Hello all,
I’m just starting to work with mikrotik and I have an authentication problem, because I have configured two users with the same configuration but only one is being authenticated.
I’ve created two users in radius to log in to mikrotik.
The configuration of both users follows.
User 1 - Mik
root@Ubuntu-Service-Server-1:~# radtest mik teste localhost 0 testing123
Sending Access-Request of id 183 to 127.0.0.1 port 1812
User-Name = "mik"
User-Password = "teste"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=183, length=32
Mikrotik-Group = "full"
root@Ubuntu-Service-Server-1:~#
User 2 - Mikro
root@Ubuntu-Service-Server-1:~# radtest mikro teste localhost 0 testing123
Sending Access-Request of id 196 to 127.0.0.1 port 1812
User-Name = "mikro"
User-Password = "teste"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=196, length=63
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
Mikrotik-Group = "full"
root@Ubuntu-Service-Server-1:~#
The mikrotik radius configuration follows.
[mikro@MikroTik] > radius print detail
Flags: X - disabled
0 service=login called-id="" domain="" address=172.16.1.253 secret="network"
authentication-port=1812 accounting-port=1813 timeout=300ms
accounting-backup=no realm=""
[mikro@MikroTik] >
[mikro@MikroTik] > user aaa print
use-radius: yes
accounting: yes
interim-update: 0s
default-group: read
exclude-groups:
[mikro@MikroTik] >
Even though both users have the same configuration, only user 2, Mikro, can log in to mikrotik.
Login error from mik
root@Ubuntu-Service-Server-1:~# ssh mik@172.16.1.111
mik@172.16.1.111's password:
Permission denied, please try again.
mik@172.16.1.111's password:
Login OK from mikro
jan/20/2016 12:45:12 system,error,critical login failure for user mik from 192.168.0.253 via ssh
[mikro@MikroTik] >
[mikro@MikroTik] > user active print detail
Flags: R - radius, M - by-romon
0 when=jan/20/2016 10:29:33 name="admin" via=console group=full
1 when=jan/20/2016 12:45:31 name="mikro" address=192.168.0.253 via=ssh
group=write
[mikro@MikroTik] >
Another question:
If radius is sending that mikro should be placed in the full access group, why is it placed in the write group? Why isn’t mikrotik placing it in the full access group?