I’ve noticed a lot of things on the forums aren’t being taken over to the wiki and as a result a lot of things are being referred to forum posts. In a personal effort to bring attention to the Wiki I’m writing guides for new and old users of Mikrotik.
I’ve just completed my 2nd guide. So far I have a guide to setting up FreeRADIUS with MySQL support and getting RouterOS to talk to it for PPPoE connections, and the latest guide I just finished was a guide to securing a clean RouterOS load.
I really would like feedback from people here on what they think and perhaps areas they would like me to write things on. I was planning on writing more guides on RADIUS integration into Wireless and DHCP as well as a Wireless Link planning guide.
Awesome. I look forward to reading it so that I can compare my setup to your guide.
Now I am on for a search to implement Radius.
Does anyone know how to use the freeradius to restrict internet usage / surfing by employees through the MT Router???
I figured out how to use FreeRADIUS to set up users in MySQL that are allowed access to Winbox. Works great. I would like to figure out how to use it to only allow certain users access to the internet through maybe a webpage login screen? Or is this done by MT itself??? Anyone have comments / suggestions where to start???
Savage has helped me set up Framed-Pool so that PPPoE server clients that are authenticated in FreeRADIUS using MySQL are using the IP Pool set up for a PPPoE connection.
This makes it easier to use the PPPoE_POOL I set up for the PPPoE profile instead of using Framed-IP-Address, which I would have to set for every client.
I would like to help as much as I can with your FreeRADIUS, MySQL, and PPPoE Server setup. I have finally gotten it all to work together.
Now I am mulling over writing a C# front end to add users and passwords to the MySQL database with the choice of either choosing Framed-IP-Address or Framed-Pool. When choosing the pool it will use the MT’s POOL set for the PPPoE Profile.
If you choose Framed-IP then you manually assign the IP Address. The Pool seems a much better idea as it cuts down on IP address mistakes and duplicates.
Anyway, let me know your thoughts and if you would be interested in any contributions of my experience to help out your guide from someone who struggled through the ordeal of setting up FreeRADIUS, then MySQL, and then setting up a PPPoE Server, Profile and AAA in MT, and then testing it using a Windows XP Pro PPPoE client connection.
All right, it’s 3:46am.. night everyone
‘I’m a mouse in a cat’s world trying to find the cheese’
usercollide can be turned on and used, PROVIDED it is configured properly… See below.
checkrad does checks on the NAS, not FreeRadius, used during 1 above, and others below - read on.
max_attributes can be SIGNIFICANTLY lower… Even something like 20 may be too much… For MT-only implementations, something like 10 should actually be enough. The more attributes you send, the bigger the packets, and the slower the authentication process will become.
max_requests_per_server is actually a good option to set (something like 512 or 1024 depending how busy you are). That will force FreeRadius to cycle child processes after a certain amount of requests, and will avoid the possibility of having a dead child process.
clients.conf - nastype should be set to mikrotik, or mikrotik_snmp, see below
It is bad security practice to specify anything except fixed static single IP addresses for NAS appliances, as it would be easy for an unauthorised NAS device to talk to FreeRadius, and possibly get highly sensitive authentication information.
num_sql_sockets - imperative that if you do use SQL, that you have PLENTY of available sockets. There are also notes about this in the FreeRadius documentation, but I believe it is 2 x the amount of NASes on the system.
Duplicate users / user collision:
Two possibilities exist for user collision and managing duplicate users.
Using usercollide = yes, FreeRadius will use the checkrad script to POLL the NAS in order to confirm whether a user is actually logged in, or not. Many times, Radius Accounting data can become stale. In practice, there are many times a communication error between the NAS and the Radius Server. If a user were to log out during that time period, Radius will not receive the information from the NAS that the user logged out.
The problem comes in when session limiting is enforced. Radius Accounting data shows that the user is still logged into the NAS because the “Accounting Stop” packet was never received from the NAS. If this is detected, FreeRadius will start up the checkrad script, to poll the NAS via SNMP or Telnet (Telnet is broken in checkrad for Mikrotik - use SNMP) to confirm whether the user is in fact logged into the NAS. If the script detects that the user is NOT actively logged into the NAS, the stale accounting data is updated inside FreeRadius, and the Authentication process continues as normal.
Please note: I am not at home currently and do not have my documentation with me. Some information may be inaccurate, I’ll attempt to update what is incorrect / inaccurate in due time.
Please note 2: I’ll sleep on it, but I may elect to write an advanced howto, to include things like rlm_ippool (FreeRadius IP Management), Session Management, Custom Authentication handlers via rlm_perl (for example), as well as Attribute Manipulation. There may be other things I will include as well such as Wireless and DHCP Authentication; will see how it goes after I start writing…
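The clients.conf points raised above (nastype set to mikrotik or mikrotik_snmp, and one fixed /32 address per NAS rather than a range or `*`) are easy to check mechanically. The script below is an added example, not code from the thread or from FreeRADIUS: it parses a constructed clients.conf fragment in the FreeRADIUS 1.x/2.x `client <addr> { ... }` syntax (both `ipaddr`/`netmask` keys and a CIDR label) and reports the entries that violate those two rules. The sample entries, shortnames and secrets are made up for the demonstration.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed clients.conf fragment (not from the thread): one entry that follows the
# advice above and two that do not.
SAMPLE_CLIENTS_CONF = """
client 192.0.2.10 {
    secret    = s3cr3t-router-a
    shortname = pppoe-a
    nastype   = mikrotik
}

client 10.0.0.0 {
    secret    = shared-for-all
    shortname = any-nas
    netmask   = 8
}

client 192.0.2.0/24 {
    secret    = another-secret
    shortname = subnet-nas
    nastype   = other
}
"""

# A client block: "client <label> { key = value ... }" (no nested braces in clients.conf)
BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
# One "key = value" line inside a block
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)
MIKROTIK_NASTYPES = {"mikrotik", "mikrotik_snmp"}


def parse_clients(text: str) -> List[Dict[str, str]]:
    """Return one dict per client block; the block label is stored under 'label'."""
    clients = []
    for m in BLOCK_RE.finditer(text):
        attrs = {k.lower(): v for k, v in KV_RE.findall(m.group(2))}
        attrs["label"] = m.group(1)
        clients.append(attrs)
    return clients


def client_network(c: Dict[str, str]) -> ipaddress.IPv4Network:
    """Resolve label / ipaddr / netmask into the address range the entry accepts."""
    addr = c.get("ipaddr", c["label"])
    if addr == "*":                      # wildcard client: every source address
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" not in addr and "netmask" in c:
        addr = f"{addr}/{c['netmask']}"  # 1.x style: netmask is a prefix length
    return ipaddress.ip_network(addr, strict=False)


def audit_clients(text: str) -> Dict[str, List[str]]:
    """Map each client's shortname (or label) to the list of findings for it."""
    findings: Dict[str, List[str]] = {}
    for c in parse_clients(text):
        issues = []
        net = client_network(c)
        if net.num_addresses > 1:
            issues.append(f"entry accepts {net.num_addresses} addresses ({net}); "
                          "use one fixed /32 per NAS")
        nastype = c.get("nastype")
        if nastype is None:
            issues.append("nastype missing; set mikrotik or mikrotik_snmp so checkrad "
                          "knows how to poll this NAS")
        elif nastype not in MIKROTIK_NASTYPES:
            issues.append(f"nastype '{nastype}' is not mikrotik/mikrotik_snmp")
        findings[c.get("shortname", c["label"])] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_clients(SAMPLE_CLIENTS_CONF).items():
        status = "ok" if not issues else "; ".join(issues)
        print(f"{name}: {status}")
```

Point the script at a real clients.conf by reading the file into `audit_clients` instead of the constructed sample; entries with no findings are the ones that match the advice above.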
Usercollide is unstable and this has been confirmed to me from various freerad devs via e-mail. It causes more problems than it solves, hence why I’ve left it off and it still continues to have a huge warning in the config files.
Ah yeah, I’ll fix that up.
You’re right about this; however, the only time this is an issue is during a DOS attack though. I’ll add in a note for the security paranoid.
Yeah you can do this, but the guide was a basic guide. I’ve noted that this is something you look at for tuning, but the guide is there as a go-to for a basic ‘stock’ build. Very few things have been altered in the configs, mainly just rubbish removed. I want users to understand RADIUS, not just install it from a cookbook.
Haven’t run into issues with this but it will be changed.
Once again I can’t assume the user’s network will be designed in this way; a lot of it’s open ended to allow for a wide range of user network setups. I will make a note of security, but hey, at least it’s not *
I think you should. I hold very specific views on my RADIUS integration; I hand out static IPs to clients and as a result removed ippool from the config.
As a note I was looking to write guides for wireless and DHCP RADIUS auth. Let me know if you want to write them; no point in us doubling up.
I’ll check again, but I believe this is from old versions of FR. I’ll describe the differences and the different ways to do user collision in whatever I decide to write, but usercollide definitely works without problems with the checkrad script in the newer versions of FreeRadius, again, provided it is configured properly… I am using them on my implementations dealing with over 200 requests/sec without one single problem…
Yeah, that is one of the essential parts for usercollide=yes and checkrad to work properly. As is the naspasswd file… I guess that’s why some still deem it as ‘unstable’, because it’s never configured properly -g-
By all means go ahead. I’ll stick to the advanced things then and we see what we end up with. Can always just add to each other’s work if things are missing / inaccurate… That’s the whole idea of a WIKI.
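To make the stale-accounting problem behind the usercollide/checkrad discussion concrete, here is an added example that is not from the thread and not FreeRADIUS's own checkrad: a small reconciliation of a constructed radacct snapshot against what each NAS reports as live. The NAS answer is a hard-coded stand-in for the SNMP poll checkrad actually performs (the `NAS_ACTIVE` table, its addresses, usernames and session ids are all made up). Open accounting rows the NAS no longer knows about are treated as lost Accounting-Stop packets and closed before a Simultaneous-Use style limit is evaluated, which is what lets the second login succeed instead of being refused on stale data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

NOW = datetime(2024, 1, 1, 10, 0)  # constructed "current time" for the example


@dataclass
class AcctRow:
    """One radacct row; stop is None while the session is still open in accounting."""
    username: str
    nas_ip: str
    session_id: str
    start: datetime
    stop: Optional[datetime] = None


# Constructed radacct snapshot: alice has two open rows on 192.0.2.10, but the
# NAS only knows about the second one (the Accounting-Stop for the first was lost).
RADACCT: List[AcctRow] = [
    AcctRow("alice", "192.0.2.10", "8100001", datetime(2024, 1, 1, 8, 0)),
    AcctRow("alice", "192.0.2.10", "8100042", datetime(2024, 1, 1, 9, 30)),
    AcctRow("bob", "192.0.2.10", "8100043", datetime(2024, 1, 1, 9, 31)),
    AcctRow("carol", "192.0.2.11", "8100044", datetime(2024, 1, 1, 7, 0),
            stop=datetime(2024, 1, 1, 7, 45)),
]

# Constructed stand-in for the per-NAS poll result: "user:session_id" entries the
# router currently lists as active. A NAS missing from the dict was unreachable.
NAS_ACTIVE: Dict[str, Set[str]] = {
    "192.0.2.10": {"alice:8100042", "bob:8100043"},
    "192.0.2.11": set(),
}


def open_sessions(rows: List[AcctRow]) -> List[AcctRow]:
    return [r for r in rows if r.stop is None]


def find_stale(rows: List[AcctRow], nas_active: Dict[str, Set[str]]) -> List[AcctRow]:
    """Open rows whose NAS answered the poll but does not list the session."""
    stale = []
    for r in open_sessions(rows):
        live = nas_active.get(r.nas_ip)
        if live is None:
            continue  # NAS unreachable: cannot decide, leave the row as it is
        if f"{r.username}:{r.session_id}" not in live:
            stale.append(r)
    return stale


def close_stale(rows: List[AcctRow], nas_active: Dict[str, Set[str]],
                now: datetime) -> int:
    """Mark stale rows as stopped (what checkrad triggers in FreeRADIUS); return count."""
    stale = find_stale(rows, nas_active)
    for r in stale:
        r.stop = now
    return len(stale)


def login_allowed(rows: List[AcctRow], nas_active: Dict[str, Set[str]],
                  username: str, simultaneous_use: int, now: datetime) -> bool:
    """Session-limit check after reconciling accounting against the NAS."""
    close_stale(rows, nas_active, now)
    active = sum(1 for r in open_sessions(rows) if r.username == username)
    return active < simultaneous_use


if __name__ == "__main__":
    for r in find_stale(RADACCT, NAS_ACTIVE):
        print(f"stale: {r.username} session {r.session_id} on {r.nas_ip}")
    print("alice may log in (limit 2):", login_allowed(RADACCT, NAS_ACTIVE, "alice", 2, NOW))
    print("bob may log in (limit 1):", login_allowed(RADACCT, NAS_ACTIVE, "bob", 1, NOW))
```

Without the reconciliation step, alice's two open rows would count against a limit of 2 and her new login would be refused on accounting data the NAS no longer agrees with; bob is refused either way because his one session is genuinely live. Rows on a NAS that did not answer the poll are deliberately left open rather than guessed at.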
Maybe I know one. There are users in 3 categories: web junkies (use web mostly and become angry if connection is slow) hmm… uploaders… download junkies (download everything using everything)