Hi,
I have set up IKEv2 server running on my Mikrotik 6.40.1 with authentication done by EAP passthrough to a RADIUS server which works fine except that no RADIUS Accounting records are ever sent from the Mikrotik to the RADIUS server; I only see the Auth requests.
I know accounting works because it works fine for my Wireless clients.
Does anyone have any suggestions? Has anyone ever got RADIUS accounting with IKEv2 EAP passthrough working on their Mikrotik?
Regards,
Achelon
Re: IKEv2 and EAP Radius - No accounting records
it is likely that accounting records are only written for protocols where a dynamic interface is created for the traffic (PPP based)
Re: IKEv2 and EAP Radius - No accounting records
OK, understood. That is a shame.
Regards,
Achelon
Regards,
Achelon
Re: IKEv2 and EAP Radius - No accounting records
Well, EAP on WiFi also does accounting, so maybe it is only an issue with IKEv2.
Of course you can always do a feature request via the mail address...
Of course you can always do a feature request via the mail address...
Re: IKEv2 and EAP Radius - No accounting records
Accounting for IKEv2 currently is not implemented.
-
-
eifLZ9D8zSwW
just joined
- Posts: 10
- Joined:
Re: IKEv2 and EAP Radius - No accounting records
Hi achelon,Hi,
I have set up IKEv2 server running on my Mikrotik 6.40.1 with authentication done by EAP passthrough to a RADIUS server which works fine except that no RADIUS Accounting records are ever sent from the Mikrotik to the RADIUS server; I only see the Auth requests.
I know accounting works because it works fine for my Wireless clients.
Does anyone have any suggestions? Has anyone ever got RADIUS accounting with IKEv2 EAP passthrough working on their Mikrotik?
Regards,
Achelon
would you be so kind and share config for IKEv2 eap radius?
What client do yu use? W10 / Android with Strongswan?
thanks a lot
-
-
vmarkovsky
just joined
- Posts: 8
- Joined:
Re: IKEv2 and EAP Radius - No accounting records
Hi achelon, would you be so kind and share config for IKEv2 eap radius?I have set up IKEv2 server running on my Mikrotik 6.40.1 with authentication done by EAP passthrough to a RADIUS server which works fine
Regards,
Achelon
Re: IKEv2 and EAP Radius - No accounting records
Hi,
As requested. though I don't think there is anything special about my config. The IKEv2 accounting thing is still not fixed as well after all this time. Here is it.
Regards,
Achelon
As requested. though I don't think there is anything special about my config. The IKEv2 accounting thing is still not fixed as well after all this time. Here is it.
Regards,
Achelon
Code: Select all
/radius
add address=<radius server IP> secret=Password service=ppp,login,hotspot,wireless,dhcp,ipsec timeout=3s
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no
add name=cfg_priv split-include=0.0.0.0/0,<LAN SUBNET> static-dns="" system-dns=yes
/ip ipsec peer proposal
set [ find default=yes ] dh-group=modp2048,modp1024 enc-algorithm=aes-128,3des hash-algorithm=sha1 lifetime=1d name=default proposal-check=obey
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=1d name=proposal_1 proposal-check=obey
/ip ipsec policy group
set [ find default=yes ] name=default
add name=group1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 disabled=no enc-algorithms=aes-256-cbc lifetime=1d name=default pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate=<cert filename> comment=IKEv2 disabled=no dpd-interval=2m exchange-mode=ike2 \
generate-policy=port-strict local-address=<WAN IP> mode-config=cfg_priv my-id=fqdn:<WAN FQDN> passive=yes policy-template-group=\
default proposal=proposal_1 send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=yes
/ip ipsec user settings
set xauth-use-radius=yesRe: IKEv2 and EAP Radius - No accounting records
This thread is about one year old. Still not implemented?
I would really really love to see this implemented.
I'm running 6.42.3 and no accounting records are issued by Mikrotik.
I would really really love to see this implemented.
I'm running 6.42.3 and no accounting records are issued by Mikrotik.
Re: IKEv2 and EAP Radius - No accounting records
I know, this is so frustrating. I thought it might be fixed after a year.
Re: IKEv2 and EAP Radius - No accounting records
RADIUS accounting has been implemented. Please let us know if you have any feedback or issues with it.What's new in 6.45beta16 (2019-Mar-18 07:49):
Changes in this release:
*) ipsec - added support for RADIUS accounting;
Re: IKEv2 and EAP Radius - No accounting records
I have just tested this and to be fair, it seems to work. Thanks for listening, i had given up hope.
Achelon
Achelon
Re: IKEv2 and EAP Radius - No accounting records
Does anyone know what the value passed in NAS-Port-Id means for IPSEC sessions? The documentation doesn't (yet?) cover IPSEC:
NAS-Port-Id - async PPP - serial port name; PPPoE - ethernet interface name on which server is running; HotSpot - name of the physical HotSpot interface (if bridged, the bridge port name is showed here); not present for ISDN, PPTP and L2TP
NAS-Port-Id - async PPP - serial port name; PPPoE - ethernet interface name on which server is running; HotSpot - name of the physical HotSpot interface (if bridged, the bridge port name is showed here); not present for ISDN, PPTP and L2TP
Re: IKEv2 and EAP Radius - No accounting records
Do you have any specific needs or ideas what might be a good value to pass in NAS-Port-Id? Currently a hex value of the remote peer's ID is written there and as far as we can see, RFC is not very specific what should be written there. Perhaps, the specific Identity ID could be written there?
Re: IKEv2 and EAP Radius - No accounting records
Hi,
As requested. though I don't think there is anything special about my config. The IKEv2 accounting thing is still not fixed as well after all this time. Here is it.
I'm trying to setup something like this. But I'm pretty much stuck on the radius setup.
Does anyone have some pointer to a document where this is described.
Thanks
Ekkehard
Re: IKEv2 and EAP Radius - No accounting records
There are many tutorials on the Internet about how to set up EAP RADIUS server. You can also take a look at this wiki article which describes how to set up Freeradius EAP authentication for wireless, that has pretty much the same configuration for IKEv2.
https://wiki.mikrotik.com/wiki/Manual:W ... FreeRADIUS
https://wiki.mikrotik.com/wiki/Manual:W ... FreeRADIUS
Re: IKEv2 and EAP Radius - No accounting records
The current approach is fine, I was just curious.Do you have any specific needs or ideas what might be a good value to pass in NAS-Port-Id? Currently a hex value of the remote peer's ID is written there and as far as we can see, RFC is not very specific what should be written there. Perhaps, the specific Identity ID could be written there?
One other question I have - although I receive the start and stop accounting records, I never receive any interim records - is this by design or a bug?
Regards,
Achelon
Re: IKEv2 and EAP Radius - No accounting records
Make sure you specify "interim-update" parameter under '/ip ipsec settings'. This setting currently is CLI only.
Re: IKEv2 and EAP Radius - No accounting records
You are correct, works fine when this is set to a non-zero value.Make sure you specify "interim-update" parameter under '/ip ipsec settings'. This setting currently is CLI only.
Sent from my iPad using Tapatalk
Who is online
Users browsing this forum: No registered users and 83 guests