RouterOs MySql Freeradius

From MikroTik Wiki
Revision as of 15:03, 12 May 2006 by Tristram (talk | contribs)

Mikrotik and Freeradius 1.0.4+ with MySql For PPP Authentication

This guide assumes you have a working Linux system (Ubuntu 5.10 is used for the purposes of this guide), that the Linux system can communicate with the RouterOS system, and that you have a basic understanding of Linux and MySQL commands. The purpose of this document is to walk you through the steps needed to configure FreeRADIUS, get FreeRADIUS talking to MySQL, and finally get your RouterOS system to authenticate and assign IPs for PPP* connections.

  • All of the commands in the following guide assume you are logged into *NIX systems as root, or into RouterOS systems as Admin

Setting Up Freeradius

Once you have installed FreeRADIUS with the MySQL module on your Linux system, it's time to tidy up the base configuration. This guide assumes that the FreeRADIUS server will ONLY be serving RouterOS systems. For MikroTik and FreeRADIUS to work nicely together, a lot of unnecessary options and features in FreeRADIUS must be removed or turned off; we start by trimming radiusd.conf.

  • An example of a trimmed radiusd.conf can be found Here. It is in production use on an Ubuntu 5.10 server processing requests for PPPoE. We will now run through the file and I will explain what each option does.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

log_file = ${logdir}/radius.log

libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid

user = freerad
group = freerad

The above options are specific to your installation of FreeRADIUS and may differ from these. Do not overwrite your local settings with the values above, or you may find your FreeRADIUS server no longer functions correctly; it is generally better to leave these settings alone.

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *

These settings control the server itself. What you should change here are the max_requests setting and the bind address. max_requests should be set to 256 * the number of routers using this RADIUS server; it is better to set this number too high than too low, because if it is too low the server will stop responding to RADIUS requests when under load. For this example I have assumed that 4 RouterOS devices will use this RADIUS server, so 1024 is an ideal number. Alter 'bind_address' if you have multiple network interfaces or IPs on the *NIX box; otherwise it's safe to leave it as it is.

port = 0

hostname_lookups = no
allow_core_dumps = no

Leave these off; it's better for everyone.

regular_expressions     = yes
extended_expressions    = yes

Depending on how your FreeRADIUS server was compiled, you may be able to use regular expressions. If support was enabled when FreeRADIUS was compiled you can turn it on or off here; if it was not enabled at compile time you cannot turn it on, and doing so will cause FreeRADIUS to error at startup.

log_stripped_names = yes
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no

The above section is really just to stop your log files clogging up. For debugging you could set the above options to 'yes', but there are better ways to debug failed RADIUS requests, which I will show you later in the guide.

usercollide = no

Turning this on may rip a hole in the fabric of space-time; actually, the docs just say it 'may result in the server behaving strangely'.

lower_user = before
lower_pass = before

This changes all the usernames and passwords in incoming RADIUS requests to lower case. I prefer this in my network, as we only allow lower-case usernames when users sign up; however, if you add users to FreeRADIUS with mixed-case or upper-case names, this will cause FreeRADIUS to reject the request.

nospace_user = before
nospace_pass = before

This is the same again, only this time it removes any spaces in the username and password.

checkrad = ${sbindir}/checkrad

We leave this alone; it just does checks for FreeRADIUS.

security {
       max_attributes = 200
       reject_delay = 1
       status_server = no
}

max_attributes sets the maximum number of RADIUS attributes in an incoming or outgoing RADIUS packet. I prefer to leave it at its default of 200; however, those more paranoid about security may choose a number closer to the number of attributes they plan to use. reject_delay slows down brute-force cracking attempts, but it also slows down debugging and testing, so during testing we set it to 1; on a production server it should be set to around 3-5. status_server is turned off because it's useless; it's only included for legacy support of devices that use RADIUS, and MikroTik is not one of these devices.

proxy_requests  = no

We won't be running a RADIUS proxy, so we can turn this off.

$INCLUDE  ${confdir}/clients.conf

After we have cleaned up this file we will set up clients.conf. This is NOT where you set up users, but where you set up the devices (the routers) that are allowed to use the RADIUS server.

snmp    = no

I don't use SNMP on my network to monitor the FreeRADIUS server, so it is turned off.

thread pool {
       start_servers = 5
       max_servers = 32
       min_spare_servers = 3
       max_spare_servers = 10
       max_requests_per_server = 0
}

This controls how many processes (threads) are spawned by FreeRADIUS. You can tweak these settings to fine-tune the server's performance, but for now it's best to leave them alone.

modules {
       pap {
               encryption_scheme = crypt
       }
       chap {
               authtype = CHAP
       }
       mschap {
               authtype = MS-CHAP
               use_mppe = no
       }

This defines the authentication methods used by FreeRADIUS; in this case we will use PAP, CHAP and MS-CHAP.

       acct_unique {
               key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
       }

This creates a unique accounting ID for accounting updates; some devices reuse the same accounting session ID, which causes problems. MikroTik doesn't do this as far as I am aware, but it's better to be safe than sorry.
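As an added illustration (not code from the wiki page or from FreeRADIUS itself) of why the acct_unique key matters, the script below derives a session key from the five attributes listed in the configuration above, modelled on what rlm_acct_unique does: join the values of the key attributes and hash them. That the module uses an MD5 hex digest over comma-joined values, and that it skips attributes absent from the packet, are assumptions about FreeRADIUS 1.x internals; the accounting packets are constructed sample data. Client-IP-Address is the source address the server saw, which is why two routers that happen to issue the same Acct-Session-Id still yield distinct keys.

```python
import hashlib

# Key attributes, copied from the page's acct_unique configuration.
ACCT_UNIQUE_KEY = ["User-Name", "Acct-Session-Id", "NAS-IP-Address",
                   "Client-IP-Address", "NAS-Port"]


def acct_unique_id(packet: dict) -> str:
    """Derive a 32-hex-character unique session id from one accounting packet.

    Assumption: values of the key attributes are joined with commas and
    MD5-hashed, mirroring rlm_acct_unique; attributes missing from the
    packet are skipped rather than causing an error.
    """
    parts = [str(packet[attr]) for attr in ACCT_UNIQUE_KEY if attr in packet]
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def group_sessions(packets: list) -> dict:
    """Group accounting packets by unique id, as an accounting table would.

    Returns {unique_id: [Acct-Status-Type, ...]} so a Start and its
    Interim-Update/Stop records land under one key.
    """
    sessions = {}
    for pkt in packets:
        sessions.setdefault(acct_unique_id(pkt), []).append(pkt["Acct-Status-Type"])
    return sessions


# Constructed sample packets (not real traffic). Router A (10.0.0.1) starts a
# session and later sends an interim update; router B (10.0.0.2) happens to
# reuse the same Acct-Session-Id value for a different user.
sample_start = {
    "User-Name": "alice", "Acct-Session-Id": "81000001",
    "NAS-IP-Address": "10.0.0.1", "Client-IP-Address": "10.0.0.1",
    "NAS-Port": 1, "Acct-Status-Type": "Start",
}
sample_interim = dict(sample_start, **{"Acct-Status-Type": "Interim-Update",
                                       "Acct-Session-Time": 600})
sample_other_nas = dict(sample_start, **{"User-Name": "bob",
                                         "NAS-IP-Address": "10.0.0.2",
                                         "Client-IP-Address": "10.0.0.2"})

if __name__ == "__main__":
    for uid, statuses in group_sessions([sample_start, sample_interim,
                                         sample_other_nas]).items():
        print(uid, statuses)
```

Keyed only on Acct-Session-Id, the two routers' records would collide into one row; with NAS-IP-Address and Client-IP-Address in the key they stay separate, while the Start and Interim-Update of the same session still share a key because Acct-Session-Time is not part of it.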

       $INCLUDE  ${confdir}/sql.conf

This includes the MySQL configuration for the server; we will be altering this file soon.

       counter daily {
               filename = ${raddbdir}/db.daily
               key = User-Name
               count-attribute = Acct-Session-Time
               reset = daily
               counter-name = Daily-Session-Time
               check-name = Max-Daily-Session
               allowed-servicetype = Framed-User
               cache-size = 5000
       }

Since our users may be connected for more than 24 hours at a time we keep this in here; it resets some attributes daily so that the accounting packets work correctly.

       always fail {
               rcode = fail
       }
       always reject {
               rcode = reject
       }
       always ok {
               rcode = ok
               simulcount = 0
               mpp = no
       }
}

These are here for debugging purposes, so we leave them alone

instantiate {
}
authorize {
       chap
       mschap
       sql
}
authenticate {
       Auth-Type PAP {
               pap
       }
       Auth-Type CHAP {
               chap
       }
       Auth-Type MS-CHAP {
               mschap
       }
}
preacct {
       acct_unique 
}
accounting {
       sql
}
session {
       sql
}
post-auth {
       sql
}

These are all set up to point to the MySQL database for their respective purposes.
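An added example (not code from the wiki page or from FreeRADIUS) of what the pap and chap modules in the authenticate section actually check, and of the caveat that follows from it: CHAP (RFC 1994) and MS-CHAP require the server to know the user's cleartext password, so a password stored only in crypt form (the pap module's encryption_scheme = crypt) can satisfy Auth-Type PAP but never Auth-Type CHAP. The salted SHA-256 used below for the stored PAP hash is a stand-in for crypt(3), chosen so the example runs on any Python 3 without the removed crypt module; the CHAP-Password encoding (one identifier byte followed by the 16-byte MD5 response, RFC 2865 section 5.3) is real, the user records and challenge are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional


def pap_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Stand-in for crypt(3): salted SHA-256, stored as 'salthex$digest'.
    (Assumption of this example; FreeRADIUS's crypt scheme is not reproduced.)"""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def pap_verify(stored_hash: str, password_from_request: str) -> bool:
    """PAP: the NAS sent the password itself, so hash it and compare to the store."""
    salt_hex, digest = stored_hash.split("$", 1)
    candidate = hashlib.sha256(bytes.fromhex(salt_hex)
                               + password_from_request.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def radius_chap_password(ident: int, secret: str, challenge: bytes) -> bytes:
    """What the NAS puts in the CHAP-Password attribute: ident byte + response."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def chap_verify(cleartext_password: str, ident: int, challenge: bytes,
                response: bytes) -> bool:
    """CHAP: recompute the response from the cleartext password and compare.
    Without the cleartext there is nothing to recompute from."""
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def authenticate(auth_type: str, stored: dict, request: dict) -> str:
    """Dispatch like the page's authenticate { Auth-Type ... } blocks.

    stored: the user's row from SQL, with a 'cleartext' and/or 'crypt' field
    (constructed stand-in for the radcheck table). Returns 'ok' or 'reject'.
    """
    if auth_type == "PAP":
        if "crypt" in stored:
            return "ok" if pap_verify(stored["crypt"], request["User-Password"]) else "reject"
        if "cleartext" in stored:
            same = hmac.compare_digest(stored["cleartext"].encode(),
                                       request["User-Password"].encode())
            return "ok" if same else "reject"
        return "reject"
    if auth_type == "CHAP":
        if "cleartext" not in stored:
            # Only a hash is stored: the expected response cannot be computed.
            return "reject"
        chap_pw = request["CHAP-Password"]
        ident, response = chap_pw[0], chap_pw[1:]
        ok = chap_verify(stored["cleartext"], ident, request["CHAP-Challenge"], response)
        return "ok" if ok else "reject"
    return "reject"


if __name__ == "__main__":
    challenge = bytes(range(16))              # constructed; normally random per request
    hashed_only = {"crypt": pap_hash("hunter2")}
    cleartext = {"cleartext": "hunter2"}
    chap_req = {"CHAP-Password": radius_chap_password(7, "hunter2", challenge),
                "CHAP-Challenge": challenge}
    print("PAP, hashed store :", authenticate("PAP", hashed_only, {"User-Password": "hunter2"}))
    print("CHAP, hashed store:", authenticate("CHAP", hashed_only, chap_req))
    print("CHAP, cleartext   :", authenticate("CHAP", cleartext, chap_req))
```

Consequence for the SQL side of this guide: if the radcheck rows carry only crypt-hashed passwords, PPP clients negotiating CHAP or MS-CHAP will be rejected even with the correct password, and the only way to support those methods is to store the cleartext (or, for MS-CHAP, an NT hash), which makes protecting the MySQL database itself the critical control.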