From Opendium Documentation
Jump to navigation Jump to search

Opendium systems provide RADIUS authentication and accounting services. With the help of network access controllers, such as your wifi controller, a single sign-on service can be provided for single user devices. For example, people bringing their own smartphones and tablets will only need to enter their credentials once in order to join the wifi network, rather than having to log onto the wifi network and then separately log onto the web proxy.

We recommend that networks which utilise RADIUS have a layer 2 connection to the Opendium system, rather than being routed by a layer 3 switch. If the network is routed via a layer 3 switch, the network access controller '''must''' include Framed-IP-Address / Framed-IPv6-Address attributes in the accounting data. See the Network Topology knowledgebase article for more information.

Linking a network access controller to the Opendium system

The Clients page, which can be accessed by clicking the Clients tab within RADIUS, shows the network access controllers which are currently linked to the Opendium system, and allows new controllers to be added.

Use the Create Client button and either enter the IP address of a single network access controller, or a network in CIDR notation. The RADIUS traffic will be protected with a shared secret and you can either use the shared secret that has been automatically generated, or replace it with your own. Note that for some wifi systems, only a single wifi controller needs to be configured as a RADIUS client, whereas for other wifi systems all of the access points are RADIUS clients. In the latter case, it is best to enter a single network that covers all of the access points, rather than creating a separate client for each access point.

You can either configure the network access controller / wifi system to use the Opendium system's RADIUS authentication service, or a third party service such as Microsoft NPS. However, the network access controller / wifi system must be configured to send accounting data to the Opendium system's RADIUS accounting service, even if an alternate authentication service is used.

Ensure that your network access controller is configured to send interim accounting updates. For Ubiquiti UniFi systems this is done by logging onto the controller, going to Settings -> Profiles -> Select Accounting Server, clicking Edit and ticking "Enable interim updates".

Remember to set appropriate User Identification profiles for your networks.

RADIUS authentication attributes

If the Opendium system is being used as a RADIUS authentication service, some dynamic attributes can be configured, which are applied based on the user that is connecting to the network. Note that these settings are chosen based on only the user name, as the user's IP address is not known at the time that they are being applied.

These are heritable settings (see Group Inheritance). If you are not sure which settings would be applied to a user, look at the Policy Modelling report.


If supported by your network access controller / wifi system, you can dynamically set which VLAN devices are connected to, based on the user name that they are authenticating as.

Select the appropriate user group from the group tree, and on the VLAN row of the table ensure that "Inherit" isn't ticked and "Enabled" is ticked. Enter the VLAN ID (1-4094) into the text box and click Save Configuration.

When a connection is authenticated, the VLAN is resolved from the group tree (see Group Inheritance) and an appropriate "Tunnel-Private-Group-Id" attribute is added to the RADIUS authentication response. The following RADIUS attributes are also added:

Tunnel-Type: VLAN
Tunnel-Medium-Type: IEEE-802

Ruckus user groups

For Ruckus networks, you can indicate the user groups to the access point using the "Ruckus-User-Groups" vendor specific RADIUS attribute., which corresponds to Roles in Ruckus ZoneDirector.

Select the appropriate user group from the group tree, and on the Ruckus user groups row of the table ensure that "Inherit" isn't ticked and "Enabled" is ticked. Enter the appropriate configuration into the text box and click Save Configuration.

Machine authentication

Devices which are part of a Windows domain can be configured to authenticate themselves with the network as a machine, rather than a specific user.

The RADIUS authentication attributes, such as dynamic VLAN assignments, will come from the Anonymous group. However, we recommend setting them on the Everyone group and allowing them to be inherited by Anonymous.

A device which is authenticated as a machine will be expected to behave as a workstation and authenticate with the web proxy using Kerberos single sign-on authentication.


There are no logs for RADIUS service itself, but the RADIUS accounting data can be found in the Accounting: Reports.