Authenticating routers with dynamic IPs to User Manager

Hey guys.

This is really kind of disappointing… I got the mikrotik solution mainly to, as time goes by, integrate a whole bunch of hotspot locations to authenticate at one central server. Now unless I’ve got it wrong, this doesn’t seem to be one of mikrotik’s capabilities…?? Not by default anyhow. I’m hoping that I’m wrong so I’ll describe my scenario to you and you can comment.

Location A,B and C. Now:

Location A - running mikrotik OS on a pc as user manager server with static Internet IP account.
(Ludicrously expensive, so no it’s not practical to get this type of account for A,B & C)

Location B & C - running router boards and Hotspot to my customers (hotel & coffee shop).
Both of these locations have PPPoE ADSL accounts (I.E. dynamic internet IPs).

Now User Manager requires me to add a router to allow for authentication:

Name: Location_A and Location_B
IP Address: ???.???.???.??? (It changes every day and host names are not supported)
Shared Secret: easy_just_think_of_some_thing
Log events: Just tick what you want

So you can see my problem. How do I assign an IP to my router when it changes all the time? DynDNS is not supported and even if it was it doesn’t matter because host names in the “add router” field are not supported either. Mikrotik has some really great features, but these features are some of the basic requirements for any router nowadays, aren’t they? I mean, every ADSL / ethernet router on the market (even the cheapest of the cheap ones) has a dynamic DNS function built in. Having mentioned that, how hard is it for User Manager to convert a host name to an IP address?

The only solution I can come up with (after thinking about it over coffee) is that I need to create a tunnel from each of my remote locations to Location A. Great idea bright spark (I’m thinking to myself), but isn’t that just a huge waste of resources??

I came across this post just now and realised that I’m not the only one following this logic.
http://forum.mikrotik.com/t/dhcp-routers/14380/1

Surely there has to be another way?? I mean, it’s Mikrotik! You can do anything with Mikrotik!? :open_mouth:

Anyone with a resource saving solution?

P.S. - I really am a fan of mikrotik, I’m just trying to make the matter seem less serious by masking it with sarcasm. :confused:

Hi.

I’ve got a solution for you.
First, lemme outline my scenario:
Locations A, B and C.

  • Location A is running a FreeRADIUS server, running behind dynamic-IP ADSL.
  • Location B is a network that has 3 Mikrotik boxes that auths against Location A.
  • Location C is a single Mikrotik x86 machine also authing against Location A.

Okay, in my scenario, there is no need for me to add routers under /tool/user-manager/routers, because I’m not using RouterOS on Location A, but I’ll outline a solution for you. Each of my ADSL routers on all three locations runs a DynDNS updater. This WILL be necessary if you want to resolve their IP addresses from their hostnames from the other locations. Since you mention this, I assume you have ADSL routers with DynDNS support.
Also take a look at Mikrotik’s ChangeIP support, for your reference.

So as you know, every so often your DSL routers’ WAN IPs change. Routers update their new IPs to DynDNS. All good. But the entries under /radius of your Mikrotik boxes are now no longer valid. What you’ll need is a script that can remove the previous entry, and replace it with a fresh one. Let’s suppose your FQDN you’re doing an update on is myrouter.domain.com, and the IP of your WAN that has been assigned to you is 12.34.56.78
Type this into your console and see what happens: :put [:resolve myrouter.domain.com]
You’ll see this appear on screen:
12.34.56.78

If it Doesn’t happen, check your DNS settings, and also log into your DynDNS account and see that your router has updated the IP correctly.

Now you can write a script that can remove the old Radius entry, and replace it with a freshly resolved one. Let’s suppose the services you want to run are ppp,hotspot and your secret is My_Secret, and your subscriber name is Admin.
Let’s also suppose the FQDN names that you are updating are
master.domain.com (for your main location)
hiltonhotspot.domain.com (for your hotspot running at, suppose the Hilton hotel)
sheratonhotspot.domain.com (for your hotspot running at, suppose the Sheraton hotel)

First, remove the old radius entry from your Hotspot routers. For the purposes of this script, I’m going to assume there’s only one Radius entry that uses PPP and Hotspot:
/radius remove [/radius find service=ppp,hotspot]

Then, add a new one with a freshly resolved address:
/radius add service=ppp,hotspot address=[:resolve master.domain.com] secret=My_Secret

You’ll also need to add perhaps a Netwatcher, or a Scheduler to just run this script every few hours, or as soon as the IP stops responding. See the manual for more details.

On your Auth server side, it’ll be almost identical.
I’m going to assume you named your router entries in /tool/user-manager/routers as follow:
For the Hilton hotspot: hilton1
For the Sheraton: sheraton1

Again, proceed to remove them, but use their names as search criteria for the removal:
/tool user-manager router remove [/tool user-manager router find name=hilton1]
/tool user-manager router remove [/tool user-manager router find name=sheraton1]

Then proceed to add new ones with freshly resolved IPs:
/tool user-manager router add subscriber=admin name=hilton1 shared-secret=My_Secret ip-address=[:resolve hiltonhotspot.domain.com]
/tool user-manager router add subscriber=admin name=sheraton1 shared-secret=My_Secret ip-address=[:resolve sheratonhotspot.domain.com]

Again, you might want to put that script to be either triggered by netwatch when the IP stops responding, or just every hour or so.

That should be enough information to get you running.
If you need more help, just yell.

Cheers!
-Krige

Hey Krige.

Thank you so much for your detailed descriptions and insight.
This however was what I was afraid of :open_mouth:

I’m still a BIG noob at scripting…to be honest, I’ve only tried out one script (well since yesterday that would be two) and that is the Change IP one from the wiki. So it’s more of a copy&paste scenario if you know what I mean. The other one was a simple “mail me” script in netwatch to monitor an AP…didn’t even get it to work though and that was my first meet with “The Netwatcher” as well.

Now, I don’t scare that easily, so I’ve had a look at the scripts and dug deeper into console commands and your logic makes complete sense. The problem now lies with me.

Let’s for instance take a look at the change IP script:
:log info "DDNS: Begin"
:global ddns-user "username"
:global ddns-pass "password"
:global ddns-host "yourdomain.where_ever.com"
:global ddns-interface "External_Port_Name"
:global ddns-ip [ /ip address get [/ip address find interface=$ddns-interface] address ]
:if ([ :typeof $ddns-lastip ] = nil ) do={ :global ddns-lastip 0.0.0.0/0 }
:if ([ :typeof $ddns-ip ] = nil ) do={
    :log info ("DDNS: No ip address present on " . $ddns-interface . ", please check.")
} else={
    :if ($ddns-ip != $ddns-lastip) do={
        :log info "DDNS: Sending UPDATE!"
        :log info [ /tool dns-update name=$ddns-host address=[:pick $ddns-ip 0 [:find $ddns-ip "/"] ] key-name=$ddns-user key=$ddns-pass ]
        :global ddns-lastip $ddns-ip
    } else={
        :log info "DDNS: No change"
    }
}
:log info "DDNS: End"

Very nice and well done to whoever created it. But now what? I run it on my Router with V2.9.43 and it works great…it picks up my domain name and resolves the IP. BTW, on the PC server I’m running the latest v3… and it doesn’t pick up on the IP. Anyhow. Now, today my IP changed and I’m screwed. You never know when exactly it will change so you obviously have to monitor it. Preferably not utilising all your resources on this process either.
So you have to use Netwatcher I gather to…I’m guessing now…ping/monitor your/itself and when the existing IP is not reachable any longer, you run the ChangeIP script. But no wait, now the netwatcher settings are also a dud because the IP changed and it will show up as off line all the time. So the script needs to include either the editing or deletion and recreation of the netwatcher settings…

Whichever way is the best, I have not the slightest idea of where to start. Plus, how much resources does the router utilise to keep an eye on a device (whether or not it’s keeping an eye on itself)? Especially when it comes to monitoring remote routers - does this not affect your bandwidth? And another thing, does scripting between routerOS versions change??

In short - I would greatly appreciate your assistance. Where do I start? :blush:

P.S. - I don’t mind spoon feeding…just so you know :wink:

Correct. Much the same way as I described removing and re-inserting the /radius entry, the same will happen to the Netwatch entry.

Here’s my script - For reference, I called the script “fqdn_update”:

/radius remove [/radius find service=ppp]
/radius add service=ppp address=[:resolve my.domain.com] secret=MySecret
:log info "RADIUS Server IP Updated"
/tool netwatch remove [/tool netwatch find down-script=fqdn_update]
/tool netwatch add host=[:resolve my.domain.com] interval=60s timeout=5s down-script=fqdn_update
:log info "NetWatch RADIUS Monitor Updated"

So there you see how to do the netwatcher entry. Mine searches for the Netwatcher entry that will trigger the script fqdn_update, and removes it, then proceeds to replace it with a new addy. It just pings it once every minute to see if it’s still there.
When it’s not there, it triggers the Down Script.

Well, you know, this is a method that works for me.
My ADSL routers do my DynDNS updating, so I don’t know if I can help on the ChangeIP thing.

I’m not 100% sure how much resources it uses, but I imagine it can’t be a lot at all.
I’ve had some scripting issues between 2.9.46 and 3.0rc5, but this one I just pasted to you did run fine on 2.9.46, although now I’m using 3.0rc5 on one router, and rc6 on another.

Let me know if that helps or if you need more help.

-K
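As an added example (not part of this thread or of Krige's script), here is a variant of the fqdn_update idea that resolves the FQDN first and only then touches the /radius and /tool netwatch entries, so a DNS failure leaves the existing RADIUS server in place instead of deleting it and failing on the re-add. It assumes RouterOS v6 or later syntax (:do/on-error, :local), and that the entries to maintain are tagged comment=ddns-radius; the FQDN and secret are placeholders.

```routeros
# Added example, not the thread's own script.
# Assumptions: RouterOS v6+; exactly one /radius entry and one /tool netwatch
# entry carry comment="ddns-radius"; master.domain.com and My_Secret are placeholders.
:local fqdn "master.domain.com"
:local newip ""

# Resolve first. If DNS fails, :resolve raises an error and newip stays empty,
# so nothing below is removed or changed.
:do {
    :set newip [:resolve $fqdn]
} on-error={
    :log warning ("fqdn_update: could not resolve " . $fqdn . ", keeping current RADIUS entry")
}

:if ([:typeof $newip] = "ip") do={
    :local rid [/radius find comment="ddns-radius"]
    :if ([:len $rid] = 0) do={
        # First run: nothing to update yet, create the entry.
        # Once the accepted address is whatever DNS returns, the shared secret
        # carries the authentication, so use a long random one.
        /radius add service=ppp,hotspot address=$newip secret=My_Secret comment="ddns-radius"
        :log info ("fqdn_update: RADIUS entry created for " . $newip)
    } else={
        :local curip [/radius get $rid address]
        :if ($curip != $newip) do={
            # Change in place instead of remove+add: the entry never disappears.
            /radius set $rid address=$newip
            :log info ("fqdn_update: RADIUS address changed " . $curip . " -> " . $newip)
        } else={
            :log info "fqdn_update: RADIUS address unchanged"
        }
    }

    # Keep the netwatch probe pointed at the same host so its down-script
    # keeps firing on the new address rather than on a stale one.
    :local nid [/tool netwatch find comment="ddns-radius"]
    :if ([:len $nid] = 0) do={
        /tool netwatch add host=$newip interval=60s timeout=5s down-script="fqdn_update" comment="ddns-radius"
    } else={
        :if ([/tool netwatch get $nid host] != $newip) do={
            /tool netwatch set $nid host=$newip
        }
    }
}
```

Run it once from the console to create the entries, then attach it to a scheduler (every hour or so) in addition to the netwatch down-script, so a change is picked up even while the old address still answers pings.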