FreeRADIUS + MAC Authentication

I have a problem with a FreeRADIUS server and MikroTik ‘Remote MAC Authentication’.

I configured my server:

  1. copied and included dictionary.mikrotik file,
  2. in clients.conf added ‘nastype = mikrotik’
  3. in users added (for testing)
    00:E0:63:50:38:B1 User-Password == “”

When my MikroTik box sends the Access-Request, I see this
(radiusd running with -X):

rad_recv: Access-Request packet from host 10.1.100.246:1044, id=30, length=71
Service-Type = Framed-User
NAS-Identifier = “Raptor-00”
NAS-Port-Id = “wlan1”
User-Name = “00:E0:63:50:38:B1”
User-Password = “”
NAS-IP-Address = 10.1.100.246
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
modcall[authorize]: module “preprocess” returns ok for request 13
modcall[authorize]: module “chap” returns noop for request 13
modcall[authorize]: module “mschap” returns noop for request 13
rlm_realm: No ‘@’ in User-Name = “00:E0:63:50:38:B1”, looking up realm NULL
rlm_realm: No such realm “NULL”
modcall[authorize]: module “suffix” returns noop for request 13
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module “eap” returns noop for request 13
users: Matched entry 00:E0:63:50:38:B1 at line 5
modcall[authorize]: module “files” returns ok for request 13
modcall: group authorize returns ok for request 13
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 30 to 10.1.100.246:1044
Finished request 13

but my MikroTik resends the Access-Request a few times and then waits…
I can see in the Radius Server Status window (in MikroTik WinBox) that all requests time out!

This RADIUS server works fine with another type of NAS (e.g. a Cisco AP).
The FreeRADIUS version is 1.0.4 on a FreeBSD 5.1 host.

Any idea?

Do you have more than one IP address configured on the PC running the RADIUS server?
Maybe the case is:

  1. The NAS sends an Access-Request to the RADIUS server.
  2. The RADIUS server authenticates successfully and sends an Access-Accept, but from another IP address because of the routing table.
  3. The NAS keeps retransmitting the Access-Request until the RADIUS timeout.

In this case you should configure the RADIUS server to listen on the particular IP address that is configured in the NAS RADIUS client.

Hope this helps

nhalachev!

you are a God! :smiley:

It was the problem.
But it’s interesting that this wasn’t a problem for the Cisco AP340 :open_mouth:

thanx & regards,

Well, then this is a serious security bug in the Cisco firmware, I think …

maybe,
but our RADIUS server was installed 3 years ago, on a Debian with only one Ethernet interface (with one IP address) and this problem wasn’t a problem :slight_smile:) (and I saw that the IP address was configured exactly)
now we changed our last Linux server to FreeBSD and I forgot to set up the RADIUS IP address .. :neutral_face:
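
Added example, not part of the original thread: a Python sketch of the reply checks a RADIUS client can apply, showing why an Access-Accept sent from a second address on a multihomed server is dropped by a client that matches the source address, while a client that checks only the RFC 2865 Response Authenticator still accepts it. The IP addresses, the shared secret and the function names are constructed, and the two client behaviours are assumptions used for illustration, not documented MikroTik or Cisco behaviour.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread, except the packet id 30).
SERVER_IP = "192.0.2.10"   # address configured on the NAS as its RADIUS server
OTHER_IP = "192.0.2.20"    # second address on the same host; reply leaves from here
SECRET = b"constructed-secret"
REQ_ID = 30
REQUEST_AUTH = bytes(range(16))           # Request Authenticator sent by the NAS
ATTRS = bytes([6, 6, 0, 0, 0, 2])         # Service-Type = Framed-User

def build_reply(code, pkt_id, request_auth, attrs, secret):
    """Server side: RADIUS reply carrying the RFC 2865 Response Authenticator."""
    header = struct.pack("!BBH", code, pkt_id, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def authenticator_ok(reply, request_auth, secret):
    """Recompute MD5(Code+ID+Length+RequestAuth+Attributes+Secret) and compare."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    digest = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(digest, reply[4:20])

def client_accepts(reply, src_ip, request_auth, secret, match_source=True):
    """NAS side: decide whether a datagram from src_ip answers our request."""
    if match_source and src_ip != SERVER_IP:
        return False, "source address mismatch"   # dropped, so the NAS retransmits
    if len(reply) < 20 or reply[1] != REQ_ID:
        return False, "id mismatch"
    if not authenticator_ok(reply, request_auth, secret):
        return False, "bad response authenticator"
    return True, "ok"

ACCEPT = build_reply(2, REQ_ID, REQUEST_AUTH, ATTRS, SECRET)   # code 2 = Access-Accept
FORGED = build_reply(2, REQ_ID, REQUEST_AUTH, ATTRS, b"wrong-secret")

if __name__ == "__main__":
    print(client_accepts(ACCEPT, SERVER_IP, REQUEST_AUTH, SECRET))
    print(client_accepts(ACCEPT, OTHER_IP, REQUEST_AUTH, SECRET))
    print(client_accepts(ACCEPT, OTHER_IP, REQUEST_AUTH, SECRET, match_source=False))
    print(client_accepts(FORGED, OTHER_IP, REQUEST_AUTH, SECRET, match_source=False))
```

In this model the client that skips source matching still rejects a reply built without the shared secret, so the authenticator check is what separates a misrouted genuine reply from a forged one.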