IKEv2 and EAP Radius - No accounting records

Hi,

I have set up IKEv2 server running on my Mikrotik 6.40.1 with authentication done by EAP passthrough to a RADIUS server which works fine except that no RADIUS Accounting records are ever sent from the Mikrotik to the RADIUS server; I only see the Auth requests.

I know accounting works because it works fine for my Wireless clients.

Does anyone have any suggestions? Has anyone ever got RADIUS accounting with IKEv2 EAP passthrough working on their Mikrotik?

Regards,
Achelon

It is likely that accounting records are only written for protocols where a dynamic interface is created for the traffic (PPP based).

OK, understood. That is a shame.

Regards,
Achelon

Well, EAP on WiFi also does accounting, so maybe it is only an issue with IKEv2.
Of course you can always do a feature request via the mail address…

Accounting for IKEv2 currently is not implemented.

Hi achelon,
would you be so kind and share config for IKEv2 eap radius?
What client do you use? W10 / Android with Strongswan?

thanks a lot

Hi achelon, would you be so kind and share config for IKEv2 eap radius?

Hi,

As requested, though I don’t think there is anything special about my config. The IKEv2 accounting thing is still not fixed after all this time as well. Here it is.

Regards,
Achelon

/radius
add address=<radius server IP> secret=Password service=ppp,login,hotspot,wireless,dhcp,ipsec timeout=3s

/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no
add name=cfg_priv split-include=0.0.0.0/0,<LAN SUBNET> static-dns="" system-dns=yes

/ip ipsec peer proposal
set [ find default=yes ] dh-group=modp2048,modp1024 enc-algorithm=aes-128,3des hash-algorithm=sha1 lifetime=1d name=default proposal-check=obey
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=1d name=proposal_1 proposal-check=obey

/ip ipsec policy group
set [ find default=yes ] name=default
add name=group1

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 disabled=no enc-algorithms=aes-256-cbc lifetime=1d name=default pfs-group=none

/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate=<cert filename> comment=IKEv2 disabled=no dpd-interval=2m exchange-mode=ike2 \
    generate-policy=port-strict local-address=<WAN IP> mode-config=cfg_priv my-id=fqdn:<WAN FQDN> passive=yes policy-template-group=\
    default proposal=proposal_1 send-initial-contact=no

/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=yes

/ip ipsec user settings
set xauth-use-radius=yes

This thread is about one year old. Still not implemented?
I would really really love to see this implemented.
I’m running 6.42.3 and no accounting records are issued by Mikrotik.

I know, this is so frustrating. I thought it might be fixed after a year.

What’s new in 6.45beta16 (2019-Mar-18 07:49):

Changes in this release:

*) ipsec - added support for RADIUS accounting;

RADIUS accounting has been implemented. Please let us know if you have any feedback or issues with it.

I have just tested this and to be fair, it seems to work. Thanks for listening, I had given up hope.

Achelon

Does anyone know what the value passed in NAS-Port-Id means for IPSEC sessions? The documentation doesn’t (yet?) cover IPSEC:

NAS-Port-Id - async PPP - serial port name; PPPoE - ethernet interface name on which server is running; HotSpot - name of the physical HotSpot interface (if bridged, the bridge port name is showed here); not present for ISDN, PPTP and L2TP

Do you have any specific needs or ideas what might be a good value to pass in NAS-Port-Id? Currently a hex value of the remote peer’s ID is written there and as far as we can see, RFC is not very specific what should be written there. Perhaps, the specific Identity ID could be written there?

Hi,

I’m trying to setup something like this. But I’m pretty much stuck on the radius setup.

Does anyone have a pointer to a document where this is described?

Thanks
Ekkehard

There are many tutorials on the Internet about how to set up an EAP RADIUS server. You can also take a look at this wiki article, which describes how to set up FreeRADIUS EAP authentication for wireless; it has pretty much the same configuration for IKEv2.

https://wiki.mikrotik.com/wiki/Manual:Wireless_EAP-TLS_using_RouterOS_with_FreeRADIUS

The current approach is fine, I was just curious.

One other question I have - although I receive the start and stop accounting records, I never receive any interim records - is this by design or a bug?

Regards,
Achelon

Make sure you specify “interim-update” parameter under ‘/ip ipsec settings’. This setting currently is CLI only.

You are correct, works fine when this is set to a non-zero value.

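As an added example (not from this thread or from MikroTik), the following Python check reads FreeRADIUS detail-style accounting records on the RADIUS side, groups them by Acct-Session-Id and reports which of Start, Interim-Update and Stop never arrived for each session, which is how the missing interim records discussed above would show up. The record layout and all values (session ids, user names, timestamps) are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample in FreeRADIUS detail-file layout (timestamp header, indented attributes).
SAMPLE_DETAIL = """\
Tue Mar 19 10:00:01 2019
\tAcct-Status-Type = Start
\tAcct-Session-Id = "81800001"
\tUser-Name = "alice"

Tue Mar 19 10:05:01 2019
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "81800001"

Tue Mar 19 10:09:12 2019
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "81800001"

Tue Mar 19 10:02:00 2019
\tAcct-Status-Type = Start
\tAcct-Session-Id = "81800002"
\tUser-Name = "bob"

Tue Mar 19 10:30:00 2019
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "81800002"
\tAcct-Session-Time = 1680
"""
# "Attribute = value", value optionally quoted.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')
def parse_detail(text):
    """Yield one attribute dict per record, skipping the timestamp header line."""
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines()[1:]:
            m = ATTR_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if rec:
            yield rec
def audit_sessions(text):
    """Group by Acct-Session-Id; list which of Start/Interim-Update/Stop never arrived."""
    sessions = defaultdict(lambda: {"user": None, "types": []})
    for rec in parse_detail(text):
        s = sessions[rec.get("Acct-Session-Id", "?")]
        s["user"] = rec.get("User-Name") or s["user"]   # Start carries the user name
        s["types"].append(rec.get("Acct-Status-Type"))
    for s in sessions.values():
        s["missing"] = [t for t in ("Start", "Interim-Update", "Stop") if t not in s["types"]]
    return dict(sessions)
```

A session whose "missing" list contains only "Interim-Update" is the case fixed by setting a non-zero interim-update under /ip ipsec settings.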