Rewrite Radius-Request username with Circuit-ID DHCP-Option82 or PPPoE+

In the scenario of a BNG / B-RAS at an ISP, the authentication processes are always a pain.

This pain is highly mitigated if you can use the Option82 (or PPPoE+) sub-options to authenticate the subscribers (access-users).

On platforms like Cisco, Juniper, Huawei, Accell, you can rewrite the username that the radius-client of the NAS (BNG / B-RAS) will send to the radius on an authentication request.

Depending on the platform, this can be done with extremely limited flexibility (just replace), or it can be done with regex, or even by calling scripts to do that.

I suggest / request that MikroTik include this possibility in RouterOS as well.

The basic idea is that on a DHCP Radius request, instead of sending the mac-address as username, the radius client would replace the username field in the radius-auth-request with the information that comes in circuit-id | remote-id | subscriber-id.

Of course, it would need to include some extra logic like “what if this request does not come with Option82 as it is expected?”
But I think RouterOS engineers could think of a satisfactory solution to that.

Alternatively, if engineers are short on time, maybe just giving the possibility of a hook to a script, after the DHCP session has been initiated and before it goes to the radius-client part of the system, would be enough.

P.S.: I also created a feature request for that on MikroTik servicedesk. SUP-122259.
I’m creating a topic here also, so that other users could suggest improvements to that.

That would be a great enhancement to RouterOS, giving the option to authenticate users other than by standard PPPoE and removing all the extras involved in PPPoE tunnels.

One thing not to forget is also the ability to get the necessary bandwidth control information from Radius in order to create the necessary queues for each authenticated user in this way.

Yes, please! RouterOS is the only platform I know that does not allow this. As you mentioned, Cisco, Juniper, Huawei, and Accell already do this.

I don’t know about other countries, but in my country, finding an authentication system that goes beyond the basic user-pass authentication is a rarity.

Being able to customize with a script would be ideal, but I think simply being able to fill in a ‘mapping’ to replace various attributes with another attribute or variable would already cover most scenarios.

For example, in a PPPoE+ scenario, where the username attribute is replaced by the CircuitID and the password attribute by a standard string.

First modification:

Attribute to be modified or added: Type 1 (Username)
Where the value will be taken from: RADIUS Attribute

  • Type: 26 (Vendor-Specific)
  • Vendor-ID: 3561 (ADSL-Forum)
  • Vendor-Type: 1 (ADSL-Agent-Circuit-Id)

Second modification:

Attribute to be modified or added: Type 2 (Password)
Where the value will be taken from: String

  • Value: ‘pppoe’

Once processed, these modifications must be cached for the accounting packets.

Implementing this functionality would make RouterOS much more flexible and aligned with other major platforms in the market. Let’s hope that the MikroTik engineers consider this suggestion!
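
The two modifications listed in the post above, applied to a parsed RADIUS attribute list, as an added example that is not part of the thread and is not RouterOS code. The function names, the sample circuit ID and the choice to return `None` when no circuit ID is present are assumptions made for illustration; the password hiding follows RFC 2865 section 5.2.

```python
import hashlib
import struct

ADSL_FORUM, AGENT_CIRCUIT_ID = 3561, 1  # Vendor-ID / Vendor-Type from the post

def attr(t, value):  # encode one attribute or vendor sub-attribute as type, length, value
    return bytes([t, len(value) + 2]) + value

def parse_attrs(data):
    """Split a RADIUS attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def circuit_id(attrs):
    """Return ADSL-Agent-Circuit-Id (type 26, vendor 3561, vendor-type 1) or None.
    A malformed vendor-specific attribute raises ValueError."""
    for t, value in attrs:
        if t == 26 and len(value) > 4 and struct.unpack("!I", value[:4])[0] == ADSL_FORUM:
            subs = parse_attrs(value[4:])
            for sub_type, sub_value in subs:
                if sub_type == AGENT_CIRCUIT_ID and sub_value:
                    return sub_value
    return None

def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream, 16-byte blocks)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def rewrite(attrs, secret, authenticator, fixed_password=b"pppoe"):
    """Apply both modifications; None means no circuit ID, caller decides (assumed policy)."""
    cid = circuit_id(attrs)
    if cid is None:
        return None
    kept = [(t, v) for t, v in attrs if t not in (1, 2)]  # drop old User-Name / User-Password
    return [(1, cid), (2, hide_password(fixed_password, secret, authenticator))] + kept

# Constructed sample: User-Name carrying a MAC address plus the circuit-ID VSA.
SAMPLE = attr(1, b"aa:bb:cc:dd:ee:ff") + attr(
    26, struct.pack("!I", ADSL_FORUM) + attr(AGENT_CIRCUIT_ID, b"olt1 eth 1/1/3:100"))
```

The `None` branch is where the "what if this request does not come with Option82" question from the first post has to be answered, for example by rejecting the request or falling back to the original username.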