ulink
Member Candidate
Topic Author
Posts: 128
Joined: Fri Mar 05, 2010 5:07 am

Authenticate hotspot users via radius over pptp

Tue May 03, 2011 4:18 pm

I have set up a remote RadiusManager server and have a 750 as a hotspot making a PPTP connection back to the NOC 450G. The RadiusManager documentation specifies the use of a PPP interface. Following those instructions is simple; however, there is no PPTP interface available when setting up the PPPoE service. Should there be?
What NAS settings do I need to use to auth hotspot users over the established PPTP link?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Authenticate hotspot users via radius over pptp

Tue May 03, 2011 4:58 pm

PPTP isn't a requirement for RADIUS. I don't know what documentation you're reading, though. RADIUS just passes as UDP traffic. If you want to protect the RADIUS traffic passing between a server and NAS you can pass it through a VPN tunnel, such as PPTP. That doesn't affect RADIUS whatsoever - you just use the IP addressing on either end of the VPN tunnel. The NAS and RADIUS server are entirely unaware of PPTP being involved.
 
ulink
Member Candidate
Topic Author
Posts: 128
Joined: Fri Mar 05, 2010 5:07 am

Re: Authenticate hotspot users via radius over pptp

Tue May 03, 2011 11:26 pm

Thanks Fewi
Yes, I am simply trying to tunnel the RADIUS auth traffic through the PPTP tunnel that is already established.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Authenticate hotspot users via radius over pptp

Wed May 04, 2011 12:18 am

Then all you need to do is specify a RADIUS server that the NAS knows to reach via the tunnel. That has nothing to do with the RADIUS server configuration on the NAS as such - it's all just in the routing table, like any other packet. Vice versa for the RADIUS server - for it to reply to the NAS via the tunnel, the routers transporting the reply just have to push the packet through the tunnel.
 
ulink
Member Candidate
Topic Author
Posts: 128
Joined: Fri Mar 05, 2010 5:07 am

Re: Authenticate hotspot users via radius over pptp

Wed May 04, 2011 2:08 am

Well, I have been jacking with the config for 2.5 hours now. I appear no closer, although the steps to getting these two to see each other are straightforward.
I could use some additional eyes on this setup. Below are my exports:
Network is Radius Server-->450G (pptp server)-->DSL<--Interwebs-->DSL-->Router-->750 (pptp client)-->Test PC


I can ping the radius machine through the tunnel and the 750 NAS going the other way. Tunnel is open. There are only 4 fields needed for NAS info in RadiusManager: NAS name (test), IP (192.168.8.1), type (mikrotik), secret (xxxxxxxx).

750 pptp client
[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 ;;; default configuration
192.168.8.1/24 192.168.8.0 192.168.8.255 ether2-local-master
1 D 192.168.0.104/24 192.168.0.0 192.168.0.255 ether1-gateway
2 D 192.168.8.1/32 10.0.2.1 0.0.0.0 radius

[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.0.1 1
1 A S 10.0.2.0/24 10.0.2.1 1
2 ADC 10.0.2.1/32 192.168.8.1 radius 0
3 ADC 192.168.0.0/24 192.168.0.104 ether1-gateway 0
4 ADC 192.168.8.0/24 192.168.8.1 ether2-local-ma... 0

[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU
0 R ether1-gateway ether 1500 1526
1 R ether2-local-master ether 1500 1524
2 ether3-local-slave ether 1500 1524
3 R ether4-local-slave ether 1500 1524
4 ether5-local-slave ether 1500 1524
5 R radius pptp-out 1460
[admin@MikroTik] >


[admin@MikroTik] > ip firewall export
# jan/09/1970 04:23:33 by RouterOS 4.11
# software id = MASG-KBWU
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1700 in-interface=radius protocol=tcp to-addresses=10.0.2.188 to-ports=\
1700
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8291 in-interface=radius protocol=tcp to-addresses=192.168.8.1 to-ports=\
8291
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.8.198 \
to-ports=443
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=192.168.8.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

450G pptp server and location of radius server

ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.0.2.1/24 10.0.2.0 10.0.2.255 lan
1 ;;; bridge for user manager
10.0.0.1/32 10.0.0.1 10.0.0.1 bridge1
2 216.x.x.x/x 216.x.x.x 216.x.x.x wan
3 X 10.0.1.1/24 10.0.1.0 10.0.1.255 lan2
4 X ;;; test vlan Users ID 1
10.0.3.1/24 10.0.1.0 10.0.1.255 vlan1
5 D 10.0.2.1/32 192.168.15.1 0.0.0.0 <pptp-scenice>
6 D 10.0.2.1/32 192.168.88.1 0.0.0.0 <pptp-theoaks>
7 D 10.0.2.1/32 192.168.5.1 0.0.0.0 <pptp-scenicd>
8 D 10.0.2.1/32 192.168.3.1 0.0.0.0 <pptp-nb937939>
9 D 10.0.2.1/32 192.168.4.1 0.0.0.0 <pptp-nb782784>
10 D 10.0.2.1/32 192.168.8.1 0.0.0.0 <pptp-radius>
11 D 10.0.2.1/32 10.0.0.1 0.0.0.0 <pptp-lofts>


[admin@MikroTik] > ip firewall export
# may/03/2011 17:56:03 by RouterOS 4.11
# software id = 7JCH-G18A
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes \
src-address=10.10.10.1
add action=accept chain=input comment="Accept established connections" connection-state=established \
disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=accept chain=input comment="from my lan" disabled=no in-interface=lan src-address=\
10.0.0.0/24
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=drop chain=forward comment="" connection-state=invalid disabled=yes protocol=tcp
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=drop chain=input comment="Drop everything else" disabled=yes
add action=log chain=input comment="Log everything else" disabled=no log-prefix="Drop Input"
add action=accept chain=input comment=udp disabled=yes protocol=udp
add action=accept chain=input comment="allow limited pings" disabled=yes limit=50,1 protocol=icmp
add action=accept chain=input comment="" disabled=yes in-interface="(unknown)"
add action=drop chain=input comment="drop excessive pings" disabled=yes protocol=icmp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no out-interface=wan \
src-address=10.0.2.0/24
add action=dst-nat chain=dstnat comment=sysaid disabled=no dst-port=8080 in-interface=wan protocol=tcp \
to-addresses=10.0.2.191 to-ports=8080
add action=dst-nat chain=dstnat comment="ubnt manager" disabled=no dst-port=9443 in-interface=wan \
protocol=tcp to-addresses=10.0.2.191 to-ports=9443
add action=dst-nat chain=dstnat comment="radius server port 22" disabled=no dst-port=8081 in-interface=\
wan protocol=tcp to-addresses=10.0.2.188 to-ports=22
add action=dst-nat chain=dstnat comment="radius server port 10000" disabled=no dst-port=10000 \
in-interface=wan protocol=tcp to-addresses=10.0.2.188 to-ports=10000
add action=dst-nat chain=dstnat comment="radius server forward to port 80" disabled=no dst-port=8082 \
in-interface=wan protocol=tcp to-addresses=10.0.2.188 to-ports=443
add action=dst-nat chain=dstnat comment="Radius accounting" disabled=no dst-port=1812 in-interface=wan \
protocol=udp to-addresses=10.0.2.188 to-ports=1812
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1813 in-interface=wan protocol=udp \
to-addresses=10.0.2.188 to-ports=1813
add action=dst-nat chain=dstnat comment="radius accounting" disabled=yes dst-port=1700 in-interface=\
"(unknown)" protocol=tcp to-addresses=10.0.2.188 to-ports=1700
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 wan 1
1 A S 10.0.0.0/24 10.0.0.1 1
2 ADC 10.0.0.1/32 10.0.0.1 bridge1 0
<pptp-lofts>
3 ADC 10.0.2.0/24 10.0.2.1 lan 0
4 ADC 192.168.3.1/32 10.0.2.1 <pptp-nb937939> 0
5 ADC 192.168.4.1/32 10.0.2.1 <pptp-nb782784> 0
6 ADC 192.168.5.1/32 10.0.2.1 <pptp-scenicd> 0
7 ADC 192.168.8.1/32 10.0.2.1 <pptp-radius> 0
8 ADC 192.168.15.1/32 10.0.2.1 <pptp-scenice> 0
9 ADC 192.168.88.1/32 10.0.2.1 <pptp-theoaks> 0
10 ADC 216.x.x.x/x 216.x.x.x wan 0
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Authenticate hotspot users via radius over pptp

Wed May 04, 2011 4:14 am

On the client the IP addresses on the PPTP interface and one ethernet interface are overlapping. Assign different address space to the PPTP tunnel.
Also you will have to make sure the RADIUS client has the correct source address set so the server can find it via the PPTP tunnel. And I'm assuming you're using the other end as the RADIUS server address. If in doubt post the output of "/radius export", wrapped in code tags so it stays readable.
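The two pieces of advice in this thread (reach the RADIUS server through the tunnel by routing, and give the tunnel its own non-overlapping addresses with the RADIUS client sourcing from the tunnel address) put together as one RouterOS configuration. This is an added example, not configuration posted in the thread or taken from RadiusManager. Assumed for the example: a dedicated tunnel subnet 10.0.9.0/24 (10.0.9.1 on the 450G, 10.0.9.2 on the 750), a PPTP user named "radius", a hotspot profile named "hsprof1", a placeholder secret CHANGEME, and that the RADIUS server is 10.0.2.188, the address the 450G export already forwards to. The 216.x.x.x WAN address is left elided as it is on the page.

```routeros
# Added example, not from the thread. Assumes tunnel subnet 10.0.9.0/24,
# PPTP user "radius", hotspot profile "hsprof1", RADIUS server 10.0.2.188
# and placeholder secrets CHANGEME.

# --- 450G (PPTP server, same site as the RADIUS server) ---
# Give the tunnel its own address space. In the posted export the server end
# reuses the LAN address 10.0.2.1 and the client end gets 192.168.8.1, which
# is also the 750's own LAN address: that is the overlap to remove.
/ppp secret add name=radius password=CHANGEME service=pptp \
    local-address=10.0.9.1 remote-address=10.0.9.2
# Return path: the RADIUS server must reach 10.0.9.2. This works as-is when
# 10.0.2.188 uses the 450G as its default gateway; otherwise add a route to
# 10.0.9.0/24 via 10.0.2.1 on the RADIUS server itself.

# --- 750 (PPTP client, hotspot NAS) ---
/interface pptp-client add name=radius connect-to=216.x.x.x user=radius \
    password=CHANGEME add-default-route=no disabled=no
# Only the NOC LAN goes through the tunnel; Internet traffic stays on ether1.
/ip route add dst-address=10.0.2.0/24 gateway=radius
# The RADIUS client talks to the server through the tunnel and sources its
# packets from the tunnel address. The server identifies a NAS by the source
# IP of the request, so this must match the IP in the RadiusManager NAS entry
# (10.0.9.2 here, not 192.168.8.1); a mismatch is dropped silently and the
# NAS only sees a timeout.
/radius add service=hotspot address=10.0.2.188 secret=CHANGEME \
    src-address=10.0.9.2 authentication-port=1812 accounting-port=1813 \
    timeout=3000ms
/ip hotspot profile set hsprof1 use-radius=yes

# --- checks ---
# 1. The path works with the exact source address RADIUS will use.
/ping 10.0.2.188 src-address=10.0.9.2 count=3
# 2. Authentication packets really leave via the tunnel (run during a login).
/tool sniffer quick interface=radius ip-protocol=udp port=1812

# --- 450G clean-up ---
# The posted 450G export dst-nats UDP 1812/1813 from the WAN straight to the
# RADIUS server. Once RADIUS rides the tunnel those rules only expose the
# server to the Internet, so disable them.
/ip firewall nat disable [find protocol=udp dst-port=1812 in-interface=wan]
/ip firewall nat disable [find protocol=udp dst-port=1813 in-interface=wan]
```

Two points worth keeping in mind. First, the RADIUS shared secret only obscures the User-Password attribute; usernames, NAS identity and accounting records travel in the clear, which is why carrying RADIUS inside the tunnel rather than over the raw WAN is the right call, and why the WAN port-forwards above should go. Second, the secret must be identical on the 750 (/radius) and in the RadiusManager NAS entry, and the NAS entry's IP must be the tunnel address the 750 sources from; those two values are what the server uses to accept or silently discard a request.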
 
ulink
Member Candidate
Topic Author
Posts: 128
Joined: Fri Mar 05, 2010 5:07 am

Re: Authenticate hotspot users via radius over pptp

Wed May 04, 2011 5:23 am

Thanks Fewi
I will work on this ASAP and update the post.
 
ulink
Member Candidate
Topic Author
Posts: 128
Joined: Fri Mar 05, 2010 5:07 am

Re: Authenticate hotspot users via radius over pptp

Fri May 06, 2011 6:14 pm

Well, I just got it working. However, I cannot say for certain what the fix was. I applied the new addresses to the tunnel but that was two days ago. Since then, I have spent 4 hours flipping numerous different switches. Finally, after 5 attempts of "Radius Server Not Responding" I get through.
Going to muck with the settings some more to identify exactly what it was.
 
ener
Frequent Visitor
Posts: 62
Joined: Fri May 10, 2013 4:47 pm

Re: Authenticate hotspot users via radius over pptp

Mon Jun 10, 2013 1:28 pm

Can you share your solution on how you made remote RADIUS management work?
