MAC Addresses in RADIUS requests have colons in them

Greetings -

Re-posting from another forum in hopes of getting an answer quicker, sorry for the duplication.

Trying to get a MikroTik to auth properly against a RADIUS server. The issue is that, unlike other NASs we have, the MikroTik is transmitting the user’s mac address with colons separating each octet. This doesn’t work for us, because our user names are 12-digit mac addresses without colons.

How can I change this? I can’t find it in the manual and haven’t located it in the forums yet…I’m guessing that once I do find it, I would also be able to make the Mikrotik transmit the mac as the password as well as the user name…?

Thanks for any help you can provide…

In the MT box it couldn’t be changed. Why can’t you elongate this username to 16 digits (with colons)?

Edgars

Re: elongating the username…I could do that, but our other NASs don’t put the colons in the mac address. Thus, I’d have to have two usernames for each MAC in every table, one with colons and one without…

Unless I’m just missing something huge, which is possible, as I’m just getting by with RADIUS…any advice is appreciated.

Depending on your RADIUS server you could perhaps tell it to rewrite the username before trying to do anything with it. Perhaps in the style of “if a request from this NAS is coming in, delete all colons from the username”…

That would definitely work, if only I knew how to do it.

I’m using FreeRadius on Slackware. I have the Mikrotik dictionary included (with its reference to group commented out, as the “Group” attribute was defined in the general dictionary already).

Do you have any thoughts/advice re: how to perform that decision process you mention above?

TIA -

RWS

You should search the FreeRadius docs for attr_rewrite. From memory something like the following should get you into the right direction:

attr_rewrite mac_colons {
   # the dictionary name of the attribute is User-Name, not Username
   attribute = User-Name
   # operate on the incoming request packet
   searchin = packet
   # regex to search for: a single colon
   searchfor = ":"
   # delete every match
   replacewith = ""
   # a MAC contains five colons; allow enough matches to strip them all
   max_matches = 10
   append = no
}

But please check syntax and overall correctness before using this - it really was just from memory… :wink:

you’re a bad*ss, thanks…all I usually need is a push in the right direction

I’ll investigate further along those lines.

Thanks again -

RWS

Have you got things going?

I saw you got your problems using my code snippet solved on the FreeRadius mailing list…

Hi Christian -

Yes, thank you so much...I posted the following in that FreeRadius mailing list, but since it's totally about a Mikrotik I don't see the harm in including it here (a moderator may correct me, though - we'll see) -


The new NAS does not transmit a password along with the username, as illustrated below:

rad_recv: Access-Request packet from host 10.35.0.30:1034, id=50, length=60

    Service-Type = Framed-User
    NAS-Port-Id = "wlan1"
    User-Name = "00:0A:E9:06:29:07"
    User-Password = ""
    NAS-IP-Address = 10.35.0.30

In our AuthDB, every username (the 12 digit mac, no colons) has a password that exactly matches the username.

I tried to do this (and correctly loaded the module this time, thanks again to Dustin Doris):

#attr_rewrite blank_password {
   attribute = User-Password
   searchin = packet
   searchfor = ""
   replacewith = User-Name
   ignore_case = yes
   new_attribute = no
   max_matches = 10
   append = no
#}

However, as I mentioned, that totally broke every other Auth-Request in addition to not validating the new NAS Auth-Request in question.

So my boolean would be, "IF an Auth-Request comes in (??"from a particular client"? or "from a particular shortname defined in clients.conf"? or would it be "with a blank password") THEN replace User-Password with (no colons, all lowercase) User-Name."

OR would I replace it with the User-Name as passed from the NAS and then operate on the password?

Thanks again for the assistance:

RWS
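As an added example (not from this thread, and not FreeRADIUS code), the Python below models the two rewrites discussed here: the colon-stripping of User-Name from Christian's attr_rewrite snippet, and the decision rule RWS asks about in the last post (only when the request comes from a particular NAS and the password is blank, copy the normalised User-Name into User-Password). It parses the rad_recv debug block quoted above as its sample input. NAS_SHORTNAMES, MAC_AUTH_NAS, parse_rad_recv, normalize_mac and rewrite_request are hypothetical names for this illustration, and the second NAS address is constructed.

```python
import re

# Constructed sample input: the rad_recv debug block quoted in the thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.35.0.30:1034, id=50, length=60
    Service-Type = Framed-User
    NAS-Port-Id = "wlan1"
    User-Name = "00:0A:E9:06:29:07"
    User-Password = ""
    NAS-IP-Address = 10.35.0.30
"""

# Hypothetical clients.conf-style lookup: NAS address -> shortname.
# 10.35.0.30 is the MikroTik from the thread; 10.35.0.40 is a constructed
# second NAS that already sends bare 12-digit MACs.
NAS_SHORTNAMES = {"10.35.0.30": "mikrotik-ap1", "10.35.0.40": "other-nas"}

# Only requests from these shortnames are rewritten (assumption: the
# decision is keyed on the NAS, not on "any request with a blank password",
# so other NASes' passwords are never overwritten).
MAC_AUTH_NAS = {"mikrotik-ap1"}

MAC_RE = re.compile(r"[0-9a-f]{12}")
# One "Attribute = value" debug line; value is either quoted or bare.
AVP_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(?:"([^"]*)"|(\S+))\s*$')


def parse_rad_recv(text):
    """Parse one rad_recv debug block into {attribute: value} (all strings)."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("rad_recv:"):
            continue  # header line carries host/id/length, not an AVP
        m = AVP_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return attrs


def normalize_mac(value):
    """Strip :, - and . separators and lowercase; None if not a 12-hex-digit MAC."""
    bare = re.sub(r"[:\-.]", "", value).lower()
    return bare if MAC_RE.fullmatch(bare) else None


def rewrite_request(attrs):
    """Return a copy of the request with the MAC-auth rewrite applied when,
    and only when, it comes from a NAS listed in MAC_AUTH_NAS."""
    out = dict(attrs)
    nas = NAS_SHORTNAMES.get(attrs.get("NAS-IP-Address", ""))
    if nas not in MAC_AUTH_NAS:
        return out  # untouched: rewriting these is what broke every other request
    mac = normalize_mac(attrs.get("User-Name", ""))
    if mac is None:
        return out  # not a MAC-shaped username; leave it to normal authentication
    out["User-Name"] = mac  # "00:0A:E9:06:29:07" -> "000ae9062907"
    if attrs.get("User-Password", "") == "":
        out["User-Password"] = mac  # AuthDB convention: password equals username
    return out


if __name__ == "__main__":
    request = parse_rad_recv(SAMPLE_DEBUG)
    print("before:", request)
    print("after: ", rewrite_request(request))
```

Running it prints the parsed request and then the rewritten one, with User-Name and User-Password both set to the bare lowercase MAC. Gating on the NAS identity is the point: a rule keyed only on "blank password" would also fire for unrelated clients, which is the failure RWS describes.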