many problems with radius for hotspot

Hello,
I have a MikroTik RouterBoard RB2011UAS-RM, software version 5.22, with a hotspot configuration. For the users there is an external RADIUS server. When users try to authenticate themselves on the hotspot, the MikroTik router doesn't want to contact the external RADIUS server. I tried a lot of the configuration examples given on wiki.mikrotik.com, but it doesn't work.
If I start a tcpdump on the RADIUS server, I can't see any packets to port 1812 or 1813.
How can I persuade the router to query the external RADIUS server?

[admin@MikroTik] /ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS

NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT

0 hotspot1 ether2-Internat ip-pool-Internat hsprof1 5m
[admin@MikroTik] /ip hotspot> /radius
[admin@MikroTik] /radius> print
Flags: X - disabled

SERVICE CALLED-ID DOMAIN ADDRESS SECRET

0 ;;; AkoCafe (Radius Server)
login Aloisius01 172.16.1.2 aloiGeheimXX
hotspot
[admin@MikroTik] /radius> /ip firewall
[admin@MikroTik] /ip firewall> print
bad command name print (line 1 column 1)
[admin@MikroTik] /ip firewall>
[admin@MikroTik] /ip firewall> connection
[admin@MikroTik] /ip firewall connection> print
Flags: S - seen reply, A - assured

PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT

0 udp 192.168.99.254:45485 192.168.99.1:53 5s
1 udp 192.168.99.254:41703 192.168.99.1:53 0s
2 S udp 192.168.99.167:51709 192.168.0.1:53 0s
3 SA tcp 192.168.88.254:1052 192.168.88.1:22 established 4m59s
4 udp 192.168.99.254:47723 192.168.99.1:53 6s
5 igmp 0.0.0.0 224.0.0.1 9m45s
6 S udp 192.168.99.167:60520 192.168.0.1:53 8s
7 S udp 192.168.99.108:55177 192.168.100.1:53 6s
8 udp 192.168.99.254:37471 192.168.99.1:53 8s
9 udp 192.168.99.104:64492 192.168.100.1:53 8s
10 S udp 192.168.99.167:58663 192.168.0.1:53 0s
11 udp 192.168.99.254:47950 192.168.99.1:53 8s
12 udp 192.168.99.254:58810 192.168.99.1:53 6s
13 S udp 192.168.99.108:56402 192.168.100.1:53 7s
14 S udp 192.168.99.167:59503 192.168.0.1:53 7s
15 udp 192.168.99.167:56908 192.168.0.1:53 7s
16 udp 192.168.99.254:41457 192.168.99.1:53 6s
17 udp 192.168.99.254:35702 192.168.99.1:53 6s
18 udp 192.168.99.254:55638 192.168.99.1:53 0s
19 udp 192.168.99.254:45089 192.168.99.1:53 2s
20 udp 192.168.99.108:61992 192.168.100.1:53 8s
21 tcp 192.168.99.254:64874 192.168.99.251:50141 established 3h53m51s
22 udp 192.168.99.254:46987 192.168.99.1:53 1s
23 udp 192.168.99.254:36322 192.168.99.1:53 0s
24 udp 192.168.99.254:59961 192.168.99.1:53 5s
25 udp 192.168.99.254:51686 192.168.99.1:53 3s
26 udp 192.168.99.254:33277 192.168.99.1:53 3s
27 udp 192.168.99.254:33493 192.168.99.1:53 1s
28 udp 192.168.99.254:48412 192.168.99.1:53 4s
29 udp 192.168.99.254:37385 192.168.99.1:53 8s
30 udp 192.168.99.254:53032 192.168.99.1:53 9s
31 S udp 192.168.99.167:61406 192.168.0.1:53 0s
32 S udp 192.168.99.167:61731 192.168.0.1:53 0s
33 udp 192.168.99.254:55810 192.168.99.1:53 4s
34 S udp 192.168.99.167:57559 192.168.0.1:53 7s
35 tcp 192.168.99.254:64874 192.168.99.29:62489 established 8h45m29s
36 udp 192.168.99.254:39424 192.168.99.1:53 2s
37 udp 192.168.99.254:57604 192.168.99.1:53 4s
38 udp 192.168.99.254:49394 192.168.99.1:53 4s
39 tcp 192.168.99.254:64874 192.168.99.29:62629 established 9h14m13s
40 udp 192.168.99.254:43060 192.168.99.1:53 2s
41 udp 192.168.99.167:62204 192.168.0.1:53 9s
42 udp 192.168.99.254:59362 192.168.99.1:53 8s
43 udp 192.168.99.108:60050 192.168.100.1:53 9s
44 udp 192.168.99.254:50340 192.168.99.1:53 2s
[admin@MikroTik] /ip firewall connection>

There are no connections to the RADIUS server (172.16.1.2).

Greetings in hope of a little help.
Stephan, DER Ruebenmaster

[admin@MikroTik] /radius> print
Flags: X - disabled

SERVICE CALLED-ID DOMAIN ADDRESS SECRET

0 ;;; AkoCafe (Radius Server)
login Aloisius01 172.16.1.2 aloiGeheimXX
hotspot

Your setup is difficult to follow. Is this all that is in /radius? It appears you have a hotspot entry but nothing in any of the entries like address and secret. I see a login service set up OK, but not the hotspot. Post another /radius print. Ensure you include everything. If you do not have a hotspot service set up, then this should do it.

/radius
add service=hotspot address=172.16.1.2 secret=radiussecret timeout=2s

I changed the timeout to 2 seconds. If you use FreeRADIUS 2, it requires that due to a 1 second delay on Access-Reject.

Also enable radius auth in the hotspot.

/ip hotspot profile
set X use-radius=yes

Change X to the item number of the hotspot profile.

If that still doesn't work, enable verbose logging for radius.

/system logging
add topics=radius,debug action=memory

Then try a login and check the router log.

Hello SurferTim,
thanks for your help. But no chance for RADIUS.

The radius debug log shows the following packet being sent:

Signature = 0x…
Acct-Status=7
NAS-Identifier = “MikroTik”
Acct-Delay-Time = 0
NAS-IP-Address = 172-.16.1.1
sending 05:00 to 172.16.1.2:1813
sending Accounting request with Id 8 to 172.16.1.2:1813
reveived packet for 3f:37 with bad signature, dropping
timeout for 3f:37
(hotspot info): Frank (i’m) (192.168.99.13): login failed: RADIUS server is not responding
and so on…

ICMP between the RADIUS server and the MikroTik router is OK (about <1 ms). Maybe the MikroTik router thinks that it itself has the IP address of the RADIUS server. If I ping from the MikroTik router to the RADIUS server, there are positive answers on the MikroTik side. The RADIUS server (tcpdump) doesn't see any ICMP packets from the MikroTik router at that time!

I will try other options and scan network packets.

Many greetings from Germany (Kraichgau)
Stephan

What is the IP address of the radius server? Bad signature could indicate an incorrect secret. It appears you have logged in, because that is an accounting packet if I am not mistaken.

Are you certain the information you entered in the client section of the radius server is correct? What does the radius server log show?

Add: Do you store the passwords encrypted on your radius server?
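To make the "bad signature" diagnosis above concrete, here is an added example (written for this page; it is not code from the thread, from MikroTik or from FreeRADIUS) that builds an Accounting-Request carrying the same attributes the router's debug log shows, then runs the RFC 2866 Request Authenticator check the server performs and the RFC 2865 Response Authenticator check the router performs. The two secrets are the values as they appear in the posts, used only as sample input; the packet bytes, identifier 8 and the constructed messages are assumptions of this example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Packet codes and attribute types used here (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_NAS_IP_ADDRESS, ATTR_NAS_IDENTIFIER = 4, 32
ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_DELAY_TIME = 40, 41
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One attribute TLV: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(identifier: int, secret: bytes, attrs) -> bytes:
    """NAS side. RFC 2866: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the Request Authenticator with the secret from
    clients.conf. A different secret on either end fails here."""
    header, auth, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], HEADER_LEN)
    return header + hashlib.md5(header + request[4:HEADER_LEN] + secret).digest()


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS side: the check a router applies before it drops a reply 'with bad
    signature'. The identifier must match the outstanding request."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    header, auth, body = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    expected = hashlib.md5(header + request[4:HEADER_LEN] + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(packet: bytes):
    """Decode attribute TLVs, rejecting truncated or zero-length ones."""
    body, attrs, pos = packet[HEADER_LEN:], [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, body[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def describe(attrs) -> dict:
    """Render attributes the way the router's debug log prints them."""
    ints = {ATTR_ACCT_STATUS_TYPE: "Acct-Status-Type", ATTR_ACCT_DELAY_TIME: "Acct-Delay-Time"}
    out = {}
    for attr_type, value in attrs:
        if attr_type == ATTR_NAS_IP_ADDRESS:
            out["NAS-IP-Address"] = str(IPv4Address(value))
        elif attr_type == ATTR_NAS_IDENTIFIER:
            out["NAS-Identifier"] = value.decode("utf-8", "replace")
        elif attr_type in ints:  # 32-bit unsigned integers, network order
            out[ints[attr_type]] = struct.unpack("!I", value)[0]
    return out


# Constructed sample: the attributes the router's debug log shows it sending.
SAMPLE_ATTRS = [
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 7)),  # 7 = Accounting-On (RFC 2866)
    (ATTR_NAS_IDENTIFIER, b"MikroTik"),
    (ATTR_ACCT_DELAY_TIME, struct.pack("!I", 0)),
    (ATTR_NAS_IP_ADDRESS, IPv4Address("172.16.1.1").packed),
]
ROUTER_SECRET = b"aloiGeheimXX"  # secret shown in the router's /radius print
SERVER_SECRET = b"GeheimXX"      # secret shown in the server's clients.conf


def simulate(router_secret: bytes, server_secret: bytes) -> str:
    """One Accounting-Request round trip; report which side rejects it."""
    request = build_accounting_request(8, router_secret, SAMPLE_ATTRS)
    if not verify_accounting_request(request, server_secret):
        return "server: invalid request authenticator, dropping"
    response = build_accounting_response(request, server_secret)
    if not verify_response(request, response, router_secret):
        return "router: bad signature on response, dropping"
    return "accounting ok"


if __name__ == "__main__":
    print(describe(parse_attributes(build_accounting_request(8, ROUTER_SECRET, SAMPLE_ATTRS))))
    print("matching secrets:  ", simulate(SERVER_SECRET, SERVER_SECRET))
    print("mismatched secrets:", simulate(ROUTER_SECRET, SERVER_SECRET))
```

Two things worth noting when reading the output. A secret mismatch is caught by whichever side verifies first, so with `radiusd -X` running on the server the rejection shows up in the server's debug output before anything appears in the router log; the "bad signature" line on the router means a reply did arrive but was computed with a different secret. And a mismatch cannot explain a tcpdump that sees no packets on 1812/1813 at all: that is a reachability or firewall question, which is what the later replies about UDP 1812 and 1813 address. The MD5 authenticator is the legacy RFC 2865 construction; it is not a modern MAC, which is why current deployments add the HMAC-based Message-Authenticator attribute or carry RADIUS over TLS.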

Hello SurferTim,
there's no connection to the RADIUS server from the MikroTik router. The RADIUS server's IP: 172.16.1.2; the MikroTik has 172.16.1.1 in this network.

I think the passwords on the RADIUS server are encrypted, but I'm not sure. I'm not at home these days (till Wednesday); then I can take a look.

Greetings
Stephan

Have you used this RADIUS server before, or is this the first time?

Did you check the entry for that router in the RADIUS server clients.conf?
http://freeradius.org/radiusd/man/clients.conf.txt

It should look like this:

client myrouter1  {
   ipaddr       = 172.16.1.1
   secret       = radiussecret
   shortname  = myrouter01
   nastype     = other
}

Ensure the RADIUS server firewall allows ports 1812 and 1813 through, at least from 172.16.1.1.

Check the radius log. Are there any entries there about the attempted transaction?

If you want more specific help, you must be more specific about the RADIUS server O.S. and RADIUS version.

Hello SurferTim,
I will look tomorrow evening, because from the hotel I can't connect to the MikroTik or the RADIUS server.

The RADIUS server is old: Ubuntu 7 with FreeRADIUS, maybe version 1.

The firewall rules on the MikroTik I want to set. But whatever I configure, no chance.

The clients.conf is like you wrote. But tomorrow I will send you more information about it, sorry for the wait.

Tomorrow I will reset the MikroTik to defaults and configure it anew...

Greetings from the Pfalz! (very good wine)
Stephan

How about the firewall rules on the server? Do you have UDP ports 1812 and 1813 open for 172.16.1.1? That caused me a problem until I figured it out.

Add: I open TCP ports 1812 and 1813 also.

Hello SurferTim,
this evening I will set up the RouterBoard anew.

I visited the RADIUS server in a dark bar on the east side... :astonished:) , and this is its information:

root@radiusserver:/etc/freeradius# freeradius -v
freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Mar 30 2007 at 22:44:34
Copyright (C) 2000-2006 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
root@radiusserver:/etc/freeradius# cat clients.conf
client 127.0.0.1 {
shortname = localhost
secret = GeheimXX
}
client 172.16.1.1 {
shortname = AloisiusXX
secret = GeheimXX
}
root@radiusserver:/etc/freeradius#

root@radiusserver:~# uname -a
Linux radiusserver 2.6.20-15-server #2 SMP Sun Apr 15 07:41:34 UTC 2007 i686 GNU/Linux
root@radiusserver:~#


root@radiusserver:~# ping 172.16.1.1
PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data.
64 bytes from 172.16.1.1: icmp_seq=1 ttl=64 time=0.266 ms
64 bytes from 172.16.1.1: icmp_seq=2 ttl=64 time=0.306 ms
64 bytes from 172.16.1.1: icmp_seq=3 ttl=64 time=0.321 ms
64 bytes from 172.16.1.1: icmp_seq=4 ttl=64 time=0.321 ms
64 bytes from 172.16.1.1: icmp_seq=5 ttl=64 time=0.322 ms
64 bytes from 172.16.1.1: icmp_seq=6 ttl=64 time=0.316 ms

— 172.16.1.1 ping statistics —
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 0.266/0.308/0.322/0.028 ms
root@radiusserver:~# ping 172.16.1.3
PING 172.16.1.3 (172.16.1.3) 56(84) bytes of data.
64 bytes from 172.16.1.3: icmp_seq=1 ttl=64 time=0.236 ms
64 bytes from 172.16.1.3: icmp_seq=2 ttl=64 time=0.266 ms
64 bytes from 172.16.1.3: icmp_seq=3 ttl=64 time=0.257 ms
64 bytes from 172.16.1.3: icmp_seq=4 ttl=64 time=0.298 ms
64 bytes from 172.16.1.3: icmp_seq=5 ttl=64 time=0.310 ms
64 bytes from 172.16.1.3: icmp_seq=6 ttl=64 time=0.271 ms

— 172.16.1.3 ping statistics —
6 packets transmitted, 6 received, 0% packet loss, time 5002ms
rtt min/avg/max/mdev = 0.236/0.273/0.310/0.024 ms
root@radiusserver:~# ping 172.16.1.2
PING 172.16.1.2 (172.16.1.2) 56(84) bytes of data.
64 bytes from 172.16.1.2: icmp_seq=1 ttl=64 time=0.014 ms
64 bytes from 172.16.1.2: icmp_seq=2 ttl=64 time=0.023 ms
64 bytes from 172.16.1.2: icmp_seq=3 ttl=64 time=0.022 ms
64 bytes from 172.16.1.2: icmp_seq=4 ttl=64 time=0.023 ms
64 bytes from 172.16.1.2: icmp_seq=5 ttl=64 time=0.022 ms
64 bytes from 172.16.1.2: icmp_seq=6 ttl=64 time=0.020 ms

— 172.16.1.2 ping statistics —
6 packets transmitted, 6 received, 0% packet loss, time 5001ms
rtt min/avg/max/mdev = 0.014/0.020/0.023/0.006 ms
root@radiusserver:~# arp -a
? (172.16.1.1) at D4:CA:6D:8D:9C:D9 [ether] on eth3
? (172.16.1.3) at 00:50:56:94:77:DC [ether] on eth3
root@radiusserver:~#


D4:CA:6D:8D:9C:D9 is the RouterBoard; 00:50:56:94:77:DC is a virtual MikroTik router with a software license. Both MikroTik routers are on version 5.22.

I have allowed output to the RADIUS server on ports 1812-1813 in the firewall rules.

Today I want to write a script to reinstall the MikroTik router. In this script we can control every part of the hotspot configuration.

Internet ------ Firewall ------ mikrotik —hotspot-- Clients
:
:
:
Radius

The MikroTik is the gateway, hotspot, DNS server, NTP server and DHCP server for the clients, using 192.168.99.0/24; RouterBoard: 192.168.99.254
The network to the RADIUS server: 172.16.1.0/20 (RouterBoard: 172.16.1.1; RADIUS: 172.16.1.2; virtual MikroTik: 172.16.1.3)

The gateway for the RouterBoard will be 192.168.100.1, because there is a transfer net between the MikroTik and the firewall. The transfer net is 192.168.100.0/24 and the firewall is .1. The firewall is DNS server and NTP server for the MikroTik RouterBoard. Oops! The RouterBoard's IP address here is 192.168.100.245, because of the rules in the firewall: .245 is free to the internet and allowed to query DNS and NTP.

Now I must go troubleshooting another network problem. But in the evening I will begin my work on the RouterBoard.

Maybe I can get an SSH connection from outside to the RouterBoard later... Then professionals like you can take a look at it. (I will kiss the firewall admin... ;o)))) )

Greetings from a sunny day in Neckarbischofsheim
Stephan, the Ruebenmaster

Check your server's radius logs. If there are no entries, then it sounds like you have a firewall issue.

add: Run radiusd in debug mode on the server. That might help you find the problem.
radiusd -X

http://freeradius.org/radiusd/man/radiusd.html#lbAF

Hello SurferTim,
sorry, I had an accident and was ill in the meantime. Now I have connected the MikroTik RouterBoard to a DSL line.
Let's see how the situation will be this evening.

Greetings
Ruebenmaster

Hi all,
sorry, but I don't know. Again and again I test this RouterBoard. But no chance to reach the RADIUS server. Without the hotspot active, all is OK. The boss is angry and is buying another solution.
But, the good thing: the router is mine.

I will tell you about the new test tomorrow.

Greetings
Stephan