Greetings all! I’m trying to set up new authentication for end users on our WISP using MikroTiks. Following various walkthroughs, I have the MPLS/VPLS network set up in my lab. Currently I am just masquerading the final route out, but eventually the PPPoE users will receive routable public IP addresses after authenticating. In the lab I am able to set up pppoe-server on the head MikroTik and have an end client connect over the tunnel and authenticate to get out on multiple profiles. My problem is when I try to get the MikroTik to use AAA to talk to the FreeRADIUS server that I have set up on Ubuntu 14.04 using MySQL. I have verified the FreeRADIUS server works using radtest, and I see the MikroTik connect, but the RADIUS server never gives back an Access-Accept packet. I’ll paste in the responses I get from mysql -X, if that helps, and cut-down versions of the MySQL configs. I’m going to stuff as much info into this as possible, so sorry for the long post.
I’m sure it’s probably a simple issue, but my inexperience with MikroTik is preventing me from seeing it.
Any help would be appreciated! thanks.
mpls/vpls reference: http://mum.mikrotik.com/presentations/US13/kirnak.pdf
Several RADIUS/SQL/PPPoE walkthroughs; here is one of them: http://wiki.mikrotik.com/wiki/RouterOs_MySql_Freeradius#SettingUp_Mysql
mysql -X response when I try to connect through the MikroTik. Local authentication works, and radcheck works on the RADIUS server:
Waking up in 4.8 seconds.
rad_recv: Accounting-Request packet from host 10.2.0.2 port 37228, id=23, length=188
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 15728676
NAS-Port-Type = Ethernet
User-Name = "test2"
Calling-Station-Id = "EC:F4:BB:12:08:8C"
Called-Station-Id = "PPP1"
NAS-Port-Id = "r1tor6"
Acct-Session-Id = "81700024"
Framed-IP-Address = 0.0.0.0
Acct-Authentic = RADIUS
Event-Timestamp = "Oct 16 2014 12:26:31 CDT"
Acct-Session-Time = 1
Acct-Input-Octets = 0
Acct-Input-Gigawords = 0
Acct-Input-Packets = 0
Acct-Output-Octets = 0
Acct-Output-Gigawords = 0
Acct-Output-Packets = 0
Acct-Status-Type = Stop
Acct-Terminate-Cause = NAS-Request
NAS-Identifier = "MikroTik"
Acct-Delay-Time = 0
NAS-IP-Address = 10.2.0.2
# Executing section preacct from file /etc/freeradius/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 15728676,Client-IP-Address = 10.2.0.2,NAS-IP-Address = 10.2.0.2,Acct-Session-Id = "81700024",User-Name = "test2"'
[acct_unique] Acct-Unique-Session-ID = "8b8c659fdd61bf28".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "test2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/freeradius/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 10.2.0.2
[detail] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/freeradius/radacct/10.2.0.2/detail-20141016
[detail] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.2.0.2/detail-20141016
[detail] expand: %t -> Thu Oct 16 12:26:35 2014
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
[radutmp] expand: %{User-Name} -> test2
++[radutmp] returns ok
[sql] expand: %{User-Name} -> test2
[sql] sql_set_user escaped user --> 'test2'
[sql] expand: %{Acct-Input-Gigawords} -> 0
[sql] expand: %{Acct-Input-Octets} -> 0
[sql] expand: %{Acct-Output-Gigawords} -> 0
[sql] expand: %{Acct-Output-Octets} -> 0
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstoptime = '2014-10-16 12:26:35', acctsessiontime = '1', acctinputoctets = '0' << 32 | '0', acctoutputoctets = '0' << 32 |
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> test2
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 23 to 10.2.0.2 port 37228
Finished request 22.
Cleaning up request 22 ID 23 with timestamp +577
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 20 ID 21 with timestamp +577
Ready to process requests.
configs:
radiusd:
# radiusd.conf (trimmed, as posted). Paths are derived from prefix/logdir/raddbdir
# and the daemon drops to the freerad user/group.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
log_file = ${logdir}/radius.log
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_content = no
cleanup_delay = 5
max_requests = 1024
# Two listeners on all addresses; port = 0 takes the auth/acct ports from
# /etc/services rather than pinning them here.
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
usercollide = no
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
# NOTE(review): with auth = no, Access-Accept/Access-Reject decisions are not
# written to radius.log, so the -X debug output above is currently the only
# record of them. auth = yes logs the decision per request; auth_goodpass and
# auth_badpass additionally log the password itself and are best left off.
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = no
$INCLUDE proxy.conf
# NAS definitions come from clients.conf (excerpt below) plus, via sql.conf
# readclients, the nas table.
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
# key used to derive the Acct-Unique-Session-ID shown in the debug output
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
# sql.conf (excerpt below) defines the sql instance seen as [sql] in the
# accounting section of the debug output.
$INCLUDE sql.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
SQL conf:
# sql.conf (trimmed, as posted): the rlm_sql instance that appears as [sql] in
# the accounting section of the debug output above.
sql {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
# NOTE(review): the module connects as the MySQL root account although it only
# touches the tables of the `radius` database listed below; a dedicated account
# granted on that database alone is sufficient (least privilege).
login = "root"
password = "thisisacoolpasswordlength"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
# NOTE(review): the radusergroup output below maps only `user2` to static256;
# the test user `test2` has no row there, so the static256 group reply
# attributes (Framed-Protocol, Service-Type, Framed-Compression) are not
# applied to it.
usergroup_table = "radusergroup"
deletestalesessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 60
lifetime = 0
max_queries = 0
# readclients loads additional RADIUS clients from nas_table at startup; the
# `select * from nas` result below is empty, so every client currently has to
# come from clients.conf.
readclients = yes
nas_table = "nas"
$INCLUDE sql/${database}/dialup.conf
}
Clients conf file
# clients.conf (trimmed, as posted). A request is only processed when its
# source address matches a client block and it was signed with that block's
# secret; packets from an address with no block are ignored as unknown clients.
client localhost {
ipaddr = 127.0.0.1
secret = heymanigottapassword4u
require_message_authenticator = no
}
# NOTE(review): 10.0.0.1 is the router's loopback, which the /radius entry in
# the RouterOS export below uses as src-address, and this secret matches the
# one set there. The debug output above shows requests arriving from 10.2.0.2
# (the router's ether3 address) instead; presumably the full file has a block
# for that address, since those requests were processed.
client 10.0.0.1 {
secret =thisisalongpassword4areason
shortname =mikrotik
}
# LAN test client; presumably the NTRadPing test tool, going by the shortname.
client 192.168.1.25 {
secret = ntradping
shortname = ntradtestingthing
}
Database with test entries:
mysql> select * from radacct; select * from radcheck; select * from radgroupcheck; select * from radgroupreply; select * from radpostauth; select * from radreply; select * from radusergroup; select * from nas;
+-----------+---------------+------------------+----------+-----------+-------+--------------+-----------+-------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+-------------------+--------------------+-------------+----------------+-----------------+----------------+---------------+----------------------+
| radacctid | acctsessionid | acctuniqueid | username | groupname | realm | nasipaddress | nasportid | nasporttype | acctstarttime | acctstoptime | acctsessiontime | acctauthentic | connectinfo_start | connectinfo_stop | acctinputoctets | acctoutputoctets | calledstationid | callingstationid | acctterminatecause | servicetype | framedprotocol | framedipaddress | acctstartdelay | acctstopdelay | xascendsessionsvrkey |
+-----------+---------------+------------------+----------+-----------+-------+--------------+-----------+-------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+-------------------+--------------------+-------------+----------------+-----------------+----------------+---------------+----------------------+
| 1 | 81700021 | cb6c3afe13cac298 | test2 | | | 10.2.0.2 | 15728673 | Ethernet | 2014-10-16 12:22:15 | 2014-10-16 12:22:15 | 0 | RADIUS | | | 0 | 0 | PPP1 | EC:F4:BB:12:08:8C | NAS-Request | Framed-User | PPP | 0.0.0.0 | 0 | 0 | |
| 2 | 81700022 | cd05bf01a45f3dfb | test2 | | | 10.2.0.2 | 15728674 | Ethernet | 2014-10-16 12:22:23 | 2014-10-16 12:22:23 | 0 | RADIUS | | | 0 | 0 | PPP1 | EC:F4:BB:12:08:8C | NAS-Request | Framed-User | PPP | 0.0.0.0 | 0 | 0 | |
| 3 | 81700023 | df93b995e6fe57c8 | test2 | | | 10.2.0.2 | 15728675 | Ethernet | 2014-10-16 12:25:34 | 2014-10-16 12:25:34 | 0 | RADIUS | | | 0 | 0 | PPP1 | EC:F4:BB:12:08:8C | NAS-Request | Framed-User | PPP | 0.0.0.0 | 0 | 0 | |
| 4 | 81700024 | 8b8c659fdd61bf28 | test2 | | | 10.2.0.2 | 15728676 | Ethernet | 2014-10-16 12:26:35 | 2014-10-16 12:26:35 | 1 | RADIUS | | | 0 | 0 | PPP1 | EC:F4:BB:12:08:8C | NAS-Request | Framed-User | PPP | 0.0.0.0 | 0 | 0 | |
| 5 | 81700025 | b73a9ab1a25512a6 | test2 | | | 10.2.0.2 | 15728677 | Ethernet | 2014-10-16 12:27:36 | 2014-10-16 12:27:36 | 0 | RADIUS | | | 0 | 0 | PPP1 | EC:F4:BB:12:08:8C | NAS-Request | Framed-User | PPP | 0.0.0.0 | 0 | 0 | |
| 6 | 8170002a | fb5db15782f99d61 | test2 | | | 10.0.0.1 | 15728682 | Ethernet | 2014-10-16 12:29:30 | 2014-10-16 12:29:30 | 0 | RADIUS | | | 0 | 0 | PPP1 | EC:F4:BB:12:08:8C | NAS-Request | Framed-User | PPP | 0.0.0.0 | 0 | 0 | |
| 7 | 8170002b | cb067dc167ebeca1 | test2 | | | 10.0.0.1 | 15728683 | Ethernet | 2014-10-16 12:30:31 | 2014-10-16 12:30:31 | 0 | RADIUS | | | 0 | 0 | PPP1 | EC:F4:BB:12:08:8C | NAS-Request | Framed-User | PPP | 0.0.0.0 | 0 | 0 | |
| 8 | 8170002c | 9de6470a6d49fc53 | test2 | | | 10.0.0.1 | 15728684 | Ethernet | 2014-10-16 12:31:32 | 2014-10-16 12:31:32 | 0 | RADIUS | | | 0 | 0 | PPP1 | EC:F4:BB:12:08:8C | NAS-Request | Framed-User | PPP | 0.0.0.0 | 0 | 0 | |
| 9 | 8170002d | 6cb3cdc04db3f7e9 | test2 | | | 10.0.0.1 | 15728685 | Ethernet | 2014-10-16 13:18:26 | 2014-10-16 13:18:27 | 0 | RADIUS | | | 1363 | 121 | PPP1 | EC:F4:BB:12:08:8C | NAS-Error | Framed-User | PPP | 10.3.0.3 | 0 | 0 | |
| 10 | 8170002e | 199ca9eec9376a74 | test2 | | | 10.0.0.1 | 15728686 | Ethernet | 2014-10-16 13:19:18 | 2014-10-16 13:19:18 | 0 | RADIUS | | | 1461 | 121 | PPP1 | EC:F4:BB:12:08:8C | NAS-Error | Framed-User | PPP | 10.3.0.3 | 0 | 0 | |
+-----------+---------------+------------------+----------+-----------+-------+--------------+-----------+-------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+-------------------+--------------------+-------------+----------------+-----------------+----------------+---------------+----------------------+
10 rows in set (0.01 sec)
+----+----------+--------------------+----+-----------+
| id | username | attribute | op | value |
+----+----------+--------------------+----+-----------+
| 4 | test1 | Cleartext-Password | := | custpassw |
| 5 | test2 | Cleartext-Password | := | custpassw |
| 6 | test3 | Crypt-Password | := | custpassw |
+----+----------+--------------------+----+-----------+
3 rows in set (0.00 sec)
Empty set (0.00 sec)
+----+-----------+--------------------+----+---------------------+
| id | groupname | attribute | op | value |
+----+-----------+--------------------+----+---------------------+
| 1 | static256 | Framed-Protocol | := | PPP |
| 2 | static256 | Service-Type | := | Framed-User |
| 3 | static256 | Framed-Compression | := | Van-Jacobsen-TCP-IP |
+----+-----------+--------------------+----+---------------------+
3 rows in set (0.00 sec)
+----+----------+------+---------------+---------------------+
| id | username | pass | reply | authdate |
+----+----------+------+---------------+---------------------+
| 1 | abc | 123 | Access-Accept | 2014-10-15 16:38:52 |
+----+----------+------+---------------+---------------------+
1 row in set (0.00 sec)
+----+----------+-------------------+----+---------------+
| id | username | attribute | op | value |
+----+----------+-------------------+----+---------------+
| 1 | test1 | Framed-IP-Address | := | 192.168.1.102 |
| 2 | test2 | Framed-IP-Address | := | 10.3.0.3 |
+----+----------+-------------------+----+---------------+
2 rows in set (0.00 sec)
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| user2 | static256 | 1 |
+----------+-----------+----------+
1 row in set (0.00 sec)
Empty set (0.00 sec)
MikroTik PPPoE config:
# oct/16/2014 14:50:06 by RouterOS 6.20
# software id = FSQH-A2P6
#
# NOTE(review): this export contains the RADIUS shared secret, the PPP secret
# passwords, the WPA pre-shared key and the OSPF authentication key verbatim;
# `/export hide-sensitive` produces the same listing with those values omitted.
/interface bridge
add mtu=1500 name=loopback protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] ht-rxchains=0 ht-txchains=0 l2mtu=2290 \
wireless-protocol=unspecified
/interface ethernet
set [ find default-name=ether1 ] l2mtu=4074 mtu=1600
set [ find default-name=ether2 ] l2mtu=4074 mtu=1600
set [ find default-name=ether3 ] l2mtu=4074 mtu=1600
set [ find default-name=ether4 ] l2mtu=4074 mtu=1600
set [ find default-name=ether5 ] l2mtu=4074 mtu=1600
/interface vpls
# VPLS pseudowire to 10.0.0.6; r1tor6 is the NAS-Port-Id seen in the RADIUS
# debug output above.
add advertised-l2mtu=1548 disabled=no l2mtu=1548 mac-address=\
02:08:3D:99:64:19 name=r1tor6 remote-peer=10.0.0.6 vpls-id=1:0a
/ip neighbor discovery
set wlan1 discover=no
set r1tor6 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys wpa-pre-shared-key=469A02BF9A35 wpa2-pre-shared-key=\
469A02BF9A35
/ip ipsec proposal
# default proposal only; no IPsec peers or policies appear in this export
set [ find default=yes ] enc-algorithms=3des
/ip pool
# address pool handed out by the Basic-RES profile below
add name=pppoe-1 ranges=10.3.0.2-10.3.15.254
/ppp profile
# Only Basic-RES carries local-address/remote-address; the other profiles have
# no addresses here, so those must come from the RADIUS reply (the radreply
# table below assigns test2 Framed-IP-Address 10.3.0.3, and radacct rows 9-10
# show that address).
add dns-server=67.66.97.5,204.251.219.1 local-address=10.3.0.1 name=Basic-RES \
rate-limit=512k/1536k remote-address=pppoe-1 use-encryption=yes
add dns-server=67.66.97.5,204.251.219.1 name=Preferred-RES rate-limit=1m/3m \
use-encryption=yes
add name=Premium-RES rate-limit=1m/4m use-encryption=yes
add dns-server=67.66.97.5,204.251.219.1 name=Basic-CORP rate-limit=512k/2048k \
use-encryption=yes
add dns-server=67.66.97.5,204.251.219.1 name=Preferred-CORP rate-limit=\
1024k/3584k use-encryption=yes
add dns-server=67.66.97.5,204.251.219.1 name=Premium-CORP rate-limit=1m/5m \
use-encryption=yes
/routing ospf instance
set [ find default=yes ] distribute-default=if-installed-as-type-1 \
mpls-te-area=backbone mpls-te-router-id=loopback redistribute-connected=\
as-type-1 redistribute-other-ospf=as-type-1 router-id=10.0.0.1
/system logging action
set 0 memory-lines=100
set 1 disk-file-name=log disk-lines-per-file=100
set 2 remember=yes
set 3 src-address=0.0.0.0
/interface pppoe-server server
# PPP1 on the VPLS interface is the Called-Station-Id / NAS-Port-Id pair in the
# debug output above; PPP2 serves ether2 directly.
add authentication=chap,mschap1,mschap2 disabled=no interface=r1tor6 max-mru=\
1500 max-mtu=1500 mrru=1600 service-name=PPP1
add authentication=chap,mschap1,mschap2 disabled=no interface=ether2 max-mru=\
1500 max-mtu=1500 mrru=1600 service-name=PPP2
/ip address
# 10.0.0.1 (loopback) is the OSPF router-id, the LDP lsr-id and the RADIUS
# src-address; 10.2.0.2/30 on ether3 faces the RADIUS server at 10.2.0.1.
add address=10.0.0.1/32 interface=loopback network=10.0.0.1
add address=10.0.1.1/32 interface=ether1 network=10.0.1.2
add address=10.0.1.1/32 interface=ether2 network=10.0.1.3
add address=10.0.1.1/32 interface=ether5 network=10.0.1.10
add address=10.2.0.2/30 interface=ether3 network=10.2.0.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=ether4
/ip dns
# NOTE(review): the router answers DNS queries on every interface and this
# export has no /ip firewall filter rules, so the resolver is also reachable
# from ether4 (the DHCP/upstream side); an input-chain rule dropping udp/tcp 53
# on ether4 keeps it available to PPPoE clients only.
set allow-remote-requests=yes
/ip firewall nat
# lab-only egress as described in the post; production plan is routable
# addresses for PPPoE users
add action=masquerade chain=srcnat out-interface=ether4
/ip service
# telnet/ftp/www/ssh/api disabled; winbox is not listed here
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/mpls interface
set [ find default=yes ] mpls-mtu=1550
/mpls ldp
set enabled=yes lsr-id=10.0.0.1 transport-address=10.0.0.1
/mpls ldp interface
add interface=ether1
add interface=ether2
add interface=ether5
/ppp aaa
# PPP authentication/accounting via RADIUS; interim-update=5m sends
# Interim-Update accounting every five minutes for live sessions.
set interim-update=5m use-radius=yes
/ppp secret
# all local secrets are disabled, so PPPoE logins are expected to be decided by
# RADIUS alone
add disabled=yes local-address=10.254.0.1 name=preferredres password=password \
profile=Preferred-RES remote-address=10.254.0.2 service=pppoe
add disabled=yes local-address=10.254.0.1 name=basiccorp password=password \
profile=Basic-CORP remote-address=10.254.0.3 service=pppoe
add disabled=yes local-address=10.254.0.1 name=premiumres password=password \
profile=Premium-RES remote-address=10.254.0.4 service=pppoe
add disabled=yes local-address=10.254.0.1 name=basicres password=password \
profile=Basic-RES remote-address=10.254.0.5 service=pppoe
add disabled=yes local-address=10.254.0.1 name=preferredcorp password=\
password profile=Preferred-CORP remote-address=10.254.0.6 service=pppoe
add disabled=yes local-address=10.254.0.1 name=premiumcorp password=password \
profile=Premium-CORP remote-address=10.254.0.7 service=pppoe
/radius
# NOTE(review): requests are sourced from the loopback 10.0.0.1, so the
# FreeRADIUS client entry must be for 10.0.0.1 (the `client 10.0.0.1` block
# above uses the same secret) and the server needs a return route to 10.0.0.1.
# The debug output above shows requests arriving from 10.2.0.2 (ether3), which
# suggests it was captured before src-address was set; the later radacct rows
# show nasipaddress 10.0.0.1.
add address=10.2.0.1 secret=thisisalongpassword4areason service=ppp \
src-address=10.0.0.1
/routing ospf interface
# NOTE(review): authentication=simple puts the key on the wire in cleartext;
# RouterOS also accepts authentication=md5 on these interfaces.
add authentication=simple authentication-key=dsvj46a3 interface=ether1 \
network-type=ptmp
add authentication=simple authentication-key=dsvj46a3 interface=ether2 \
network-type=ptmp
add authentication=simple authentication-key=dsvj46a3 interface=ether5 \
network-type=point-to-point
/routing ospf network
add area=backbone network=10.0.0.1/32
add area=backbone network=10.1.0.0/30
add area=backbone network=10.0.1.0/24
/snmp
# trap community left at the default "public"
set trap-community=public
/system clock
set time-zone-name=America/Chicago
/system leds
set 0 interface=wlan1
/system logging
# NOTE(review): only ospf and ldp topics are echoed; a second rule with
# topics=radius,ppp would show the Access-Accept handling and the PPP
# negotiation on the router side, which would help explain why radacct rows 9
# and 10 ended with acctterminatecause NAS-Error.
add action=echo topics=ospf,ldp
/system ntp client
set enabled=yes primary-ntp=129.250.35.250 secondary-ntp=208.53.158.34
/system ntp server
set enabled=yes
/tool traffic-generator packet-template
add header-stack=ip interface=loopback name=packet-template1