Mikrotik, FreeRADIUS, MySQL, FreeSide

Hammy · July 2, 2010, 11:03pm

I’m going to write a fresh WIKI document once I get this worked out properly. The others are outdated and incomplete.

I have Mikrotik talking to FreeRADIUS and am trying to get the MySQL to work as well. Hopefully I’ll also include a FreeSide bit as well. I’d like to support different realms for different resellers of my service (or hotspot roaming). Basically, everything that I can setup, I’d like to get this setup arranged for and working so I can have a complete WIKI document. Please make note of any and all errors and how to fix them.

While trying to use RADIUS to authenticate a WinBox access, I get the following error:

rad_recv: Access-Request packet from host 10.1.255.249 port 55118, id=212, length=109
Service-Type = Login-User
User-Name = “mhammett”
CHAP-Challenge = 0x5b96c7683e0d2b42d3d14f510b07a44c
CHAP-Password = 0x0082b37892e3f28e75f1622cc73a46cf78
Calling-Station-Id = “xxx.xxx.xxx.xxx”
NAS-Identifier = “Hammett Farms”
NAS-IP-Address = 10.1.255.249
± entering group authorize {…}
++[preprocess] returns ok
[chap] Setting ‘Auth-Type := CHAP’
++[chap] returns ok
++[mschap] returns noop
[suffix] No ‘@’ in User-Name = “mhammett”, looking up realm NULL
[suffix] No such realm “NULL”
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} → mhammett
[sql] sql_set_user escaped user → ‘mhammett’
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = ‘%{SQL-User-Name}’ ORDER BY id → SELECT id, username, attribute, value, op FROM radcheck WHERE username = ‘mhammett’ ORDER BY id
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
[sql] expand: SELECT groupname FROM radusergroup WHERE username = ‘%{SQL-User-Name}’ ORDER BY priority → SELECT groupname FROM radusergroup WHERE username = ‘mhammett’ ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = ‘%{Sql-Group}’ ORDER BY id → SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = ‘full’ ORDER BY id
[sql] User found in group full
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = ‘%{Sql-Group}’ ORDER BY id → SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = ‘full’ ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No “known good” password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
± entering group CHAP {…}
[chap] login attempt by “mhammett” with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
± entering group REJECT {…}
[attr_filter.access_reject] expand: %{User-Name} → mhammett
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 212 to 10.1.255.249 port 55118
Finished request 3260.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.255.249 port 55118, id=212, length=109
Sending duplicate reply to client HammettAP port 55118 - ID: 212
Sending Access-Reject of id 212 to 10.1.255.249 port 55118
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.255.249 port 55118, id=212, length=109
Sending duplicate reply to client HammettAP port 55118 - ID: 212
Sending Access-Reject of id 212 to 10.1.255.249 port 55118
Waking up in 4.9 seconds.
Cleaning up request 3260 ID 212 with timestamp +79976
Ready to process requests.

Here is my MySQL data:

mysql> show tables;
±-----------------+
| Tables_in_radius |
±-----------------+
| radacct |
| radcheck |
| radgroupcheck |
| radgroupreply |
| radpostauth |
| radreply |
| radusergroup |
±-----------------+
7 rows in set (0.00 sec)

mysql> select * from radcheck;
±—±----------±-------------------±—±----------+
| id | username | attribute | op | value |
±—±----------±-------------------±—±----------+
| 1 | test-user | Cleartext-Password | == | test-pass |
±—±----------±-------------------±—±----------+
1 row in set (0.00 sec)

mysql> select * from radgroupcheck;
Empty set (0.00 sec)

mysql> select * from radgroupreply;
Empty set (0.00 sec)

mysql> select * from radpostauth;
Empty set (0.01 sec)

mysql> select * from radreply;
±—±----------±------------------±—±--------------+
| id | username | attribute | op | value |
±—±----------±------------------±—±--------------+
| 1 | test-user | Framed-IP-Address | = | 65.182.165.90 |
| 2 | mhammett | Mikrotik-Group | = | full |
±—±----------±------------------±—±--------------+
2 rows in set (0.00 sec)

mysql> select * from radusergroup;
±---------±----------±---------+
| username | groupname | priority |
±---------±----------±---------+
| mhammett | full | 1 |
±---------±----------±---------+
1 row in set (0.00 sec)

SurferTim · July 3, 2010, 10:10am

Have you checked you FreeRADIUS setup with radtest? From a shell on the radius server:
radtest user password 127.0.0.1 0 radiussecret

I use the attribute ‘User-Password’ in radcheck table.
You have no password entered for the user you are testing.

Hammy · July 3, 2010, 11:13am

In FreeRadius2, Cleartext-Password has replaced User-Password for cleartext passwords. I don’t know how to make a non-cleartext password.

Radtest confirmed that FreeRadius is properly setup with the test-User account I initially created.

SurferTim · July 3, 2010, 11:18am

Just goes to show how fast stuff changes! Did you try logging in with that user/password from the router? User-Password was clear text also.

Hammy · July 3, 2010, 11:33am

uh oh, apparently my mhammett user never had a password entered or I somehow deleted it.

I also changed the == to := in radcheck. My mhammett user now can Winbox in.

Stuff changing is kinda why I wanted to build a new WIKI page, after I determined the ones that were there were no longer good enough.

Hammy · July 3, 2010, 11:55am

Yeah, user-password I gather used to be cleartext, but they changed it. Not sure why or how to make a non- cleartext password.

adrianatkins · July 3, 2010, 11:17pm

I already have what you’re doing and more.

I call it VX.

Carry on though - you are on the Right Track for sure.

Hammy · July 3, 2010, 11:55pm

The nerve gas?

adrianatkins · July 4, 2010, 8:07am

Sure !

It killed almost all of my user control, billing, admin and preventative maintenence issues on first contact.

jowi007 · July 4, 2010, 10:50am

try
www.radcontrol.org
the best there is

Hammy · July 5, 2010, 10:19pm

It doesn’t appear I can set either local address, nor which PPP profile to use.

My intent was to have regular profiles for paying customers, then when someone doesn’t pay, they get a different IP address, and route differently to a splash page on my billing server.

Looking at a DSL Reports thread, someone just changes what IP pool the user pulls from. Since I haven’t done a disconnect page yet and therefore haven’t needed to know this… if I put them in a different IP pool, will it route differently?

or should I do something else entirely to send deadbeats to the billing system?

http://www.dslreports.com/forum/r21745458-FreeRadius-Help-Plz

adrianatkins · July 5, 2010, 10:20pm

Second best.

It’s Good, but i did better.

Try Virtual Operator support.

adrianatkins · July 5, 2010, 10:23pm

Jeez !

It already has Virtual Operator Support !

Looks very good.

adrianatkins · July 5, 2010, 10:25pm

Does it do tickets ?

(damn ! clutching at straws here !)