phearak
just joined
Topic Author
Posts: 14
Joined: Tue Oct 26, 2010 5:20 pm
Location: Cambodia

IAS and AAA integrate

Wed Oct 27, 2010 12:15 pm

Dear Sir,
Now I have a problem with user management for the Hotspot.
I have an AD server and a RADIUS server. I have more than 150 clients on my local network, so I wish all my clients could connect to the wireless hotspot with their AD user name and password. I mean I want to integrate AAA on the MikroTik with IAS RADIUS on Windows Server 2003.
So do you have any recommendation for this?
I have tried to follow the instructions at the link: http://wiki.mikrotik.com/wiki/AAA_with_Active_Directory , but I still can't get it to work.

Please give me some advice if you have experience with this.

AD:
IP: 192.168.20.22
Gateway: 192.168.20.8
Secret: 123456
MikroTik
public: 192.168.20.15
Local: 10.10.10.1
Secret: 123456

I hope all of you can help me.

Thanks,
Phearak
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: IAS and AAA integrate

Wed Oct 27, 2010 3:49 pm

The steps on that wiki work, so you made a mistake when adapting them to your environment. Double check all IP addresses, and that they are what you expect them to be after any NAT that takes place. Use Wireshark and the built in router tools to dump traffic and verify them.
 
phearak
just joined
Topic Author
Posts: 14
Joined: Tue Oct 26, 2010 5:20 pm
Location: Cambodia

Re: IAS and AAA integrate

Wed Oct 27, 2010 4:55 pm

Dear Sir,
I still don't understand it. You said I have a problem with IP addresses.
I want to verify it again:
For AD server
IP: 192.168.20.22
Secret: 123456

For Mikrotik Ethernet:
Public: 192.168.20.15
Gateway: 192.168.20.8
DNS: 192.168.20.23
Local: 10.10.10.1
For NAT I set: /ip firewall nat add chain=srcnat action=masquerade src-address=10.10.10.0/24 . Is it correct or not?

Why can clients under the MikroTik (network 10.10.10.0/24) ping the 192.168.20.0/24 network, but the 192.168.20.0/24 network can't ping back to 10.10.10.0/24?
Do you have any advice for this? Can you show me the code to solve this problem?

Please help me to solve this problem, because I'm a new member and I want to be clear about it.

Thanks in advance
Phearak
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: IAS and AAA integrate

Wed Oct 27, 2010 5:20 pm

> Dear Sir,
> I still don't understand it. You said I have a problem with IP addresses.
> I want to verify it again:
> For AD server
> IP: 192.168.20.22
> Secret: 123456
>
> For Mikrotik Ethernet:
> Public: 192.168.20.15
> Gateway: 192.168.20.8
> DNS: 192.168.20.23
> Local: 10.10.10.1

I didn't say you definitely have a problem with IP addresses, I suggested you check for that. I can't see your router configuration and IAS configuration so all I can do is guess. What did you set as the NAS IP address on IAS?

> For NAT I set: /ip firewall nat add chain=srcnat action=masquerade src-address=10.10.10.0/24 . Is it correct or not?

Depends. If you want to hide the 10.10.10.0/24 network behind 192.168.20.15 then yes, that is correct. That's a network design question, so the answer depends on the network design you're going for. Personally I only NAT at the AS border - the handoff point to the ISP. Everything I have control over is routed and not NAT'd.

> Why can clients under the MikroTik (network 10.10.10.0/24) ping the 192.168.20.0/24 network, but the 192.168.20.0/24 network can't ping back to 10.10.10.0/24?
> Do you have any advice for this? Can you show me the code to solve this problem?

Because hosts on 192.168.20.0/24 don't have a route back to 10.10.10.0/24, and because you're NATing 10.10.10.0/24 to 192.168.20.15 according to what you posted, so that's what 192.168.20.0/24 sees the pings as coming from. 192.168.20.0/24 is completely unaware that 10.10.10.0/24 exists. If that's not what you want, you need to change your NAT configuration and install a route at least on the default gateway serving hosts on 192.168.20.0/24 pointing to 10.10.10.0/24 through 192.168.20.15.
 
phearak
just joined
Topic Author
Posts: 14
Joined: Tue Oct 26, 2010 5:20 pm
Location: Cambodia

Re: IAS and AAA integrate

Thu Oct 28, 2010 6:45 am

Dear Fewi,

Thanks for your support. I have tried to double check my configuration again and again, but it still doesn't work.
Now I will show my real configuration to you, and I hope you can verify it for me.

1. IP address
Add IP addresses to the Public and local interfaces:
/ip address add address=192.168.20.15/24 interface=Public
/ip address add address=10.10.10.1/24 interface=local


2. Route:
Add the default route via the Public interface (the parameter is gateway, not gateways):
/ip route add dst-address=0.0.0.0/0 gateway=192.168.20.8


3. DNS
Add the DNS server (/ip dns set, not /ip dns-server add; on RouterOS v5 and later the parameter is servers= instead of primary-dns=):
/ip dns set primary-dns=192.168.20.23


4. NAT
Add rule allowing access to the internal server from external networks:
/ip firewall nat add chain=dstnat dst-address=192.168.20.15 action=dst-nat to-addresses=10.10.10.1
Add rule allowing the internal server to talk to the outer networks having its source address translated to 192.168.20.15:
/ip firewall nat add chain=srcnat src-address=10.10.10.1 action=src-nat to-addresses=192.168.20.15


At this point the 192.168.20.0/24 network can't access (ping) the 10.10.10.0/24 range. Why?

5. DHCP Server: set up a DHCP server on interface Local

6. Hotspot Setup
/ip hotspot profile set hsprof1 use-radius=yes
Login: HTTP PAP
Hotspot address: 10.10.10.1


7. RADIUS on MikroTik
/radius add service=hotspot address=192.168.20.22 secret=123456789 authentication-port=1812 accounting-port=1813
(address = IP of the AD server; secret = password for the RADIUS service on the AD server)


8. IAS RADIUS on Microsoft Windows 2003
New RADIUS Client
Friendly name: Hotspot
Address: 192.168.20.15 (IP of MikroTik on the public interface)
Client-Vendor: RADIUS Standard
Shared secret: 123456789


With the configuration above, when I try to use an AD username and password to log in to the wireless hotspot, it always shows the error message: Radius Server not Responding
So do you have any recommendation for me to add to this configuration?
Should we add more rules in the firewall filter?

I hope you can understand it. So please help verify this configuration to find my mistake.

Thanks in advance
Phearak
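fewi's question about the NAS IP address on IAS and the "Radius Server not Responding" message in the post above both come down to how a RADIUS server finds the shared secret for a request. The following is an added example, not code from this thread, the MikroTik wiki, RouterOS or IAS: a small model of the hotspot-to-IAS exchange in Python, with the PAP password hiding of RFC 2865 section 5.2, a server that looks its clients up by the datagram's source address (RFC 2865 section 3 requires a request from an unknown client to be silently discarded, which the router reports as a timeout rather than a rejection), and the Response Authenticator check the router performs on the reply. The addresses, user name and secrets are constructed sample values.

```python
# Added example, not code from the thread, the MikroTik wiki, RouterOS or IAS.
# Addresses, user names and secrets below are constructed sample values.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    """Returns (code, id, authenticator, [(type, value), ...]); rejects bad lengths."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("RADIUS length field does not match datagram")
    attrs, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("bad attribute length")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return pkt[0], pkt[1], pkt[4:20], attrs

def access_request(username, password, nas_ip, secret, ident=1):
    """NAS side (the hotspot router): fresh random Request Authenticator per request."""
    auth = os.urandom(16)
    return build_packet(ACCESS_REQUEST, ident, auth, [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, auth)),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
    ])

class RadiusServer:
    """Server side (IAS): the client and its secret are looked up by the datagram's
    source address, not by the NAS-IP-Address attribute. An unknown source is
    silently discarded (RFC 2865 section 3), which the NAS sees as a timeout."""

    def __init__(self, clients, users):
        self.clients = clients  # {source ip: shared secret}
        self.users = users      # {user name: password}

    def handle(self, src_ip, pkt):
        secret = self.clients.get(src_ip)
        if secret is None:
            return None  # no reply at all: "Radius Server not Responding" on the router
        code, ident, req_auth, attrs = parse_packet(pkt)
        if code != ACCESS_REQUEST:
            return None
        a = dict(attrs)
        expected = self.users.get(a.get(USER_NAME, b"").decode(errors="replace"))
        # A secret mismatch decrypts to garbage, so it yields Access-Reject, not a timeout
        ok = expected is not None and USER_PASSWORD in a and \
            reveal_password(a[USER_PASSWORD], secret, req_auth) == expected.encode()
        header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
        # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
        return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(resp, req, secret):
    """NAS side: reject replies whose Response Authenticator was not made with our secret."""
    req_auth, resp_auth = parse_packet(req)[2], parse_packet(resp)[2]
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def demo():
    """The three situations the thread touches, as the hotspot router would see them."""
    ias = RadiusServer({"192.168.20.15": b"123456789"}, {"phearak": "Passw0rd"})
    out = {}
    req = access_request("phearak", "Passw0rd", "192.168.20.15", b"123456789")
    resp = ias.handle("192.168.20.15", req)
    out["client address and secret match"] = "accept" if (
        resp and parse_packet(resp)[0] == ACCESS_ACCEPT and verify_response(resp, req, b"123456789")) else "reject"
    # Same request, but sent from an address IAS has no RADIUS client entry for
    out["source address not a registered client"] = "no response" if ias.handle("10.10.10.1", req) is None else "reply"
    # Router configured with secret 123456 while IAS has 123456789 for this client
    req2 = access_request("phearak", "Passw0rd", "192.168.20.15", b"123456")
    resp2 = ias.handle("192.168.20.15", req2)
    out["secret mismatch"] = "reject, bad authenticator" if (
        parse_packet(resp2)[0] == ACCESS_REJECT and not verify_response(resp2, req2, b"123456")) else "unexpected"
    return out
```

The practical check this suggests for the setup in the thread: the address registered as the RADIUS client in IAS has to be the source address the router actually uses for UDP/1812, which is whatever address sits on the interface that routes to 192.168.20.22; RouterOS lets you pin it with the src-address parameter of /radius, and /tool sniffer on the router or Wireshark on the IAS host shows both the source address and whether any Access-Accept or Access-Reject comes back. No reply at all points at the client entry (or a firewall in between), while a reply that the router then drops points at the shared secret.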
 
phearak
just joined
Topic Author
Posts: 14
Joined: Tue Oct 26, 2010 5:20 pm
Location: Cambodia

Re: IAS and AAA integrate

Tue May 03, 2011 6:47 am

Now it works!

Thanks for the support.
