BQN Documentation
BQN Documentation


Radius Introduction

The BQN subscriber rate policies and the assignment of subscribers to subscriber rate policies can be performed via a RADIUS interface. To do this, of course, the BQN must have visibility of the subscriber IP addresses, i.e., there cannot be a NAT between the subscribers and the BQN because the rate limits will be applied per subscriber IP address. It is also important that the wires are connected in the right way (access ports connected on the side of the subscribers).

Currently, only IPv4 subscribers can be provisioned via RADIUS.

The integration is between the RADIUS clients or NAS (Network Access Servers, e.g., PPPoE servers) and the BQN management interface. The BQN acts as RADIUS server for RADIUS Accounting (but not for RADIUS Authentication and Authorization, which must keep going to the RADIUS server in charge of Authentication and Authorization). Ideally, the BQN should receive just a copy of the RADIUS Accounting messages, which carry all the necessary information, while the rest of the RADIUS interactions with the original RADIUS server should remain unchanged. The BQN uses the management IP address (same as GUI) to receive RADIUS messages in the standard Radius Accounting port (1813).

The RADIUS Accounting Start and Interim messages link a subscriber IP address with a subscriber rate policy. The subscriber IP address is received in the Framed-IP-Address field. There are two ways in which RADIUS can specify the subscriber rate policy:

  • Specifying the subscriber rate policy parameters (like the rate limit), where the RADIUS attribute provides the policy definition and the BQN creates a policy based on that information.
  • Specifying the subscriber rate policy name, where the RADIUS attribute contains the name of the policy to choose from the policies that are part of the BQN configuration.

The following parameters are supported. We list them in order of priority (parameters evaluated first will take precedence):

Priority Name Vendor ID Description Example
1 Mikrotik Rate-Limit 14988 8 Contains the policy rate limits, including optional burst parameters:
rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]
“15M/20M 30M/40M 15M/20M 5/5”
2 Ascend Data-Rate 529 197 The first instance defines the downlink rate limit in Mbps.
The second instance defines the uplink rate limit in Mbps.
If there is only one instance, it specifies the downlink limit, unless Ascend-Xmit-Rate is present, in which case it will specify the uplink limit.
3 Ascend Xmit-Rate 529 255 The downlink rate limit in Mbps. 100
4 Mikrotik Address-List 14988 19 Defines the policy parameters if meets the following format:
[rate-limit][K or M] Uplink-[rate-limit][K or M] Downlink
“50M Uplink-50M Downlink”
5 CISCO sub-qos-policy 9 1 Defines the rate limits with the following format:
sub-qos-policy-out=[Prefix]_[rate-limit]Mbps_Downlink sub-qos-policy-in=[Prefix]_[rate-limit]Mbps_Uplink
6 CISCO rate limits 9 37, 38 Defines the rate limits with the following format:

ID=37 (downlink rate limit):
[rate-limit][K or M] Downlink.
ID=38 (uplink rate limit):
[rate-limit][K or M] Uplink.
ID 37: “10M Downlink”
ID 38: “5M Uplink”

Resulting policy name:
“5M Uplink-10M Downlink”
7 Mikrotik Address-List 14988 19 If Mikrotik Address-List format does not match the format described in priority 4, its content will be interpreted as a policy name configured in the BQN. “Gold_Users”
8 CISCO rate limits 9 37, 38 If CISCO rate limits format does not match the format described in priority 6, its content will be interpreted as a policy name configured in the BQN. "Basic_Plan"
9 Class n/a 25 Generic RADIUS parameter.
A dynamic policy is created if Class contains the substring:
Policy=[rate-limit][K|M|G] Uplink-[rate-limit][K|M|G] Downlink
Dynamic policy:
“Policy=5M Uplink-10M Downlink, other-param=foo”
Resulting policy name: “5M_Uplink-10M_Downlink”
10 Class n/a 25 If Class content does not match the previous pattern, a reference to a configured policy is created with the substring following the = up to a comma:
Otherwise, the parameter is ignored.
“policy=mypolicy, other-param=foo”
Resulting policy name (configured in BQN): “mypolicy”
Resulting policy name (configured in BQN): “anotherpolicy”

When more than one parameter is present, the policy will be managed according to the priority order. For example, if both Mikrotik-Rate-Limit and Ascend-Data-Rate are present, Mikrotik-Rate-Limit will take precedence. Also, if both Ascend-Data-Rate and Mikrotik-Address-List are in the Radius message, Mikrotik-Address-List will be ignored. In any case, it is possible to use any of those information elements, since the BQN can be configured to ignore the ones with more precedence, as can be seen in the following section.

If a RADIUS message contains none of the supported attributes, the subscriber rate policy previously assigned to the subscriber IP address in this RADIUS message, if any, will be removed and a new one will be chosen based on BQN configured subscriber rate policy rules.

To integrate the BQN to the RADIUS, the steps are:

  1. Configure RADIUS in the BQN
  2. Configure the RADIUS clients
  3. Specific steps (whether RADIUS provides policy parameters or policy names).
  4. Check the state of policies and subscribers.

Configuration of RADIUS in the BQN

  1. To activate the RADIUS interface in the BQN, go to Configuration->RADIUS/REST/Billing-> RADIUS and set the RADIUS switch to On.
  2. Add the IP addresses of each RADIUS client, along with its secret. In the BQN GUI, go to Configuration->RADIUS/REST/Billing->RADIUS and click on Add Client…

An optional description for each RADIUS client can be added (the description cannot contain spaces).

Configuration of the RADIUS clients

The goal is to configure the RADIUS client to send copies of RADIUS accounting messages to the BQN, as if the BQN server is a RADIUS server only for accounting. The following instructions are related to a Mikrotik PPPoE server, but similar steps can be followed for other vendors:

1. First, the existing RADIUS configuration should not be changed.

2. A new RADIUS server will be configured with the BQN as an Accounting backup server. To create a new RADIUS server, go to the RADIUS section and click on “Add New”. The following screen will be shown:

As it can be observed:

  • The service of the router/switch should be enabled (usually ppp).
  • In “Address” the IP address will be the BQN management IP address (you can see which one it is in BQN GUI Configuration->Interfaces->Management).
  • The field Accounting Backup must be selected (otherwise, the BQN would receive RADIUS Authentication and Authorization messages, which it does not support).
  • The accounting port is left in its default value(1813).
  • Optionally, a secret can be specified (if used, it must match the one configured in the BQN RADIUS configuration).
  • Optionally, a Comment can add a description of the RADIUS server (e.g., “BQN RADIUS”).

3.      After creating the RADIUS server, the list should be as follows:

4. Make sure the service has RADIUS Interim Updates enabled and with a reasonable period (1-5 minutes). For example, for PPP, in option PPP->Secrets->PPP Authentication & Accounting.

The process must be repeated in all the nodes whose RADIUS is to be sent to the BQN.

Specific Steps when RADIUS Provides Policy Parameters

This requires basically no specific configuration. Just make sure that in Configuration->RADIUS/REST/Billing->RADIUS, Mikrotik-Rate-Limit, the Ascend data rate parameters, or the CISCO AVP, are enabled (all are enabled by default). Once the BQN starts receiving the RADIUS messages, it will assign each subscriber (for which a RADIUS message is received) a subscriber rate policy with the rate limits defined in the RADIUS message.

The name of the policy created dynamically is composed based on the AVP content, with spaces replacedby underscores ("_"):

  • With Mikrotik-Rate-Limit: the AVP content. Example: “20M/40M_0K/0K_0K/0K_0/0”
  • With Ascend-Data-Rate/Ascend-Xmit-Rate: RADIUS_RX_<uplink-rate in Kbpw>K_TX_<downlink-rate in Kbps>K. Example: “RADIUS_RX_50000K_100000K”.

Optionally, a percentage can be specified to scale the policy limits. One can keep limits in the BQN below those of the PPPoE servers, to enforce the plans in the BQN and have the PPPoE servers as backup and to limit local traffic that does not go through the BQN (for example, direct traffic between subscribers in the same access area).  This parameter can also be set to a higher value (e.g. 200%) to enforce higher rate limits than the current NAS, so that you will get rate policies assigned to subscribers, but the rates will still be controlled by the NAS. Setting a Rate-Limit scaling higher than 100% can be considered when initially testing the RADIUS interface, or if you just want to get the rate information for each subscriber (maybe to use it to select an appropriate flow policy). The scaling percentage is defined in the field Rate-Limit Scaling % in Configuration->External Subscriber Data->Radius (by default,100%, i.e., no scaling).

For example, with a percentage of 80%, a 125 Mbps limit in RADIUS will be converted to a 100Mbps limit in the BQN (125*0.8).

The percentage is applied to all parameters of the subscriber rate policy (rate limit, burst speed and burst threshold).

And that’s all. You can now check policies and subscribers in Status->RADIUS/REST/Billing->Policies and Status->RADIUS/REST/Billing->Subscribers.

Mikrotik-Rate-Limit Field Format

For information purposes, the AVP field Mikrotik-Rate-Limit is described. The Mikrotik RADIUS client will automatically codify this field according to its configuration. The format is as follows:

rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate][rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time][priority] [rx-rate-min[/tx-rate-min]]]]


  • rx-rate: rate limit in uplink.
  • tx-rate: rate limit in downlink.
  • rx-burst-rate: burst rate in uplink.
  • tx-burst-rate: burst rate in downlink.
  • rx-burst-threshold: burst threshold in uplink(average speed not to be exceeded before granting a new burst).
  • tx-burst-threshold: burst threshold in downlink(average speed not to be exceeded before granting a new burst).
  • rx-burst-time: uplink burst duration, in seconds.
  • tx-burst-time downlink burst duration, in seconds.
  • priority: ignored.
  • rx-rate-min: ignored.
  • tx-rate-min: ignored.

Speed can be given in Mbps (M) or Kbps (K). For example, a subscriber rate policy with a downlink limit of de 20Mbps, an uplink limit of 15Mbps, burst of double the limit, thresholds equal to the limit and a burst duration of 5 seconds, would be:

15M/20M 30M/40M15M/20M 5/5

If no burst is required, the values are set to zero:

15M/20M 0K/0K 0K/0K0/0

And if the limits are symmetrical, it is enough to specify one of them (the other will take the same value). For example, a symmetrical 15Mbps (in both downlink and uplink).

15M 0K 0K 0

The BQN creates dynamically a subscriber rate policy, if it does not exist yet, using the parameters in this field. A policy name in the BQN cannot have spaces, so spaces are replaced by an underscore (“_”). For example, the policy from RADIUS “20M/40M 0K/0K 0K/0K 0/0” will be converted to “20M/40M_0K/0K_0K/0K_0/0”in the BQN. The policy name is limited to 63 characters (if the limits is exceeded, the name will be truncated).

Specific Steps when RADIUS Provides Policy Names

The subscriber rate policy are configured in the BQN and the RADIUS interface provides the name of the policy to apply. The policy name can be specified in AVP Mikrotik-Address-List.

To make the BQN take this AVP, disable the AVPs of higher priority (not necessary if the Mikrotik or Ascend Rate-Limit parameters do not exist):

The name of the policy configured in the BQN is based on the AVP content, with spaces replaced by underscores (“_”). Those are the names that should be used when configuring the policies in the BQN:

  • With Mikrotik-Address-List:the AVP content. Example: “GOLD_PLAN”
  • With CISCO sub-qos-policy-out/in: the sub-qos-policy-out value + ‘-‘ + sub-qos-policy-out value. Example: “PPPoE_100Mbps_Downlink-PPPoE_50Mbps_Uplink”

The policies specified by RADIUS for each subscriber may already be configured in the BQN, in which case they will just be assigned. However, certain policy names specified in Radius may not exist in the BQN yet. Status->RADIUS/REST/Billing->Policies lists the names of the policies coming from RADIUS, and if they are not configured yet, they can be configured from here. For example, the next table shows four policies not yet configured (this is indicated by the SOURCE field as undefined), each of them with provisioned subscribers and, so far, no subscriber active (with traffic):

The SUBS-PROVISIONED counter indicates howmany subscribers are assigned to each policy. For example, policy “radius-static-2”has 2 subscribers assigned.

For each of these policies coming from RADIUS, a Subscriber Rate Policy with the same name must be configured The GUI helps in the process:

  1. In Status->RADIUS/REST/Billing->Policies, select the name of the subscriber rate policy. It will go to a form to define the policy parameters, with the right policy name already filled in.
  2. In the form, specify speed limits in each direction and check those limits are according to the intent of the policy.

The process is repeated for each subscriber rate policy pending configuration. In this example, we have created three policies with downlink/uplink limits of 40Mbps/20Mbps, 60Mbps/30Mbps, 80Mbps/40Mbps,100Mbps/50Mbps. Once created, the policies will appear with SOURCE “config” in Status->RADIUS/REST/BiIling->Policies:

Also, as provisioned subscribers start to generate traffic, the SUBS-ACTIVE counter will increase. For example, policy “rate-static-4” has one active subscriber.

Check the State of Policies and Subscribers

Status->RADIUS/REST/Billing->Policies lists all policies received by RADIUS. The “SOURCE” field indicates if a subscriber rate policy is defined in the BQN configuration (config) or if it has been generated from RADIUS information (radius).  The field SUBS-PROVISONED indicates the number of subscribers assigned to that policy via RADIUS (or via REST API) and SUBS-ACTIVE how many subscribers are active (with traffic).

Clicking on the configured policies, you can see and edit its parameters, while clicking on policies created from RADIUS information, you can only see their policy definition:

As RADIUS assignments are received, the SUBS_PROVISIONED counter grows and, as subscriber traffic is received, the “SUBS-ACTIVE” counter will increase.

To go to the list of subscribers associated to a subscriber rate policy via RADIUS, go to Status->RADIUS/REST/Billing->Subscribers. In the following example, there are six subscribers and their policies.

The SOURCE field indicates the origin of the policy assignment (radius in this case).

When the subscriber is active, a click on the IP address will display session information. Active subscribers are listed in Status->Subscribers.