I’ve been looking for an answer in the forum in every “radius” post, but I can’t find an appropriate one for my problem.
I want to use MikroTik APs to receive connections from Windows XP laptops authenticating to an Active Directory server. The scenario is this:
Windows XP laptop ↔ Mikrotik AP ↔ Freeradius ↔ AD server
The MikroTik AP needs to be a mere bridge to allow the laptops to authenticate to the FreeRADIUS server.
The problem is that the only way to use RADIUS (in the wireless interface) is sending the MAC address as the user-name:
service (multiple choice: hotspot | login | ppp | telephony | wireless | dhcp; default: “”) - router services that will use this RADIUS server
[..]
wireless - wireless client authentication (client’s MAC address is sent as User-Name)
I don’t see any way to force the AP to send the user/pass values to the FreeRADIUS (even with the latest RouterOS). I don’t know if it’s a new feature that will be added in the next OS release.
What do you propose the “password” be? - the only option I can see would be some kind of WPA/WEP - where the WEP/WPA key would be returned from RADIUS - something that is possible.
If I don’t misunderstand your intentions, you could run a HotSpot on the MikroTik AP configured to authenticate via FreeRADIUS. Then set FreeRADIUS to authenticate the users against the Active Directory (which should be possible, but I haven’t tried it or even made sure that it can do that. But some RADIUS servers surely can authenticate against AD.).
Because when using HotSpot, your users can enter a username/password (which is what you requested, I suppose)…
The problem is “laptop connection by wireless authenticating against an Active Directory server”. The solution I’ve planned is “laptop connects to a MikroTik AP that leaves the authentication layer to a FreeRADIUS (because I think an AD server does not allow the 802.1X protocol), and the FreeRADIUS uses the AD server as the authorization database”.
The problem is the way to send the user/pass to the FreeRADIUS; the MikroTik AP sends (as username/password to the RADIUS) only the MAC address of the client, so it’s not a valid solution.
I configured the MikroTik with WPA-PSK (each client has the same shared key) and this phase is correct, but the following one (receiving user/pass from the laptop clients) is where the problem is now.
As christian comments, I added the hotspot service under the RADIUS, but WinXP sends the user/pass in the phase of connection to the Wi-Fi LAN under the MSCHAPv2 protocol, and it seems that it’s not working with the hotspot service because it doesn’t send anything to the FreeRADIUS.
So, my questions are:
a) does the hotspot need to be configured in a particular way? (create a group of users, etc.)
b) is it possible to use the WPA-enterprise mode in MikroTik APs? (because it’s possible to use the RADIUS as an 802.1X authentication server)
c) could I configure the wireless service in the MikroTik AP to send all the authentication packets to the FreeRADIUS and not only the MAC address?
I hope I have explained myself more clearly, and thanks for the answers.
What exactly do you want to authenticate? The Windows logon? I don’t get it, I suppose.
I thought you wanted the laptops to connect to the AP, and then be able to log on “for internet usage” using their Active Directory username/password? If yes, they should enter those credentials into the hotspot login page in the scenario I described above.
If you want to authenticate your Windows logon over wireless to an AD server and ALSO have the laptop authenticate to get to the wireless net at all - I don’t have an idea how to do that.
But then I’m just not blessed with too much Windows/AD knowledge to answer for this scenario. It sounds like the option “logon over dial-up networking” that I seem to remember having seen somewhere someday… But I suppose someone else will have to jump in here.
I’m not sure what version of Windows Server you are using, but Server 2000 has “Internet Authentication Service” (i.e. RADIUS) built into it, and can natively authenticate against an AD username/password. So you can use the RADIUS HotSpot to log on via the AD username and password, or you could set the AD username to be the MAC address and the password to be the MAC address, and bypass the logon.
It wasn’t that easy to set up, but maybe easier than making FreeRADIUS talk to AD…
Yes, I need to authenticate the Windows logon over wireless, only this service (the internet access may come with it or not).
I think it has to be possible to do it, because one of the options inside the EAP protocol in the laptops is to send the Windows logon as ID/PW to authenticate over wireless.
I assigned the hotspot service to use the RADIUS configuration in the MikroTik AP and forced it to use RADIUS, but nothing works; maybe I have to read more about the hotspot service to understand it better.
I’m going to try to use the AD server as the RADIUS, as “directwireless” comments, and look at more options in the hotspot service.
Thanks for the help.
P.S.: the FreeRADIUS configuration is not a problem, see this .pdf.
EAP authentication is also possible here; it can be done in FR to AD/LDAP (mainly uses certificates to authenticate, if I’m not mistaken). Darn hard to set up. This is above me.
I put a Win2003 server with IAS as a RADIUS and have the same problem.
How I understand the whole thing is:
using wireless connections has two parts: the first one is the association with an AP, the second one is the authentication into the network (receive an IP, search for a domain controller…).
the association uses WEP/WPA-PSK/WPA-enterprise/WPA2 and so on.
the authentication uses EAP, PEAP… (as the authorization database you can use a RADIUS or a local list of allowed users).
I could make the association part without problem. But for the authentication part I need to log on to a Windows network with the username/pass stored in an AD server, so I could map some drives to the laptops and execute logon scripts to install some software. The “radius-mac-authentication” of the wireless service is not enough, and the hotspot service I think is not going to work.
Right now I doubt the whole thing (logging on to a Windows network over wireless the same as over wired Ethernet) is possible, but some Microsoft documents (1 and 2)
make me think that it could be possible, but I don’t know how to do it.
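Added example from the editor, not from any poster in this thread: a RouterOS configuration placing the MAC-authentication setting the thread quotes (question c, and the “radius-mac-authentication” remark in the last post) beside a WPA2-EAP security profile that hands the client’s 802.1X/EAP exchange through to the RADIUS server (question b). It assumes a RouterOS build whose wireless security profiles support authentication-types=wpa2-eap with eap-methods=passthrough; the RADIUS address 192.168.1.10, the secrets and the interface name wlan1 are placeholders.

```routeros
# Added example (editor's, not from this thread). Assumes a RouterOS build
# whose wireless security profiles support authentication-types=wpa2-eap
# with eap-methods=passthrough. Address, secrets and wlan1 are placeholders.

# 1. RADIUS server used by the wireless service. The AP itself is the RADIUS
#    client here; with MAC authentication it puts the station MAC in User-Name.
/radius
add service=wireless address=192.168.1.10 secret=CHANGE-ME-RADIUS-SECRET

# 2a. What the thread is stuck with: WPA2-PSK association plus a MAC check
#     against RADIUS. The laptop's username/password never reach the server.
/interface wireless security-profiles
add name=psk-mac mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key=CHANGE-ME-PSK radius-mac-authentication=yes

# 2b. WPA2-Enterprise: the AP relays the supplicant's EAP frames (e.g.
#     PEAP/MSCHAPv2 from Windows XP) to the RADIUS server, which terminates
#     EAP and checks the domain password against AD.
add name=dot1x mode=dynamic-keys authentication-types=wpa2-eap \
    eap-methods=passthrough

# 3. Bind the enterprise profile to the AP interface instead of psk-mac.
/interface wireless
set wlan1 security-profile=dot1x
```

With eap-methods=passthrough the AP does not authenticate anyone itself; the RADIUS server (FreeRADIUS or IAS) must be set up for the EAP method the client uses, which for PEAP means a server certificate on the RADIUS side. The Windows XP supplicant can then be told to use the Windows logon name and password for the wireless connection, so the credentials checked against AD are the domain ones rather than a hotspot login.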