Manual:PPP AAA: Difference between revisions
Latest revision as of 10:44, 17 May 2021
Applies to RouterOS: 2.9, v3, v4, v5
Summary
Sub-menu: /ppp
The MikroTik RouterOS provides scalable Authentication, Authorization and Accounting (AAA) functionality.
Local authentication is performed using the User Database and the Profile Database. The actual configuration for the given user is composed using the respective user record from the User Database, the associated item from the Profile Database, and the item in the Profile Database which is set as default for the service the user is authenticating to. Default profile settings from the Profile Database have the lowest priority, while the user access record settings from the User Database have the highest priority, with the only exception being that particular IP addresses take precedence over IP pools in the local-address and remote-address settings, which is described later on.
Support for RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which can authenticate PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from the RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile.
User Profiles
Sub-menu: /ppp profile
PPP profiles are used to define default values for user access records stored under the /ppp secret submenu. Settings in the /ppp secret User Database override the corresponding /ppp profile settings, except that single IP addresses always take precedence over IP pools when specified as local-address or remote-address parameters.
Properties
Property | Description |
---|---|
address-list (string; Default: ) | Address list name to which ppp assigned address will be added. |
bridge (string; Default: ) | Name of the bridge interface to which ppp interface will be added as a slave port. Both tunnel endpoints (server and client) must be in bridge in order to make this work, see more details on the BCP bridging manual. |
bridge-horizon (integer 0..429496729; Default: ) | Used split-horizon value for the dynamically created bridge port. Can be used to prevent bridging loops and isolate traffic. Set the same value for a group of ports, to prevent them from sending data to ports with the same horizon value. |
bridge-learning (default | no | yes; Default: default) | Changes MAC learning behavior on the dynamically created bridge port. |
bridge-path-cost (integer 0..429496729; Default: ) | Used path cost for the dynamically created bridge port, used by STP/RSTP to determine the best path, used by MSTP to determine the best path between regions. This property has no effect when a bridge protocol-mode is set to none. |
bridge-port-priority (integer 0..240; Default: ) | Used priority for the dynamically created bridge port, used by STP/RSTP to determine the root port, used by MSTP to determine root port between regions. This property has no effect when a bridge protocol-mode is set to none. |
change-tcp-mss (yes | no | default; Default: default) | Modifies connection MSS settings (applies only for IPv4). |
comment (string; Default: ) | |
dhcpv6-pd-pool (string; Default: ) | Name of the IPv6 pool which will be used by the dynamically created DHCPv6-PD server when a client connects. |
dns-server (IP; Default: ) | IP address of the DNS server that is supplied to ppp clients |
idle-timeout (time; Default: ) | Specifies the amount of time after which the link will be terminated if there is no activity. The timeout is not set by default. |
incoming-filter (string; Default: ) | Firewall chain name for incoming packets. Specified chain gets control for each packet coming from the client. The ppp chain should be manually added and rules with action=jump jump-target=ppp should be added to other relevant chains in order for this feature to work. For more information look at the examples section |
local-address (IP address | pool; Default: ) | Tunnel address or name of the pool from which address is assigned to ppp interface locally. |
name (string; Default: ) | PPP profile name |
only-one (yes | no | default; Default: default) | Defines whether a user is allowed to have more than one ppp session at a time. |
outgoing-filter (string; Default: ) | Firewall chain name for outgoing packets. The specified chain gets control for each packet going to the client. The PPP chain should be manually added and rules with action=jump jump-target=ppp should be added to other relevant chains in order for this feature to work. For more information look at the Examples section. |
rate-limit (string; Default: ) | Rate limitation in the form rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]] from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates are measured in bits per second, unless followed by the optional 'k' suffix (kilobits per second) or 'M' suffix (megabits per second). If tx-rate is not specified, rx-rate serves as tx-rate too. The same applies for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as the default. Priority takes values 1..8, where 1 is the highest priority and 8 the lowest. If rx-rate-min and tx-rate-min are not specified, the rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values cannot exceed the rx-rate and tx-rate values. |
remote-address (IP; Default: ) | Tunnel address or name of the pool from which address is assigned to remote ppp interface. |
remote-ipv6-prefix-pool (string | none; Default: none) | Assign prefix from IPv6 pool to the client and install corresponding IPv6 route. |
session-timeout (time; Default: ) | Maximum time the connection can stay up. By default no time limit is set. |
use-compression (yes | no | default; Default: default) | Specifies whether to use data compression or not. |
use-encryption (yes | no | default | require; Default: default) | Specifies whether to use data encryption or not. |
use-ipv6 (yes | no | default | require; Default: default) | Specifies whether to allow IPv6. By default it is enabled if the IPv6 package is installed. |
use-mpls (yes | no | default | require; Default: default) | Specifies whether to allow MPLS over PPP. |
use-vj-compression (yes | no | default; Default: default) | Specifies whether to use the Van Jacobson header compression algorithm. |
on-up (script; Default: ) | Execute script on user login event. The variables listed in the original table are accessible to the event script. |
on-down (script; Default: ) | Execute script on user logging off. See on-up for more details |
wins-server (IP address; Default: ) | IP address of the WINS server to supply to Windows clients |
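The rate-limit property above packs up to six positional fields, each an rx[/tx] pair, with several fallback rules. The following parser is an added example, not MikroTik code: it turns one rate-limit string into bits-per-second values and applies exactly the defaults the description states (tx falls back to rx, thresholds fall back to the plain rates, burst-time defaults to 1s, rate-min defaults to rate and may not exceed it). Burst-time is assumed to be written as whole seconds ("10s" or "10").

```python
import re

# Added example (not MikroTik code): parse a /ppp profile rate-limit string into
# bits-per-second values, applying the defaults the property description states.
_RATE_RE = re.compile(r"^(\d+)([kM])?$")
_TIME_RE = re.compile(r"^(\d+)s?$")   # burst-time as whole seconds, e.g. "10s" (assumption)

def parse_rate(tok):
    """'512k' -> 512000, '2M' -> 2000000, '100000' -> 100000 (all bits per second)."""
    m = _RATE_RE.match(tok)
    if not m:
        raise ValueError(f"bad rate {tok!r}")
    return int(m.group(1)) * {None: 1, "k": 1000, "M": 1_000_000}[m.group(2)]

def parse_time(tok):
    """Burst time token ('10s' or bare seconds) -> integer seconds."""
    m = _TIME_RE.match(tok)
    if not m:
        raise ValueError(f"bad burst time {tok!r}")
    return int(m.group(1))

def parse_pair(tok, conv):
    """'rx[/tx]' -> (rx, tx); when tx is omitted it equals rx, as the page states."""
    rx, _, tx = tok.partition("/")
    rx_v = conv(rx)
    return rx_v, (conv(tx) if tx else rx_v)

def parse_rate_limit(spec):
    """Return a dict of the effective queue parameters for one rate-limit string."""
    f = spec.split()
    if not 1 <= len(f) <= 6:
        raise ValueError("expected 1..6 space-separated fields")
    rx_rate, tx_rate = parse_pair(f[0], parse_rate)
    out = {"rx-rate": rx_rate, "tx-rate": tx_rate}
    if len(f) > 1:                          # burst exists only when burst-rate is given
        out["rx-burst-rate"], out["tx-burst-rate"] = parse_pair(f[1], parse_rate)
        # missing thresholds fall back to rx-rate/tx-rate; missing burst-time to 1s
        thr = parse_pair(f[2], parse_rate) if len(f) > 2 else (rx_rate, tx_rate)
        out["rx-burst-threshold"], out["tx-burst-threshold"] = thr
        bt = parse_pair(f[3], parse_time) if len(f) > 3 else (1, 1)
        out["rx-burst-time"], out["tx-burst-time"] = bt
    if len(f) > 4:
        prio = int(f[4])
        if not 1 <= prio <= 8:              # 1 is the highest priority, 8 the lowest
            raise ValueError("priority must be 1..8")
        out["priority"] = prio
    rx_min, tx_min = parse_pair(f[5], parse_rate) if len(f) > 5 else (rx_rate, tx_rate)
    if rx_min > rx_rate or tx_min > tx_rate:
        raise ValueError("rx-rate-min/tx-rate-min may not exceed rx-rate/tx-rate")
    out["rx-rate-min"], out["tx-rate-min"] = rx_min, tx_min
    return out
```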
Notes
There are two default profiles that cannot be removed:
```
[admin@rb13] ppp profile> print
Flags: * - default
 0 * name="default" use-compression=no use-vj-compression=no use-encryption=no only-one=no change-tcp-mss=yes
 1 * name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=default
[admin@rb13] ppp profile>
```
Use Van Jacobson compression only if you have to because it may slow down the communications on bad or congested channels.
incoming-filter and outgoing-filter arguments add dynamic jump rules to chain ppp, where the jump-target argument will be equal to incoming-filter or outgoing-filter argument in /ppp profile. Therefore, chain ppp should be manually added before changing these arguments.
only-one parameter is ignored if RADIUS authentication is used.
If more than 10 simultaneous PPP connections are planned, it is recommended to turn the change-tcp-mss property off and use one general MSS changing rule in the mangle table instead, to reduce CPU utilization.
User Database
Sub-menu: /ppp secret
PPP User Database stores PPP user access records with PPP user profile assigned to each user.
Properties
Property | Description |
---|---|
caller-id (string; Default: ) | For PPTP and L2TP it is the IP address a client must connect from. For PPPoE it is the MAC address (written in CAPITAL letters) a client must connect from. For ISDN it is the caller's number (which may or may not be provided by the operator) the client may dial in from. |
comment (string; Default: ) | Short description of the user. |
disabled (yes | no; Default: no) | Whether the secret will be used. |
limit-bytes-in (integer; Default: 0) | Maximal amount of bytes for a session that client can upload. |
limit-bytes-out (integer; Default: 0) | Maximal amount of bytes for a session that client can download. |
local-address (IP address; Default: ) | IP address that will be set locally on ppp interface. |
name (string; Default: ) | Name used for authentication |
password (string; Default: ) | Password used for authentication |
profile (string; Default: default) | Which user profile to use. |
remote-address (IP; Default: ) | IP address that will be assigned to remote ppp interface. |
remote-ipv6-prefix (IPv6 prefix; Default: ) | IPv6 prefix assigned to the ppp client. The prefix is added to the ND prefix list, enabling stateless address auto-configuration on the ppp interface. Available starting from v5.0. |
routes (string; Default: ) | Routes that appear on the server when the client is connected. The route format is: dst-address gateway metric (for example, 10.1.0.0/24 10.0.0.1 1). Other syntax is not acceptable since it can be represented in an incorrect way. Several routes may be specified, separated with commas. This parameter will be ignored for OpenVPN. |
service (any | async | isdn | l2tp | pppoe | pptp | ovpn | sstp; Default: any) | Specifies the services that particular user will be able to use. |
Active Users
Sub-menu: /ppp active
This submenu allows you to monitor active (connected) users. The /ppp active print command shows all currently connected users, and /ppp active print stats shows received/sent bytes and packets.
Properties
Property | Description |
---|---|
address (IP address) | IP address the client got from the server |
bytes (integer) | Amount of bytes transferred through this connection. The first figure represents the amount of transmitted traffic from the router's point of view, while the second one shows the amount of received traffic. |
caller-id (string) | For PPTP and L2TP it is the IP address the client connected from. For PPPoE it is the MAC address the client connected from. |
encoding (string) | Shows encryption and encoding (separated with '/' if asymmetric) being used in this connection |
limit-bytes-in (integer) | Maximal amount of bytes the user is allowed to send to the router. |
limit-bytes-out (integer) | Maximal amount of bytes the user is allowed to send to the client. |
name (string) | User name supplied at authentication stage |
packets (integer/integer) | Amount of packets transferred through this connection. The first figure represents the amount of transmitted traffic from the router's point of view, while the second one shows the amount of received traffic. |
service (async | isdn | l2tp | pppoe | pptp | ovpn | sstp) | Type of service the user is using. |
session-id (string) | Shows unique client identifier. |
uptime (time) | User's uptime |
Remote AAA
Sub-menu: /ppp aaa
Settings in this submenu allow you to configure RADIUS accounting and authentication. Note that the RADIUS user database is consulted only if the required username is not found in the local user database.
Properties
Property | Description |
---|---|
accounting (yes | no; Default: yes) | Enable RADIUS accounting |
interim-update (time; Default: 0s) | Interim-Update time interval |
use-radius (yes | no; Default: no) | Enable user authentication via RADIUS. If entry in local secret database is not found, then client will be authenticated via RADIUS. |
Examples
Add new profile
To add the profile ex that assigns the router itself the 10.0.0.1 address, and the addresses from the ex pool to the clients, filtering traffic coming from clients through mypppclients chain:
```
[admin@rb13] ppp profile> add name=ex local-address=10.0.0.1 remote-address=ex incoming-filter=mypppclients
[admin@rb13] ppp profile> print
Flags: * - default
 0 * name="default" use-compression=no use-vj-compression=no use-encryption=no only-one=no change-tcp-mss=yes
 1   name="ex" local-address=10.0.0.1 remote-address=ex use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=default incoming-filter=mypppclients
 2 * name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=default
[admin@rb13] ppp profile>
```
Add new user
To add the user ex with password lkjrht and profile ex available for PPTP service only, enter the following command:
```
[admin@rb13] ppp secret> add name=ex password=lkjrht service=pptp profile=ex
[admin@rb13] ppp secret> print
Flags: X - disabled
 #   NAME   SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
 0   ex     pptp              lkjrht   ex      0.0.0.0
[admin@rb13] ppp secret>
```