PPtP server talking to OSX FreeRadius for Authentication - I think I'm not passing the correct group/attribute

Hi there, I’m pulling my hair out trying to solve an issue while setting up my MikroTik 1100 as a PPtP VPN server.

It appears to work perfectly when I set it up using secrets (aka users) defined in “/ppp secret” but if I try to use our OSX OpenDirectory server (running FreeRadius) it authenticates the user OK but then immediately disconnects them.

I think I must be getting tripped up by user groups - which, while frustrating at present, is probably really a good thing as I want to be able to put particular users in a group in OpenDirectory to grant them VPN access without just giving it to everyone.

I’ve set up the following on the 1100:

  • A separate local address
  • A pool of remote addresses for users outside the regular DHCP pool
  • A “PPTP Server Binding” (although I don’t really understand why I need this step)
  • Firewall rules to accept PPtP requests
  • A PPP profile that uses the addresses and encryption
  • Enabled the PPtP server and selected the correct profile

I think that this config is largely correct as it works when I add a ppp user and test that way.

I believe that my problem lies in the Radius Server config not telling the MikroTik what it wants to hear.

I’ve done the following in OpenDirectory / FreeRadius:

  • Enabled Radius via the ‘radiusconfig -start’ command
  • Via the ‘radiusconfig -addclient <1100 address> router other’ command, added the appropriate NAS and shared secret (and can see the Radius auth requests seemingly working on the server when the 1100 makes them)
  • Confirmed that the ‘test’ user in OpenDirectory is valid by running:

radtest -x test 127.0.0.1 0

  • Added the MikroTik dictionary to radius

The MikroTik log shows my test connection authenticating, then immediately disconnecting:

TCP connection established from
test logged in, 192.198.0.97
: authenticated
: terminating…
test logged out, 1 0 0 0 0
: disconnected

I imagine I need a config stanza someplace in Radius that says something to the effect of: “Any auth request for a user in the locally defined group “VPN Users” should receive extra MikroTik parameter/attribute: ‘ThisUserCanUsePPP’, in addition to the auth accept”

I have no idea what parameter I need to set, nor how to set this for particular users. Does anyone know how I can get this working?

Many thanks in advance!


My config on the 1100

/radius
    add accounting-backup=yes accounting-port=1813 address=192.168.0.10 \
    authentication-port=1812 called-id="" disabled=no domain="" realm=\
    "" secret=<NAS secret> service=ppp timeout=300ms

/ip pool
    add name=Intranet ranges=192.168.0.100-192.168.0.199
    add name=VPN ranges=192.168.0.51-192.168.0.99

/interface pptp-server
    add disabled=no name="PPTP VPN" user=""
/interface pptp-server server
    set authentication=chap,mschap1,mschap2 default-profile=default-encryption enabled=\
    no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled

/ppp profile
    set 1 local-address=192.168.0.50 remote-address=VPN
/ppp aaa
    set use-radius=yes

/ip firewall filter
    add chain=input comment="PPP requests" dst-port=1723 protocol=tcp
    add chain=input protocol=gre
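An added example of the kind of group-conditional stanza the post describes, written for FreeRADIUS's `users` file (this is not from the poster or from any reply). It assumes the `unix` module can resolve the OpenDirectory group "VPN Users" through the system group database, and that the imported MikroTik dictionary defines `Mikrotik-Group`; the profile name `default-encryption` is taken from the poster's own config.

```text
# Entries are tried top to bottom; the first match that sets
# Fall-Through = No ends the search.

# Members of the OpenDirectory group "VPN Users" get an Access-Accept
# carrying the attributes a PPP (PPTP) session on the 1100 expects.
# "Group" is resolved by rlm_unix via the system group database
# (assumption: OpenDirectory groups are visible there on OS X Server).
DEFAULT Group == "VPN Users"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Mikrotik-Group = "default-encryption",
        Fall-Through = No

# Everyone else is rejected, so a valid directory password on its own
# does not grant VPN access.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of VPN Users"
```

Running `radiusd -X` during a connection attempt shows which entry matched and exactly which attributes went back in the Access-Accept, which is the quickest way to confirm the router is receiving what it expects.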