Mikrotik seems to ignore radius response

I have installed Mikrotik 2.9.10, installed as Hotspot gateway, to authenticate against Freeradius + Mysql.

When I run Freeradius in debug mode and use other clients (like NtRadping) against it, it authenticates well. I see the expected response.


But with Mikrotik 2.9.10, Freeradius sends the Access-Accept response to Mikrotik fine, but Mikrotik seems to ignore it and displays “Radius server is not responding”.

Did someone on the list experience this before?
Any idea what else I might try to solve this?

Thanks in advance

Does the RADIUS secret on the router match the one on the RADIUS server?

If he’s seeing an Access-Accept in the FreeRADIUS debug log, the secrets have to match.

I suppose it’s more a problem of perhaps firewalling the RADIUS replies in the input chain on the hotspot?

Best regards,
Christian Meis

If he is not using PAP authentication, then secrets are only checked on reply, so the server may accept the authentication even though it will not be accepted by the router.

Right, didn’t think of that…

Christian

Thanks all for helping to solve my problem.

I did read this in the RouterOS documentation in the “Radius client” section, but I do not understand very well what it means.

I quote :
< When RADIUS server is authenticating user with CHAP, MS-CHAPv1, MS-CHAPv2, it is not using shared secret, secret is used only in authentication reply, and router is verifying it. So if you have wrong shared secret, RADIUS server will accept request, but router won’t accept reply. You can see that with /radius monitor command, “bad-replies” number should increase whenever somebody tries to connect >

Please can someone explain a little better what it means ?

I am collecting my radius and mikrotik config to post to the list soon.
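The quoted documentation is easier to follow in code. Below is an added example (my own, not code from RouterOS, FreeRADIUS or anyone in this thread) that builds a CHAP Access-Request, the server's Access-Accept carrying Session-Timeout = 1000, and then the Response Authenticator check from RFC 2865 section 3 that the router performs on every reply. The shared secret "testing" is the one in the router's /radius export posted in this thread; the Request Authenticator, the CHAP-Password bytes and the mismatching server secret are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo values. The secret is the one in the router's /radius export in this
# thread; the Request Authenticator is fixed here, a real NAS draws it at random.
ROUTER_SECRET = b"testing"
REQUEST_AUTH = bytes(range(16))

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, CHAP_PASSWORD, SESSION_TIMEOUT = 1, 3, 27


def avp(attr_type, value):
    """Encode one attribute as type / length / value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def access_request(ident, username, chap_password):
    """The NAS -> server packet. With CHAP the shared secret is not used in it at all:
    the 16-byte authenticator field is just the random CHAP challenge."""
    attrs = avp(USER_NAME, username) + avp(CHAP_PASSWORD, chap_password)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + REQUEST_AUTH + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(request, session_timeout, server_secret):
    """The server -> NAS reply. This is the first place the secret matters: a server
    with a wrong secret still says Access-Accept, it just seals it with the wrong key."""
    ident, request_auth = request[1], request[4:20]
    attrs = avp(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, server_secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def router_accepts_reply(request, reply, router_secret):
    """The check the router does before trusting a reply. A failure is what RouterOS
    counts as a bad reply in /radius monitor, and the login is refused even though
    the server's debug log shows Access-Accept."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], router_secret)
    return hmac.compare_digest(reply[4:20], expected)


def simulate(server_secret):
    """One CHAP login attempt; returns (server sent Access-Accept, router accepted it)."""
    # Constructed CHAP-Password value (ident + 16-byte response); the server checks it
    # against the user's password, not against the shared secret.
    req = access_request(0, b"fredf", b"\x01" + b"\x00" * 16)
    reply = access_accept(req, 1000, server_secret)
    return reply[0] == ACCESS_ACCEPT, router_accepts_reply(req, reply, ROUTER_SECRET)


if __name__ == "__main__":
    print("matching secrets:", simulate(b"testing"))             # (True, True)
    print("wrong secret on server:", simulate(b"wrong-secret"))  # (True, False)
```

The second run is the situation the documentation describes: the server log looks perfectly healthy, the router silently discards the reply and retransmits the request, and the only visible symptoms are the bad-replies counter in /radius monitor and "Sending duplicate reply" lines on the server. A tampered attribute in an otherwise valid reply fails the same check, which is the other job the Response Authenticator does.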

Here is the relevant config of my mikrotik and my freeradius server.

=========-========================
ip hotspot settings - created with /ip hotspot setup

[admin@MikroTik] > /ip hotspot export
# jan/04/2006 18:12:48 by RouterOS 2.9.10
# software id = 0I3A-WPT
/ ip hotspot
add name="hs-ether2" interface=ether2 address-pool=hs-pool-2 profile=hsprof1 idle-timeout=5m keepalive-timeout=none addresses-per-mac=2 disabled=no
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set default name="default" hotspot-address=192.168.1.2 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=http-chap,http-pap split-user-domain=no use-radius=yes radius-accounting=yes radius-interim-update=received nas-port-type=ethernet
add name="hsprof1" hotspot-address=192.168.1.2 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=http-chap,http-pap split-user-domain=no use-radius=yes radius-accounting=yes radius-interim-update=received nas-port-type=ethernet
/ ip hotspot user
add name="pascal" password="pascal" profile=default comment="" disabled=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always advertise=no


mikrotik radius client settings

[admin@MikroTik] > /radius export
# jan/04/2006 18:13:58 by RouterOS 2.9.10
# software id = 0I3A-WPT
/ radius
add service=hotspot called-id="" domain="" address=192.168.1.3 secret="testing" authentication-port=1812 accounting-port=1813 timeout=1s accounting-backup=no realm="" comment="" disabled=no
/ radius incoming
set accept=no port=1700





FREERADIUS CONFIGURATIONS users in Mysql



mysql> select * from usergroup;
+----+------------+-----------+
| id | UserName   | GroupName |
+----+------------+-----------+
|  1 | fredf      | dynamic   |
|  2 | barney     | static    |
|  3 | dialrouter | netdial   |
+----+------------+-----------+
3 rows in set (0.02 sec)


mysql> select * from radcheck;
+----+----------+-----------------+----+-------+
| id | UserName | Attribute       | op | Value |
+----+----------+-----------------+----+-------+
|  3 | fredf    | Password        | == | wilma |
|  4 | fredf    | Max-All-Session | := | 1000  |
+----+----------+-----------------+----+-------+

mysql> select * from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | dynamic   | Auth-Type | := | Local |
|  2 | static    | Auth-Type | := | Local |
|  3 | netdial   | Auth-Type | := | Local |
+----+-----------+-----------+----+-------+
3 rows in set (0.02 sec)

Again thanks in advance.

In case this can help, here is the debug output of freeradius using Mikrotik.
As one can see, Freeradius sent out Session-Timeout in the Access-Accept and tried to resend it to the NAS:


Wed Jan 4 18:36:46 2006 : Debug: rad_check_password: Found Auth-Type Local
Wed Jan 4 18:36:46 2006 : Debug: auth: type Local
Wed Jan 4 18:36:46 2006 : Debug: auth: user supplied CHAP-Password matches local User-Password
Wed Jan 4 18:36:46 2006 : Debug: Processing the post-auth section of radiusd.conf
Wed Jan 4 18:36:46 2006 : Debug: modcall: entering group post-auth for request 0
Wed Jan 4 18:36:46 2006 : Debug: modsingle[post-auth]: calling sql (rlm_sql) for request 0
Wed Jan 4 18:36:46 2006 : Debug: rlm_sql (sql): Processing sql_postauth
Wed Jan 4 18:36:46 2006 : Debug: radius_xlat: 'fredf'
Wed Jan 4 18:36:46 2006 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'fredf'
Wed Jan 4 18:36:46 2006 : Debug: radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'fredf', 'Chap-Password', 'Access-Accept', NOW())'
Wed Jan 4 18:36:46 2006 : Debug: rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'fredf', 'Chap-Password', 'Access-Accept', NOW())
Wed Jan 4 18:36:46 2006 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Jan 4 18:36:46 2006 : Debug: rlm_sql (sql): Released sql socket id: 2
Wed Jan 4 18:36:46 2006 : Debug: modsingle[post-auth]: returned from sql (rlm_sql) for request 0
Wed Jan 4 18:36:46 2006 : Debug: modcall[post-auth]: module "sql" returns ok for request 0
Wed Jan 4 18:36:46 2006 : Debug: modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 0 to 192.168.1.2:1026
Session-Timeout = 1000
Wed Jan 4 18:36:46 2006 : Debug: Finished request 0
Wed Jan 4 18:36:46 2006 : Debug: Going to the next request
Wed Jan 4 18:36:46 2006 : Debug: --- Walking the entire request list ---
Wed Jan 4 18:36:46 2006 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1026, id=0, length=164
Wed Jan 4 18:36:47 2006 : Debug: Sending duplicate reply to client netgate-chillispot:1026 - ID: 0
Re-sending Access-Accept of id 0 to 192.168.1.2:1026
Wed Jan 4 18:36:47 2006 : Debug: --- Walking the entire request list ---
Wed Jan 4 18:36:47 2006 : Debug: Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1026, id=0, length=164
Wed Jan 4 18:36:48 2006 : Debug: Sending duplicate reply to client netgate-chillispot:1026 - ID: 0
Re-sending Access-Accept of id 0 to 192.168.1.2:1026
Wed Jan 4 18:36:48 2006 : Debug: --- Walking the entire request list ---
Wed Jan 4 18:36:48 2006 : Debug: Waking up in 4 seconds...
Wed Jan 4 18:36:52 2006 : Debug: --- Walking the entire request list ---
Wed Jan 4 18:36:52 2006 : Debug: Cleaning up request 0 ID 0 with timestamp 43bc07ae
Wed Jan 4 18:36:52 2006 : Debug: Nothing to do. Sleeping until we see a request.

This may sound silly, but you don’t perhaps have a firewall on the MT dropping the replies from the Radius server?

There’s no question the radius server gets the request and sends the response. Your MT just doesn’t get it. It almost certainly sounds like a connectivity / firewalling issue to me.

My radius problem was solved.

It seemed to be a link negotiation problem between the NIC in Mikrotik and the NIC in the Freeradius server (I connected them with a crossover cable).

But I would like to see on this list a sample of a CHAP radius users file.
What must be defined at the Mikrotik side and what must be defined at the radius side?
Right now, I am just using PAP and don’t really know how to set up CHAP.

Thank you in advance.

Simply enable CHAP in your authorize section in radius.conf? There are no special or additional attributes as such required. Just configure it properly. There is plenty of documentation in FreeRadius that describes how to achieve this.
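To show what the server side of CHAP actually needs from the users file or the radcheck table, here is an added example (my own, not FreeRADIUS's rlm_chap nor anything posted in this thread) of the CHAP computation on both sides of the Access-Request. The user fredf with cleartext password wilma is taken from the radcheck table posted earlier; the challenge and the CHAP identifier are constructed.

```python
import hashlib
import hmac

# Constructed demo values: user and cleartext password as in the radcheck table posted
# earlier in this thread; the challenge is made up (a real NAS picks it at random).
STORED_CLEARTEXT = {b"fredf": b"wilma"}
CHAP_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
CHAP_IDENT = 0x2A


def chap_response(ident, password, challenge):
    """RFC 1994: the client answers a challenge with MD5(ident || password || challenge).
    The hotspot's http-chap login page computes exactly this in the browser, so the
    cleartext password itself never crosses the wire."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attribute(ident, password, challenge):
    """Value of the CHAP-Password attribute (RFC 2865 5.3): 1 byte ident + 16 byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def server_verify_chap(username, chap_password, challenge):
    """What the RADIUS server does for Auth-Type CHAP. It needs the user's cleartext
    password to recompute the hash; the NAS shared secret plays no part here, which is
    why a wrong secret does not stop the server from answering Access-Accept."""
    if len(chap_password) != 17:
        return False
    stored = STORED_CLEARTEXT.get(username)
    if stored is None:
        return False
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(response, chap_response(ident, stored, challenge))


def login_attempt(username, typed_password):
    """Simulate one hotspot login: the client hashes what the user typed, the server
    recomputes the hash from its stored cleartext and compares."""
    attr = chap_password_attribute(CHAP_IDENT, typed_password, CHAP_CHALLENGE)
    return server_verify_chap(username, attr, CHAP_CHALLENGE)


if __name__ == "__main__":
    print(login_attempt(b"fredf", b"wilma"))  # True
    print(login_attempt(b"fredf", b"wrong"))  # False
```

The practical consequence for the users file or SQL table: the server must hold the password in the clear (the `Password == wilma` row in the radcheck table shown above; newer FreeRADIUS releases spell this `Cleartext-Password :=`). A user whose password is stored only as a crypt or MD5 hash cannot be authenticated with CHAP at all, because the server cannot recompute the response. On the router side, login-by=http-chap in the hotspot profile is what makes the login page send a CHAP-Password instead of a PAP User-Password.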

I have the same problem here, but I can’t find the solution.

Free Radius is receiving the request and sending the reply to Mikrotik, but Mikrotik is not accepting the reply. You can see the connection in the firewall connection monitor, but Mikrotik does not respond to this reply. I tried so many things… this is getting frustrating… I have no rules in the firewall, Mikrotik has a basic hotspot setup done in winbox using the setup button. The only way that I can log in is using the account that’s stored in Mikrotik.

This is a real pain…

I tried connecting the machines with a crossover cable, to a switch… and nothing… I have double checked the shared secret… they are ok… I have started from scratch many times over… I have updated the dictionary file for Mikrotik in radius manager… by the way it was written by our friend lastguru here… :smiley: Well… that is my guess…

Radius server is working fine… The only thing configured in the firewall is the masquerade for the hotspot… PLEASEEEE… HELLLPPP ME!!!

‘It doesn’t work’ posts won’t get you anywhere.

Post your radius configuration on the MT, post your hotspot configuration on the MT, post the debug output from your radius server…

Hi, I solved my problem… My Radius server is a Fedora Core 6 running freeradius+mysql and some php scripts.

If I try to use the freeradius server … you know… I run radiusd -x or radiusd and then from another computer connected to the network try to log in to the hotspot with an account that is stored in the radius server… The only way I could get it to work is to first log the radius server (open a web browser in the Fedora Core 6 server and log in) in to the Mikrotik hotspot with one of the internal accounts like the username: admin and password: somepassword.

and then… MAGIC!!! IT WORKS… :question: WELL… IT WORKED FOR ME :blush: