Hello,
I have just set up Mikrotik to use radius for dhcp authenticating. I have read the docs and haven’t found an answer: how to pass dns servers to such dhcp clients? Now i have /ip dhcp-servers network statements but I would like to use radius parameters for that. How can I do it?
Regards,
Gregor
The standard radius attributes are MS-Primary-DNS-Server and MS-Secondary-DNS-Server.
How MT have implemented that on a DHCP level, is not known to me. Try those two, if they don’t work I believe you’ll have to do it in some other form (not radius).
–
C
radio:~# grep -i MS-Primary-DNS-Server /usr/share/freeradius/dictionary*
/usr/share/freeradius/dictionary.microsoft:ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr
I don’t think that dictionary.microsoft is a “standard”. Do you say that Mikrotik accepts parameters that are not defined in mikrotik’s dictionary?
Gregor
Yes, it does. I use them frequently on PPPoE without any problems.
Remember, a vendor specific dictionary, does not mean the vendor ONLY accepts it’s own attributes. A vendor dictionary is there to allow other vendors to talk to their own software. It’s a dictionary to make everyone talk the same language - and does NOT mean vendor XYZ only speaks one language defined in their own dictionary… What attributes are understood by the vendor depends greatly on what the PPP implementation understands - In MT’s case, this would be linux. man ppp, you’ll see there are plenty of other documented attributes that are accepted, and that are understood. The MT dictionary and attribute description on the web site, is merely a description of the MT propriotary attributes that MT decided to ‘create’ for use in their systems.
MS-Primary/Secondary-DNS-Server is one of the only ways I know to specify DNS servers to PPP Connections via Radius. Cisco uses them, MT accepts them (even through they’re not documented), and I’m sure allot of other NAS providers use them as well.
MS-Primary/Secondary-DNS-Server IMHO can also be clasified as ‘standard’ as they are defined very clearly in RFC2548. For a reference of attributes, feel free to have a look at http://www.freeradius.org/rfc/attributes.html And no, that does also not mean that MT will understand, honour, or abide to ALL those attributes.
–
C
Yes, it works! Thank you for your help, it is a pity that this all is not documented in http://www.mikrotik.com/docs/ros/2.9/guide/aaa_radius - one more time thanks!
Gregor
They do not list them on the web site, as I guess there are to many. Things that are important that you should have noticed:
MikroTik RouterOS RADIUS Client should work well with all RFC compliant servers.
Now, when you start reading the various RFCs dealing with Radius, Authentication, Accounting, and Authorization, you would see that many of these RFCs specifically names Attributes that are supported through the RFC. If the software or NAS claims to support RFCxyz, then it must support anything mentioned inside the RFC. In MT’s case, this will include allot of attributes not listed on the web site, but listed in the RFCs.
Quite normal I’d say - but don’t rely on Vendor information only. Read the RFC Documents, make sure you understand what you are implementing before you start implementing it 
–
C
Accounting is something that I try next month 
One more question - how to specify in radius dns suffix? I mean parameter named domain used in /ip dhcp-server network.
I may stand corrected, but I don’t believe there is a standard Radius Attribute for that parameter. If there’s not a standard one (you can go through the various RFCs to see if there is one), then that is something that Mikrotik would need to add and implement through their propriatory vendor Dictionary.
DHCP Authorisation via Radius is not something I normally do, so my knowledge is limited on that. Go through the RFCs, have a look if there is something…
–
C
Ooops, I have confirmed both attributes to work, but I have made only a quick test and I was wrong 
If there are no dns-servers in /ip dhcp-server network, mikrotik assigns its own dns servers (used in /ip dns), not the ones sent by MS-Primary-DNS-Server and MS-Secondary-DNS-Server.
So the question still remains - how to pass dns servers via radius/dhcp?
Gregor
Radius is a dialup authentication system. It really peeves me off that every second guy thinks about a new way how to cheat the RFCs to make their own unique propriotory software… (sorry, just wanted to get that off the chest cough)
The whole DHCP via Radius thing, is described in RFC4014. From the RFC, only User-Name (the MAC Address), Service-Name, Session-Timeout, Framed-Pool, Framed-IPv6-Pool, and vendor specific attributes are supported.
Unless Mikrotik expand on their custom dictionary, and add custom attributes to actually support standard DHCP options via Radius, you are limited to those 4 or 5 attributes only.
The alternative (and as I said, I don’t use this so I don’t know if this will work), is to configure a normal DHCP Server, add all the options you need (DNS, Domain Name, WINS, etc) into the DHCP Scope’s options, and then switch that to Radius Authentication. It might work, provided that Radius does not overrright what has allready been configured in the scope. If it does overright, well… Let’s just say that I won’t be to impressed…