daloRADIUS & MikroTik PPTP server

Hello,

I have some questions about setting up a RADIUS server with some specific attributes per customer. It is for a PPTP server:

  • local ip
  • remote ip
  • routes

I have found the attribute for the remote IP (Framed-IP-Address), but I can't find ones for “local IP” and “routes” (I have to specify the route for each customer). Questions:

  1. Do you have any idea which attributes in the MikroTik dictionary cover this (route and local IP)?
  2. Is it also possible to configure daloRADIUS with an L2TP server in the same way?

Thank you.

I’m not sure that the supported RADIUS attributes https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Supported_RADIUS_Attributes have made it to the new help pages.

And stop using PPTP, it has been known to be insecure for at least a decade.

Thanks for the reply. I have found the attributes for local IP and route (Framed-Routes). By the way, how can I check in my CHR whether the route RADIUS assigned is the right one?
Indeed, it also works with L2TP as well as PPTP. Radius > ipsec.

They will appear as dynamic entries under /ip route with the name of the PPTP/L2TP connection as the gateway.

Thank you. By the way, it doesn’t appear although I assigned the Framed-Route attribute in my daloRADIUS:
Reply attributes > Framed-Route = 192.168.0.1/24.

Is there another setting that I have to set ?

Per the wiki page, the format of the Framed-Route attribute is specified in RFC 2865 (section 5.22), so you should be sending 192.168.0.1/24 0.0.0.0 1

I tried “192.168.0.1/24 0.0.0.0 1” in Framed-Route (in replycheck). Same result: it doesn’t appear in IP > Routes.
Do I have to change the IP address for the route? I only want to set this option to be sure that it works via daloRADIUS.

I can’t immediately recall if the Mikrotik rejects routes where the subnet bits are not zero, so for 192.168.0.1/24 it should really be 192.168.0.0/24

I tried : 192.168.0.0/24 192.168.0.1 1

Same, it doesn’t appear on IP>routes.

Is 192.168.0.1 the client remote address? It is safer to use 0.0.0.0 which indicates to use the tunnel regardless of address.

An alternate method is to use Framed-IP-Address and Framed-IP-Netmask if the address is part of the routed subnet, in place of using Framed-IP-Address and Framed-Route.

Finally it works. My CHR’s config:
WAN : 192.168.0.18/24 (router in DMZ)
LAN PPP : 192.168.0.60/24 ( = local IP)

Daloradius :
Framed-IP-Address 192.168.0.220/24 ( = remote client PPP IP)
Framed-Route : 192.168.0.0/24 192.168.0.220 1

Then, in IP > Routes, I have:

DAd+ : 0.0.0.0/0 192.168.0.1
DAC+ : 192.168.0.0/24 radius
DAC+ : 192.168.0.0/24 WAN
Dv : 192.168.0.0/24 192.168.0.220
DAC : 192.168.0.220 → pptp-client

By the way, is it right that I have 2 routes, the DAC and the Dv (which I added manually via daloRADIUS), for the PPTP client IP?
thank you.

Two routes is correct - one from the point-to-point tunnel, the second the subnet route.

However you can’t have the same subnet on both your CHR and the remote client, routing relies on subnets not overlapping with each other as it has no way of knowing which interface to use if they do.
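An added example (not from any post in this thread): a small Python helper that normalises Framed-Route values into the RFC 2865 section 5.22 shape discussed above ("prefix/len gateway metric", gateway 0.0.0.0 meaning "via the user's own tunnel"), flags the host-bits problem (192.168.0.1/24 versus 192.168.0.0/24), checks a route against the router's own subnets for the overlap pointed out in the last reply, and emits rows in the layout of the FreeRADIUS radreply table that daloRADIUS writes to. Assumptions: the radreply column layout (username, attribute, op, value) and the ':=' operator are the stock FreeRADIUS SQL schema, a prefix given without a length is treated as a /32 host route, and nothing here talks to RouterOS or to the database.

```python
"""Added example (not from the thread): validate Framed-Route values for a
MikroTik PPP server fed by FreeRADIUS/daloRADIUS."""
import ipaddress
from typing import Iterable, List, Tuple


def normalize_framed_route(value: str, strict: bool = False) -> str:
    """Return VALUE in the RFC 2865 section 5.22 form "<prefix>/<len> <gateway> <metric>".

    A missing gateway becomes 0.0.0.0, which tells the NAS to route via the
    user's own Framed-IP-Address, i.e. the tunnel; a missing metric becomes 1.
    Host bits in the prefix (192.168.0.1/24) are cleared to 192.168.0.0/24, or
    rejected when strict=True.
    """
    parts = value.split()
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"expected 'prefix [gateway [metric]]', got {value!r}")
    prefix = parts[0]
    gateway_str = parts[1] if len(parts) > 1 else "0.0.0.0"
    metric_str = parts[2] if len(parts) > 2 else "1"

    # Assumption: a bare address without /len is treated as a /32 host route.
    iface = ipaddress.IPv4Interface(prefix)      # accepts host bits
    net = iface.network                           # network address, host bits cleared
    if strict and iface.ip != net.network_address:
        raise ValueError(f"{prefix}: host bits set; use {net.with_prefixlen}")

    gateway = ipaddress.IPv4Address(gateway_str)  # rejects junk such as "1.2.3"
    metric = int(metric_str)
    if metric < 0:
        raise ValueError(f"metric must be non-negative, got {metric_str!r}")
    return f"{net.with_prefixlen} {gateway} {metric}"


def is_valid_framed_route(value: str, strict: bool = False) -> bool:
    """Boolean wrapper for a form or import check."""
    try:
        normalize_framed_route(value, strict=strict)
        return True
    except ValueError:
        return False


def overlapping_subnets(route_value: str, local_subnets: Iterable[str]) -> List[str]:
    """Local subnets on the router that overlap the Framed-Route prefix.

    A non-empty result is the situation from the thread (CHR LAN 192.168.0.0/24
    and a Framed-Route for 192.168.0.0/24): the router cannot tell which
    interface should carry traffic for that prefix.
    """
    route_net = ipaddress.IPv4Network(normalize_framed_route(route_value).split()[0])
    local_nets = [ipaddress.IPv4Network(s, strict=False) for s in local_subnets]
    # dict.fromkeys keeps order and drops duplicates (two addresses in one LAN).
    return list(dict.fromkeys(str(n) for n in local_nets if n.overlaps(route_net)))


def ppp_reply_rows(username: str, remote_ip: str, routes: Iterable[str],
                   op: str = ":=") -> List[Tuple[str, str, str, str]]:
    """Rows in the (username, attribute, op, value) layout of the FreeRADIUS
    radreply table daloRADIUS manages (assumed stock schema and operator).

    Framed-IP-Address is a plain address: "192.168.0.220/24" is rejected here;
    the mask belongs in Framed-IP-Netmask if it is needed at all.
    """
    addr = ipaddress.IPv4Address(remote_ip)
    rows = [(username, "Framed-IP-Address", op, str(addr))]
    rows += [(username, "Framed-Route", op, normalize_framed_route(r)) for r in routes]
    return rows


if __name__ == "__main__":
    for v in ("192.168.0.1/24", "192.168.0.1/24 0.0.0.0 1", "192.168.0.0/24 192.168.0.220 1"):
        print(f"{v!r:40} -> {normalize_framed_route(v)}")
    # Constructed sample: the CHR's WAN and PPP local addresses from the thread.
    print(overlapping_subnets("192.168.0.0/24 192.168.0.220 1",
                              ["192.168.0.18/24", "192.168.0.60/24"]))
    for row in ppp_reply_rows("customer1", "10.10.0.2",
                              ["10.20.0.0/24", "10.30.0.0/24 0.0.0.0 5"]):
        print(row)
```

Run it before pasting a value into daloRADIUS: a non-empty result from overlapping_subnets is the case described in the reply above, and strict=True catches the 192.168.0.1/24 form from earlier in the thread instead of silently rewriting it.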

Yes, it is just to test the Framed-Route function.
Also, do you know if it is possible to add those attributes in MangoSpot? I only tested with daloRADIUS; I can't find it for MangoSpot.

That isn’t something I have used. If it doesn’t have options for specific RADIUS reply attributes, it depends on whether it has any mechanism for adding generic/custom ones.