Talk:AAA with Active Directory: Difference between revisions

From MikroTik Wiki
Revision as of 08:52, 24 November 2006

How to setup Hotspot AAA Microsoft IAS RADIUS for use with MikroTik – By Rodney Yeo

Part A - Setup IAS RADIUS on Active Directory Services

1. Setup IAS on a server acting as Active Directory Services Domain Controller and register its services. (Ref: IAS-Setup1.JPG) [[1]]

2. Give a meaningful description and enable logging for authentication status. (Ref: IAS-Setup2.JPG) [[2]]

3. Use respective 1812 for Authentication and 1813 for Accounting port only. (Ref: IAS-Setup3.JPG) [[3]]

4. Create a Realms profile, find “User-Name” replace it with “DOMAIN\User-Name” variables into IAS. (Ref: IAS-Setup4.JPG) [[4]]

5. Create a “hotspot.com” client profile and set IP address pointing to MikroTik hotspot server 172.19.1.253. Set Client Vendor to RADIUS Standard and enter a unique password for IAS. Do not enable Attributes Signature check box. (Ref: IAS-Setup5.JPG) [[5]]

6. Enable Remote Access Logging check box for all properties. (Ref: IAS-Setup6.JPG) [[6]]

7. Select IAS Format and set Log Time Period to Daily. (Ref: IAS-Setup7.JPG) [[7]]

8. Create Remote Access Policies profile to “hotspot.com”. Add “Windows-Groups” matches “DOMAIN\Username” profile. Enable Grant remote access permission. (Ref: IAS-Setup8.JPG) [[8]]

9. At Authentication tab Enable check box for “MS-CHAP v2, MS-CHAP, CHAP and PAP” method. Note HotSpot only uses PAP method. (Ref: IAS-Setup9.JPG) [[9]]

10. At Encryption tab Enable all the check box allowed by this profile. (Ref: IAS-Setup10.JPG) [[10]]

11. At Advance tab do not add any additional connection attributes. (Ref: IAS-Setup11.JPG) [[11]]


Part B - Setup IAS RADIUS with MikroTik

1. Add a RADIUS server profile and enable service for “hotspot”. Enter IP Address of IAS RADIUS server. Enter the same password created earlier for RADIUS secret. Use port 1812 for Authentication and 1813 for Accounting with Timeout at 300ms. (Ref: IAS-MT-Config1.JPG) [[12]]

2. At “Hotspot Server Profiles” Login By check “HTTP PAP” only. (Ref: IAS-MT-Config2.JPG) [[13]]

3. At “Hotspot Server Profiles” check Use RADIUS and Accounting. NAS Port Type leave it as (19 wireless-802.11) or change to 15 (Ethernet) mode. (Ref: IAS-MT-Config3.JPG) [[14]]


Part C – Testing IAS RADIUS with PC

1. Use NTRadPing Test Utility to verify the communication link with a test PC. http://www.dialways.com/download/

2. Remember to add in the test PC IP Address intended for testing into the IAS Client Profile before initiating test.

3. Enter the IAS RADIUS server IP Address and port “1812” for Request Type “Authentication Request” mode followed by the RADIUS Secret Key. (Ref: IAS-Test1.JPG) [[15]]

4. Also enter the User-Name found in the Active Directory Service User Domain Lists. If successful response reply will be “Access-Accepted”.

5. Next change port to “1813” for Request Type “Accounting Start” click send and reply should be “Accounting-Response” if the RADIUS server is working. (Ref: IAS-Test2.JPG) [[16]]


Part D – Activating Domain Users for IAS RADIUS

1. Check for respective User properties if they are member of “RAS and IAS Server” groups, if not add them as group members. (Ref: AD-User_IAS1.JPG) [[17]]

2. Next check the Dial-in tab and enable Allow access for Remote Access Permission. (Ref: AD-User_IAS2.JPG) [[18]]


Part E – Using CHAP Authentication method

1. To use CHAP authentication method for Hotspot kindly go to the respective users in the Active Directory user properties.

2. At Account tab just below Password never expire check box, enable “Store password using reversible encryption” option. Note: This is required for CHAP to work in IAS (Ref: CHAP-Test-1.JPG) [[19]]

3. Next Reset the respective user password for the encryption function to take place. Exit Active Directory Users and Computers mmc console. (Ref: CHAP-Test-2.JPG) [[20]]

4. Go to Hotspot Server Profile, click Login By tab and ensure HTTP CHAP is enabled. You can leave HTTP PAP on just in case users cannot log in using CHAP; it will then use the PAP method. (Ref: CHAP-Test-3.JPG) [[21]]

5. Finally test if the CHAP authentication is working using NTRadPing and it should show “Access-Accepted” which means it is working! (Ref: CHAP-Test-4.JPG) [[22]]


Note: Please see attached setup image files for illustrations.

P.S. Many Thanks to Mat Dawam mda@landasan.com.my and Hamidi Yaacob hamidi@landasan.com.my of Landasan Teknologi (M) Sdn Bhd for Technical Support of MikroTik RouterOS deployment in Malaysia for Metropolitan College Malaysia.


The End

Any comments are welcome?

Regards,

Rodney 9W2YJ Ham Radio Operator
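As an added example (not part of Rodney's guide or of MikroTik's or Microsoft's software), here is a Python model of the RADIUS exchanges that the NTRadPing tests in Parts C and E exercise: the PAP User-Password hiding, the CHAP response whose MD5 is the reason Part E needs "Store password using reversible encryption", the Accounting Start request on port 1813, and verification of the server's Response Authenticator, which a plain "Access-Accepted" on screen does not prove. The shared secret, user names and session id used with it are constructed values.

```python
import hashlib
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5  # RFC 2865/2866
NAS_PORT_TYPE_WIRELESS_80211 = 19  # the value the guide leaves in the Hotspot Server Profile

def attr(kind, value):
    """Encode one RADIUS Type-Length-Value attribute."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def pap_password(secret, authenticator, data, decrypt=False):
    """RFC 2865 5.2: User-Password is hidden by XORing 16-byte blocks with MD5(secret + prior block)."""
    if not decrypt:  # pad with NULs to a multiple of 16 (at least one block)
        data = data.ljust(max(16, (len(data) + 15) // 16 * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = block if decrypt else xored  # the chain always runs over ciphertext blocks
    return out.rstrip(b"\0") if decrypt else out

def chap_password(chap_id, password, challenge):
    """RFC 1994 CHAP response. IAS must recompute this MD5 from the cleartext password,
    which is why Part E needs 'Store password using reversible encryption' in AD."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def build_access_request(secret, ident, username, password, use_chap=False, authenticator=None):
    """Access-Request (port 1812) carrying PAP or CHAP credentials and NAS-Port-Type 19."""
    auth = authenticator or os.urandom(16)  # the Request Authenticator doubles as the CHAP challenge
    cred = (attr(3, chap_password(ident, password, auth)) if use_chap
            else attr(2, pap_password(secret, auth, password)))
    attrs = attr(1, username) + cred + attr(61, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def build_acct_start(secret, ident, username, session_id):
    """Accounting-Request Start (port 1813); its authenticator is an MD5 over the packet plus the secret."""
    attrs = attr(1, username) + attr(40, struct.pack("!I", 1)) + attr(44, session_id)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + b"\0" * 16 + attrs + secret).digest()
    return head + auth + attrs, auth

def make_reply(secret, req_auth, code, ident, attrs=b""):
    """A reply as a correct server builds it: Response Authenticator = MD5(head + req_auth + attrs + secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_reply(secret, req_auth, reply):
    """Trust an Access-Accept or Accounting-Response only if its authenticator matches the shared secret."""
    return len(reply) >= 20 and reply == make_reply(secret, req_auth, reply[0], reply[1], reply[20:])
```

To use it against a live IAS server, send the bytes returned by `build_access_request` or `build_acct_start` over UDP to port 1812 or 1813 and pass the datagram that comes back to `verify_reply` with the same Request Authenticator.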

Please post this as regular articles, not in the talk pages. --N.R. 12:16, 20 November 2006 (EET)

I am not too sure how to do that, could you kindly guide me or help me shift it as regular articles? Thanks... Rodney

Simply hit the `edit` button on top of a page. I have already posted your guide in the AAA with active directory article. To make a new article, simply open http://wiki.mikrotik.com/Name_Of_Your_Article and it will show the edit interface. --N.R. 10:52, 24 November 2006 (EET)