Dear Sir,
I want to make Mikrotik work with AD but I can't, even though I tried to follow the instructions from http://wiki.mikrotik.com/wiki/AAA_with_Active_Directory.
Maybe I'm not clear about the Radius server. So please help to verify as below:
On IAS Radius server:
Friendly Name: MikroTik
IP: 192.168.100.253 (IP of Hotspot gateways on Local interface of Mikrotik)
Client-Vendor: RADIUS Standard
Shared secret: xxxxxx
Authentication port=1812
Accounting port=1813
On Mikrotik Radius Client:
service=Hotspot,ppp
address=10.10.10.2 (ip address of AD server)
secret=xxxxxx
authentication_port=1812
accounting_port=1813
/ip ppp AAA
use_radius=yes
accounting=yes
/ip ppp pptp-server
enabled=yes
authentication=mschap1,mschap2
For NAT:
add chain=srcnat action=masquerade src-address=192.168.10.0/24
When I test with the tool ntradping, it always shows a reject message. So can this problem come from NAT or not? If yes, what should I do for NAT?
Please give me instructions for this...!
Thanks in advance
Smalltime
I would change this rule. Since the server is on a 10.10.10.x net, the radius client is masquerading as 10.10.10.1 (ip of that interface). If that ip is not in the client list for the radius server, it will reject.
For NAT:
add chain=srcnat action=masquerade src-address=192.168.10.0/24
I use
add chain=srcnat action=masquerade out-interface=ether1
BTW, the masquerade you have now is normally added when you choose “masquerade network? yes” in the hotspot setup. I always select “no”.
ADD: I just noticed something else. The ip address of the client is 192.168.100.253 in the radius server, but the masquerade shows 192.168.10.x net. ??
Dear Sir,
Thanks for your support, sorry for the masquerade mistake.
The NAT rule I set is: add chain=srcnat action=masquerade src-address=192.168.100.0/24
Now I seem to have a conflict with NAT, I hope you can verify for me again:
AD Server: IP: 10.10.10.2
Mikrotik: Ether1(public): 10.10.10.15
Ether2(local): 192.168.100.253
So what should I NAT? Can you show me again?
According to the rules above, do you think it is complete or not yet? What should we add?
Oh, when I use the username and password of AD to log on to the web hotspot, it always shows the message: Radius Server not responding. Why?
I hope you can help me!
Thanks,
smalltime
The radius server is probably not responding because the ip of the requesting device is not in the client list. That is as good as a reject.
I use this:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
If ether1 is not your WAN interface, change that to the appropriate interface.
Then remove the other masquerade rule.
Ensure the client ip in your radius server is the same as the ip in “/ip hotspot profile” under “hotspot-address”.
Dear Sir,
Now I have tried to test as per your instructions but it still does not work:
- the client IP in my radius server (IP: 10.10.10.2) is the same as the IP in "/ip hotspot profile (IP: 10.10.10.2)" under "hotspot-address"
- ether1 is the WAN interface, IP: 10.10.10.15, so it is in the same range as the AD server
for ether2, the local network range is 192.168.100.0/24 and it is the hotspot-address.
I want to note that range 192.168.100.0/24 can access range 10.10.10.0/24, but in the opposite direction range 10.10.10.0/24 can't access back. So do you think this can affect my problem now? If yes, how to solve it?
So according to the details above, is there still a mistake?
Please help me again.
Regards,
smalltime
The ips should be each other’s ip. The server should have the ip of the hotspot (192.168.100.x) in the client section. The router’s /radius section should have the ip of the server (10.10.10.2).
Get the radius server responding, then we will do the firewall to block access.
Dear sir,
That point is what I want, so can you show me how to block access with the firewall?
Could you show me how to configure it? Now I simply have no more ideas about it!
Please help me again...
Regards,
Phearak
This should drop any new connection from the 10.10.10.0/24 net to the 192.168.10.0/24 net. Your IAS server will be connection-state=established when responding to radius requests, so it won’t be dropped.
/ip firewall filter
add chain=forward src-address=10.10.10.0/24 dst-address=192.168.10.0/24 connection-state=new action=drop
Dear Sir,
I have tried again and again as per your instructions but it still does not work.
I set:
NAT:
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
Filter:
/ip firewall filter add chain=forward src-address=10.10.10.0/24 dst-address=192.168.10.0/24 connection-state=new action=drop
When I try to use an AD user to log on to the web hotspot it still shows the message: Radius Server not Responding
I want to make sure: on the IAS Radius server, should we input the IP of ether1 (WAN) or ether2 (LAN) of Mikrotik? But I tried both and it still does not work.
Do you think it needs a firewall rule to allow DNS of the AD server or not?
Do you think the problem can come from the AD server or not? But for IAS Radius I did as instructed at the link: http://wiki.mikrotik.com/wiki/AAA_with_Active_Directory.
I hope you can show me with your experience and get me past this.
Regards,
Phearak
Did you allow ports 1812 and 1813 through your IAS server firewall?
Can you ping the server from the router?
/ping 10.10.10.2
Oh, I have added firewall filter rules as below:
ip firewall filter add chain=forward protocol=udp dst-port=1812 action=accept dst-address=10.10.10.0/24
ip firewall filter add chain=forward protocol=udp dst-port=1813 action=accept dst-address=10.10.10.0/24
Note: the 10.10.10.0/24 net is the WAN range
Do you think these rules are correct or not?
From the router I can ping IP 10.10.10.2, but this IP can't ping back to net 192.168.100.24 (the local range).
How do I fix this problem?
Thanks in advance,
Phearak
Hi smalltime! I did not mean the firewall in the router. Have you set the firewall in your IAS SERVER to allow ports 1812 and 1813 access through the IAS SERVER FIREWALL?
ADD: You cannot ping anything in the 192.168.10.x net from 10.10.10.x net, even from the server. That is connection-state=new. Those are dropped by the firewall rule I gave you.
Dear sir,
Hooo... I just configured as instructed at the link: http://wiki.mikrotik.com/wiki/AAA_with_Active_Directory.
Does IAS have a rule to allow the ports like Mikrotik? How?
Please show me this step!
Regards,
smalltime

That is the radius setup for the IAS service. Those are the correct ports. But if you do not go to the firewall setup, and allow those ports access through the FIREWALL, the IAS server ports cannot be accessed from anything but local (internal, assigned in the server) addresses.
Oh, for the Windows firewall, I turned it off already, so I think it can't block these ports.
Now I tested turning on the firewall and making an exception for ports 1812 and 1813, but it still can't.
So do you think we should add more rules on our router or not?
Regards,
smalltime
I did not want you to add the firewall rule you have now until you got the IAS server working. I use an external radius server also, and it does not require any special rules in the router firewall.
Do you have the radius logging enabled?
/system logging
add topics=radius action=memory
Then try a login and check the log.
Yep, I enabled it already. Please check the attached file for the error message.
Regards,
smalltime

According to your log, the IAS server never responded. If you can ping it from the router, that means it is usually something in the IAS server firewall. Most default firewall setups allow a ping, but drop a radius request. You must enter the exception in the firewall to allow access on those ports.
Check the IAS server logs. See if there is something there that would indicate why it would not respond.
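As an added example (not from this thread, MikroTik or Microsoft): a small standard-library Python probe that sends a PAP Access-Request to UDP/1812 the way ntradping does, and tells a silent server (the "not responding" case, typically the NAS IP missing from the IAS client list or the port filtered) apart from a shared-secret mismatch (invalid Response Authenticator) and a genuine Accept/Reject. The user name, password, NAS IP and secret are placeholders; build_response exists only to simulate the server side offline.

```python
import hashlib
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes (RFC 2865)

def hide_password(password, secret, authenticator):
    # PAP User-Password hiding (RFC 2865 5.2): XOR 16-byte chunks with an MD5 key stream.
    padded = password.encode() + b"\0" * (-len(password.encode()) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def attribute(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, secret, user, password, nas_ip, authenticator=None):
    # Access-Request: code, id, length, 16-byte random authenticator, then attributes.
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(1, user.encode())                                     # User-Name
             + attribute(2, hide_password(password, secret, authenticator))  # User-Password
             + attribute(4, socket.inet_aton(nas_ip)))                       # NAS-IP-Address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    # Server side (only to simulate IAS offline): ResponseAuth = MD5(header|ReqAuth|attrs|secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def check_response(reply, request_authenticator, secret):
    # Returns (code, authenticator_valid); an invalid authenticator means the shared secrets differ.
    code, _, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return code, reply[4:20] == expected

def probe(server, secret, user, password, nas_ip, timeout=3.0):
    # "timeout" means IAS never answered (NAS IP not in its client list, or UDP/1812 filtered).
    req = build_access_request(1, secret, user, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except (socket.timeout, ConnectionRefusedError):  # no answer, or ICMP port unreachable
            return "timeout"
    code, valid = check_response(reply, req[4:20], secret)
    return "bad-secret" if not valid else {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")
```

Run it from a host that the IAS server already lists as a RADIUS client, e.g. probe("10.10.10.2", b"xxxxxx", "user", "pass", "192.168.100.253"); a "timeout" with the router able to ping the server points at the client list or the server firewall, as discussed above.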
Dear Sir,
I hope the problem is at this point also, because the Router (IP: 192.168.100.x) can ping the IAS AD (IP: 10.10.10.2), but the AD server can't access the router back. At this point I don't know whether the problem is from the router or the IAS server.
One more thing:
- On IAS I have turned off the firewall already, so why does IAS still not respond to the router's request?
- On the router I allowed the port and ICMP and disabled the rule that you gave me, but it still can't access from IAS to the router
ip firewall filter add chain=forwarding dst-address=10.10.10.0/24 protocol=icmp action=accept
ip firewall filter add chain=forwarding dst-address=10.10.10.0/24 protocol=udp port=1812 action=accept
ip firewall filter add chain=forwarding dst-address=10.10.10.0/24 protocol=icmp port=1812 action=accept
So do you think these rules are correct or not? Or should we add more rules to allow access?
Regards,
Phearak
Can you post “/ip firewall filter”? It would probably be an input chain that would block this request, not a forward chain.
ADD: And there is no “chain=forwarding” by default. You would need to jump from an existing chain to use that. The default is “chain=forward”.