RouterOs MySql Freeradius

From MikroTik Wiki
Revision as of 14:14, 12 May 2006 by Tristram (talk | contribs)

Mikrotik and Freeradius 1.0.4+ with MySql For PPP Authentication

This guide assumes you have a working Linux system (Ubuntu 5.10 is used throughout), that the Linux system can communicate with the RouterOS system, and that you have a basic understanding of Linux and MySQL commands. The purpose of this document is to walk you through the steps needed to configure FreeRADIUS, get FreeRADIUS talking to MySQL, and finally get your RouterOS system to authenticate and assign IPs for PPP* connections.

  • All of the commands in the following guide assume you are logged into *NIX systems as root and into RouterOS systems as admin. Both are fully privileged accounts; do the work from a trusted host and change the RouterOS admin password before the router is exposed to PPP clients.

Setting Up Freeradius

Once you have installed FreeRADIUS with the MySQL module on your Linux system, it's time to tidy up the base configuration. This guide assumes that the FreeRADIUS server will ONLY be serving RouterOS systems. For MikroTik and FreeRADIUS to work nicely together, a lot of unnecessary options/features in FreeRADIUS must be removed or turned off; we start this by trimming radiusd.conf. Keep in mind that the two files this configuration includes, clients.conf (the per-NAS shared secrets) and sql.conf (the MySQL credentials), are what protect your user database from a spoofed NAS, so make them readable only by the account FreeRADIUS runs as.

  • An example of a trimmed radiusd.conf follows below (the original page linked to it here). It is in production use on an Ubuntu 5.10 server processing requests for PPPoE. We will now run through the file section by section and explain what each option does.
# Installation paths. These come from the distribution package and only need
# to match where the binaries, config and log directories actually live on
# the host; the prose below warns against copying them verbatim.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

log_file = ${logdir}/radius.log

libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid

# Unprivileged account the daemon runs as (not root). The 0600 detail and
# radutmp files further down, and clients.conf / sql.conf, should be owned by
# and readable only to this user, since they hold accounting data, shared
# secrets and database credentials.
user = freerad
group = freerad

The above options are specific to your installation of FreeRADIUS and may differ from these. Do not overwrite your local settings with the values above, or you may find your FreeRADIUS server no longer functions correctly — it is generally better to leave these settings alone.

# Request handling limits: how long a request may take, how long a finished
# request is kept around for duplicate detection, and the queue ceiling.
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listens on every interface. clients.conf only filters by source address
# after a packet is received, so restrict UDP access to the RouterOS NAS
# addresses with a host firewall rather than relying on this alone.
bind_address = *

# 0 means "use the port from /etc/services" (1812, or legacy 1645 on some
# hosts) — check which one, the RouterOS radius entry must point at the same port.
port = 0

hostname_lookups = no
# Keep core dumps off in production: a core image would contain the shared
# secrets and any cleartext PAP passwords in flight.
allow_core_dumps = no

regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = yes
# NOTE(review): with all three log_auth* options off, Access-Reject results
# never reach radius.log, so brute-force attempts against PPP accounts leave
# no trace here. log_auth = yes / log_auth_badpass = yes is the usual minimum
# for detection; log_auth_goodpass writes the cleartext password of every
# successful PAP login and should stay off outside a debugging session.
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no

The above section is mainly there to stop your log files clogging up. For debugging you could set the log_auth options to 'yes', but bear in mind that log_auth_goodpass writes cleartext passwords into radius.log; there are better ways to debug failing RADIUS requests, which I will show later in the guide.

usercollide = no
# Lower-case the user name before lookup so "Bob" and "bob" hit the same SQL row.
lower_user = before
# NOTE(review): lower_pass = before lower-cases the User-Password before
# authentication, which makes PAP passwords effectively case-insensitive and
# shrinks the space a brute-force attacker has to search. It has no effect on
# CHAP/MS-CHAP (no cleartext password in the request). Consider "no" unless the
# passwords in the database are stored lower-cased on purpose.
lower_pass = before
nospace_user = no
nospace_pass = no
# External helper used by radutmp's check_with_nas to ask the NAS whether a
# session is still live before rejecting on Simultaneous-Use.
checkrad = ${sbindir}/checkrad
security {
       # Reject packets carrying more than this many attributes (malformed /
       # flood protection).
       max_attributes = 200
       # Delay every Access-Reject by one second to slow down password guessing.
       reject_delay = 1
       # Do not answer Status-Server probes.
       status_server = no
}
# No proxying: every request is answered locally from SQL.
proxy_requests  = no
# Per-NAS shared secrets live here; this file should be mode 0600, owned by the
# freerad user, and each RouterOS box should get its own secret.
$INCLUDE  ${confdir}/clients.conf
snmp    = no

thread pool {
       start_servers = 5
       max_servers = 32
       min_spare_servers = 3
       max_spare_servers = 10
       max_requests_per_server = 0
}

modules {
       # NOTE(review): crypt means the pap module expects crypt(3) hashes as the
       # stored password. CHAP and MS-CHAP below can only be verified against a
       # cleartext stored password, so a given account can satisfy either PAP
       # with hashed storage or CHAP/MS-CHAP with cleartext storage, not both —
       # confirm against the radcheck rows this guide inserts later.
       pap {
               encryption_scheme = crypt
       }
       chap {
               authtype = CHAP
       }
       mschap {
               authtype = MS-CHAP
               # NOTE(review): with use_mppe = no the server returns no MPPE
               # keys, so the PPP link itself will not be encrypted even when
               # the client negotiates MS-CHAP; set to yes if RouterOS is
               # expected to encrypt PPTP/PPP traffic.
               use_mppe = no
       }
       # Compare the caller ID presented by the NAS against the one stored for
       # the user (only enforced where a Calling-Station-Id check item exists).
       checkval {
               item-name = Calling-Station-Id
               check-name = Calling-Station-Id
               data-type = string
       }
       preprocess {
               huntgroups = ${confdir}/huntgroups
       }

       # Flat-file accounting, one directory per NAS, one file per day. 0600
       # keeps usernames/session data from other local users.
       detail {
               detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
               detailperm = 0600
       }
       # Builds Acct-Unique-Session-Id from the listed attributes so the SQL
       # accounting rows can be matched up between Start and Stop packets.
       acct_unique {
               key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
       }
       # MySQL connection details and the authorize/accounting queries; holds the
       # database password, so restrict its permissions like clients.conf.
       $INCLUDE  ${confdir}/sql.conf

       # Live-session table used for Simultaneous-Use checks; check_with_nas
       # makes the server confirm a suspected stale session with checkrad
       # before rejecting the user.
       radutmp {
               filename = ${logdir}/radutmp
               username = %{User-Name}
               case_sensitive = yes
               check_with_nas = yes
               perm = 0600

               callerid = "yes"
       }
       # "Safe" copy of the session table without caller IDs; 0644 makes it
       # readable by every local user, which is fine only if exposing
       # usernames and NAS/port assignments to local accounts is acceptable.
       radutmp sradutmp {
               filename = ${logdir}/sradutmp
               perm = 0644
               callerid = "no"
       }
       attr_filter {
               attrsfile = ${confdir}/attrs
       }
       # Daily time quota per user, enforced via the Max-Daily-Session check item.
       counter daily {
               filename = ${raddbdir}/db.daily
               key = User-Name
               count-attribute = Acct-Session-Time
               reset = daily
               counter-name = Daily-Session-Time
               check-name = Max-Daily-Session
               allowed-servicetype = Framed-User
               cache-size = 5000
       }
       always fail {
               rcode = fail
       }
       always reject {
               rcode = reject
       }
       always ok {
               rcode = ok
               simulcount = 0
               mpp = no
       }
       expr {
       }
       digest {
       }
       exec {
               wait = yes
               input_pairs = request
       }
       # Example only: this instance is not referenced by any section below. If
       # it is ever wired in, note that it expands the NAS-supplied User-Name
       # into a command line, so the attribute reaches the process unvalidated.
       exec echo {
               wait = yes
               program = "/bin/echo %{User-Name}"
               input_pairs = request
               output_pairs = reply
        }

}
instantiate {
       exec
       expr
}
# Order matters: chap/mschap set Auth-Type from the packet contents, then sql
# pulls the user's check/reply items (password, IP assignment) from MySQL.
# A user with no SQL row gets no Auth-Type and is rejected.
authorize {
       preprocess
       chap
       mschap
       sql
}


# Only the three PPP password methods RouterOS uses are enabled; anything
# else (EAP, LDAP, …) is deliberately absent so it cannot be negotiated.
authenticate {
       Auth-Type PAP {
               pap
       }
       Auth-Type CHAP {
               chap
       }
       Auth-Type MS-CHAP {
               mschap
       }
}
preacct {
       preprocess
       acct_unique 
}
# Accounting goes to the daily detail file, the radutmp session table and the
# SQL radacct table.
accounting {
       detail
       radutmp
       sql
}


# Simultaneous-Use is checked against the SQL accounting table (open sessions
# with no Stop record), not against radutmp.
session {
       sql
}
# Writes a row per successful authentication to the SQL post-auth table.
# NOTE(review): in this release rejects only get logged if a
# "Post-Auth-Type REJECT" sub-section is added here — verify, since with
# log_auth off there is otherwise no record of failed logins.
post-auth {
       sql
}