Usermanager v7 + Radius + Mikrotik Login

I have the Radius server and user manager on the router.
I would like to log in on a Mikrotik access point.
Unfortunately that does not work. Does anyone know why?

Router:
3.jpg
Client:
1.jpg
Winbox:
2.jpg

Better to see exports than pictures that cannot talk…

You allow 127.0.0.1 on firewall???

You add 2nd router (the client) on user manager?

You allow 127.0.0.1 on firewall???
Isn’t 127.0.0.1 always allowed? I changed it to 192.168.155.254. Still doesn’t work.

Client

/user
add comment="system default user" group=full name=admin
/user aaa
set default-group=full interim-update=10m use-radius=yes
/radius
add accounting-backup=no accounting-port=1813 address=192.168.155.254 authentication-port=1812 called-id="" certificate=none disabled=no domain="" protocol=udp realm="" service=ppp,login,hotspot,wireless,dhcp,ipsec,dot1x timeout=300ms
/radius incoming
set accept=yes port=3799

Server

/user-manager limitation
add name=lim1
/user-manager profile
add name=prof1 name-for-users=test
/user-manager user group
set [ find default-name=default ] attributes=Mikrotik-Group:test.lan
add attributes=Mikrotik-Group: name=MikrotikLogin outer-auths=pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
/user-manager user
add group=MikrotikLogin name=test
/user-manager
set certificate=*0 enabled=yes
/user-manager profile-limitation
add limitation=lim1 profile=prof1
/user-manager router
add address=192.168.155.254 name=router
add address=192.168.155.161 name=client
/user-manager user-profile
add profile=prof1 user=test
/radius
add address=192.168.155.254 service=ppp,login,hotspot,wireless,dhcp,ipsec,dot1x
/radius incoming
set accept=yes

Is that better? Does anyone have an idea why that doesn’t work?
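A way to cross-check the two exports for the points raised in the replies (the client listed under /user-manager router, the certificate setting on each side) and for the client-side login prerequisites visible in the export. This is an added example, not part of the original posts; the function names are hypothetical, the sample text is trimmed from the exports above, and it assumes one command per export line.

```python
import shlex
# Constructed sample: trimmed copies of the client and server exports in the thread.
CLIENT = """
/user aaa
set default-group=full interim-update=10m use-radius=yes
/radius
add address=192.168.155.254 certificate=none protocol=udp service=ppp,login,hotspot
"""
SERVER = """
/user-manager
set certificate=*0 enabled=yes
/user-manager router
add address=192.168.155.254 name=router
add address=192.168.155.161 name=client
"""

def parse_export(text):
    """Parse export text into {menu path: [{key: value}, ...]}, one command per line."""
    menus, path = {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
            menus.setdefault(path, [])
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted values together
            menus[path].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus

def first(menus, path):
    return (menus.get(path) or [{}])[0]  # {} when the menu is absent

def cross_check(client_text, server_text, client_ip):
    """Return findings for the points the replies ask about."""
    client, server, findings = parse_export(client_text), parse_export(server_text), []
    if first(client, "/user aaa").get("use-radius") != "yes":
        findings.append("client: /user aaa use-radius is not yes")
    login = [r for r in client.get("/radius", []) if "login" in r.get("service", "").split(",")]
    if not login:
        findings.append("client: no /radius entry with service=login")
    routers = {r.get("address") for r in server.get("/user-manager router", [])}
    if client_ip not in routers:
        findings.append(f"server: {client_ip} not in /user-manager router")
    um_cert = first(server, "/user-manager").get("certificate", "none")
    for r in login:
        cert = r.get("certificate", "none")
        if cert != um_cert:
            findings.append(f"certificate differs: client={cert} server={um_cert}")
    return findings
```

Calling `cross_check(CLIENT, SERVER, "192.168.155.161")` on the sample returns only the certificate difference; firewall rules are outside what these two menus show and still have to be checked in the full export.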

On Client:
/radius
add […] certificate=none […]

On Server:
/user-manager
set certificate=*0 enabled=yes

Where has the certificate gone?

Is it OK like this?

Server:
/user-manager/print
enabled: yes
authentication-port: 1812
accounting-port: 1813
certificate: *0
use-profiles: no

Client:
/radius
add accounting-backup=no accounting-port=1813 address=192.168.155.254 authentication-port=1812 called-id="" certificate=none disabled=no domain="" protocol=udp realm="" service=ppp,login,hotspot,wireless,dhcp,ipsec,dot1x timeout=300ms
/radius incoming
set accept=yes port=3799

On Client certificate=none

On Server certificate=*0

Can you see the difference?

Oh, yes, I see the difference :laughing:

Is it better like this?

Client:
/radius
add accounting-backup=no accounting-port=1813 address=192.168.155.254 authentication-port=1812 called-id="" certificate=none disabled=no domain="" protocol=udp realm="" service=ppp,login,hotspot,wireless,dhcp,ipsec,dot1x timeout=300ms
/radius incoming
set accept=yes port=3799

Server:
/user-manager/print
enabled: yes
authentication-port: 1812
accounting-port: 1813
certificate: none
use-profiles: no

But it still doesn’t work. Or is a certificate mandatory?

OK, this is the last time I write on this topic:
post the export of both devices.
It is useless to post only some lines (probably with errors now solved)
without posting all the others.
Simply, everything CAN be blocked by firewall rules, or we are just guessing because you do not reveal everything
(including a schema that reveals how both devices are connected).

Have a nice day and good fortune.