Manual:PPP AAA: Difference between revisions

From MikroTik Wiki

Revision as of 16:09, 27 October 2009

Applies to RouterOS: 2.9, v3, v4

Summary

Sub-menu: /ppp


The MikroTik RouterOS provides scalable Authentication, Authorization and Accounting (AAA) functionality.

Local authentication is performed using the User Database and the Profile Database. The actual configuration for a given user is composed from the respective user record in the User Database, the associated item in the Profile Database, and the item in the Profile Database that is set as the default for the service the user is authenticating to. Default profile settings from the Profile Database have the lowest priority, while the user access record settings from the User Database have the highest priority, with the only exception being that particular IP addresses take precedence over IP pools in the local-address and remote-address settings, which is described later on.

Support for RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which can authenticate PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from the RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile.


User Profiles

Sub-menu: /ppp profile

PPP profiles are used to define default values for user access records stored under /ppp secret submenu. Settings in /ppp secret User Database override corresponding /ppp profile settings except that single IP addresses always take precedence over IP pools when specified as local-address or remote-address parameters.
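The three-layer precedence just described, as an added example (not MikroTik code): the service's default profile is merged with the user's profile and then with the /ppp secret record, and a literal IP address for local-address or remote-address is kept even when a higher layer supplies a pool name. The sample records are constructed from the print output in the Examples section.

```python
# Added example (not MikroTik code): composes the effective PPP settings for
# one user from the three layers the manual describes, lowest to highest
# priority: the service's default profile, the profile named in the user's
# /ppp secret record, and the secret record itself. The stated exception:
# for local-address and remote-address a specific IP address beats a pool
# name, whichever layer supplies it.
import ipaddress

ADDRESS_KEYS = ("local-address", "remote-address")
TRISTATE_KEYS = ("change-tcp-mss", "only-one", "use-compression",
                 "use-encryption", "use-vj-compression")

def is_ip(value):
    """True if value is a literal IP address rather than a pool name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def effective_config(default_profile, user_profile, secret):
    """Merge the three layers; a higher-priority layer overrides a lower one."""
    result = {}
    for layer in (default_profile, user_profile, secret):
        for key, value in layer.items():
            if value in (None, "", "default"):   # unset / inherit from below
                continue
            if (key in ADDRESS_KEYS and key in result
                    and is_ip(result[key]) and not is_ip(value)):
                continue                         # an IP already chosen beats a pool
            result[key] = value
    for key in TRISTATE_KEYS:                    # "default" at the bottom means "no"
        result.setdefault(key, "no")
    return result

# Constructed data mirroring the manual's print output for profile "ex" and
# secret "ex" (the secret's password is left out here).
DEFAULT_PROFILE = {"use-compression": "no", "use-vj-compression": "no",
                   "use-encryption": "no", "only-one": "no", "change-tcp-mss": "yes"}
PROFILE_EX = {"local-address": "10.0.0.1", "remote-address": "ex",
              "use-compression": "default", "use-vj-compression": "default",
              "use-encryption": "default", "only-one": "default",
              "change-tcp-mss": "default", "incoming-filter": "mypppclients"}
SECRET_EX = {"name": "ex", "service": "pptp", "profile": "ex"}

if __name__ == "__main__":
    for k, v in sorted(effective_config(DEFAULT_PROFILE, PROFILE_EX, SECRET_EX).items()):
        print(f"{k}={v}")
```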


Properties

Property Description
change-tcp-mss (yes | no | default; Default: default) Modifies connection MSS settings
  • yes - adjust connection MSS value
  • no - do not adjust connection MSS value
  • default - derive this value from the interface default profile; same as no if this is the interface default profile
dns-server (IP; Default: ) IP address of the DNS server to supply to clients
idle-timeout (time; Default: ) Specifies the amount of time after which the link will be terminated if there was no activity present. There is no timeout set by default
incoming-filter (string; Default: ) Firewall chain name for incoming packets. Specified chain gets control for each packet coming from the client. The ppp chain should be manually added and rules with action=jump jump-target=ppp should be added to other relevant chains in order for this feature to work. For more information look at the Examples section
local-address (IP; Default: ) IP address or IP address pool name for PPP server
name (string; Default: ) PPP profile name
only-one (yes | no | default; Default: default) Defines whether a user is allowed to have more than one connection at a time
  • yes - a user is not allowed to have more than one connection at a time
  • no - the user is allowed to have more than one connection at a time
  • default - derive this value from the interface default profile; same as no if this is the interface default profile
outgoing-filter (string; Default: ) Firewall chain name for outgoing packets. Specified chain gets control for each packet going to the client. The ppp chain should be manually added and rules with action=jump jump-target=ppp should be added to other relevant chains in order for this feature to work. For more information look at the Examples section
rate-limit (string; Default: ) Rate limitation in the form rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]] from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates are measured in bits per second, unless followed by the optional 'k' suffix (kilobits per second) or 'M' suffix (megabits per second). If tx-rate is not specified, rx-rate serves as tx-rate too. The same applies for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as the default. Priority takes values 1..8, where 1 is the highest priority and 8 the lowest. If rx-rate-min and tx-rate-min are not specified, the rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values cannot exceed the rx-rate and tx-rate values.
remote-address (IP; Default: ) IP address or IP address pool name for PPP clients
session-timeout (time; Default: ) Maximum time the connection can stay up. By default no time limit is set.
use-compression (yes | no | default; Default: default) Specifies whether to use data compression or not.
  • yes - enable data compression
  • no - disable data compression
  • default - derive this value from the interface default profile; same as no if this is the interface default profile
use-encryption (yes | no | default; Default: default) Specifies whether to use data encryption or not.
  • yes - enable data encryption
  • no - disable data encryption
  • default - derive this value from the interface default profile; same as no if this is the interface default profile
use-vj-compression (yes | no | default; Default: default) Specifies whether to use Van Jacobson header compression algorithm.
  • yes - enable Van Jacobson header compression
  • no - disable Van Jacobson header compression
  • default - derive this value from the interface default profile; same as no if this is the interface default profile
wins-server (IP; Default: ) IP address of the WINS server to supply to Windows clients
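The rate-limit string format from the property table above, as an added example (not MikroTik code): the parser expands a value such as "512k/2M 1M 800k 10s 5 256k" into the eleven effective numbers by applying the manual's fallback rules. The assumptions are noted in the comments: a missing burst rate is represented as 0, an omitted priority is recorded as 8, and burst times are accepted only in the plain seconds form.

```python
# Added example (not MikroTik code): parses the /ppp profile rate-limit string
# into bits per second using the defaulting rules the manual states. Assumed:
# burst-rate 0 means no burst; an omitted priority is recorded as 8 (lowest).
import re

MULT = {"": 1, "k": 1_000, "M": 1_000_000}

def parse_rate(token):
    """'512k' -> 512000; a bare number is already bits per second."""
    m = re.fullmatch(r"(\d+)([kM]?)", token)
    if not m:
        raise ValueError(f"bad rate {token!r}")
    return int(m.group(1)) * MULT[m.group(2)]

def parse_time(token):
    """'8s' or '8' -> 8 seconds (only the seconds form is handled here)."""
    m = re.fullmatch(r"(\d+)s?", token)
    if not m:
        raise ValueError(f"bad time {token!r}")
    return int(m.group(1))

def parse_pair(field, conv):
    """'rx[/tx]' -> (rx, tx); tx defaults to rx when omitted."""
    parts = field.split("/")
    if len(parts) > 2:
        raise ValueError(f"too many '/' in {field!r}")
    rx = conv(parts[0])
    return rx, (conv(parts[1]) if len(parts) == 2 else rx)

def parse_rate_limit(spec):
    f = spec.split()
    if not 1 <= len(f) <= 6:
        raise ValueError("expected 1 to 6 space-separated fields")
    rx, tx = parse_pair(f[0], parse_rate)
    brx, btx = parse_pair(f[1], parse_rate) if len(f) > 1 else (0, 0)
    if len(f) > 2:                         # explicit burst thresholds
        trx, ttx = parse_pair(f[2], parse_rate)
    else:                                  # else the plain rates, if bursting at all
        trx, ttx = (rx, tx) if len(f) > 1 else (0, 0)
    btrx, bttx = parse_pair(f[3], parse_time) if len(f) > 3 else (1, 1)
    prio = int(f[4]) if len(f) > 4 else 8
    if not 1 <= prio <= 8:
        raise ValueError("priority must be 1..8 (1 is highest)")
    mrx, mtx = parse_pair(f[5], parse_rate) if len(f) > 5 else (rx, tx)
    if mrx > rx or mtx > tx:
        raise ValueError("rate-min may not exceed rate")
    return {"rx-rate": rx, "tx-rate": tx, "rx-burst-rate": brx, "tx-burst-rate": btx,
            "rx-burst-threshold": trx, "tx-burst-threshold": ttx,
            "rx-burst-time": btrx, "tx-burst-time": bttx, "priority": prio,
            "rx-rate-min": mrx, "tx-rate-min": mtx}
```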

Notes

There are two default profiles that cannot be removed:

[admin@rb13] ppp profile> print
Flags: * - default
 0 * name="default" use-compression=no use-vj-compression=no use-encryption=no only-one=no
     change-tcp-mss=yes
 1 * name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes
     only-one=default change-tcp-mss=default
[admin@rb13] ppp profile>

Use Van Jacobson compression only if you have to because it may slow down the communications on bad or congested channels.

incoming-filter and outgoing-filter arguments add dynamic jump rules to chain ppp, where the jump-target argument will be equal to incoming-filter or outgoing-filter argument in /ppp profile. Therefore, chain ppp should be manually added before changing these arguments.

only-one parameter is ignored if RADIUS authentication is used.

If more than 10 simultaneous PPP connections are planned, it is recommended to turn the change-tcp-mss property off and use one general MSS changing rule in the mangle table instead, to reduce CPU utilization.


User Database

Sub-menu: /ppp secret

PPP User Database stores PPP user access records with PPP user profile assigned to each user.


Properties

Property Description
a (IP; Default: )


Active Users

Sub-menu: /ppp active

This submenu allows monitoring of active (connected) users.


Properties

Property Description
a (IP; Default: )

Remote AAA

Sub-menu: /ppp aaa

Settings in this submenu enable RADIUS accounting and authentication. Note that the RADIUS user database is consulted only if the required username is not found in the local user database.


Properties

Property Description
accounting (yes | no; Default: yes) Enable RADIUS accounting
interim-update (time; Default: 0s) Interim-Update time interval
use-radius (yes | no; Default: no) Enable user authentication via RADIUS


Examples

Add new profile

To add the profile ex that assigns the router itself the 10.0.0.1 address, and the addresses from the ex pool to the clients, filtering traffic coming from clients through mypppclients chain:

[admin@rb13] ppp profile> add name=ex local-address=10.0.0.1 remote-address=ex incoming-filter=mypppclients
[admin@rb13] ppp profile> print
Flags: * - default
 0 * name="default" use-compression=no use-vj-compression=no use-encryption=no only-one=no
     change-tcp-mss=yes
 1   name="ex" local-address=10.0.0.1 remote-address=ex use-compression=default
     use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=default
     incoming-filter=mypppclients
 2 * name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes
     only-one=default change-tcp-mss=default
[admin@rb13] ppp profile>

Add new user

To add the user ex with password lkjrht and profile ex available for PPTP service only, enter the following command:

[admin@rb13] ppp secret> add name=ex password=lkjrht service=pptp profile=ex
[admin@rb13] ppp secret> print
Flags: X - disabled
 #   NAME                SERVICE CALLER-ID         PASSWORD          PROFILE            REMOTE-ADDRESS
 0   ex                  pptp                      lkjrht            ex                 0.0.0.0
[admin@rb13] ppp secret>