Hello, I have a central RouterBoard (RB 450C) --- switch --- AP1 and AP2, and I want to authenticate users via RADIUS, which goes to my Linux server. Can you tell me what I can do? I tried different configurations and I do not know what to do next. Can you help me? Please. Thank you.
If you just want to check and authenticate by MAC address, then you only need to add a CAPsMAN Access List rule with action=query-radius.
I wrote the wrong information. The RADIUS server is not a Linux RADIUS (FreeRADIUS), but a Cisco RADIUS. I am sorry.
I want to authenticate by username and password:
for example
username: yaggii@seznam.cz
password: yaggii
This authentication works in wireless, but not in CAPsMAN.
Hello,
When I configured the RouterBoard without VLAN, everything works OK (see below).
/interface bridge
add name=bridge_capsman protocol-mode=none
/caps-man interface
add arp=enabled channel.frequency=2412 configuration.country="czech republic" \
    configuration.mode=ap configuration.ssid=eduroam1 datapath.bridge=\
    bridge_capsman disabled=no l2mtu=1600 mac-address=E4:8D:8C:F2:C1:31 \
    master-interface=none mtu=1500 name=cap1 radio-mac=E4:8D:8C:F2:C1:31 \
    security.authentication-types=wpa2-eap security.eap-methods=passthrough
add arp=enabled channel.frequency=2452 configuration.country="czech republic" \
    configuration.mode=ap configuration.ssid=eduroam2 datapath.bridge=\
    bridge_capsman disabled=no l2mtu=1600 mac-address=E4:8D:8C:F1:DD:04 \
    master-interface=none mtu=1500 name=cap2 radio-mac=E4:8D:8C:F1:DD:04 \
    security.authentication-types=wpa2-eap security.eap-methods=passthrough
/ip neighbor discovery
set ether1-gateway discover=no
/caps-man security
add eap-methods=passthrough name=security1
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge_capsman lease-time=\
    1h name=dhcp1
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/interface bridge port
add bridge=bridge_capsman interface=cap1
add bridge=bridge_capsman interface=cap2
/ip address
add address=195.113.99.56/26 interface=ether1-gateway network=195.113.99.0
add address=192.168.1.1/24 interface=ether3-slave-local network=192.168.1.0
add address=192.168.2.1/24 interface=bridge_capsman network=192.168.2.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=195.113.99.56 dst-port=9999 \
    protocol=tcp to-addresses=192.168.1.2 to-ports=8291
/ip route
add distance=1 gateway=195.113.99.1
/ip service
set telnet disabled=yes
set ssh disabled=yes
/radius
add address=195.178.88.100 secret=secretXXX service=login,wireless,dhcp
If I want to use VLAN, I have a problem getting an IP address from the DHCP of VLAN 133. Can you help me find where my mistake is (see picture)? Thank you.
capsman.png