RADIUS and DHCP PASSWORD

spire2z · October 3, 2012, 12:45am

Hi, We use freeradius sql with mt hotspot and have no problems. Just recently we had a need to specify a different IP pool for certain mac addresses. With these certain users we hope to just add the extra field into the sql database framed-pool

This works with hotspot and to-address is using an ip from specified pool.

However when enabling radius in dhcp server we get auth failed on radius dhcp requests.

1/ Does user-password need a blank password to auth with dhcp and can’t be anything else?

spire2z · October 4, 2012, 1:23pm

Does password file in database need to be blank for dhcp to auth with RADIUS?

blake · October 6, 2012, 4:15am

Yes, MikroTik’s DHCP server does not send the User-Password attribute. If your configurations requires a password then you can easily set it in the RADIUS server. Here’s how to do it if you’re using FreeRADIUS:

authorize {
  update request {
    User-Password = "%{User-Name}"
  }
}

EMOziko · October 6, 2012, 10:42am

You can use access-accept attribute for dhcp users, it will be authorise only with mac address.

spire2z · October 8, 2012, 10:26pm

Thanks that makes sense. Were using same database for hotspot auth so the database needs to remain with the password for it’s primary use. The username is already a mac.

So can I just clarify that your saying Freeradius can be setup to send access-accept when getting a dhcp request even if NAS is not sending password?

Can I just be clear what your saying can be setup only to authorize a DHCP request as it’s important the hotspot continues to have same auth method and will not auth any password.

Sorry if i’m being thick but I have read the freeradius docs but can’t seem to find exactly the right info your talking about?

blake · October 10, 2012, 5:15am

You need to setup your own policy within FreeRADIUS to handle authenticating DHCP users, and make up for the fact that the MikroTik DHCP server sends a blank User-Password attribute in Access-Requests for DHCP Discover packets. Here’s a more detailed way of how you can handle it, and still not allow hotspot logins containing random passwords.

The Access-Requests for DHCP packets come in like this:

NAS-Port-Type = Ethernet
NAS-Port = 2198977383
Framed-IP-Address = 192.0.2.2
Called-Station-Id = "dhcp1"
User-Name = "01:23:45:67:AB:CD"
User-Password = ""
NAS-Identifier = "myrouter.domain.tld

You can create the following policy so that FreeRADIUS will still allocate IP’s to DHCP users even though the User-Password attribute is blank. This policy should not match hotspot users because hotspot requests contain the ‘Service-Type’ attribute which this policy explicitly requires be absent.

authorize {
  if(NAS-Port-Type == Ethernet && NAS-Port && !Service-Type && Called-Station-Id =~ /^dhcp[0-9]+$/){
    # Username is a MAC address and password is blank
    if(User-Name =~ /^([0-9A-F]{2}:?){6}$/ && User-Password == ''){

      # Set password to 'User-Name' to facilitate proper lookup in 'users' file or SQL radcheck table
      update request {
        User-Password = "%{User-Name}"
      }
    }
  }

  files
  sql
  chap
  pap
  …etc
}

spire2z · October 10, 2012, 2:51pm

Thank you very much. You saved me alot of time.

spire2z · October 19, 2012, 1:11pm

Hi, sorry but I think I need a little more help! I tried this but it’s still failing to auth dhcp. The logs do show that this rule is matching DHCP requests but it still fails to auth.

Can I just check something?

Set password to ‘User-Name’ to facilitate proper lookup in ‘users’ file or SQL radcheck table

update request {
User-Password = “%{User-Name}”

This looks like its telling the server to replace blank password with the username when it queries database. I don’t really get that because it wouldn’t auth with the username as password would it? Or have I misunderstood?

spire2z · October 19, 2012, 1:39pm

Actually dont worry I figured out a rule that worked:

if(NAS-Port-Type == Ethernet && NAS-Port && !Service-Type && Called-Station-Id =~ /^dhcp[0-9]+$/){

Username is a MAC address and password is blank

if(User-Name =~ /^([0-9A-F]{2}:?){6}$/ && User-Password == ‘’){

update control {
Auth-Type := Accept
}
}
}

spire2z · October 19, 2012, 2:50pm

Hi,

Got one more slight problem. DHCp is authing and assigning correct pool fine. But when the hotspot authenticates however because it sees Framed-Pool it assigns another IP on hotspot to-address so two IPs are used!!

Do you know if there is a rule like above that can omit the radreply Framed-Pool when a hotspot auth request comes in?

I just can’t find the right syntax to omit that?

blake · October 21, 2012, 8:28pm

http://freeradius.org/radiusd/man/unlang.html

I haven’t tested this, but I think it would work something like this.

post-auth {
  if(reply:Framed-Pool){
    update reply {
      Framed-Pool !* 0
    }
  }
}

spire2z · October 21, 2012, 10:44pm

Thanks

jgzt26 · March 6, 2018, 12:46pm

Hi, im facing the same problem. I want also to authenticate my dhcp client on mikrotik using radiusdesk (freeradius). But i dont know where to put the script on freeradius policy.

Can someone help me step by step how to do it Specially on pointing the directories where i will edit/add the scripts.

Username will be the modems mac address, and the password should be the same.

Thanks so much

jgzt26 · March 6, 2018, 12:53pm

Hi im facing also the same problem, i wanted to authenticate my mikrotik dhcp clients on radiusdesk (freeradius) but i dont know where to start or how to make it happen. I saw in this thread a script where password=%usrname, something like that. But i dont know where to put it.

Can someone help me step by step how to do it?

My username will be the mac address of the computer and the password should be the same

Thanks for the help.