/10 7

Wrong:
❌ 10M/10M burst 20M/20M
❌ 10M/10M 20M 5 8

Check Mikrotik documentation for burst parameters

Issue 8: Multiple Cisco-AVPair Not Working

Problem:

Only first Cisco-AVPair applied, others ignored

Cause:

Wrong operator - using := instead of +=

Solution:

First Cisco-AVPair: := (Set)
Additional Cisco-AVPair: += (Add)

Example:
Cisco-AVPair := ip:sub-qos-policy-in=10M
Cisco-AVPair += ip:sub-qos-policy-out=10M
Cisco-AVPair += ip:route#1=192.168.1.0 255.255.255.0 10.0.0.1
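
A linter for the operator, type and value mistakes described in Issues 3, 6, 7 and 8, as an added example (not part of Zal Ultra or FreeRADIUS). It applies the rules as this page states them, including the burst format rate/rate burst/burst time/time priority; `lint_group` and the faulty sample group are constructed for illustration.

```python
import re

# Rules restate this page's tables and Troubleshooting Issues 3, 6, 7 and 8.
CHECK_ONLY = {"Simultaneous-Use"}
SECONDS_ATTRS = {"Session-Timeout", "Idle-Timeout", "Acct-Interim-Interval"}
COMPARISON_OPS = {"==", "!=", ">=", "<="}

_RATE = r"\d+[kKmMgG]?"
_PAIR = rf"{_RATE}/{_RATE}"
# Format as this page gives it: rate/rate [burst/burst time/time priority].
# Priority is limited to 1-8, the MikroTik queue priority range.
RATE_LIMIT_RE = re.compile(rf"{_PAIR}( {_PAIR} \d+/\d+ [1-8])?")


def _is_uint(value):
    return re.fullmatch(r"[0-9]+", value) is not None


def lint_group(rows):
    """Lint one policy group.

    rows: iterable of (attribute, type, op, value), type "Check" or "Reply".
    Returns a list of (attribute, rule, detail); an empty list means clean.
    """
    findings = []
    reply_seen = set()
    for attr, typ, op, value in rows:
        if attr in CHECK_ONLY:
            # Issue 3: Simultaneous-Use must be a Check attribute with ==.
            if typ != "Check":
                findings.append((attr, "type", f"{typ} should be Check (radgroupcheck)"))
            if op != "==":
                findings.append((attr, "op", f"{op} should be =="))
            if not _is_uint(value) or int(value) < 1:
                findings.append((attr, "value", f"{value!r} is not a positive integer"))
            continue
        if typ == "Reply":
            if op in COMPARISON_OPS:
                findings.append((attr, "op", f"{op} compares instead of setting; use :="))
            elif attr in reply_seen and op != "+=":
                # Issue 8: only the first instance may use :=, the rest need +=.
                findings.append((attr, "op", f"repeated attribute needs +=, got {op}"))
            reply_seen.add(attr)
        if attr in SECONDS_ATTRS and not _is_uint(value):
            # Issue 6: timeouts are integer seconds, not "24h".
            findings.append((attr, "value", f"{value!r} is not integer seconds"))
        if attr == "Mikrotik-Rate-Limit" and not RATE_LIMIT_RE.fullmatch(value):
            # Issue 7: malformed burst string.
            findings.append((attr, "value", f"{value!r} is not rate/rate "
                             "[burst/burst time/time priority]"))
    return findings


# The "residential-10mbps" group from this page.
GOOD_GROUP = [
    ("Mikrotik-Rate-Limit", "Reply", ":=", "10M/10M"),
    ("Framed-Pool", "Reply", ":=", "residential-pool"),
    ("Simultaneous-Use", "Check", "==", "1"),
    ("Session-Timeout", "Reply", ":=", "86400"),
    ("Acct-Interim-Interval", "Reply", ":=", "300"),
]

# Constructed group that repeats the mistakes from the troubleshooting list.
BAD_GROUP = [
    ("Mikrotik-Rate-Limit", "Reply", ":=", "10M/10M 20M 5 8"),
    ("Cisco-AVPair", "Reply", ":=", "ip:sub-qos-policy-in=10M"),
    ("Cisco-AVPair", "Reply", ":=", "ip:sub-qos-policy-out=10M"),
    ("Simultaneous-Use", "Reply", ":=", "1"),
    ("Session-Timeout", "Reply", ":=", "24h"),
]

if __name__ == "__main__":
    for label, group in (("good", GOOD_GROUP), ("bad", BAD_GROUP)):
        print(label)
        for attr, rule, detail in lint_group(group):
            print(f"  {attr} [{rule}]: {detail}")
```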

Issue 9: FreeRADIUS Not Starting

Problem:

FreeRADIUS fails to start after adding policy

Causes & Solutions:

Cause 1: Dictionary Syntax Error

Solution:
1. Check FreeRADIUS logs: sudo journalctl -u freeradius
2. Look for syntax errors in dictionary
3. Fix errors in dictionary file
4. Test: sudo freeradius -X

Cause 2: Missing Dictionary File

Solution:
1. Check $INCLUDE paths in main dictionary
2. Verify dictionary files exist
3. Remove invalid $INCLUDE lines
4. Restart FreeRADIUS

Summary

Policy is the core of service control in Zal Ultra!

✅ Key Takeaways:

  1. RADIUS-based - Uses FreeRADIUS attributes
  2. Group structure - Multiple attributes per group
  3. Router-specific - Mikrotik, Cisco, Juniper, NetElastic, vBNG
  4. Two types - Check (authentication) and Reply (service)
  5. Bandwidth control - Primary use case
  6. IP assignment - Static or pool-based
  7. Session management - Simultaneous-Use, timeouts
  8. Dictionary required - Install vendor dictionaries

✅ Common Use Cases:

✅ Bandwidth limits (10M, 20M, 50M, 100M)
✅ Static IP assignment
✅ IP pool selection
✅ Prevent account sharing (Simultaneous-Use)
✅ Session timeouts (hourly, daily)
✅ Data quotas (GB limits)
✅ Burst speed (temporary boost)
✅ QoS classification

✅ Best Practices:

✅ Use descriptive group names
✅ Install correct router dictionaries
✅ Test policies before production
✅ Use correct attribute types (Check vs Reply)
✅ Use correct operators (:= vs ==)
✅ Document your policies
✅ Monitor FreeRADIUS logs

✅ Configuration Checklist:

✅ Install router dictionaries
✅ Create policy group with descriptive name
✅ Add bandwidth attribute (router-specific)
✅ Add IP assignment (pool or static)
✅ Add Simultaneous-Use (prevent sharing)
✅ Add Session-Timeout (optional)
✅ Add Acct-Interim-Interval (usage tracking)
✅ Assign policy to package
✅ Test with subscriber connection
✅ Verify bandwidth applied
✅ Monitor RADIUS logs

Perfect for ISPs needing complete control over subscriber services via RADIUS! 🚀

www.onezeroart.com