deny winbox access to hotspot users

Hi,

I’ve created a freeRADIUS + MySQL + daloRADIUS server and it’s working great for login and hotspot services.

My problem is: hotspot users can access winbox with read permissions

Which attributes can I use to control/restrict hotspot users to login only in hotspot service?

Which attributes can I use to allow superusers login with full permissions and login in hotspot too?

Thanks!

I have not used hotspot functionality but there are several places to limit winbox access.

1. INPUT CHAIN. At the end of the input chain of the default firewall rules I do three modifications, after GETTING RID of the !LAN rule.
   a. create a rule to allow only those on an admin access firewall list to the router itself.
   b. add any services that are required by LAN users
   c. add a drop all else rule.

add action=accept chain=input comment="Allow ADMIN to Router" log-prefix=\
    AdminAccess src-address-list=adminaccess in-interface-list=LAN
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow NTP service" connection-state=\
    new dst-port=123 in-interface-list=LAN protocol=udp src-address-list=\
    NTPserver
add action=drop chain=input comment="Drop All Else"
2. SYSTEM IP SERVICES. Here is where I decide on the winbox port and I don't use the standard one. One can also delineate sources of allowed access as well (single IPs, subnets). There is also room here for certificates and TLS although I have not used them yet.

3. TOOLS MAC SERVER WINBOX MAC SERVER. This is not an obvious setting but it is recommended to disable mac server but then to go to winbox mac server and put the appropriate interface as being allowed to access winbox mac server. What I do here is define which interfaces I want to allow (where I may need access to any of my devices) in the interface list and interface list members. Such as create a list called winboxaccess and then add interfaces to that list.

4. SERVICES USERS. This one may be a bit trickier with hotspot but here is where one allows which users may access the router as well as password access. One can delineate the groups and what rights the groups have per user.

Thanks for all those hints

But I’m looking for something at RADIUS level to control this

The radius debug from RouterOS shows me it uses these attributes to check a hotspot user authorization against RADIUS:

sending Access-Request with id 173 to 172.16.40.40:1812
    Signature = 0xbb737bf6ac8c0fbb0da6b90071b24091
    NAS-Port-Type = 15
    Calling-Station-Id = "48:49:C7:00:6F:3C"
    Called-Station-Id = "hotspot1"
    NAS-Port-Id = "bridge-HotSpot"
    User-Name = "hotspot"
    NAS-Port = 2150629417
    Acct-Session-Id = "80300029"
    Framed-IP-Address = 192.168.33.109
    MT-Host-IP = 192.168.33.109
    CHAP-Challenge = 0x58ae9fd0adeec16e24f5c7aae72c0754
    CHAP-Password = 0x3db88d6a5032ce4a6c8a913143415b46
    Service-Type = 1
    WISPr-Logoff-URL = "http://192.168.33.1/logout"
    NAS-Identifier = "RTR-CE-HOTSPOT-01"
    NAS-IP-Address = 192.168.33.1

Edit:

I noticed the management service (Winbox, SSH, telnet) uses the MS-CHAP-Challenge attribute and the hotspot service uses the CHAP-Challenge attribute.

Solved: After setting up Auth-Type := CHAP in the RouterOS-Hotspot-Access group as a Check Attribute, hotspot users can't log in to management (Winbox, SSH, telnet) anymore and they can log in to the hotspot service without problems (Hotspot Service uses Login By: HTTP CHAP).
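The following is an added example, not code from this thread or from FreeRADIUS/daloRADIUS. It models the mechanism behind the solution above: it parses a RouterOS RADIUS debug dump of the shape posted earlier, classifies the request by the challenge attribute it carries (CHAP-Challenge for hotspot, MS-CHAP-Challenge for management, as observed in the thread), and applies a group check row equivalent to `Auth-Type := CHAP` on the RouterOS-Hotspot-Access group. The group tables, the management-login dump and the admin user are constructed assumptions, and the authorize logic is a simplification: real FreeRADIUS forces the Auth-Type and then fails in the chap module when no CHAP-Password is present, which this code collapses into a direct "forced type does not match request" reject.

```python
"""Model of a FreeRADIUS group check `Auth-Type := CHAP` applied to
RouterOS Access-Requests (added example, not project code)."""

# Constructed hotspot dump: attribute set mirrors the one posted in the thread.
HOTSPOT_DUMP = """\
sending Access-Request with id 173 to 172.16.40.40:1812
    NAS-Port-Type = 15
    Calling-Station-Id = "48:49:C7:00:6F:3C"
    Called-Station-Id = "hotspot1"
    NAS-Port-Id = "bridge-HotSpot"
    User-Name = "hotspot"
    CHAP-Challenge = 0x58ae9fd0adeec16e24f5c7aae72c0754
    CHAP-Password = 0x3db88d6a5032ce4a6c8a913143415b46
    Service-Type = 1
    NAS-Identifier = "RTR-CE-HOTSPOT-01"
"""

# Constructed management-login dump (assumption): RouterOS Winbox/SSH/telnet
# login carries MS-CHAP-Challenge instead of CHAP-Challenge, as the poster saw.
MGMT_DUMP = """\
sending Access-Request with id 174 to 172.16.40.40:1812
    User-Name = "hotspot"
    MS-CHAP-Challenge = 0x0102030405060708090a0b0c0d0e0f10
    MS-CHAP2-Response = 0x0000
    NAS-Identifier = "RTR-CE-HOTSPOT-01"
"""

# Constructed daloRADIUS-style tables (MySQL radusergroup / radgroupcheck rows).
# The "admin" user and the RouterOS-Admin-Access group are assumptions.
RADUSERGROUP = [
    ("hotspot", "RouterOS-Hotspot-Access"),
    ("admin", "RouterOS-Admin-Access"),
]
RADGROUPCHECK = [
    # groupname, attribute, op, value  -> the check attribute from the solution
    ("RouterOS-Hotspot-Access", "Auth-Type", ":=", "CHAP"),
]


def parse_dump(text):
    """Turn the 'Name = value' lines of a RouterOS radius debug dump into a dict.
    The leading 'sending Access-Request ...' line has no ' = ' and is skipped."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if " = " not in line:
            continue
        name, _, value = line.partition(" = ")
        attrs[name] = value.strip('"')
    return attrs


def detect_auth_type(attrs):
    """Classify the request by the challenge attribute it carries, which is the
    distinction the thread relies on. PAP is included for completeness."""
    if "CHAP-Challenge" in attrs:
        return "CHAP"
    if "MS-CHAP-Challenge" in attrs:
        return "MS-CHAP"
    if "User-Password" in attrs:
        return "PAP"
    return None


def authorize(attrs):
    """Apply the user's group check rows. An `Auth-Type :=` row forces the
    authentication type; a request built for a different method cannot
    satisfy it, so it is rejected (simplified FreeRADIUS behaviour)."""
    user = attrs.get("User-Name")
    request_type = detect_auth_type(attrs)
    groups = [group for member, group in RADUSERGROUP if member == user]
    for group in groups:
        for grp, attribute, op, value in RADGROUPCHECK:
            if grp == group and attribute == "Auth-Type" and op == ":=":
                if value != request_type:
                    return ("reject",
                            "group %s forces Auth-Type %s, request is %s"
                            % (group, value, request_type))
    return ("accept", "Auth-Type %s" % request_type)


if __name__ == "__main__":
    for label, dump in (("hotspot login", HOTSPOT_DUMP), ("winbox login", MGMT_DUMP)):
        decision, reason = authorize(parse_dump(dump))
        print("%-14s -> %s (%s)" % (label, decision, reason))
```

Running it shows the hotspot request (CHAP-Challenge) accepted and the management request for the same hotspot account (MS-CHAP-Challenge) rejected, while a user outside the hotspot group is not affected by the check row. In a real deployment the same split is created by the radgroupcheck row the poster added through daloRADIUS; the point of the model is that the check acts on the authentication method the NAS chose, not on which service the user asked for.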