Hi all,
I am trying to configure FreeRADIUS for authentication of clients to Wi-Fi. I use CAPsMAN. RouterOS 6.40.
I need:
- user authentication - WORKS
- set IP address for the client - WORKS
- add the client to a VLAN - DOES NOT WORK
- set the comment in the CAPsMAN wifi registration table - DOES NOT WORK
I have set up vlan3 as an interface, and I have configured a bridge.
Here is the client configuration in the users file (FreeRADIUS):
bob	Auth-Type := EAP, Cleartext-Password := "hello"
	Mikrotik-Wireless-Comment = franko_phone,
	Mikrotik-Wireless-VLANID = 3,
	Mikrotik-Wireless-VLANID-Type = 2

E8:B4:C8:XX:XX:XX	Auth-Type := Accept
	Framed-IP-Address = 192.168.109.101
Authorization is successful:
tail -f /var/log/freeradius/radius.log
Mon Oct 23 13:16:41 2017 : Auth: (44) Login OK: [bob/<via Auth-Type = eap>] (from client private-network-1 port 0 via TLS tunnel)
Mon Oct 23 13:16:41 2017 : Auth: (45) Login OK: [bob/<via Auth-Type = eap>] (from client private-network-1 port 0 cli E8-B4-C8-XX-XX-XX)
And here is the output in debug mode (freeradius -X):
(8) Received Access-Request Id 18 from 10.0.0.11:39153 to 10.0.1.66:1812 length 262
(8) Service-Type = Framed-User
(8) Framed-MTU = 1400
(8) User-Name = "bob"
(8) State = 0x19fef7b31ef6eecbfaf47510ca9e8ed9
(8) NAS-Port-Id = "CORSPI-CZ1"
(8) NAS-Port-Type = Wireless-802.11
(8) Acct-Session-Id = "8210002e"
(8) Calling-Station-Id = "E8-B4-C8-XX-XX-XX"
(8) Called-Station-Id = "D4-CA-6D-XX-XX-XX:corspi-capsule"
(8) EAP-Message = 0x02080050190017030100200d6118d9e079b16eaf55c8cbb8ad4cc18e7855b74de1d055ffecefd057c68d311703010020508279f1c863c4c997430b2f4e2e280852ba924d2157bceedf8192b79a1cd640
(8) Message-Authenticator = 0x1bbc851d227d52af864e5a171a5f160e
(8) NAS-Identifier = "CAPSMAN Controller"
(8) NAS-IP-Address = 10.0.0.11
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(8) auth_log: --> /var/log/freeradius/radacct/10.0.0.11/auth-detail-20171023
(8) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.0.0.11/auth-detail-20171023
(8) auth_log: EXPAND %t
(8) auth_log: --> Mon Oct 23 16:03:56 2017
(8) [auth_log] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "bob", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 80
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x639aba5a6292a07c
(8) eap: Finished EAP session with state 0x19fef7b31ef6eecb
(8) eap: Previous EAP request found for state 0x19fef7b31ef6eecb, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020800061a03
(8) eap_peap: Setting User-Name to bob
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020800061a03
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "bob"
(8) eap_peap: State = 0x639aba5a6292a07c0bfedd921b9d501f
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020800061a03
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "bob"
(8) State = 0x639aba5a6292a07c0bfedd921b9d501f
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "bob", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) Cleartext-Password := "bob"
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) files: users: Matched entry bob at line 90
(8) [files] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x639aba5a6292a07c
(8) eap: Finished EAP session with state 0x639aba5a6292a07c
(8) eap: Previous EAP request found for state 0x639aba5a6292a07c, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 8 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) post-auth { ... } # empty sub-section is ignored
(8) Login OK: [bob/<via Auth-Type = eap>] (from client private-network-1 port 0 via TLS tunnel)
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) Mikrotik-Wireless-Comment = "franko_phone"
(8) Mikrotik-Wireless-VLANID = 3
(8) Mikrotik-Wireless-VLANID-Type = 2
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0xd7fd0cdb0bda795c15493778351b86b2
(8) MS-MPPE-Recv-Key = 0xb74a98f282b3bafa5afafb62c7103f5c
(8) EAP-Message = 0x03080004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "bob"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: Mikrotik-Wireless-Comment = "franko_phone"
(8) eap_peap: Mikrotik-Wireless-VLANID = 3
(8) eap_peap: Mikrotik-Wireless-VLANID-Type = 2
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0xd7fd0cdb0bda795c15493778351b86b2
(8) eap_peap: MS-MPPE-Recv-Key = 0xb74a98f282b3bafa5afafb62c7103f5c
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "bob"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: Mikrotik-Wireless-Comment = "franko_phone"
(8) eap_peap: Mikrotik-Wireless-VLANID = 3
(8) eap_peap: Mikrotik-Wireless-VLANID-Type = 2
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0xd7fd0cdb0bda795c15493778351b86b2
(8) eap_peap: MS-MPPE-Recv-Key = 0xb74a98f282b3bafa5afafb62c7103f5c
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "bob"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 9 length 43
(8) eap: EAP session adding &reply:State = 0x19fef7b311f7eecb
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) Sent Access-Challenge Id 18 from 10.0.1.66:1812 to 10.0.0.11:39153 length 0
(8) EAP-Message = 0x0109002b190017030100202e6cecf907bbccb7d49af0b495366649d7eb36297f09bf4dda50ce13be7d2da5
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x19fef7b311f7eecbfaf47510ca9e8ed9
(8) Finished request
Waking up in 4.7 seconds.
Can you please help me with the correct configuration?
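For readers with the same symptom, this is an added configuration example (not from the post above, and not MikroTik's or FreeRADIUS's shipped defaults verbatim) of the FreeRADIUS 3.0 setting that decides whether a reply built inside the PEAP inner tunnel, like the Mikrotik-Wireless-* VSAs the trace shows on the inner-tunnel reply, is copied into the outer Access-Accept that CAPsMAN actually sees. It assumes the stock /etc/freeradius/3.0 layout from the trace; the first form is the older switch in mods-available/eap, the second is the explicit copy that newer 3.0 releases prefer, and only one of the two is needed.

```unlang
# Form 1: /etc/freeradius/3.0/mods-available/eap, inside eap { ... }.
# Shipped default is "no": the inner-tunnel reply (where the users file
# matched "bob" and attached the VSAs) is dropped and the outer
# Access-Accept carries only the EAP and MS-MPPE key attributes.
peap {
    # other PEAP directives (tls, default_eap_type, ...) unchanged
    virtual_server = "inner-tunnel"
    use_tunneled_reply = yes     # copy inner reply attributes outward
}

# Form 2: /etc/freeradius/3.0/sites-available/inner-tunnel, post-auth
# section (the trace shows it empty). Strip attributes that belong only
# to the inner exchange first, so nothing from the inner MSCHAPv2 leg
# leaks into the outer reply, then hand the rest to the outer request.
post-auth {
    update reply {
        &User-Name !* ANY
        &Message-Authenticator !* ANY
        &EAP-Message !* ANY
        &Proxy-State !* ANY
        &MS-MPPE-Encryption-Types !* ANY
        &MS-MPPE-Encryption-Policy !* ANY
        &MS-CHAP2-Success !* ANY
        &MS-CHAP-MPPE-Keys !* ANY
    }
    # The default site's post-auth merges session-state into the reply,
    # so Mikrotik-Wireless-VLANID, -VLANID-Type and -Comment end up in
    # the Access-Accept sent to the CAPsMAN controller.
    update {
        &outer.session-state: += &reply:
    }
}
```

After either change, confirm in freeradius -X that the final "Sent Access-Accept" block for the outer request lists the Mikrotik-Wireless-* attributes; if it does and the VLAN is still not applied, the remaining problem is on the CAPsMAN side rather than in RADIUS.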