RouterOS Freeradius pb

Hello,

I have a problem with routerOS and freeradius.

I have followed the wiki for setting up the good configuration.
I have tested freeradius successfully.

When the CPE sends a request to the MikroTik, the radius request arrives fine but RouterOS says that it is a bad request. (When I do the request directly on freeradius, it is working.)
I do not see any exchange between routeros and freeradius.

What more tests can I do to find the mistake?

I use a r1000 with the 3.20 firmware.

I have done some research on Google too, without success. There is a lot of information about hotspot but less about PPP.

Thanks for your help.

regards

Matt

Should post the radius debug from the MT.

This is what I have:

/radius incoming> monitor
requests : 0
bad-requests : 1386
acks : 0
nacks : 0

How can I get more debug traces?

Thanks for your help

Enable radius debugging. And post that. Otherwise, you will need to contact a consultant.

Thanks for your help.

“signature = bad xxxxxxxxxxxxxxxxxx”
“received bad Access-Request with id 112 from xxx.xx.xx.xx”
“received remote request from xxxxx with bad signature, dropping”

wrong RADIUS secret configured?

This is what I thought. I have changed it to 1234 (very simple), but without success.

Greetings!

Did you set up the RADIUS server clients.conf file with this client?

There should be a default client for local requests and one for each remote:

client 127.0.0.1 {
    secret = radiussecret
    shortname = local
    nastype = other
}

client xxx.xxx.xxx.xxx {
    secret = radiussecret2
    shortname = router1
    nastype = other
}

xxx.xxx.xxx.xxx is the IP of the router with the hotspot/radius client.

Yes, I verified it. The NAS is OK.
When I try to log in directly it is OK.
Perhaps there is a mistake in the MikroTik parameters.
The setup seems very simple.

I don’t see any communication between MikroTik and freeradius. Is this normal?

What do you mean you don’t see any communication? Have you run the radius server in debug mode?
Stop the radiusd service and from a command line:
radiusd -X
The output should help.

I don’t see everything.
In debug mode, in MikroTik I see the message described above (bad signature). But I don’t see anything on the freeradius screen, and no communication between MikroTik and freeradius.

For my understanding, the client communicates with freeradius, which forwards to freeradius without any control?
I don’t see any rule in the firewall that can block the exchange.
I do not have any log about it (I log everything that is blocked).

Matt

I don’t think it is the MikroTik box blocking the requests. Have you opened ports 1812 and 1813 on your RADIUS server firewall? I presume you have a firewall or iptables protecting your server.

That is right, but I can authenticate directly.
I have opened the ports for all IPs for testing purposes, without success.

There must be something blocking the requests. I recommend going to www.grc.com and using the Shields Up program to test if port 1812 is really open.

I have the same problem, mwolff, did you resolve it?

Hello,

Sorry, I did not solve it. MikroTik registers well on my radius, but when a client tries, I do not see any exchange between MikroTik and my radius. In my MikroTik log, I see the radius error (bad signature).
I do not have any rule blocking. (I have also activated the log for the firewall.)

When my client tries directly on the radius, it is OK, but via MikroTik, it is not working.

I do not understand. It seems very simple but I can’t get it working well.

I will try on another MikroTik box without anything on it.

regards

Mathias

Even if you don’t see any packet exchange, there is. On the RADIUS machine try with:

# tcpdump -i any port radius

RADIUS sends Access-Accept packets, but RouterOS doesn’t accept them, claiming in the logs a “BAD signature” on the Access-Accept packet.
Really can’t explain why; Cisco access points are working well with the same RADIUS server (FreeRADIUS 2.1.4).
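
An added example, not part of the thread and not RouterOS or FreeRADIUS code: the RFC 2865 Response Authenticator check that a RADIUS client applies to an Access-Accept, showing how a reply signed with one shared secret fails verification on a client holding a different one. The packet, ID and request authenticator are constructed sample data; the two secrets reuse the placeholder values quoted earlier in the thread.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    # Server side: sign the reply with the server's copy of the shared secret.
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def check_reply(packet, request_id, request_auth, secret):
    # Client (NAS) side: recompute with the client's own secret and compare.
    if len(packet) < 20:
        return "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "bad length"
    if ident != request_id:
        return "id mismatch"
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad signature"
    return "ok"

# Constructed sample data (not captured traffic).
REQUEST_ID = 0x2E
REQUEST_AUTH = bytes(range(16))            # 16 random octets in a real request
REPLY_ATTRS = bytes([18, 7]) + b"hello"    # Reply-Message attribute: type 18, length 7
SERVER_SECRET = b"radiussecret2"           # value configured in clients.conf
NAS_SECRET_WRONG = b"1234"                 # a different value configured on the NAS

REPLY = build_reply(ACCESS_ACCEPT, REQUEST_ID, REPLY_ATTRS, REQUEST_AUTH, SERVER_SECRET)

if __name__ == "__main__":
    print("matching secret:  ", check_reply(REPLY, REQUEST_ID, REQUEST_AUTH, SERVER_SECRET))
    print("mismatched secret:", check_reply(REPLY, REQUEST_ID, REQUEST_AUTH, NAS_SECRET_WRONG))
```

The same recomputation can be run against a reply taken from a packet capture to confirm whether the secret configured on each side is really the one in use.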

Oh, exactly.
I see the Access Request but I do not see an Access Accept from radius on the radius server.

19:40:27.644504 IP auth1.1028 > 1xx.xx.xx.xx.radius: RADIUS, Access Request (1), id: 0x2e length: 76

I do not understand.

When I look in debug mode “freeradius -X” I do not see any request coming.

It is very strange.

My users and clients.conf files are OK.

Hey guys, I have the same problem. My access point is not forwarding authentication requests to freeRADIUS. Pls help me guys…

Hey everyone, might be a bit late, but I had the same issue.

If your RADIUS server is in a DMZ or someplace else then the incoming request must be coming from the same IP as your outbound radius request. I.E. If your radius server is 192.168.2.10, then the reply needs to come from 192.168.2.10, not some other network or translated IP.

Hope that helps, worked for me :)

Now I’m just trying to make the status.html fill out correctly…