Hello everyone. I need some help with configuration of VPN (L2TP) and WiFi authorization via FreeRADIUS.
My goal is to configure one point for authorizing all connections. There is no Windows server in my company, so I have to use Linux.
FreeRADIUS 3.0 is running on an Ubuntu 18 server, all updates are installed. IP 10.10.0.134
Configuration of freeradius:
I added to file /etc/freeradius/3.0/clients.conf
As far as I know, the RADIUS authentication on MikroTik works like this.
Access-Request. The MikroTik asks the RADIUS server whether the username and the other requirements match the data on the RADIUS server. If the data match, RADIUS replies with an Access-Accept. If not, it replies with an Access-Reject.
Access-Accept. RADIUS sends the attributes for the requested user to the MikroTik, such as Framed-Pool, Framed-IP, etc. These are placed in the radreply table of the database if you are using MySQL.
MikroTik will configure the ppp/wireless/hotspot/login client based on this data. If this data does not exist, the MikroTik will take it from the default configuration.
For example: PPP will take its configuration from /ppp profile default or default-encryption, depending on the server configuration.
I think this is the schema you are asking about.
Thank you for your response, my problem becomes more clear!
As far as I understood, the only thing I need is to add a record to the radreply table. And that's all? 0_o
That depends on how far you want to utilize the FreeRADIUS features.
For basic features like just PPP authentication and then giving users an IP and a bandwidth limiter, you have to add a record in the radcheck table for the Access-Request and a record in radreply for the Access-Accept.
Thank you so much for help.
But how do I assign an IP with mask, DNS, gateway, and route to the client correctly?
I need a schema for remote connection to my network for using inner resources, but the default route shouldn't be modified. All traffic should flow through the user's internet channel except for the 10.10.5.0/24 network.
The client gets only an IP address from the database, while the other parameters remain at their defaults.
Connection with Freeradius:
Connection without Freeradius (correct connection):
The previous question was resolved by configuring the default gateway on the client side, so everything is fine.
The next problem is how to assign a PPTP user's IP or name (user1 = 10.11.1.145 in my case) to a MikroTik firewall group?
Because firewall groups help to deal with rules.
I've tried to add a record to the radreply table, but without result:
INSERT INTO radius.radreply (username, attribute, op, value) VALUES ('user1', 'Mikrotik-Address-List', ':=', 'remote_managers');
After user1 connected to Mikrotik:
there is a record in the log that MT-Address-List="remote_managers", but it doesn't appear in Firewall > Address List.
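To put the radcheck/radreply split from the earlier reply and the radreply INSERT above side by side, here is an added example (not from any poster in this thread). It assumes the standard FreeRADIUS SQL schema in a database named radius with the MikroTik dictionary loaded; user1, 10.11.1.145 and remote_managers are the values from this thread, the password and rate limit are placeholders.

```sql
-- Constructed example for the standard FreeRADIUS SQL schema (database "radius").
-- Assumptions: MikroTik dictionary loaded; user1 / 10.11.1.145 / remote_managers
-- come from this thread, everything else is a placeholder.

-- radcheck is consulted on Access-Request. MS-CHAPv2 (what L2TP/PPTP use) needs the
-- password as Cleartext-Password or NT-Password; salted hashes such as SSHA-Password
-- cannot be used with MS-CHAP, so protect this table with tight DB grants instead.
INSERT INTO radius.radcheck (username, attribute, op, value)
VALUES ('user1', 'Cleartext-Password', ':=', 'CHANGE-ME-placeholder');

-- radreply rows are returned in Access-Accept. The op ':=' sets the attribute,
-- overriding anything the server would otherwise send for it.
INSERT INTO radius.radreply (username, attribute, op, value) VALUES
  ('user1', 'Framed-IP-Address',     ':=', '10.11.1.145'),   -- fixed tunnel address
  ('user1', 'Mikrotik-Rate-Limit',   ':=', '10M/10M'),       -- rx/tx, placeholder values
  ('user1', 'Mikrotik-Address-List', ':=', 'remote_managers'); -- firewall address list

-- Sanity check: this is exactly what the server will hand to the MikroTik for user1,
-- so compare it with the MT-Address-List line in the router log.
SELECT username, attribute, op, value
FROM   radius.radreply
WHERE  username = 'user1'
ORDER  BY id;
```

Run the server in the foreground with freeradius -X while a client connects, and every attribute taken from these rows is printed in the Access-Accept it sends.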
This is a problem with having ONLY ONE profile for the VPN engine… it is still a big problem to divide RADIUS users into sub-groups.
My way is to use a script inside the PROFILE that checks new users' logins and, if the user is in an internal list, adds their VPN IP to a firewall address list as a basis for having their own ACL.
Many OK/Apply changes inside a profile do not disconnect users, so you can edit these scripts and save the changes safely.
This is the only workaround I found for that problem in years of searching.
Example
PPP Profile \ Scripts \ on-up:
# Users that should land in the address list (RouterOS array syntax).
:local userlist {"sib1";"sib2";"sib3"}
:foreach x in=$userlist do={
    # $user is provided by the PPP profile to the on-up script.
    :if ($x = $user) do={
        # Look up the address the pool handed to this user.
        :local userip [/ip pool used get [find where info=$user] address]
        /ip firewall address-list add list=vpn-radius-list1 address=$userip comment=$user
    }
}
PPP Profile \ Scripts \ on-down:
# Remove the entry again when the user disconnects.
/ip firewall address-list remove [find list=vpn-radius-list1 comment=$user]
This is not a perfect way, especially when you want to use many usernames as a sub-group.
Maybe someone has another way… maybe ros7 has/gives a new way…