[solved] freeradius + aaa + assign users to groups

hi

I have installed FreeRADIUS and set up MikroTik to use accounts in RADIUS to log in via telnet/ssh. The default group is read. I cannot find any info on how to set up RADIUS to assign some users to group full. I am using FreeRADIUS + Postgres backend.

Has anyone tried it?

radreply table (I have tried changing Mikrotik-Group to Group and the operator to = and == with no effect)

id | username |   attribute    | op | value 
----+----------+----------------+----+-------
  2 | kostek   | Mikrotik-Group | := | 1

from dictionary.mikrotik (shipped with freeradius)

# this attribute is unused
ATTRIBUTE	Mikrotik-Group				3	string

radusergroup table

username | groupname | priority 
----------+-----------+----------
 kostek   | full      |        1

please help.

I checked with User Manager.

In Users/Edit, in the “Group” entry:
full
write
read

In FreeRADIUS radreply table:
UserName “user”
Attribute “Mikrotik-Group”
op “=”
Value “full/write/read”

Use only one of those in the Value tho.

Thanks for the info, but:

  • freeradius says that Mikrotik-Group is no longer used (confusing)
  • in which table should I input this value (radreply, radgroupcheck, radgroupreply) and what should it look like (operator)?

Maybe you could post me some debug info from the MikroTik User Manager and the MikroTik device that speaks with User Manager. Maybe then I would figure out something.

AH HA!! I knew there was something up with the User Manager response! Try
Attribute “MT-Group”

What RouterOS version are you using?

The ‘radusergroup’ table is only used inside FreeRADIUS for assigning RADIUS users to ‘RADIUS groups’, and then returning a set of replies to said group, i.e.:

radcheck

  id |     username      |   attribute   | op |       value    
 ----+-------------------+---------------+----+-------------------
  67 | 00:15:6D:33:0B:48 | User-Password | == | 00:15:6D:33:0B:48

radusergroup

     username      |     groupname     | priority 
-------------------+-------------------+----------
 00:15:6D:33:0B:48 | mikrotik-wireless |        0

radgroupreply

 id |     groupname     |          attribute           | op | value 
----+-------------------+------------------------------+----+-------
  1 | mikrotik-wireless | Mikrotik-Wireless-Forward    | := | 0
  2 | mikrotik-wireless | Mikrotik-Wireless-Skip-Dot1x | := | 1

For your issue, you need this in ‘radreply’.

 id  |     username      |      attribute      | op |       value       
----+-------------------+---------------------+----+-------------------
 65  | test              | Mikrotik-Group      | =  | full
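
The reply above shows which table each kind of row lives in, and the earlier question was what the operator column should look like. As an added example (not part of the thread and not FreeRADIUS code), the following Python models how rlm_sql assembles one user's reply list: per-user radreply rows first, then each group's radgroupreply rows in radusergroup priority order, applying the FreeRADIUS reply-item operator rules ("=" adds only if absent, ":=" sets, "+=" always adds, "==" is a check-item comparison and never lands in a reply, which is why "==" in radreply has no effect). All rows, user names and group names below are constructed.

```python
"""Model of how FreeRADIUS rlm_sql assembles a user's reply list from the
radreply, radusergroup and radgroupreply tables.

Added example, not FreeRADIUS code. Rows are constructed to mirror the
tables shown in the thread; user and group names are made up.
"""

# Constructed sample rows. Column order matches the thread's tables.
RADREPLY = [
    # (username, attribute, op, value)
    ("kostek", "Mikrotik-Group", ":=", "full"),
    ("ukasz", "Reply-Message", "==", "never sent"),   # comparison op: ignored in a reply
]
RADUSERGROUP = [
    # (username, groupname, priority); lower priority value is processed first
    ("kostek", "mikrotik-admins", 1),
    ("kostek", "common", 2),
    ("ukasz", "mikrotik-admins", 1),
]
RADGROUPREPLY = [
    # (groupname, attribute, op, value)
    ("mikrotik-admins", "Mikrotik-Group", "=", "write"),   # "=" does not override a per-user ":="
    ("common", "Idle-Timeout", ":=", "600"),
    ("common", "Reply-Message", "+=", "welcome"),
]

# Operators that only make sense as check items; they are never moved into a reply.
COMPARISON_OPERATORS = {"==", "!=", "<", "<=", ">", ">="}


def apply_reply_item(reply: dict, attribute: str, op: str, value: str) -> bool:
    """Merge one table row into the reply dict. Returns True if the reply changed."""
    if op in COMPARISON_OPERATORS:
        return False                      # check-item operator: silently not a reply item
    if op == "=":
        if attribute in reply:            # add only if no value is present yet
            return False
        reply[attribute] = [value]
    elif op == ":=":
        reply[attribute] = [value]        # set, replacing any earlier value
    elif op == "+=":
        reply.setdefault(attribute, []).append(value)   # always add another value
    else:
        raise ValueError(f"unknown operator {op!r} for {attribute}")
    return True


def build_reply(username: str) -> dict:
    """Per-user radreply rows first, then each group's radgroupreply rows in
    radusergroup priority order (the order rlm_sql's authorize step uses)."""
    reply: dict = {}
    for user, attribute, op, value in RADREPLY:
        if user == username:
            apply_reply_item(reply, attribute, op, value)
    groups = sorted((prio, g) for user, g, prio in RADUSERGROUP if user == username)
    for _, group in groups:
        for g, attribute, op, value in RADGROUPREPLY:
            if g == group:
                apply_reply_item(reply, attribute, op, value)
    return reply


if __name__ == "__main__":
    for user in ("kostek", "ukasz"):
        print(user, build_reply(user))
```

Running it shows "kostek" keeping Mikrotik-Group = full from radreply even though his group says write, while "ukasz", who has no radreply row that survives, gets write from the group; radusergroup is only needed if you want group-based replies at all.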

[sql] 	expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'ukasz'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'ukasz'           ORDER BY id
rlm_sql: Failed to create the pair: Invalid octet string "full" for attribute name "Mikrotik-Group"
rlm_sql (sql): Error getting data from database

I have also tried with MT-Group and got the same error.
Do I need to have anything in the radusergroup table?

I used the above config with ROS 4.x. Haven’t tried it with 5.x. Is that what you are using?

do I need to have anything in the radusergroup table?

You don’t need anything. It’s optional based on your return params.

 #   NAME                                                                                                   VERSION                                                                                                  SCHEDULED              
 0   system                                                                                                 4.10                                                                                                                            
 1   dhcp                                                                                                   4.10                                                                                                                            
 2   hotspot                                                                                                4.10                                                                                                                            
 3   calea                                                                                                  4.10                                                                                                                            
 4   gps                                                                                                    4.10                                                                                                                            
 5   advanced-tools                                                                                         4.10                                                                                                                            
 6   mpls                                                                                                   4.10                                                                                                                            
 7   ipv6                                                                                                   4.10                                                                                                                            
 8   multicast                                                                                              4.10                                                                                                                            
 9   routerboard                                                                                            4.10                                                                                                                            
10   ups                                                                                                    4.10                                                                                                                            
11   security                                                                                               4.10                                                                                                                            
12   ntp                                                                                                    4.10                                                                                                                            
13   user-manager                                                                                           4.10                                                                                                                            
14   routing                                                                                                4.10                                                                                                                            
15   ppp                                                                                                    4.10                                                                                                                            
16   wireless                                                                                               4.10

ii  freeradius                           2.1.10+dfsg-2                     a high-performance and highly configurable RADIUS server
ii  freeradius-common                    2.1.10+dfsg-2                     FreeRADIUS common files
ii  freeradius-mysql                     2.1.10+dfsg-2                     MySQL module for FreeRADIUS server
ii  freeradius-utils                     2.1.10+dfsg-2                     FreeRADIUS client utilities
ii  libfreeradius2                       2.1.10+dfsg-2                     FreeRADIUS shared library
ii  libradius1                           0.3.2-13                          /bin/login replacement with RADIUS. Shared lib to used by programs
ii  radiusclient1                        0.3.2-13                          /bin/login replacement which uses the RADIUS protocol for authentication

Here is mine with user ‘test’.

mysql> insert into radreply (username,attribute,op,value) values ('test','Mikrotik-Group','=','read');
Query OK, 1 row affected (0.00 sec)

mysql>

OMG it is so SICK. I have found that in Debian not all dictionaries are included in the /usr/share/freeradius/dictionary file (which holds the $INCLUDE lines per vendor dictionary).
I was missing the $INCLUDE dictionary.mikrotik line.


Anyway, thanks for your quick response. Much appreciated. :smiley:
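
The resolution above (a missing $INCLUDE line, so the server never learned the name Mikrotik-Group) is easy to check before touching the database. As an added example that is not part of the thread and not FreeRADIUS code, the Python below parses a dictionary tree the way the top-level file is structured ($INCLUDE lines per vendor, VENDOR/BEGIN-VENDOR/ATTRIBUTE lines in the vendor file) and then builds the radreply pair the way FreeRADIUS 2.x does: a known name takes its dictionary type, an unknown name is treated as raw octets whose value must be a 0x-hex string, which is what the logged 'Invalid octet string "full" for attribute name "Mikrotik-Group"' reflects. The dictionary files are constructed in a temporary directory and contain only the lines needed here; the MikroTik vendor id 14988 is the one used by dictionary.mikrotik.

```python
"""Check that a FreeRADIUS dictionary tree defines the attribute used in radreply.

Added example, not FreeRADIUS code. Dictionary contents are constructed
stand-ins (only the lines this check needs); the real files are much longer.
"""
import tempfile
from pathlib import Path

# Top-level dictionary: just $INCLUDE lines. One variant lacks the MikroTik include,
# which is exactly the situation the thread ended up diagnosing.
TOP_WITHOUT_INCLUDE = """\
# top-level dictionary: one $INCLUDE line per vendor dictionary
$INCLUDE dictionary.rfc2865
"""
TOP_WITH_INCLUDE = TOP_WITHOUT_INCLUDE + "$INCLUDE dictionary.mikrotik\n"

DICT_RFC2865 = """\
ATTRIBUTE\tUser-Name\t\t1\tstring
ATTRIBUTE\tUser-Password\t\t2\tstring
ATTRIBUTE\tReply-Message\t\t18\tstring
"""

# Shaped like dictionary.mikrotik; attribute 3 is the line quoted in the thread.
DICT_MIKROTIK = """\
VENDOR\t\tMikrotik\t\t\t14988
BEGIN-VENDOR\tMikrotik
# this attribute is unused
ATTRIBUTE\tMikrotik-Group\t\t\t\t3\tstring
END-VENDOR\tMikrotik
"""


def load_dictionary(path: Path, attrs: dict = None, seen: set = None) -> dict:
    """Parse one dictionary file, following $INCLUDE relative to its directory.
    Returns {attribute_name: (vendor_id_or_None, number, type)}."""
    attrs = {} if attrs is None else attrs
    seen = set() if seen is None else seen
    path = path.resolve()
    if path in seen:                      # guard against include loops
        return attrs
    seen.add(path)
    vendors, current_vendor = {}, None
    for raw in path.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        keyword = fields[0].upper()
        if keyword == "$INCLUDE":
            load_dictionary(path.parent / fields[1], attrs, seen)
        elif keyword == "VENDOR":
            vendors[fields[1]] = int(fields[2])
        elif keyword == "BEGIN-VENDOR":
            current_vendor = vendors[fields[1]]
        elif keyword == "END-VENDOR":
            current_vendor = None
        elif keyword == "ATTRIBUTE":
            name, number, atype = fields[1], int(fields[2]), fields[3]
            attrs[name] = (current_vendor, number, atype)
    return attrs


def make_pair(attrs: dict, name: str, value: str) -> tuple:
    """Model of pair creation: a known name carries its dictionary type; an
    unknown name is raw octets and only accepts a 0x-hex value."""
    if name in attrs:
        vendor, number, atype = attrs[name]
        return (vendor, number, atype, value)
    if not value.lower().startswith("0x"):
        raise ValueError(f'Invalid octet string "{value}" for attribute name "{name}"')
    return (None, None, "octets", bytes.fromhex(value[2:]))


def check_radreply_row(top_dictionary_text: str, attribute: str, value: str) -> str:
    """Write the constructed tree to a temp dir, load it, and report whether the
    given radreply (attribute, value) would parse."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dictionary").write_text(top_dictionary_text)
        (root / "dictionary.rfc2865").write_text(DICT_RFC2865)
        (root / "dictionary.mikrotik").write_text(DICT_MIKROTIK)   # present on disk, maybe not included
        attrs = load_dictionary(root / "dictionary")
        try:
            vendor, number, atype, _ = make_pair(attrs, attribute, value)
        except ValueError as exc:
            return f"rlm_sql: Failed to create the pair: {exc}"
        return f"ok: {attribute} = {value!r} (vendor {vendor}, attr {number}, type {atype})"


if __name__ == "__main__":
    print(check_radreply_row(TOP_WITHOUT_INCLUDE, "Mikrotik-Group", "full"))
    print(check_radreply_row(TOP_WITH_INCLUDE, "Mikrotik-Group", "full"))
```

On a real box the same check is running load_dictionary against /usr/share/freeradius/dictionary and looking up the name you intend to put in radreply; the vendor file being present in the directory is not enough, it has to be reachable through the $INCLUDE chain.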