PROBLEM WITH DHCPV6+RADIUS

Volkk · February 18, 2022, 3:16pm

I am trying to implement an access network by DHCPV6 + RADIUS but I find that when trying to authenticate the connection instead of using the MAC of the device it uses something similar to the DUID that I do not understand how it generates it and it changes between connection and disconnection by what I can not set parameters in radius.

According to mikrotik it should work as follows

INSERT INTO radcheck (username, attribute, op, value) VALUES
(‘000c4200d464’, ‘Authentication Type’, ‘:=’, ‘OK’),

INSERT INTO radreply (username, attribute, op, value) VALUES
(‘000c4200d464’, ‘IPv6-prefix-delegate’, ‘=’, ‘fdb4:4de7:a3f8:418c::/66’),
(‘000c4200d464’, ‘Mikrotik-Rate-Limit’, ‘=’, ‘10M’);

I try to authenticate a machine with the mac 74:B5:7E:92:CF:10 (74b57e92cf10) and I get the following output in radius -X output

(46) Received Access-Request Id 78 from 192.168.80.35:54598 to 192.168.80.33:1812 length 117
(46) NAS-Port-Type = Ethernet
(46) NAS-Port = 2211448098
(46) Service-Type = Framed-User
(46) Calling-Station-Id = “1579a1fa74b5”
(46) User-Name = “15:79:A1:FA:74:B5”
(46) Called-Station-Id = “TESTDHCPV6”
(46) User-Password = “”
(46) NAS-Identifier = “NAS TWO7”
(46) NAS-IP-Address = 192.168.80.35
(46) # Executing section authorize from file /etc/raddb/sites-enabled/default
(46) authorize {
(46) policy filter_username {
(46) if (&User-Name) {
(46) if (&User-Name) → TRUE
(46) if (&User-Name) {
(46) if (&User-Name =~ / /) {
(46) if (&User-Name =~ / /) → FALSE
(46) if (&User-Name =~ /@[^@]@/ ) {
(46) if (&User-Name =~ /@[^@]@/ ) → FALSE
(46) if (&User-Name =~ /../ ) {
(46) if (&User-Name =~ /../ ) → FALSE
(46) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(46) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) → FALSE
(46) if (&User-Name =~ /.$/) {
(46) if (&User-Name =~ /.$/) → FALSE
(46) if (&User-Name =~ /@./) {
(46) if (&User-Name =~ /@./) → FALSE
(46) } # if (&User-Name) = notfound
(46) } # policy filter_username = notfound
(46) [preprocess] = ok
(46) [chap] = noop
(46) [mschap] = noop
(46) [digest] = noop
(46) suffix: Checking for suffix after “@”
(46) suffix: No ‘@’ in User-Name = “15:79:A1:FA:74:B5”, looking up realm NULL
(46) suffix: No such realm “NULL”
(46) [suffix] = noop
(46) eap: No EAP-Message, not doing EAP
(46) [eap] = noop
(46) [files] = noop
(46) sql: EXPAND %{User-Name}
(46) sql: → 15:79:A1:FA:74:B5
(46) sql: SQL-User-Name set to ‘15:79:A1:FA:74:B5’
rlm_sql (sql): Reserved connection (0)
(46) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = ‘%{SQL-User-Name}’ ORDER BY id
(46) sql: → SELECT id, username, attribute, value, op FROM radcheck WHERE username = ‘15:79:A1:FA:74:B5’ ORDER BY id
(46) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = ‘15:79:A1:FA:74:B5’ ORDER BY id
(46) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = ‘%{SQL-User-Name}’ ORDER BY priority
(46) sql: → SELECT groupname FROM radusergroup WHERE username = ‘15:79:A1:FA:74:B5’ ORDER BY priority
(46) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = ‘15:79:A1:FA:74:B5’ ORDER BY priority
(46) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
(46) [sql] = notfound
(46) [expiration] = noop
(46) [logintime] = noop
(46) pap: WARNING: No “known good” password found for the user. Not setting Auth-Type
(46) pap: WARNING: Authentication will fail unless a “known good” password is available
(46) [pap] = noop
(46) } # authorize = ok
(46) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(46) Failed to authenticate the user
(46) EXPAND PW INCORRECTA
(46) → PW INCORRECTA
(46) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [15:79:A1:FA:74:B5/] (from client two7 port 2211448098 cli 1579a1fa74b5) PW INCORRECTA
(46) Using Post-Auth-Type Reject
(46) # Executing group from file /etc/raddb/sites-enabled/default

The user trying to connect is 1579a1fa74b5 if we see well the last 4 digits correspond to the first 4 of the mac but the rest I don’t know what it corresponds to and it changes between connection and disconnection.

Mikrotik has not resolved the implementation of DHCPV6-radius yet?
Could someone solve this problem?
Is there a problem in my configuration?

MarcosLL · April 24, 2022, 2:59pm

According to the following log:

(46) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [15:79:A1:FA:74:B5/] (from client two7 port 2211448098 cli 1579a1fa74b5) PW INCORRECTA

This should work:

INSERT INTO radreply (username, attribute, op, value) VALUES
(‘15:79:A1:FA:74:B5’, ‘Delegated-IPv6-Prefix’, ‘=’, ‘fdb4:4de7:a3f8:418c::/66’);

Volkk · April 25, 2022, 5:25pm

The problem is that the user “MAC” changes to the same device every time it tries to connect which is impossible and I don’t see this behavior in DHCPv4

Volkk · May 16, 2022, 2:20pm

In contact with mikrotik support they told me to try version 7.2.3 and this problem is fixed in that version.
I do not see that this problem is mentioned in the release notes, so it is not ruled out that it reappears, what we do know is that it is a ROS error, this is good for those who are doing some DHCP+DHCPV6+ implementation RADIUS in your access network.
Hopefully Mikrotik has it figured out soon!