Hello everyone, I have an issue and I want to figure out a solution. I created a hotspot on the LAN interface, and we have Active Directory. I authenticated the users via IAS to query the Active Directory database, and everything is fine, BUT I want to go further and put the users in different user profiles so I can MARK the packets based on the groups “not necessarily the same group names from Active Directory” …
Any solution should be acceptable, but I want it to be somehow dynamic so as not to change anything later …
I use FreeRADIUS, but I don’t think it matters what radius it is. You must set your IAS server to return “Mikrotik-Group” for clients that should have a hotspot user profile other than “default”.
Warning! If the user profile name does not exist, you will get a “configuration error” on your login page.
Hmmm, so you are saying that the RADIUS server is going to return the user group to me too, but this should be a predefined attribute on the RADIUS server named “Mikrotik-group”. I found many attributes on the IAS server, but didn’t see “Mikrotik-group” among them (Windows 2003 server).
But you put me in the right direction at least. Now if I find that “Mikrotik-group”, what is going to happen? Are the domain user groups going to be returned to my MikroTik hotspot router, so it will put these groups instead of the user profiles in the user-profiles tab?
For example, I have a hotspot user profile named “managers”. More bandwidth.
So for the users I want to have that bandwidth, I send Attribute=Mikrotik-Group and Value=managers.
If you want to see if it is getting through, enable radius logging.
/system logging
add topics=radius action=memory
Try a login with a user that should have the Mikrotik-Group attribute, then check the log.
OK, I decided to go with FreeRADIUS instead of IAS, so can you please post your FreeRADIUS configuration, or at least the link to the guide you used to get it running?
I am using this guide now, but I get the error “cannot join as standalone machine” when I try to register the RADIUS server on the Active Directory domain using the command :
The message:
"Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)"
appears when I try to test the RADIUS server with radtest. The secret is 100% correct but there is something wrong about it, maybe the encryption, but the ntlm_auth is correct :
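
An added example, not code from any poster in this thread: it shows how “Mikrotik-Group” travels in a RADIUS reply as a Vendor-Specific attribute, and the RFC 2865 Response Authenticator check that a RADIUS client applies to a reply, which fails whenever the two sides hash with different shared secrets. The vendor ID 14988 and attribute number 3 come from the MikroTik RADIUS dictionary; the secret, packet ID and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

MIKROTIK_VENDOR_ID = 14988   # MikroTik enterprise number (from the MikroTik dictionary)
MIKROTIK_GROUP = 3           # Mikrotik-Group vendor attribute number
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute type
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

def mikrotik_group_vsa(profile: str) -> bytes:
    """Encode Mikrotik-Group=<profile> as a Vendor-Specific attribute."""
    value = profile.encode()
    sub = struct.pack("!BB", MIKROTIK_GROUP, 2 + len(value)) + value
    body = struct.pack("!I", MIKROTIK_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the authenticator with the client's copy of the secret."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def extract_group(packet: bytes):
    """Walk the attribute list and return the Mikrotik-Group value, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break  # malformed attribute length, stop parsing
        data = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(data) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", data[:6])
            if vendor == MIKROTIK_VENDOR_ID and vtype == MIKROTIK_GROUP:
                return data[6:4 + vlen].decode()
        pos += alen
    return None

if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator
    pkt = build_reply(ACCESS_ACCEPT, 7, req_auth, mikrotik_group_vsa("managers"), b"constructed-secret")
    print("group:", extract_group(pkt))
    print("same secret:", verify_reply(pkt, req_auth, b"constructed-secret"),
          "| different secret:", verify_reply(pkt, req_auth, b"other-secret"))
```

The value returned by `extract_group` has to match an existing hotspot user profile name on the router, otherwise the login page shows the “configuration error” mentioned above.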