Manual:RADIUS Client

From MikroTik Wiki
Revision as of 10:49, 28 October 2009 by Marisb (talk | contribs)

Applies to RouterOS: 2.9, v3, v4

Summary

Sub-menu: /radius

Standards: ARP RFC 2865


RADIUS, short for Remote Authentication Dial-In User Service, is a remote server that provides authentication and accounting facilities to various network appliances. RADIUS authentication and accounting gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. MikroTik RouterOS has a RADIUS client which can authenticate HotSpot, PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from the RADIUS server override the ones set in the default profile, but if some parameters are not received, they are taken from the respective default profile.

The RADIUS server database is consulted only if no matching user access record is found in the router's local database.

Traffic is accounted locally with MikroTik Traffic Flow and Cisco IP pairs, and a snapshot image can be gathered using Syslog utilities. If RADIUS accounting is enabled, accounting information is also sent to the RADIUS server default for that service.


Radius Client

Properties

Property Description
accounting-backup (yes | no; Default: no) This entry is a backup RADIUS accounting server
accounting-port (integer; Default: 1813) RADIUS server port used for accounting
address (IP; Default: 0.0.0.0) IP address of the RADIUS server
authentication-port (integer; Default: 1812) RADIUS server port used for authentication
called-id (string; Default: ) Value depends on Point-to-Point protocol: PPPoE - service name, PPTP - server's IP address, L2TP - server's IP address
domain (string; Default: ) Microsoft Windows domain of client passed to RADIUS servers that require domain validation
realm (string; Default: ) Explicitly stated realm (user domain), so the users do not have to provide proper ISP domain name in user name
secret (string; Default: ) Shared secret used to access the RADIUS server
service (hotspot | login | ppp | telephony | wireless | dhcp; Default: ) Router services that will use this RADIUS server
  • hotspot - HotSpot authentication service
  • login - router's local user authentication
  • ppp - Point-to-Point clients authentication
  • telephony - IP telephony accounting
  • wireless - wireless client authentication (client's MAC address is sent as User-Name)
  • dhcp - DHCP protocol client authentication (client's MAC address is sent as User-Name)
timeout (time; Default: 100ms) Timeout after which the request should be resent


Connection Terminating from RADIUS

Sub-menu: /radius incoming

This facility supports unsolicited messages sent from the RADIUS server. Unsolicited messages extend the RADIUS protocol commands and allow a session that has already been connected to be terminated from the RADIUS server. Disconnect-Messages (DM) are used for this purpose; they cause a user session to be terminated immediately.

Note that RouterOS doesn't support POD (Packet of Disconnect), the other RADIUS access request packet that performs a similar function to Disconnect Messages.

Properties

Supported RADIUS Attributes