Client and Server on one RB

Is it possible to have User-Manager functioning as a PPP radius client and server on the same box, i.e. access requests being authenticated and accounting being maintained on the same MT router?

All the MT documentation (as far as I can see) refers to AAA against a remote server.

If it can be done, and the client is on (say) the WLAN1 interface, what is the IP address of the ‘radius/U-M server’ the client has to be pointed at? Can it be any other interface on the same router? Can it even be the WLAN interface?

If it can be done, is it possible to echo the client’s radius packets to a remote radius server and database?

The reason behind this somewhat convoluted arrangement is that it enables users to access their own pages via the web-interface and for user-usage/time-expiry-warning etc emails to be generated by script accessing the local User-Manager ‘user’ database and sent from the User-Manager box while safely recording and backing-up all the accounting etc. info on, say, a MySQL database on (dare I say it?) a remote Windows machine.

Yes, it is possible. Remember that Radius (or User Manager) is a package on its own, that runs pretty much independently, which gives you the freedom to move it to a remote server. But you can host it on the same machine.
I’ve got a network in which every base station runs its own User Manager, and its Radius Client points to itself.

Well that is the ideal - A centralized authentication point. But it is not so much a Remote Server as it is a “foreign piece of software” which doesn’t necessarily have to run on a different machine.

Point it to any interface on the router itself, e.g.:
WLAN1 IP = 10.0.0.1
Ether1 IP = 192.168.0.1
Ether2 IP = 176.1.1.56

In /radius, your address can be any of these. Under /tool/user-manager/routers, the address must then ALSO be the address you chose to put in /radius.

You’ve got me there. I don’t know if that is possible. I’m inclined to say No, but I’ve learned that there’s a way around pretty much everything.

I guess as far as “backing up” goes, you can get your APs to export their user-manager files and get another router to download them from the APs and store them in a safe place. But as far as shadowing it to a different database - especially bridging it to MySQL… Oy.

-K

Thanks Krigevr.

Given our situation a remote server is a luxury we don’t need. Presently we’ve two access concentrators both using our mountaintop gateway (all 532s) as the RADIUS/User-Manager server but getting the two APs to do their own AAA for their own networks would reduce the load on the gateway machine, network traffic and the vulnerability of having all the recording on the one machine.

Seems the way to go.

I find that User Manager works great on the same machine that it’s hosted on, but not any remote. The remotes can see the User Manager machine, and vice versa, but they cannot seem to authenticate against it. Just see Radius timeout, on the client router, and the User Manager host shows no record of it trying. I’m using L4 on the User Manager machine…does it need to have an L6 license to work with remotes?