MAC-based radius auth

I want to use a centralized freeradius server to authenticate LAN connected computers on my 750UP based on MAC address. My freeradius server is running and reachable. I have tried to create a radius service like:

[admin@MikroTik] > /radius print 
Flags: X - disabled 
 #   SERVICE     CALLED-ID     DOMAIN     ADDRESS          SECRET
 0   ppp                                  10.30.10.5       whatever
[admin@MikroTik] > ping 10.30.10.5
  SEQ HOST                                     SIZE TTL TIME  STATUS                            
    0 10.30.10.5                                 56  63 1ms  
    1 10.30.10.5                                 56  63 0ms  
    sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=1ms

Do I need to create a ppp > PPPoE service as well? I have tried to enable ppp like:

[admin@MikroTik] > /ppp aaa set use-radius=yes
[admin@MikroTik] > /ppp aaa print 
                     use-radius: yes
                     accounting: yes
  use-circuit-id-in-nas-port-id: no
                 interim-update: 0s

My client (laptop) doesn’t seem to be showing up in the queue or being rate-limited per the daloRADIUS profile. What am I doing wrong?

It depends on how the LAN-connected computers are attached - if they are using PPPoE clients you would already have a PPPoE server configured on the Mikrotik, and these authenticate with username/password.

With regular IP-over-ethernet a common method is to use 802.1X https://help.mikrotik.com/docs/display/ROS/Dot1X to control network access by MAC or an EAP method utilising a username/password or certificate(s). It isn’t clear if port access supports bandwidth control, it may require DHCP to also use RADIUS https://help.mikrotik.com/docs/display/ROS/DHCP#DHCP-RADIUSSupport

I don’t want customer router WANs to need PPPoE config, just a straight DHCP broadcast/lease with a traffic profile from a RADIUS at the network core relayed back through the Mikrotik. Here’s my setup:

The radius server is reachable from the Mikrotik.

You have nowhere where ethernet traffic is blocked until authorised. At most you can control IP address assignment to the customer router by configuring the DHCP server on the Mikrotik to use RADIUS; the Access-Accept can configure a simple queue in addition to the IP address handed to the customer.

Is it best practice to have the DHCP server pre-authorize with the remote Radius server before allowing the client to connect and give a lease? I guess the radius profile 10M/2M (or whatever) would then push this policy to the MT and it would enforce the rate-limit?

The DHCP server receives a DHCP request from the customer device, issues a RADIUS request based on the DHCP request and will offer a DHCP lease if a RADIUS Access-Accept is received - there is no caching.

I’m not sure how the Mikrotik handles DHCP renews if you change the rate limits, and I recall that there were (maybe still are) issues with DHCP RADIUS accounting.

Regardless of using Mikrotik or anything else, you can’t revoke a DHCP-issued address until it has completely expired, unlike a PPPoE connection which can be killed at any point, and you have no control over any traffic between clients on the same tower. Big ISPs using DHCP often use a lease time of a few minutes, with caching DHCP proxies to handle the renew traffic locally, and option 82 injection at the edge so the client can be identified independently of the MAC address on their router.

I also recall there is a Juniper white paper discussing PPPoE and IPoE in broadband networks; although it is mainly aimed at DSL / FTTx networks, it has some applicability to fixed wireless too, so it might be worth searching for.
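As an added illustration of the DHCP-with-RADIUS flow described in the replies above (not configuration from the original thread), here is what the router side and the FreeRADIUS side look like when the DHCP server, rather than a "ppp" service, is the RADIUS client. The DHCP server name, the client MAC, the assigned address and the rates are assumed values; the RADIUS address and secret are the ones from the question. The MAC format the router sends as User-Name should be confirmed in `radiusd -X` output before relying on it.

```text
# --- RouterOS side (constructed example) ---
# The RADIUS entry must carry service=dhcp; a "ppp" entry is never consulted
# for plain DHCP clients.
/radius add service=dhcp address=10.30.10.5 secret=whatever
# Make the DHCP server ask RADIUS before offering a lease.
# use-radius=yes means auth and accounting; "accounting" would be accounting only.
# "dhcp-lan" is an assumed DHCP server name.
/ip dhcp-server set [find name=dhcp-lan] use-radius=yes

# --- FreeRADIUS side: entry in the users file (constructed example) ---
# The router sends the client MAC as User-Name; this entry keys on it.
# With daloRADIUS the same reply attributes go into its reply tables instead.
# Mikrotik-Rate-Limit is "rx/tx" as seen by the router, i.e. customer
# upload/download: 2M up, 10M down. RouterOS builds a dynamic simple
# queue from it when the lease is handed out.
00:11:22:33:44:55   Auth-Type := Accept
        Framed-IP-Address = 10.30.20.10,
        Mikrotik-Rate-Limit = "2M/10M"

# Any MAC not listed above is rejected, so the router offers it no lease.
DEFAULT   Auth-Type := Reject
```

Because the lease is only withheld, not the ethernet port, an unknown device still reaches the segment at layer 2; this only controls address assignment and the queue, as the reply above states.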