I need your guidance. I'm trying to create a basic RADIUS server using User Manager that will authenticate wireless clients connecting to a UniFi AP (the AP will be the authenticator) with a username and password combination; my end goal is to hand out static DHCP leases to addresses based on the user and pass combination. I got to a point where I have set up user-manager and enabled a couple of users, but access requests get denied. My configuration is very simple:
/user-manager user
add name=user1
add name=test
/user-manager
set certificate=*0 enabled=yes use-profiles=yes
/user-manager router
add address=192.168.1.30 comment=local name=local
The following is the export of ip dhcp-server which should hand out the IP addresses (please don't focus on the static part missing, I just want to get this thing working first)
I'm not well-versed in external authentication using RADIUS so I might be making obvious mistakes. For instance, do I need to have a certificate when logging in with username and password, or is it optional (for now I just want to authenticate using user and pass)? I have enabled debugging of user-manager and I see that access requests are coming in from 192.168.1.30 (the authenticator) and are getting rejected (the Wireshark packet capture says that the username doesn't exist, but this is definitely not true). I'm guessing some sort of incompatibility in the configuration between user-manager and the authenticator (UniFi AC Mesh) or maybe the settings I'm using on my phone to connect, but I'm not sure. If you need any other info please let me know.
I have no idea specifically, but generally speaking, when there is an asterisk followed by a number it means that something was there and it isn't anymore, see point #21:
Besides this, the other general consideration applies: a MikroTik configuration is a (complex) set of interconnected (some evidently, some not so much so) things. It is always advised to post the WHOLE configuration export for review, as the problem may well be in some other parts that you did not share.
This is perfectly normal and not a problem with whoever set up the device.
To remove certificate=*0, you can set it to ="" (nothing to do on GUI), but this is just a cosmetic issue.
That's a generic ID, not the ID of a specific certificate, which was later deleted and remained *0.
Hi guys, thanks for chipping in. Well, I tried setting up a certificate and then removed it, but the "*0" would not go away either by clicking the UP arrow in WinBox to remove the field altogether or by using the CLI option certificate=""; actually the CLI option throws this error "ambiguous value of certificate, more than one possible value matches input" and it doesn't do anything (this is RouterOS 7.16.1).
I actually solved the issue thanks to a link provided by a user on reddit. You need to have a profile assigned for each user in user-manager starting from v5. Now I got it up and running and I'm experimenting with my options. Thanks again!
Thanks so much @rextended! I totally missed the use-profile=yes option. I know that the "*0" is cosmetic but it gets on my nerves when I see it :P.
Btw, do you know why I can't use the option "" when trying to remove an option from the CLI? My main issue is with firewall rules: for example, when I want to remove src-address from a firewall rule I do /ip/firewall/filter set 0 src-address="" and I get "value of range expects range of ip addresses". I've also tried with edit; edit doesn't throw an error but again it changes nothing, i.e., the src IP address goes nowhere.