RouterOs MySql Freeradius
Mikrotik and Freeradius 1.0.4+ with MySql For PPP Authentication
This guide assumes you have a working Linux system (for the purpose of this guide Ubuntu 5.10 is used), The Linux system can communicate with the RouterOs system and you have a basic understanding of Linux and MySql commands. The purpose of this document is to walk you through the steps needed to configure freeradius, get freeradius talking to MySql and finally getting your RouterOs system to authenticate and assign IP's for PPP* connections.
- All of the commands in the following guide assumes you are logged into *NIX systems as root or RouterOs systems as Admin
Setting Up Freeradius
Once you have installed freeradius with the MySql module on your Linux system its time to tidy up the base configuration. This guide assumes that the freeradius server will ONLY be serving RouterOs systems. In order for Mikrotik & freeradius to work nicely together a lot of unnecessary options/features in freeradius must be removed or turned off, we start this by trimming radiusd.conf
- An example of a trimmed radiusd.conf can be found Here - This is in production use on a Ubuntu 5.10 server processing requests for PPPoE, We will now run through the file and i will explain what options do what
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
The above options are specific to your installation of freeradius and may be different from these, do not overwrite your local setting with the above settings, you may find your freeradius server not long funcations correctly - it is gernally better to leave these settings alone
max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes
log_stripped_names = yes log_auth = no log_auth_badpass = no log_auth_goodpass = no
The above section is really just to stop your log files clogging up, for debugging you could turn the above options to 'Yes' but there are better ways to debug railf radius requests which i will show you later in the guide
usercollide = no
lower_user = before lower_pass = before
nospace_user = no nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
mschap {
authtype = MS-CHAP
use_mppe = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
}
instantiate {
exec
expr
}
authorize {
preprocess
chap
mschap
sql
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
}
preacct {
preprocess
acct_unique
}
accounting {
detail
radutmp
sql
}
session {
sql
}
post-auth {
sql
}