Freeradius and PPPOE Interface vlan

Hello all,

I have a problem that I do not understand how to fix. I hope someone can guide me.

I have a PPPoE server on my MikroTik router with a VLAN interface. Without FreeRADIUS, everything just works fine. What I want to achieve is to use FreeRADIUS as an external RADIUS server for user authentication (PPPoE Secret). However, the MikroTik router won't accept or reject the login request from FreeRADIUS; it just takes no action, and there is no log in the router about the FreeRADIUS request. It happens when the PPPoE server uses a VLAN interface.

My question is: how do I use FreeRADIUS with a VLAN for the PPPoE server (interface VLAN), so that clients can connect from FreeRADIUS?

If the PPPoE server interface is the Ethernet port itself (ether5), it always disconnects by itself and reconnects again every 1 or 2 seconds.

Any help is welcome.

Thank you and Best Regards

Post the export of your non-working configuration, see my automatic signature just below for anonymisation hints.

Your description is not really clear, but in any case, the router’s connection to an external RADIUS server doesn’t depend on whether the PPPoE server (which talks to the RADIUS to authenticate/enable clients) listens directly at Ethernet interface or at /interface vlan.

Thank you for reply

On Mikrotik

Flags: X - disabled, I - invalid
0 service-name="pppoe_server" interface=vlan1 max-mtu=auto max-mru=auto mrru=disabled
authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10 one-session-per-host=yes max-sessions=unlimited
pado-delay=0 default-profile=default

Flags: * - default
0 * name="default" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes
use-upnp=default address-list="" on-up="" on-down=""

1 name="profile1" local-address=103.12.0.1 remote-address=pppoe_POOL use-mpls=default use-compression=default
use-encryption=default only-one=default change-tcp-mss=default use-upnp=default
rate-limit="84k/10m 0/0 0/0 0/0 5 384k/1m" address-list="" dns-server=8.8.8.8,8.8.4.4 on-up="" on-down=""

2 * name="default-encryption" use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes
use-upnp=default address-list="" on-up="" on-down=""

Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 D 192.168.3.5/24 192.168.3.0 ether1
1 100.8.0.1/14 100.8.0.0 ether5
2 103.12.0.1/14 103.12.0.0 vlan1

NAME RANGES

0 pppoe_POOL 103.12.0.50-103.15.255.254

Flags: D - dynamic, X - disabled, R - running, S - slave

NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS

0 R ether1 ether 1500 1598 2028 E4:8D:8C:1F:C3:1F
1 ether2 ether 1500 1598 2028 E4:8D:8C:1F:C3:20
2 ether3 ether 1500 1598 2028 E4:8D:8C:1F:C3:21
3 ether4 ether 1500 1598 2028 E4:8D:8C:1F:C3:22
4 R ether5 ether 1500 1598 2028 E4:8D:8C:1F:C3:23
5 R vlan1 vlan 1500 1594 E4:8D:8C:1F:C3:23

Flags: X - disabled, R - running

NAME MTU ARP VLAN-ID INTERFACE

0 R vlan1 1500 enabled 400 ether5

Flags: X - disabled

SERVICE CALLED-ID DOMAIN ADDRESS SECRET

0 ppp 192.168.3.7 mycode

The FreeRADIUS IP address is 192.168.3.7. The MikroTik IP address is 192.168.3.5.

Mysql Freeradius

Nas Table
+----+-------------+-----------------+-------+-------+--------+--------+-----------+-----------------+
| id | nasname | shortname | type | ports | secret | server | community | description |
+----+-------------+-----------------+-------+-------+--------+--------+-----------+-----------------+
| 1 | 192.168.3.5 | Mikrotik Client | other | NULL | mycode | NULL | NULL | Mikrotik Client |
+----+-------------+-----------------+-------+-------+--------+--------+-----------+-----------------+
1 row in set (0.00 sec)

Radcheck Table

mysql> SELECT * FROM radius.radcheck;
+----+----------+-------------------------+----+-------------+
| id | username | attribute | op | value |
+----+----------+-------------------------+----+-------------+
| 1 | demos | Cleartext-Password | := | 12345 |
| 2 | tests | Cleartext-Password | := | 12345 |
| 3 | demos | User-Profile | := | 2M_Profile |
| 4 | tests | User-Profile | := | 10M_Profile |
| 5 | demos | Tunnel-Type | := | 13 |
| 6 | tests | Tunnel-Type | := | 13 |
| 7 | demos | Tunnel-Medium-Type | := | 6 |
| 8 | tests | Tunnel-Medium-Type | := | 6 |
| 9 | demos | Tunnel-Private-Group-Id | := | 400 |
| 10 | tests | Tunnel-Private-Group-Id | := | 400 |
+----+----------+-------------------------+----+-------------+
10 rows in set (0.01 sec)

RadGroupCheck Table

mysql> SELECT * FROM radius.radcheck;
+----+----------+-------------------------+----+-------------+
| id | username | attribute | op | value |
+----+----------+-------------------------+----+-------------+
| 1 | demos | Cleartext-Password | := | 12345 |
| 2 | tests | Cleartext-Password | := | 12345 |
| 3 | demos | User-Profile | := | 2M_Profile |
| 4 | tests | User-Profile | := | 10M_Profile |
| 5 | demos | Tunnel-Type | := | 13 |
| 6 | tests | Tunnel-Type | := | 13 |
| 7 | demos | Tunnel-Medium-Type | := | 6 |
| 8 | tests | Tunnel-Medium-Type | := | 6 |
| 9 | demos | Tunnel-Private-Group-Id | := | 400 |
| 10 | tests | Tunnel-Private-Group-Id | := | 400 |
+----+----------+-------------------------+----+-------------+
10 rows in set (0.00 sec)

RadGroupReply
mysql> SELECT * FROM radius.radgroupreply;
+----+-----------+-------------------------+----+---------------------------------+
| id | groupname | attribute | op | value |
+----+-----------+-------------------------+----+---------------------------------+
| 1 | 2M | Framed-Pool | = | PPPOE_POOL |
| 2 | 5M | Framed-Pool | = | PPPOE_POOL |
| 3 | 10M | Framed-Pool | = | PPPOE_POOL |
| 4 | 2M | Mikrotik-Rate-Limit | = | 384k/1m 0/0 0/0 0/0 8 128k/512k |
| 5 | 5M | Mikrotik-Rate-Limit | = | 384k/5m 0/0 0/0 0/0 6 384k/512k |
| 6 | 10M | Mikrotik-Rate-Limit | = | 384k/10m 0/0 0/0 0/0 5 384k/1m |
| 8 | 2M | Tunnel-Type | := | 13 |
| 9 | 5M | Tunnel-Type | := | 13 |
| 10 | 10M | Tunnel-Type | := | 13 |
| 11 | 2M | Tunnel-Medium-Type | := | 6 |
| 12 | 5M | Tunnel-Medium-Type | := | 6 |
| 13 | 10M | Tunnel-Medium-Type | := | 6 |
| 14 | 2M | Tunnel-Private-Group-Id | := | 400 |
| 15 | 5M | Tunnel-Private-Group-Id | := | 400 |
| 16 | 10M | Tunnel-Private-Group-Id | := | 400 |
+----+-----------+-------------------------+----+---------------------------------+
15 rows in set (0.00 sec)

I think that's all. Let me know if you want to know or ask something. Thank you and regards.

radtest on SSH for freeradius

Sent Access-Request Id 15 from 0.0.0.0:55993 to 127.0.0.1:1812 length 81
User-Name = "demos"
User-Password = "12345"
NAS-IP-Address = 127.0.1.1
NAS-Port = 100
Message-Authenticator = 0x00
Framed-Protocol = PPP
Cleartext-Password = "12345"
Received Access-Accept Id 15 from 127.0.0.1:1812 to 0.0.0.0:0 length 100
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Framed-Pool = "PPPOE_POOL"
Mikrotik-Rate-Limit = "384k/1m 0/0 0/0 0/0 8 128k/512k"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "400"
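
An added example, not part of the original posts: a small consistency check that compares the Access-Accept attributes from the radtest output with the router and NAS values printed above. It assumes the router matches the pool name in Framed-Pool exactly, including case; the function names and dictionary layout are hypothetical.

```python
import re

# Values copied from the outputs posted in this thread.
ACCESS_ACCEPT = '''\
Framed-Protocol = PPP
Framed-Pool = "PPPOE_POOL"
Mikrotik-Rate-Limit = "384k/1m 0/0 0/0 0/0 8 128k/512k"
Tunnel-Private-Group-Id:0 = "400"
'''
ROUTER = {"pools": ["pppoe_POOL"], "router_ip": "192.168.3.5",
          "radius_server": "192.168.3.7", "radius_secret": "mycode"}
NAS_ROW = {"nasname": "192.168.3.5", "secret": "mycode"}


def parse_attrs(text):
    """Parse 'Name[:tag] = value' lines of radtest output into a dict."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w-]+)(?::\d+)?\s*=\s*(.*?)\s*$', line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def cross_check(attrs, router, nas):
    """Return a list of mismatches between the RADIUS side and the router side."""
    findings = []
    pool = attrs.get("Framed-Pool")
    if pool is not None and pool not in router["pools"]:
        msg = f"Framed-Pool {pool!r} is not a pool defined on the router"
        near = [p for p in router["pools"] if p.lower() == pool.lower()]
        if near:
            msg += f" (differs only in case from {near[0]!r})"
        findings.append(msg)
    if nas["nasname"] != router["router_ip"]:
        findings.append("nas.nasname does not match the router address")
    if nas["secret"] != router["radius_secret"]:
        findings.append("nas.secret does not match the /radius secret")
    return findings


if __name__ == "__main__":
    for finding in cross_check(parse_attrs(ACCESS_ACCEPT), ROUTER, NAS_ROW):
        print("MISMATCH:", finding)
```
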

Can you confirm that my understanding of your OP, that the issue with Radius only exists when the PPPoE server is attached to a VLAN interface, whereas it works fine when the PPPoE server is attached to ether5 directly, is correct? Because at first glance I cannot see anything wrong in your setup, so maybe I have misunderstood what the actual problem is?

Anyway, I’ve asked for export of your configuration, and you’ve posted a print - it’s not the same.

So just a blind shot, have you set /ppp aaa set use-radius=yes? If yes, post the export.

Yes, correct. However, I found a new problem when attaching directly to ether5: it always returns "cannot determine remote ip address" and disconnects after 2 seconds.

As for using the VLAN, what I cannot understand is that RADIUS cannot connect if ether5 has the VLAN attached. The log on my router has no update at all for the request or response.

Sorry for the print. I will export and post here. Give me a moment. Thank you for your help.

Here is the AAA export. Thank you for your time and help.
radius-aaa.rsc (165 Bytes)

I’ve specially checked all the available skins the forum offers. In every single one, my automatic signature is shown on the same place, right below the post. Please do read it.

If the issue is a configuration one (which is not 100 % sure), it is somewhere in the configuration where you don’t expect it to be, so posting export of just those bits of configuration you suspect to be related is useless.

So either post the export of your complete configuration, anonymised as per the hints in my automatic signature, or I give up.