radius error

I have followed the tutorial to set up Mikrotik to use freeradius. I am having some success, but am getting an error when attempting to add the necessary info, per the tutorial.

http://www.mikrotik.com/testdocs/ros/2.8/appex/user_rad.php

The tutorial shows to add the following to /etc/freeradius/users and /etc/freeradius/dictionary:

users:
ex User-Password == "ex"

ex2 User-Password == "ex2"
    Group = "full"

Dictionary:
VENDOR Mikrotik 14988

ATTRIBUTE Recv-Limit 1 integer Mikrotik
ATTRIBUTE Xmit-Limit 2 integer Mikrotik
ATTRIBUTE Group 3 string Mikrotik
ATTRIBUTE Wireless-Forward 4 integer Mikrotik
ATTRIBUTE Wireless-Skip-Dot1x 5 integer Mikrotik
ATTRIBUTE Wireless-Enc-Algo 6 integer Mikrotik
ATTRIBUTE Wireless-Enc-Key 7 string Mikrotik
ATTRIBUTE Rate-Limit 8 string Mikrotik


This causes freeradius to err out with the following:
Fri May 28 13:23:17 2010 : Error: Errors reading dictionary: dict_init: /etc/freeradius/dictionary[37]: dict_addattr: Duplicate attribute name Group
Fri May 28 13:23:17 2010 : Error: Errors reading /var/log/freeradius/radiusd.conf: For more information, please read the tail end of /var/log/freeradius/radius.log


If I comment out “ATTRIBUTE Group 3 string Mikrotik”, Freeradius starts up fine, but both users only have read access.

I cannot find another entry for “Group” in dictionary, so not sure what to make of the error.

Use only the pre-supplied FreeRADIUS dictionary that comes with the install. The one Mikrotik supplies on their website does not work, as per the comments in the stock FreeRADIUS one.
For what it is worth the stock one works fine for me.

All my Mikrotik dictionary entries in FreeRADIUS start with “Mikrotik-”.
Attribute Mikrotik-Recv-Limit 1
Attribute Mikrotik-Xmit-Limit 2
Attribute Mikrotik-Group 3
etc.

The new docs show the correct attributes.
http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client
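
A name reported as "Duplicate attribute name" may already be defined in a file that the main dictionary pulls in with $INCLUDE, which is why searching only /etc/freeradius/dictionary can come up empty. As an added example (not part of the original thread and not FreeRADIUS code), this Python script walks a dictionary and its $INCLUDEd files and lists every attribute name defined twice; the sample files, the "dictionary.stock" name and its attribute numbers are constructed, and case-insensitive name matching is an assumption.

```python
import os
import re
import tempfile

# ATTRIBUTE <name> <number> <type> [vendor]; names are compared case-insensitively (assumption).
ATTR = re.compile(r"^\s*ATTRIBUTE\s+(\S+)\s+\S+", re.IGNORECASE)
INCLUDE = re.compile(r"^\s*\$INCLUDE\s+(\S+)")

def find_duplicates(path, seen=None, dups=None):
    """Walk a dictionary file and its $INCLUDEs; return [(name, first_loc, dup_loc)]."""
    seen = {} if seen is None else seen
    dups = [] if dups is None else dups
    base = os.path.dirname(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0]  # drop comments
            inc = INCLUDE.match(line)
            if inc:
                # Relative includes resolve against the including file's directory.
                find_duplicates(os.path.join(base, inc.group(1)), seen, dups)
                continue
            attr = ATTR.match(line)
            if attr:
                key, loc = attr.group(1).lower(), f"{path}[{lineno}]"
                if key in seen:
                    dups.append((attr.group(1), seen[key], loc))
                seen.setdefault(key, loc)
    return dups

def demo():
    """Constructed sample: an included file that defines Group, plus the tutorial's lines."""
    files = {
        "dictionary.stock": "ATTRIBUTE User-Name 1 string\nATTRIBUTE Group 1005 string\n",
        "dictionary": "$INCLUDE dictionary.stock\n"
                      "VENDOR Mikrotik 14988\n"
                      "ATTRIBUTE Recv-Limit 1 integer Mikrotik\n"
                      "ATTRIBUTE Group 3 string Mikrotik\n"           # clashes with the include
                      "ATTRIBUTE Mikrotik-Group 3 string Mikrotik\n",  # prefixed name is unique
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return [(n, os.path.basename(a), os.path.basename(b))
                for n, a, b in find_duplicates(os.path.join(d, "dictionary"))]

if __name__ == "__main__":
    for name, first, dup in demo():
        print(f"Duplicate attribute name {name}: first at {first}, again at {dup}")
```

To check a real install, call find_duplicates() with the path of the top-level dictionary file instead of running demo().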

Ok… I made the dictionary changes and do not get the “Group” error any longer, but both users (ex and ex2) still only have read access. It seems the Group attribute in their user name is not being implemented. I have it entered in “users” exactly as I have it in my original posts. Is there more to getting groups to work than what I have listed?

I use this on my hotspots. I add another profile in “/ip hotspot user profile” named ‘managers’. Then in FreeRADIUS MySQL database I enter once:
insert into radgroupreply (GroupName,Attribute,op,Value) values ('managers','Mikrotik-Group','=','managers');

then for each user:
insert into usergroup (UserName,GroupName) values ('newuser','managers');

Check with radtest. From a shell on the FreeRADIUS server:
radtest newuser password 127.0.0.1 0 radiussecret
It should show the ‘Mikrotik-Group’ value sent.

I hadn’t originally set up freeradius with mysql. I found a doc and got it done. Do I need to comment out all the info I had previously put in the clients.conf and user file? I see freeradius is walking through radius.conf and ultimately authenticating local unix users, not just what is in the user file (fine with me). Ultimately, my goal is to implement LDAP once I get more familiar.

SurferTim, I was able to get things working as you instructed (yeah). Users in the database that belong to the managers group now have full permissions in winbox.

Not sure why, but the same users are rejected from the command line though:

root@relay-1:/etc/freeradius# radtest raymond password 127.0.0.1 0 testing123
Sending Access-Request of id 177 to 127.0.0.1 port 1812
User-Name = "raymond"
User-Password = "password"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=177, length=20

I know this is boring to most, but I finally got freeradius and Open LDAP working to authenticate local unix users (exported to an .ldif). Now I just need to figure out how to configure Mikrotik to use it for wireless client access.


I used the following docs and this forum to find the answers I needed to get things running:

http://en.wikibooks.org/wiki/Linux_Guide/LDAP_authentication_in_Linux
http://www.isrcomputing.com/index.php?option=com_content&view=article&id=66:freeradius-install-on-ubuntu&catid=38:technology-tips&Itemid=82
http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Radius_Client

I also commented this line out in radiusd.conf:
#access_attr = "dialupAccess"

Hope this helps someone else.

Well, I know I'm 8 years late, but for anyone else who still has this problem:
I just gave the attribute “Group” at “/etc/raddb/dictionary” another name, e.g. “Mikrotik_Group”, and also changed it in the “users” file from Group → Mikrotik_Group. Then it worked fine. (:
