alinux
just joined
Topic Author
Posts: 12
Joined: Thu Feb 01, 2007 1:30 am

Only allow registered MAC addresses to authenticate PPPoE

Thu Feb 01, 2007 1:40 am

Hi
I would like to limit the computers allowed to authenticate through PPPoE to the PCs whose MAC address I register.
Therefore I would like to ask: how do I block all authentication requests except those that I would like to allow?
I have noticed the "Access List" entry in the WebBox interface and I think it is the solution to allowing certain MAC addresses, but how do I disable all other MAC addresses?
And where can I find the same as "Access List" in the WinBox program?

Another question would be: what is the regtable in the WebBox used for?

And if you guys don't mind, I would like to ask if I could set the state of PPPoE connections to "sticky", so that once a user tries to authenticate for the first time through PPPoE his MAC address gets registered automatically.

I hope that I did not ask too much... thx for any help
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Thu Feb 01, 2007 1:50 pm

Set IP ARP to reply-only and register the MAC addresses you want to authenticate with your PPPoE service.
 
alinux
just joined
Topic Author
Posts: 12
Joined: Thu Feb 01, 2007 1:30 am

Thu Feb 01, 2007 11:21 pm

Hi
Thx for your help... I've used WinBox and navigated to menu IP -> ARP, but I could not find a setting there to set IP ARP to reply-only.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Thu Feb 01, 2007 11:37 pm

Set IP ARP to reply-only and register the MAC addresses you want to authenticate with your PPPoE service.
Setting ARP to 'reply-only' will probably not help in this case. The functionality of ARP is only relevant for the IP protocol (as it provides a mapping of MAC addresses to IP addresses), but the MAC layer protocol in this case will be PPPoE and not IP, therefore ARP will not be used anyway (PPPoE itself does not need nor use any ARP requests, and IP, which would need them, will be flowing over PPPoE, which will provide point-to-point interfaces to the IP layer, and a point-to-point interface does not require ARP either).

If Radius is used then the MAC address of the connecting client might be available as an Access-Request attribute (probably Calling-Station-Id or something like that) and it could be used as a Radius Check-Item to either permit or deny a connection for that client.

--Tom
 
alinux
just joined
Topic Author
Posts: 12
Joined: Thu Feb 01, 2007 1:30 am

Thu Feb 01, 2007 11:42 pm

Well, can't I create a firewall rule rejecting all traffic on the input chain of the pppoe-server interface and allowing only traffic that matches the MAC addresses I specify (of course in the correct order)?
That should work, since dialup works on the input chain and IPTABLES is capable of filtering per MAC.
So check the MAC: if listed, allow authentication... else drop.
What do you think?
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Fri Feb 02, 2007 1:27 am

Going back to your initial question, where you talked about access-list and registration-table, it appears that you're trying to run PPPoE on wireless interfaces, right? Because the features you mention (access list, registration table) are only relevant for wireless.

Well, the access-list is meant to give you control over which wireless clients may associate with your access point. The list refers to the client's MAC address, but as I said it's for the association only, and once a wireless client did in fact associate with your AP, the access list has no influence on traffic from MAC addresses of other clients that comes in via that associated client router (maybe the wireless client is a router with WDS in station mode, where you'd transparently see all MAC addresses of users 'behind' the client router).

Ok, back to your current question. I don't think that you can use a firewall filter rule for that, at least not from /ip firewall filter, because these only apply to incoming IP packets, but you would like to filter PPPoE packets, which themselves are never subject to IP filtering (they can't, as they are not IP packets).

It might work to create some bridge filter rules for the input chain under /interface filter bridge that generally deny PPPoE PADI packets and only allow them from a list of source MAC addresses of clients that you want to be able to establish a PPPoE session. For that to work you might need to create a bridge and add your physical port as a member to the bridge (even if it will be the only port of the bridge) and then run the PPPoE server on the bridge interface, as I'm not sure if the bridge filters are run at all when the incoming traffic is not entering a bridge but just any physical interface. You'd have to experiment. But I don't like that solution much.

--Tom
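One way to lay out the bridge-filter approach Tom sketches above, as an added example that is not from the original thread or from MikroTik. It assumes the `/interface bridge filter` path of current RouterOS (the post writes it as `/interface filter bridge`), a single access port `ether2`, and a constructed client MAC; the PPPoE server is bound to the one-port bridge so that the bridge filter actually sees the discovery frames, which is the part Tom says you would have to experiment with.

```routeros
# Added example (not from the thread): limit PPPoE discovery to registered client MACs
# with bridge filter rules. Interface names and the MAC address are constructed placeholders.

# Put the access port into a one-member bridge so bridge filters apply to its traffic.
/interface bridge
add name=bridge-pppoe
/interface bridge port
add bridge=bridge-pppoe interface=ether2

# Run the PPPoE server on the bridge rather than on the physical port.
/interface pppoe-server server
add service-name=isp interface=bridge-pppoe default-profile=default one-session-per-host=yes disabled=no

# Accept PPPoE discovery (PADI/PADR) only from registered source MACs, drop everything else.
# Session-stage frames (mac-protocol=pppoe) are only exchanged after discovery succeeded,
# so dropping unknown discovery is enough to keep unknown clients away from PPP authentication.
# The drop rule is logged so that attempts from unregistered adapters show up in /log.
/interface bridge filter
add chain=input in-interface=ether2 mac-protocol=pppoe-discovery \
    src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF action=accept comment="client1 (registered MAC)"
add chain=input in-interface=ether2 mac-protocol=pppoe-discovery action=drop \
    log=yes log-prefix="pppoe-discovery-denied" comment="drop discovery from unregistered MACs"
```

The accept rules must come before the drop rule, one per registered MAC. As Tom notes, `/ip firewall filter` cannot do this job because PPPoE frames are not IP packets and never reach the IP filter; the bridge filter matches on the Ethernet type instead. A client that spoofs a registered MAC still passes this layer, so it only narrows who can start a session and does not replace the PPP password.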
 
ravin
Member Candidate
Posts: 173
Joined: Mon Jan 29, 2007 3:59 pm
Location: mym

Wed Feb 07, 2007 10:40 am

Set ARP to reply-only for the local interface. You can do this from WinBox: click on Interface -> local interface -> arp=reply-only. If you are using RADIUS, put the username and MAC ID in the radreply table.
 
sergejs
MikroTik Support
Posts: 6621
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Wed Feb 07, 2007 10:55 am

alinux,
Probably HotSpot could help you to resolve the current issue.
HotSpot provides local network clients with authorization and accounting.
Different login methods are designed; one of them is the MAC authentication method. The user's MAC address is used as the HotSpot username and the user is immediately authenticated if the MAC address from 'ip hotspot user' is present in the 'ip hotspot host' list (in other words, when the user has switched on the computer and the router has received data from it).
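The HotSpot MAC login that sergejs describes, as an added example that is not from the thread or from MikroTik. It assumes HotSpot on `ether2` with a constructed address pool and a constructed client MAC; the only point it shows is that the HotSpot user's name is the MAC address itself.

```routeros
# Added example (not from the thread): HotSpot with login-by=mac, where the client MAC
# is the username. Interface, pool and MAC values are constructed placeholders.
/ip pool
add name=hs-pool ranges=10.5.50.2-10.5.50.254
/ip hotspot profile
add name=hsprof-mac hotspot-address=10.5.50.1 login-by=mac
/ip hotspot
add name=hotspot1 interface=ether2 address-pool=hs-pool profile=hsprof-mac disabled=no

# A user whose name equals the client MAC is logged in as soon as the router sees
# traffic from that host (the host then shows up under /ip hotspot host and the
# session under /ip hotspot active). Hosts with no matching user get no access.
/ip hotspot user
add name=00:11:22:33:44:55 server=hotspot1 comment="client1 (MAC login)"
```

`/ip hotspot active print` lists who is logged in, and `/ip hotspot host print` shows every MAC the router has seen on the HotSpot interface, authenticated or not, which is the quickest way to spot unregistered adapters on the segment.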
 
alinux
just joined
Topic Author
Posts: 12
Joined: Thu Feb 01, 2007 1:30 am

Wed Feb 07, 2007 1:07 pm

Let's suppose I use RADIUS... what type of RADIUS server do you guys use? I've used FreeRADIUS before, but I need a RADIUS server with a simple GUI or web interface, so that the operator can use the RADIUS server to add or remove users. Because I can in no possible way convince him to use PuTTY to add users and the bandwidth limitations.
 
alinux
just joined
Topic Author
Posts: 12
Joined: Thu Feb 01, 2007 1:30 am

Wed Feb 07, 2007 1:13 pm

Adding to what was previously stated... I would like to point out that I've solved the issue by using PPP secrets and then enabling the callerID input box, and putting the MAC address of the computer in question in the callerID input box. In that way only the computer in question can authenticate using the created secret and password. But I would like to switch to RADIUS for accounting purposes.
Another question would be: I've enabled IP Accounting; where can I see the results of the accounting?
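The caller-id binding that alinux settled on, plus the move to RADIUS accounting and the answer to the IP accounting question, as an added example that is not from the thread or from MikroTik. Pool, addresses, user names, passwords and the RADIUS shared secret are constructed placeholders; it assumes the PPPoE server runs on `ether2` and a RADIUS server at 192.0.2.10.

```routeros
# Added example (not from the thread): bind each PPPoE secret to one client MAC via
# caller-id, then hand authentication and accounting to RADIUS. All addresses, names
# and secrets are constructed placeholders.

/ip pool
add name=pppoe-pool ranges=10.0.0.2-10.0.0.254
/ppp profile
add name=pppoe-clients local-address=10.0.0.1 remote-address=pppoe-pool

# Local secrets: for service=pppoe the caller-id is the client's MAC address, so the
# secret is only accepted from that adapter (what the post above calls the callerID box).
/ppp secret
add name=client1 password=EXAMPLE-PW-1 service=pppoe caller-id=00:11:22:33:44:55 profile=pppoe-clients
add name=client2 password=EXAMPLE-PW-2 service=pppoe caller-id=00:11:22:33:44:66 profile=pppoe-clients

/interface pppoe-server server
add service-name=isp interface=ether2 default-profile=pppoe-clients one-session-per-host=yes disabled=no

# Switching to RADIUS: RouterOS sends the PPPoE client's MAC as the Calling-Station-Id
# attribute, so the RADIUS server can enforce the same user-to-MAC binding (the
# check item Tom mentioned) and record it in the accounting stream. Local secrets are
# still checked first; RADIUS is asked for users not found locally.
/radius
add service=ppp address=192.0.2.10 secret=EXAMPLE-SHARED-SECRET
/ppp aaa
set use-radius=yes accounting=yes interim-update=5m

# Local IP accounting (the second question in the post): counters are only visible in
# a snapshot, so take one and then print it.
/ip accounting
set enabled=yes
/ip accounting snapshot take
/ip accounting snapshot print
```

`/ip accounting snapshot print` lists source, destination, packets and bytes per flow since the previous snapshot; without `snapshot take` the table stays empty, which is the usual reason the results seem to be missing. Once RADIUS accounting is on, the per-user byte counts also arrive at the RADIUS server as Accounting-Request records, which is the more useful source for billing.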
 
virtualmystic
Frequent Visitor
Posts: 80
Joined: Fri Jan 19, 2007 7:09 pm
Location: Lahore, pakistan

Wed Feb 07, 2007 8:42 pm

alinux,

I can provide you with a professional RADIUS/billing server + support, dealer module, user access level privileges with accounting and reporting features, if interested. Or else you can use dialupadmin with FreeRADIUS; it's got a nice GUI as you need.

regds,
Asad
 
monaro
newbie
Posts: 33
Joined: Wed Feb 07, 2007 10:05 pm

Dlink AP

Wed Feb 07, 2007 10:22 pm

We had the same problem. It is something with the AP. For the D-Link AP, I enabled client security, where a user cannot scan other users even if the hacker is on the same AP. So, any user who wants to scan for other people's APs will be unable to do so.
 
sergejs
MikroTik Support
Posts: 6621
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Feb 08, 2007 7:52 am

alinux,
you can try User Manager, a RADIUS-based management system that is integrated into the RouterOS package,
http://wiki.mikrotik.com/wiki/User_Manager
 
alinux
just joined
Topic Author
Posts: 12
Joined: Thu Feb 01, 2007 1:30 am

Thu Feb 08, 2007 3:22 pm

I think I will go for User Manager... I've installed it, but how do I access the manager?
 
sergejs
MikroTik Support
Posts: 6621
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Feb 08, 2007 3:25 pm

The documentation explains how you can access the manager:
first of all, create at least one subscriber to get access to the web interface of User Manager,
http://wiki.mikrotik.com/wiki/User_Mana ... ng_started
