RADIUS works with local users not with DHCP

Hi,
I’m running MT 2.9.27 and I have a freeradius server that uses mysql on another box. Users can log in to MT using RADIUS, so that part of the setup works.

The problem is that when I try to authenticate DHCP users, MT requests always get rejected; I believe the reason is that the password field is empty. This is the output of the FreeRADIUS server:

rad_recv: Access-Request packet from host 10.29.5.250:1026, id=39, length=115
Sending Access-Reject of id 39 to 10.29.5.250:1026
rad_recv: Access-Request packet from host 10.29.5.250:1026, id=40, length=115
        NAS-Port-Type = Ethernet
        NAS-Port = 2204106851
        Calling-Station-Id = "1:0:1:4a:f1:6c:c7"
        Called-Station-Id = "DHCP - Zone5"
        User-Name = "00:01:4A:F1:6C:C7"
        User-Password = ""
        NAS-Identifier = "Zona5"
        NAS-IP-Address = 10.29.5.250
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
Login incorrect: [00:01:4A:F1:6C:C7/] (from client radius1 port 2204106851 cli 1:0:1:4a:f1:6c:c7)
rad_recv: Access-Request packet from host 10.29.5.250:1026, id=40, length=115
Sending Access-Reject of id 40 to 10.29.5.250:1026

I’ve added a row in radcheck database with this info:

UserName, Attribute, op, Value
00:01:4A:F1:6C:C7, NAS-IP-Address, ==, 10.29.5.250

But for some reason my request is always rejected. Any ideas?

Hi gog,

We run a similar configuration with FreeRADIUS and MySQL. We use only the nas, radgroupcheck, radgroupreply, and usergroup tables.

Our radgroupcheck table might look like:
id, GroupName, Attribute, op, Value
1, default, Auth-Type, :=, Local
2, default, Password, ==, (blank)
3, bizpackage2, Auth-Type, :=, Local
4, bizpackage2, Password, ==, (blank)

And then our usergroup table might look like:
UserName, GroupName, priority, desc
66:55:44:33:22:11, default, 1, BigCo’s Tranzeo
11:22:33:44:55:66, bizpackage2, 1, BigCo’s Router

Then when “BigCo’s” antenna connects on the wireless, the MAC address of the antenna gets sent to FreeRADIUS with no password, and gets authenticated to connect. Same thing for when their router requests an IP via DHCP: their MAC gets sent to FreeRADIUS and, once accepted, MikroTik hands out an IP.

If it still doesn’t work, double-check your FreeRADIUS log file and make sure the IP of the Mikrotik that’s coming in is the same one you have in the nas table of FreeRADIUS.

I hope this helps.

Hi, thank you for your time.

Currently I am only testing, so I’m using only the radcheck & radreply tables. Yesterday I changed the default behavior in ldap to accept everybody, and RADIUS sends the IP address back to MT via the Framed-IP-Address value in radreply.

But that still doesn’t solve my problem: what could be the reason I get rejected if I have a row in radcheck with the correct MAC address and the value of User-Password set to “”? Is your Value field in radcheck maybe NULL or just empty?

LDAP shouldn’t have anything to do with it, I wouldn’t think. Are you essentially trying to give out static IP addresses via DHCP (Framed-IP-Address)?

The Value for Password we’re using is just empty; it’s not set to NULL.

The only other thing I can think of, is to check that you’re using the correct MAC form (ie: 000000-000000 vs 00:00:00:00:00:00) and uppercase vs lowercase.

In current MikroTik, the latter form is always used (this will be changeable in future versions, I believe), and I’m pretty sure MikroTik always sends MAC addresses with capital letters… but I also have our FreeRADIUS set up to convert to uppercase, and then we always use uppercase MAC addresses in MySQL.

If this is the same RADIUS server you use for MikroTik router users, then you’d probably have to change those usernames to uppercase as well… if you enabled the uppercase usernames option.

Edit: For now, we just use RADIUS for MAC authentication on the wireless and DHCP (currently we’re not giving out static addresses via DHCP either, but we’re considering doing so for customers’ antennas, so we always know what IP their equipment should have.)

I got exactly the same problem.

I put a client MAC address as UserName in the radcheck table with an empty password field, but I always get rejected.

Could someone help me with this matter?

datanet,

do you have an empty password field (i.e. “”) or a NULL value in the password field?

Best regards,
Christian Meis

Try running freeradius in debug mode and then check what is going on.

Thanks for your reply.
Running freeradius in debug mode was very useful; also set sqltrace=yes in sql.conf. I have two workstations in my lab, and I made a mistake in the MAC address in the radcheck table…

DHCP works fine with FreeRadius now. But I found on the page
http://www.mikrotik.com/docs/ros/2.9/ip/dhcp that I must use the Rate-Limit parameter in the radius table, but it doesn’t work (Failed to create the pair: Unknown attribute “Rate-Limit”). After changing it to Mikrotik-Rate-Limit I saw in the MT logs: MT-Rate-Limit=“128k/64k”

I’m going to use radius on wireless (check MAC), DHCP leases (provide IP on eth and radio interface based on client MAC address and set rate-limit) and Hotspot (authentication based on login name, password, MAC address and client IP, and set Rate-limit). The only trouble I have for now is with automatically activating a firewall chain for authenticated users in hotspot.

Regards,
Piotr Reda
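Two pieces of advice in this thread, the MAC form/case check in the earlier reply and the "run freeradius in debug mode" tip that found Piotr's typo, can be turned into a mechanical check. The Python below is an added example, not code from the thread or from FreeRADIUS: it parses the attribute lines that radiusd -X prints for each Access-Request, normalises the User-Name to the colon-separated uppercase form MikroTik sends, and compares it against the UserName column of radcheck and the IP against the nas table. The debug text, the radcheck usernames and the nas IPs are all constructed for the example. Note that with an empty Password check item the MAC in User-Name is the only thing being checked.

```python
import re

# Constructed sample of "radiusd -X" debug output, modelled on the log quoted at
# the top of this thread; it is not a real capture. Three Access-Requests:
# the first has a MAC whose radcheck row has a typo, the second is stored in
# lowercase, the third comes from a NAS that is missing from the nas table.
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 10.29.5.250:1026, id=40, length=115
        NAS-Port-Type = Ethernet
        NAS-Port = 2204106851
        Calling-Station-Id = "1:0:1:4a:f1:6c:c7"
        Called-Station-Id = "DHCP - Zone5"
        User-Name = "00:01:4A:F1:6C:C7"
        User-Password = ""
        NAS-Identifier = "Zona5"
        NAS-IP-Address = 10.29.5.250
rlm_sql (sql): Reserving sql socket id: 3
Login incorrect: [00:01:4A:F1:6C:C7/] (from client radius1 port 2204106851 cli 1:0:1:4a:f1:6c:c7)
Sending Access-Reject of id 40 to 10.29.5.250:1026
rad_recv: Access-Request packet from host 10.29.5.250:1026, id=41, length=97
        User-Name = "AA:BB:CC:DD:EE:FF"
        User-Password = ""
        NAS-IP-Address = 10.29.5.250
Sending Access-Reject of id 41 to 10.29.5.250:1026
rad_recv: Access-Request packet from host 10.29.5.251:1027, id=42, length=97
        User-Name = "66:55:44:33:22:11"
        User-Password = ""
        NAS-IP-Address = 10.29.5.251
"""

# Constructed radcheck UserName values and nas table IPs. The first MAC has its
# last two octets swapped, the kind of typo the thread's last poster found.
RADCHECK_USERNAMES = {"00:01:4A:F1:C7:6C", "aa:bb:cc:dd:ee:ff", "66:55:44:33:22:11"}
NAS_TABLE_IPS = {"10.29.5.250"}

HEX12 = re.compile(r"^[0-9A-F]{12}$")
REQ_LINE = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
ATTR_LINE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def normalize_mac(value):
    """Return the MAC as 00:01:4A:F1:6C:C7, or None if it is not 12 hex digits.
    Accepts colon, dash, dotted and bare forms (000000-000000, 0000.0000.0000)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if not HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_requests(debug_output):
    """Group the indented attribute lines that follow each rad_recv line.
    Each request is a dict of attribute -> value plus '_from' and '_id'."""
    requests, current = [], None
    for line in debug_output.splitlines():
        m = REQ_LINE.match(line)
        if m:
            current = {"_from": m.group(1), "_id": int(m.group(2))}
            requests.append(current)
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        else:
            current = None  # any other line closes the attribute list
    return requests


def check_request(req, radcheck_usernames, nas_table_ips):
    """Return the reasons this request cannot match a MAC row; an empty list
    means every check here passed (it does not prove FreeRADIUS accepted it)."""
    reasons = []
    nas_ip = req.get("NAS-IP-Address", req["_from"].rsplit(":", 1)[0])
    if nas_ip not in nas_table_ips:
        reasons.append(f"NAS {nas_ip} is not in the nas table")
    if req.get("User-Password", "") != "":
        reasons.append("User-Password is not empty, so a blank Password check item cannot match")
    username = req.get("User-Name")
    if username is None:
        reasons.append("no User-Name in request")
        return reasons
    mac = normalize_mac(username)
    if mac is None:
        reasons.append(f"User-Name {username!r} is not a MAC address")
        return reasons
    if username in radcheck_usernames:
        return reasons
    stored = {normalize_mac(u): u for u in radcheck_usernames if normalize_mac(u)}
    if mac in stored:
        reasons.append(f"MAC is stored as {stored[mac]!r} but the NAS sends {username!r} (case/format mismatch)")
    else:
        reasons.append(f"MAC {mac} has no row in radcheck (typo or missing entry)")
    return reasons


def audit(debug_output=DEBUG_LOG, radcheck_usernames=RADCHECK_USERNAMES, nas_table_ips=NAS_TABLE_IPS):
    """Map each request id to the list of reasons it cannot match a MAC row."""
    return {r["_id"]: check_request(r, radcheck_usernames, nas_table_ips)
            for r in parse_requests(debug_output)}


if __name__ == "__main__":
    for req_id, reasons in audit().items():
        print(req_id, "OK" if not reasons else "; ".join(reasons))
```

Feed it the real radiusd -X output and a SELECT of the UserName column instead of the constructed values; the Calling-Station-Id with its extra leading "1:" octet is deliberately ignored, since the lookup key the thread relies on is User-Name.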

To limit bandwidth, you can use another four attributes instead of Mikrotik-Rate-Limit:

WISPr-Bandwidth-Min-Up: Guaranteed upload speed
WISPr-Bandwidth-Max-Up: Maximal upload speed
WISPr-Bandwidth-Min-Down: Guaranteed download speed
WISPr-Bandwidth-Max-Down: Maximal download speed
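As an added example (not from the thread, FreeRADIUS or MikroTik), the Python below parses a Mikrotik-Rate-Limit string such as the "128k/64k" seen in the MT log above, converts it into the four WISPr attributes just listed, and builds radreply rows, refusing any attribute name that is not in the dictionary so the bare "Rate-Limit" from the earlier post fails before FreeRADIUS reports "Unknown attribute". It assumes MikroTik's documented field order (rx-rate[/tx-rate], bursts, threshold, time, priority, rx-rate-min[/tx-rate-min]), that rx is the client's upload and tx its download, and that k means 1,000 and M 1,000,000; the usernames are made up.

```python
import re

# Attribute names this thread confirms exist in FreeRADIUS's dictionaries. The
# bare "Rate-Limit" used in the thread is not among them, which is exactly the
# "Unknown attribute" error the poster hit.
KNOWN_ATTRIBUTES = {
    "Mikrotik-Rate-Limit",
    "WISPr-Bandwidth-Min-Up", "WISPr-Bandwidth-Max-Up",
    "WISPr-Bandwidth-Min-Down", "WISPr-Bandwidth-Max-Down",
}

RATE = re.compile(r"^(\d+)([kKmM]?)$")
MULT = {"": 1, "k": 1_000, "m": 1_000_000}  # assumed: MikroTik k = 1,000, M = 1,000,000


def is_known_attribute(name):
    """True if the attribute name is one the RADIUS dictionary defines."""
    return name in KNOWN_ATTRIBUTES


def parse_rate(text):
    """'128k' -> 128000 bit/s, '1M' -> 1000000, '64' -> 64. Junk raises ValueError."""
    m = RATE.match(text)
    if not m:
        raise ValueError(f"bad rate {text!r}")
    return int(m.group(1)) * MULT[m.group(2).lower()]


def split_pair(field):
    """'128k/64k' -> (128000, 64000); a single value applies to both directions."""
    parts = field.split("/")
    if len(parts) == 1:
        rx = tx = parse_rate(parts[0])
    elif len(parts) == 2:
        rx, tx = parse_rate(parts[0]), parse_rate(parts[1])
    else:
        raise ValueError(f"too many '/' in {field!r}")
    return rx, tx


def rate_limit_to_wispr(value):
    """Translate a Mikrotik-Rate-Limit string into WISPr bit/s values.
    Assumed layout (MikroTik's documented order):
      rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold]
      [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]]
    with rx = client upload and tx = client download."""
    fields = value.split()
    if not fields:
        raise ValueError("empty rate limit")
    rx_max, tx_max = split_pair(fields[0])
    attrs = {"WISPr-Bandwidth-Max-Up": rx_max, "WISPr-Bandwidth-Max-Down": tx_max}
    if len(fields) >= 6:  # the guaranteed minimum, when given, is the sixth field
        rx_min, tx_min = split_pair(fields[5])
        attrs["WISPr-Bandwidth-Min-Up"] = rx_min
        attrs["WISPr-Bandwidth-Min-Down"] = tx_min
    return attrs


def radreply_rows(username, rate_limit, use_wispr=False):
    """Rows (UserName, Attribute, op, Value) for the radreply table: either the
    single MikroTik VSA or the equivalent WISPr attributes."""
    if use_wispr:
        rows = [(username, name, "=", str(bps))
                for name, bps in rate_limit_to_wispr(rate_limit).items()]
    else:
        rate_limit_to_wispr(rate_limit)  # validates the syntax before it is stored
        rows = [(username, "Mikrotik-Rate-Limit", "=", rate_limit)]
    for _, name, _, _ in rows:
        if not is_known_attribute(name):
            raise ValueError(f"Unknown attribute {name!r}")
    return rows


if __name__ == "__main__":
    for row in radreply_rows("00:01:4A:F1:6C:C7", "128k/64k"):
        print(row)
    for row in radreply_rows("00:01:4A:F1:6C:C7", "128k/64k", use_wispr=True):
        print(row)
```

Insert the returned tuples with a parameterised query rather than by string concatenation, since the UserName column holds whatever the NAS sent.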