freeradius_dhcp with mikrotik

Hello,

If I do not add the address-list attribute, my RADIUS server assigns the client the correct IP address,
but when I add the "Mikrotik-Address-List" attribute to MySQL as shown in the attached photo, it says Access-Reject and does not
even assign an IP address.

I have included dictionary file located at:
http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client/vendor_dictionary


freeradius -X output:
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
Failed binding to authentication address * port 1812: Address already in use
/etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

Any ideas?
mikrotik_radius.png

In order to get useful FreeRADIUS debug information with radiusd -X, you need to do the following:

  1. Stop the FreeRADIUS service (service radiusd stop if you're on a RHEL-based distro, not 100% sure of the Debian way to do it)
  2. Use radiusd -X to start FreeRADIUS in debug mode
  3. Make the DHCP request, so that debug mode catches the request
  4. Post the debug output here

Otherwise, the first thing I can think of is that FreeRADIUS may be operating in PAP or CHAP mode (expecting a password along with the “username” of the MAC address), and the MT may not be sending the matching password. If that’s the case, your options run along either having an entry for Cleartext-Password = for your username (MAC Address) in the radcheck table, or having an Access-Type = Accept entry for that username in the radcheck table.
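An added example, not code from this thread: the MySQL rows for the second option above (accept the MAC-address username without a password) together with the per-user reply attributes, assuming the standard FreeRADIUS radcheck/radreply schema and a constructed MAC of E8:90:C4:B5:01:88. The check attribute FreeRADIUS looks for is named Auth-Type with the := operator, and the Mikrotik-* reply attributes resolve only when the MikroTik vendor dictionary is loaded.

```sql
-- Constructed example: accept the DHCP client by MAC address with no password.
-- Auth-Type := Accept short-circuits PAP/CHAP, so the empty User-Password
-- the MikroTik sends does not cause an Access-Reject. The MAC is then the
-- only credential, so this row should exist only for known clients.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('E8:90:C4:B5:01:88', 'Auth-Type', ':=', 'Accept');

-- Reply attributes returned in the Access-Accept. The Mikrotik-* names must
-- exist in the loaded dictionary (dictionary.mikrotik); otherwise rlm_sql
-- cannot create the attribute pair from the row.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('E8:90:C4:B5:01:88', 'Framed-IP-Address',     ':=', '192.168.88.100'),
  ('E8:90:C4:B5:01:88', 'Mikrotik-Address-List', ':=', 'test'),
  ('E8:90:C4:B5:01:88', 'Mikrotik-Rate-Limit',   ':=', '512k/2500k');

-- Sanity check: the same lookups rlm_sql runs in the authorize section,
-- so what these return is exactly what the debug output will show.
SELECT id, username, attribute, value, op FROM radcheck
 WHERE username = 'E8:90:C4:B5:01:88' ORDER BY id;
SELECT id, username, attribute, value, op FROM radreply
 WHERE username = 'E8:90:C4:B5:01:88' ORDER BY id;
```

The username must match the User-Name the MikroTik sends byte for byte, including the upper-case hex and colon separators.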

Thanks for the reply.

If I do not add the address-list attribute, the server assigns an IP address to the client without problem.

I had to kill the freeradius process, and then the "binding" problem went away.

Found out that it assigns the IP, address-list and rate limit fine only if I enter debugging mode: freeradius -X
Here is the log:

Ready to process requests.
rad_recv: Access-Request packet from host 149.30.11.107 port 60203, id=128, length=120
NAS-Port-Type = Ethernet
NAS-Port = 2202009973
Calling-Station-Id = "1:e8:99:c4:b7:a:87"
Framed-IP-Address = 192.168.100.3
Called-Station-Id = "server1"
User-Name = "E8:90:C4:B5:01:88"
User-Password = ""
NAS-Identifier = "MikroTik"
NAS-IP-Address = 192.168.100.2

Executing section authorize from file /etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "E8:90:C4:B5:01:88", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> E8:90:C4:B5:01:88
[sql] sql_set_user escaped user --> 'E8:90:C4:B5:01:88'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'E8:90:C4:B5:01:88' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'E8:90:C4:B5:01:88' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'E8:90:C4:B5:01:88' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user

Executing section post-auth from file /etc/freeradius/sites-enabled/default

+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 128 to 149.30.11.107 port 60203
Framed-IP-Address := 192.168.88.100
Mikrotik-Address-List := "test"
Mikrotik-Rate-Limit := "512k/2500k"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 149.30.11.107 port 60025, id=129, length=114
NAS-Port-Type = Ethernet
NAS-Port = 2202009974
Calling-Station-Id = "1:e8:99:c4:b7:a:87"
Called-Station-Id = "server1"
User-Name = "E8:90:C4:B5:01:88"
User-Password = ""
NAS-Identifier = "MikroTik"
NAS-IP-Address = 192.168.100.2

Executing section authorize from file /etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "E8:90:C4:B5:01:88", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> E8:90:C4:B5:01:88
[sql] sql_set_user escaped user --> 'E8:90:C4:B5:01:88'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'E8:90:C4:B5:01:88' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'E8:90:C4:B5:01:88' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'E8:90:C4:B5:01:88' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user

Executing section post-auth from file /etc/freeradius/sites-enabled/default

+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 129 to 149.30.11.107 port 60025
Framed-IP-Address := 192.168.88.100
Mikrotik-Address-List := "test"
Mikrotik-Rate-Limit := "512k/2500k"
Finished request 1.
Going to the next request
Waking up in 3.8 seconds.
Cleaning up request 0 ID 128 with timestamp +9
Waking up in 1.1 seconds.
Cleaning up request 1 ID 129 with timestamp +10
Ready to process requests.

Hm, if it's assigning correctly in debugging mode, then what does the tail of the RADIUS log (the RHEL-based default location is /var/log/radius/radius.log) show when you attempt an authorization with RADIUS running in service mode?