Manual:RADIUS Client

From MikroTik Wiki
Revision as of 11:52, 28 October 2009 by Marisb (talk | contribs)

Applies to RouterOS: 2.9, v3, v4

Summary

Sub-menu: /radius

Standards: RFC 2865 (RADIUS), RFC 2866 (RADIUS Accounting)


RADIUS, short for Remote Authentication Dial-In User Service, is a protocol by which network appliances hand authentication and accounting off to a central server. RADIUS authentication and accounting gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. MikroTik RouterOS has a RADIUS client which can authenticate HotSpot, PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from the RADIUS server override the ones set in the default profile; parameters that are not received are taken from the respective default profile.

The RADIUS server database is consulted only if no matching user access record is found in the router's local database.

Traffic is accounted locally with MikroTik Traffic Flow and Cisco IP pairs, and a snapshot image can be gathered using Syslog utilities. If RADIUS accounting is enabled, accounting information is also sent to the RADIUS server that is the default for that service.


Radius Client

Properties

Property Description
accounting-backup (yes | no; Default: no) This entry is a backup RADIUS accounting server
accounting-port (integer; Default: 1813) RADIUS server port used for accounting
address (IP; Default: 0.0.0.0) IP address of the RADIUS server
authentication-port (integer; Default: 1812) RADIUS server port used for authentication
called-id (string; Default: ) Value depends on Point-to-Point protocol: PPPoE - service name, PPTP - server's IP address, L2TP - server's IP address
domain (string; Default: ) Microsoft Windows domain of client passed to RADIUS servers that require domain validation
realm (string; Default: ) Explicitly stated realm (user domain), so the users do not have to provide proper ISP domain name in user name
secret (string; Default: ) Shared secret used with the RADIUS server; it must match the secret the server has configured for this router
service (hotspot | login | ppp | telephony | wireless | dhcp; Default: ) Router services that will use this RADIUS server
  • hotspot - HotSpot authentication service
  • login - router's local user authentication
  • ppp - Point-to-Point clients authentication
  • telephony - IP telephony accounting
  • wireless - wireless client authentication (client's MAC address is sent as User-Name)
  • dhcp - DHCP protocol client authentication (client's MAC address is sent as User-Name)
timeout (time; Default: 100ms) Timeout after which the request is resent

Notes

The order of the items in this list is significant.

Microsoft Windows clients send their usernames in the form domain\username

When the RADIUS server authenticates a user with CHAP, MS-CHAPv1 or MS-CHAPv2, the shared secret is not used to protect the credentials in the Access-Request; it enters only the Response Authenticator of the server's reply, which the router verifies. So if the shared secret is wrong, the RADIUS server will accept the request (and log a successful login), but the router won't accept the reply and the user is not let in. You can see this with the /radius monitor command: the "bad-replies" counter increases whenever somebody tries to connect. (With PAP the User-Password attribute itself is obfuscated using the shared secret, so a mismatched secret is rejected by the server instead.)

Example

To set a RADIUS server for the HotSpot and PPP services with IP address 10.0.0.3 and shared secret ex, you need to do the following:

[admin@MikroTik] radius> add service=hotspot,ppp address=10.0.0.3 secret=ex
[admin@MikroTik] radius> print
Flags: X - disabled
  #   SERVICE         CALLED-ID     DOMAIN        ADDRESS         SECRET
  0   ppp,hotspot                                 10.0.0.3        ex
[admin@MikroTik] radius>
AAA for the respective services should be enabled too:
[admin@MikroTik] radius> /ppp aaa set use-radius=yes
[admin@MikroTik] radius> /ip hotspot profile set default use-radius=yes
To view some statistics for a client:
[admin@MikroTik] radius> monitor 0
             pending: 0
            requests: 10
             accepts: 4
             rejects: 1
             resends: 15
            timeouts: 5
         bad-replies: 0
    last-request-rtt: 0s
[admin@MikroTik] radius>


Connection Terminating from RADIUS

Sub-menu: /radius incoming

This facility supports unsolicited messages sent from the RADIUS server. Unsolicited messages extend the RADIUS protocol with commands that allow the RADIUS server to terminate a session which has already been established. For this purpose Disconnect-Messages (DM) are used; a Disconnect-Message causes the user session to be terminated immediately.

Note that RouterOS does not support POD (Packet of Disconnect), the other unsolicited RADIUS packet type that performs a similar function to Disconnect-Messages.

Properties

Property Description
accept (yes | no; Default: no) Whether to accept the unsolicited messages
port (integer; Default: 1700) The port number to listen for the requests on
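The following is an added example written for this page (not RouterOS or FreeRADIUS code; the session table, secrets and identifiers are constructed and nothing is sent on the network). It builds the Disconnect-Request a RADIUS server would send to the port above and shows the check the receiving side has to make before it drops the session: the packet is authenticated only by the shared secret, following RFC 5176 (which obsoleted RFC 3576), so a request whose authenticator does not verify must be silently discarded, and anyone who knows the secret (or can replay a captured request) can terminate sessions. That is the reason to leave accept=no unless you actually use this facility.

```python
"""RFC 5176 Disconnect-Request as a RADIUS server sends it to /radius incoming
(UDP 1700 by default), and the check the receiving NAS must make before it
tears the session down. Added example, not RouterOS code; no network I/O."""
import hashlib, hmac, struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ACCT_SESSION_ID = 1, 44


def tlv(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data):
    i, attrs = 0, {}
    while i + 2 <= len(data) and data[i + 1] >= 2:
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def request_authenticator(code, ident, attrs, secret):
    """RFC 5176 2.3: MD5(Code || ID || Length || 16 zero octets || Attributes || Secret).
    Nothing in the input is unpredictable, so the shared secret alone proves
    that the sender is the real RADIUS server (and a captured packet replays)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs))
                       + bytes(16) + attrs + secret).digest()


def build_disconnect_request(ident, username, session_id, secret):
    """Server side: name the session by User-Name and Acct-Session-Id."""
    attrs = tlv(USER_NAME, username) + tlv(ACCT_SESSION_ID, session_id)
    auth = request_authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def nas_handle_disconnect(pkt, secret, sessions):
    """NAS side, i.e. what accept=yes switches on. `sessions` maps
    Acct-Session-Id -> User-Name and is mutated. Returns (action, reply code)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != DISCONNECT_REQUEST or length != len(pkt):
        return "dropped", None
    attrs_bytes = pkt[20:length]
    # Authenticate first, then parse: a bad authenticator is silently discarded (RFC 5176 2.3).
    if not hmac.compare_digest(pkt[4:20], request_authenticator(code, ident, attrs_bytes, secret)):
        return "dropped", None
    attrs = parse_attrs(attrs_bytes)
    session_id = attrs.get(ACCT_SESSION_ID)
    if session_id in sessions and sessions[session_id] == attrs.get(USER_NAME):
        del sessions[session_id]           # session terminated immediately -> Disconnect-ACK
        return "terminated", DISCONNECT_ACK
    return "nak", DISCONNECT_NAK           # unknown session -> Disconnect-NAK (Error-Cause 503)


if __name__ == "__main__":
    active = {b"8100000a": b"alice"}       # constructed NAS session table
    good = build_disconnect_request(1, b"alice", b"8100000a", b"ex")
    forged = build_disconnect_request(2, b"alice", b"8100000a", b"guess")
    print(nas_handle_disconnect(forged, b"ex", active), active)   # dropped; alice stays online
    print(nas_handle_disconnect(good, b"ex", active), active)     # terminated; {}
    print(nas_handle_disconnect(good, b"ex", active))             # nak; already gone
```

The order inside nas_handle_disconnect is the point: the authenticator is checked over the raw attribute bytes before any attribute is interpreted, so a forged request never reaches the session lookup.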

Supported RADIUS Attributes

Here you can download the MikroTik reference dictionary, which incorporates all the needed RADIUS attributes. This dictionary is the minimal dictionary that is enough to support all features of MikroTik RouterOS. It is designed for FreeRADIUS, but may also be used with many other UNIX RADIUS servers (e.g. XTRadius).

Note that it may conflict with the default configuration files of the RADIUS server, which have references to attributes absent from this dictionary. Please correct the configuration files, not the dictionary, as no other attributes are supported by MikroTik RouterOS.

There is also dictionary.mikrotik, which can be included in an existing dictionary to support MikroTik vendor-specific attributes.

Definitions

  • PPPs - PPP, PPTP, PPPoE and ISDN
  • default configuration - settings in default profile (for PPPs) or HotSpot server settings (for HotSpot)


Access-Request

  • Service-Type - always is "Framed" (only for PPPs)
  • Framed-Protocol - always is "PPP" (only for PPPs)
  • NAS-Identifier - router identity
  • NAS-IP-Address - IP address of the router itself
  • NAS-Port - unique session ID
  • Acct-Session-Id - unique session ID
  • NAS-Port-Type - async PPP - "Async"; PPTP and L2TP - "Virtual"; PPPoE - "Ethernet"; ISDN - "ISDN Sync"; HotSpot - "Ethernet | Cable | Wireless-802.11" (according to the value of nas-port-type parameter in /ip hotspot p
  • Calling-Station-Id - PPPoE and HotSpot - client MAC address in capital letters; PPTP and L2TP - client public IP address; ISDN - client MSN
  • Called-Station-Id - PPPoE - service name; PPTP and L2TP - server IP address; ISDN - interface MSN; HotSpot - name of the HotSpot server
  • NAS-Port-Id - async PPP - serial port name; PPPoE - ethernet interface name on which the server is running; HotSpot - name of the physical HotSpot interface (if bridged, the bridge port name is shown here); not present for ISDN, PPTP and L2TP
  • Framed-IP-Address - IP address of HotSpot client after Universal Client translation
  • Mikrotik-Host-IP - IP address of HotSpot client before Universal Client translation (the original IP address of the client)
  • User-Name - client login name
  • MS-CHAP-Domain - User domain, if present
  • Mikrotik-Realm - If it is set in the /radius menu, it is included in every RADIUS request as the Mikrotik-Realm attribute. If it is not set, the same value is sent as in the MS-CHAP-Domain attribute (if MS-CHAP-Domain is missing, Realm is not included either)
  • WISPr-Location-ID - text string specified in radius-location-id property of the HotSpot server
  • WISPr-Location-Name - text string specified in radius-location-name property of the HotSpot server
  • WISPr-Logoff-URL - full link to the login page (for example, http://10.48.0.1/lv/logout)

Depending on the authentication method (note: HotSpot uses CHAP by default and may also use PAP if unencrypted passwords are enabled; it cannot use MS-CHAP):

  • User-Password - password obfuscated with the shared secret and the Request Authenticator (RFC 2865 5.2; used with PAP authentication)
  • CHAP-Password, CHAP-Challenge - CHAP ident with the MD5 response, and the challenge (RFC 2865 5.3; used with CHAP authentication; the shared secret is not involved)
  • MS-CHAP-Response, MS-CHAP-Challenge - challenge response and challenge (used with MS-CHAPv1 authentication)
  • MS-CHAP2-Response, MS-CHAP-Challenge - challenge response and challenge (used with MS-CHAPv2 authentication)
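The following added example (written for this page; not RouterOS or FreeRADIUS code, and the user database, secrets and user names are constructed) models the Access-Request and reply described in this list and in the Notes section above. It shows why a wrong shared secret appears as "bad-replies" on the router with CHAP but as a reject on the server with PAP: User-Password is hidden with the shared secret (RFC 2865 5.2), CHAP-Password is not (RFC 2865 5.3), and the router then checks the secret in the Response Authenticator of the reply (RFC 2865 3). MS-CHAP is not modelled; with respect to the shared secret it behaves like CHAP.

```python
"""Model of the RFC 2865 Access-Request / reply exchange behind the "bad-replies"
note: with CHAP the shared secret protects only the server's reply, with PAP it
also hides the password in the request. Added example for this page, not
RouterOS or FreeRADIUS code; no network I/O."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60
USERS = {b"alice": b"s3cret"}   # constructed server-side user database


def tlv(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data):
    i, attrs = 0, {}
    while i + 2 <= len(data) and data[i + 1] >= 2:
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def pap_hide(password, secret, request_auth):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret || previous
    block), so only a server holding the SAME secret can recover it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_reveal(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_password(chap_ident, password, challenge):
    """RFC 2865 5.3: CHAP ident || MD5(ident || password || challenge).
    The shared secret plays no part here."""
    return bytes([chap_ident]) + hashlib.md5(bytes([chap_ident]) + password + challenge).digest()


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    In a CHAP exchange this is the only place the shared secret is used."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()


def server_handle(request, server_secret):
    """Minimal RADIUS server: check the credentials, return Access-Accept/Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    stored = USERS.get(attrs.get(USER_NAME))
    ok = False
    if stored is not None and USER_PASSWORD in attrs:
        ok = pap_reveal(attrs[USER_PASSWORD], server_secret, req_auth) == stored
    elif stored is not None and CHAP_PASSWORD in attrs:
        resp = attrs[CHAP_PASSWORD]
        challenge = attrs.get(CHAP_CHALLENGE, req_auth)   # challenge may ride in the Request Authenticator
        ok = hmac.compare_digest(resp, chap_password(resp[0], stored, challenge))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, b"", req_auth, server_secret), b"")


def router_exchange(method, username, password, router_secret, server_secret):
    """Model of the RouterOS client. Returns (what the server decided,
    what /radius monitor would count: accept, reject or bad-reply)."""
    ident, req_auth = 0x2A, os.urandom(16)
    attrs = tlv(USER_NAME, username)
    if method == "pap":
        attrs += tlv(USER_PASSWORD, pap_hide(password, router_secret, req_auth))
    else:
        challenge = os.urandom(16)
        attrs += tlv(CHAP_PASSWORD, chap_password(1, password, challenge))
        attrs += tlv(CHAP_CHALLENGE, challenge)
    reply = server_handle(packet(ACCESS_REQUEST, ident, req_auth, attrs), server_secret)
    code, reply_ident, length = struct.unpack("!BBH", reply[:4])
    server_said = "Access-Accept" if code == ACCESS_ACCEPT else "Access-Reject"
    expected = response_authenticator(code, reply_ident, reply[20:length], req_auth, router_secret)
    if reply_ident != ident or not hmac.compare_digest(reply[4:20], expected):
        return server_said, "bad-reply"        # reply discarded; the user is not let in
    return server_said, ("accept" if code == ACCESS_ACCEPT else "reject")


if __name__ == "__main__":
    for method in ("pap", "chap"):
        print(method, "secrets match: ", router_exchange(method, b"alice", b"s3cret", b"ex", b"ex"))
        print(method, "secrets differ:", router_exchange(method, b"alice", b"s3cret", b"ex", b"wrong"))
    print("chap, wrong password:", router_exchange("chap", b"alice", b"nope", b"ex", b"ex"))
```

With mismatched secrets the CHAP run returns ("Access-Accept", "bad-reply"): the server's log shows a successful login while the router's bad-replies counter climbs, which is exactly the symptom described in the Notes and Troubleshooting sections. The PAP run with the same mismatch returns ("Access-Reject", "bad-reply") instead, because the server could not recover the password.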


Access-Accept

Accounting-Request

Stop and Interim-Update Accounting-Request

Stop Accounting-Request

Change of Authorization

Attribute Numeric Values

Troubleshooting

My RADIUS server accepts the authentication request from the client with "Auth: Login OK:...", but the user cannot log on. The bad-replies counter is incrementing under /radius monitor.
This situation can occur if there is a high-delay link between the RADIUS client and server. Try increasing the RADIUS client's timeout from its default (100ms, see the timeout property above) to 600ms or more. Also double-check that the secrets match on the client and the server: with CHAP and MS-CHAP the server accepts the request and logs a successful login even when the secret is wrong, and only the router's check of the reply fails.