Multiple hotspots question

Hi All,
We’ve got a RB493 with an existing hotspot configured to use “usermanager” for authentication (currently used for visitors).
Is it possible to add another hotspot to a different interface BUT doing a Radius check to a Windows 2003 radius server?
Steps taken so far (that don’t work for the remote radius):

  • ip hotspot setup for ether2
    radius add service=hotspot address=127.0.0.1 secret=****
    ip hotspot profile set hsprof1 use-radius=yes
    tool user-manager customer add login=hotspot password=**** permissions=owner
    tool user-manager router add subscriber=hotspot ip-address=127.0.0.1 shared-secret= ****
    (all ok up to this point & can log onto http://public IP/usermanager)

Additions:

  • ip hotspot setup for ether4
    radius add service=hotspot1 address=192.168.61.2 secret=****
    ip hotspot profile set hsprof2 use-radius=yes
    Added 192.168.1.1 (IP attached to ether4) as allowed to talk to radius server

The hotspot has been running successfully for visitors but the boss wants the internal users to now authenticate against the RB493 & AD.
Any suggestions where I’m going wrong?
Cheers
Steve

IP address 127.0.0.1 WON’T work as it’s a loopback IP and works ONLY if you use Hotspot and Radius in a single router. You have to add the Windows 2003 Radius IP in the Mikrotik router and vice versa.

Two hotspots with separate radius servers is what you want?

On each hotspot, set the “radius-default-domain” in each /ip hotspot profile.

/ip hotspot profile
set X radius-default-domain=test1
set Y radius-default-domain=test2

Change X and Y to the correct line numbers for the profiles. Then:

/radius
add service=hotspot domain=test1 address=xxx.xxx.xxx.xxx secret=radiussecret1
add service=hotspot domain=test2 address=yyy.yyy.yyy.yyy secret=radiussecret2

Thanks guys,
I shall hopefully clarify: the first setup worked and did what we wanted for visitors, i.e. a hotspot that we could easily add/delete users, web interface & was easy for users to use etc.
Then because it was easy to use the boss wants the student radios to go through the same (currently they connect via a RoamAD gateway & have proxies etc to configure which can be confusing for some of the techs let alone the customers!)
So basically we want to keep the ease of the Hotspot/Usermanager and add a second that calls to the Windows radius & checks AD for the students (currently have VPN connections doing this).
Currently I’m not at work so don’t have access to the test network but I will try the suggestions. Just one query: is it possible to set up the usermanager to go to the ether2 interface IP (all the docs I’ve read say use the loopback)?
Cheers
Steve

If usermanager is on that RB493, then I think the 127.0.0.1 address should work for the radius IP. I have not used it. I use all remote radius servers.

Yip, usermanager is indeed on the RB493. As it is 11pm here I shall post tomorrow once I’ve tried your suggestions :smiley:

Yeah, that is what I am telling. If it is on the same board, it will work.

Ok, after a week from hell with our phone systems I’ve been able to get back to this. I can get eth4 with remote radius server OR I can get eth2 with local radius & usermanager working but not both together..
Current config (which only has eth4 with remote radius server working) :
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
    http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
    name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
    use-radius=no
add dns-name=hotspot02.eit.campus hotspot-address=192.168.54.1 \
    html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 \
    login-by=cookie,http-chap name=hsprof1 nas-port-type=wireless-802.11 \
    radius-accounting=yes radius-default-domain=eit.conference \
    radius-interim-update=received radius-location-id="" \
    radius-location-name="" rate-limit="" smtp-server=0.0.0.0 \
    split-user-domain=no use-radius=yes
add dns-name=hotspot01.eit.student hotspot-address=192.168.61.1 \
    html-directory=hotspot http-proxy=0.0.0.0:0 login-by=http-chap \
    name=hsprof2 nas-port-type=wireless-802.11 radius-accounting=yes \
    radius-default-domain=eit.student radius-interim-update=received \
    radius-location-id="" radius-location-name="" rate-limit="" \
    smtp-server=0.0.0.0 split-user-domain=no use-radius=yes

/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default \
    shared-users=1 status-autorefresh=1m transparent-proxy=no

/ip hotspot
add address-pool=dhcp_pool1 addresses-per-mac=2 disabled=no idle-timeout=5m \
    interface=ether2 keepalive-timeout=none name=hotspot1 profile=hsprof1
add address-pool=dhcp_pool2 addresses-per-mac=2 disabled=no idle-timeout=5m \
    interface=ether4 keepalive-timeout=none name=hotspot2 profile=hsprof2

/ip address
add address=xxx.xxx.xxx.xx/28 broadcast=xxx.xxx.xxx.xxx comment="" disabled=no \
    interface=ether1 network=xxx.xxx.xxx.xxx
add address=192.168.54.1/24 broadcast=192.168.54.255 comment="" disabled=no \
    interface=ether2 network=192.168.54.0
add address=10.0.0.155/8 broadcast=10.255.255.255 comment="" disabled=no \
    interface=ether3 network=10.0.0.0
add address=192.168.61.1/24 broadcast=192.168.61.255 comment="" disabled=no \
    interface=ether4 network=192.168.61.0

/radius
add accounting-backup=no accounting-port=1813 address=192.168.54.1 authentication-port=1812 called-id="" comment="" \
    disabled=no domain=eit.conference realm="" secret="Usermanager password" service=hotspot timeout=300ms
add accounting-backup=no accounting-port=1813 address=10.0.1.86 authentication-port=1812 called-id="" comment="" \
    disabled=no domain=eit.student realm="" secret="IAS password" service=ppp,hotspot timeout=300ms
add accounting-backup=no accounting-port=1813 address=192.168.54.1 authentication-port=1812 called-id="" comment="" \
    disabled=no domain=eit.conference realm="" secret="Usermanager password" service=hotspot timeout=300ms
add accounting-backup=no accounting-port=1813 address=192.168.61.1 authentication-port=1812 called-id="" comment="" \
    disabled=no domain=eit.student realm="" secret="IAS password" service=hotspot timeout=300ms
add accounting-backup=no accounting-port=1813 address=192.168.61.1 authentication-port=1812 called-id="" comment="" \
    disabled=no domain=eit.student realm="" secret="IAS password" service=hotspot timeout=300ms
add accounting-backup=no accounting-port=1813 address=192.168.54.1 authentication-port=1812 called-id="" comment="" \
    disabled=no domain=eit.conference realm="" secret="Usermanager password" service=hotspot timeout=300ms
add accounting-backup=no accounting-port=1813 address=192.168.54.1 authentication-port=1812 called-id="" comment="" \
    disabled=no domain=eit.conference realm="" secret="Usermanager password" service=hotspot timeout=300ms
add accounting-backup=no accounting-port=1813 address=192.168.61.1 authentication-port=1812 called-id="" comment="" \
    disabled=no domain=eit.student realm="" secret="IAS password" service=hotspot timeout=300ms

/tool user-manager customer
add comment="" disabled=no login=hotspot parent=hotspot password="Hotspot password" paypal-accept-pending=no \
    paypal-allowed=no paypal-secure-response=no permissions=owner signup-allowed=no subscriber=hotspot \
    time-zone=+00:00
/tool user-manager router
add comment="" disabled=no ip-address=192.168.54.1 log=auth-ok,auth-fail,acct-fail name=router1 \
    shared-secret="Usermanager password" subscriber=hotspot
/tool user-manager user
add comment="" disabled=no name=ttpkm password=fmd2e subscriber=hotspot

NOTE: I’ve tried the “tool user-manager router ip-address=” to both 127.0.0.1 & 192.168.54.1 with its corresponding radius entry changed as well

I think you are probably using one radius server or the other by the looks of your setup. Correct?

/ip hotspot profile
set hsprof1 radius-default-domain=domain1
set hsprof2 radius-default-domain=domain2

/radius
add service=hotspot domain=domain1 address=xxx.xxx.xxx.xxx secret=radiussecret1
add service=hotspot domain=domain2 address=yyy.yyy.yyy.yyy secret=radiussecret2

Sort of…
hsprof1 should be talking to the local Radius i.e. Usermanager -I’ve tried this on 127.0.0.1 & 192.168.54.1 (the IP of eth2) and both work only if radius for hsprof2 is disabled.
hsprof2 is talking to a remote IAS Radius server (10.0.1.86). Enabling this seems to break usermanager functionality.
Does this make sense?

Yes. Perfect sense.
The code above takes care of that.
Set the ip for the first radius entry to 127.0.0.1
Set the ip for the second entry to 10.0.1.86

Each hotspot will then deal only with that radius server.
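
An added example, not part of the original thread and not MikroTik code: a small Python audit that reads a RouterOS export and reports, for each RADIUS-enabled hotspot profile, whether its radius-default-domain resolves to exactly one enabled /radius entry. It assumes entries are matched by service and domain as described above; the sample export is constructed from the thread's values with placeholder secrets, and hsprof3 is invented to show the missing-server case.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's export; secrets are placeholders
# and hsprof3/eit.staff is invented to show a profile with no matching server.
SAMPLE = '''\
/ip hotspot profile
add name=hsprof1 radius-default-domain=eit.conference use-radius=yes
add name=hsprof2 radius-default-domain=eit.student use-radius=yes
add name=hsprof3 radius-default-domain=eit.staff use-radius=yes
/radius
add address=192.168.54.1 disabled=no domain=eit.conference secret="PLACEHOLDER" service=hotspot
add address=10.0.1.86 disabled=no domain=eit.student secret="PLACEHOLDER" service=ppp,hotspot
add address=192.168.61.1 disabled=no domain=eit.student secret="PLACEHOLDER" service=hotspot
add address=192.168.54.1 disabled=yes domain=eit.conference secret="PLACEHOLDER" service=hotspot
'''

PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S*)')

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the 'add' lines of an export."""
    menus, path = defaultdict(list), None
    text = re.sub(r'\\\n\s*', '', text)  # join backslash line continuations
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            path = line
        elif line.startswith('add ') and path:
            menus[path].append({k: v.strip('"') for k, v in PAIR.findall(line)})
    return menus

def audit(text):
    """List (profile, finding, addresses) for profiles without exactly one server."""
    menus = parse_export(text)
    servers = defaultdict(list)
    for r in menus['/radius']:
        if r.get('disabled') != 'yes' and 'hotspot' in r.get('service', '').split(','):
            servers[r.get('domain', '')].append(r['address'])
    findings = []
    for p in menus['/ip hotspot profile']:
        if p.get('use-radius') != 'yes':
            continue
        addrs = servers.get(p.get('radius-default-domain', ''), [])
        if not addrs:
            findings.append((p['name'], 'no-server', []))
        elif len(addrs) > 1:
            findings.append((p['name'], 'multiple-servers', addrs))
    return findings
```

Run against a real `/export`, an empty result means every RADIUS-enabled profile maps to one enabled server; leftover duplicate entries like those in the config posted earlier show up as `multiple-servers`.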

Thanks for the clarification,
Just in the process of re-doing that (after disabling all the radius entries I didn’t notice till posting the conf!) :smiley:

Yay! All working,
Thanks for the help SurferTim & ashish, after reimaging the RB493 and adding your snippets of info I can now run both remote Active Directory authentication & local Usermanager authentication on different interfaces. I also used http://wiki.mikrotik.com/wiki/AAA_with_Active_Directory which I discovered after the original post (didn’t appear in a search for Radius)
Happy to post my config if anyone wants to see :slight_smile:
Note: I had to reimage via netinstall as I found a setup r or a system reset-configuration would not remove the Radius or Hotspot confs