Kamaz
newbie
Topic Author
Posts: 28
Joined: Sun Apr 30, 2017 9:35 am

WiFi and L2TP authorization via freeradius

Thu Nov 08, 2018 3:33 pm

Hello everyone. I need some help with the configuration of VPN (L2TP) and WiFi authorization via freeradius.
My goal is to configure one point for authorizing all connections. There is no Windows server in my company, so I have to use Linux.

Additional information:
ROS version is 6.42.7
/radius
add address=10.10.0.134 secret=mysupersecret service=ppp,wireless timeout=1s

/interface wireless
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:XX:XX:XX \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3-radius \
    security-profile=radius ssid=test-radius wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled


/interface wireless security-profiles
add authentication-types=wpa2-eap management-protection=allowed mode=\
    dynamic-keys name=radius radius-eap-accounting=yes supplicant-identity=""
Freeradius 3.0 is running on Ubuntu 18 server, all updates are installed. IP 10.10.0.134
Configuration of freeradius:
I added the following to the file /etc/freeradius/3.0/clients.conf:

client 10.10.2.1{
ipaddr = 10.10.2.1
secret = mysupersecret
shortname = msk1
proto = *
}

Also, we have an L2TP tunnel between router 10.10.2.1 and remote server 10.10.0.134.
There are screenshots from the Mikrotik log, created while I was trying to connect:
radius1.png
radius2.png

I used this guide while configuring freeradius: https://computingforgeeks.com/how-to-in ... ntu-16-04/
 
Kamaz
newbie
Topic Author
Posts: 28
Joined: Sun Apr 30, 2017 9:35 am

Re: WiFi and L2TP authorization via freeradius

Tue Feb 19, 2019 9:22 am

Additional information:
I've done my task, Freeradius works as it should, and wifi and pptp auth works fine too.

But now I'm faced with a problem when I have to connect every username in the Freeradius database with the user's IP or pool. I've found such information:
https://wiki.freeradius.org/guide/Ippoo ... %20clients
viewtopic.php?f=10&t=131137&p=704071&hi ... 6a#p704071
http://www.netexpertise.eu/en/networkin ... pools.html

but I can't understand how this schema works in general.
 
ianngrh
newbie
Posts: 26
Joined: Thu Aug 30, 2018 6:53 am

Re: WiFi and L2TP authorization via freeradius

Wed Feb 20, 2019 6:53 am

> Additional information:
> I've done my task, Freeradius works as it should, and wifi and pptp auth works fine too.
>
> But now I'm faced with a problem when I have to connect every username in the Freeradius database with the user's IP or pool. I've found such information:
> https://wiki.freeradius.org/guide/Ippoo ... %20clients
> viewtopic.php?f=10&t=131137&p=704071&hi ... 6a#p704071
> http://www.netexpertise.eu/en/networkin ... pools.html
>
> but I can't understand how this schema works in general.

Hi Kamaz,

As far as I know the radius authentication on mikrotik is like this.
  1. Access-request. The mikrotik asks the radius server whether the username & other requirements match the data on the radius server. If the data matches, radius will reply with access-accept. If not, it will reply with access-reject.
  2. Access-accept. The radius sends attributes for the requested user to the mikrotik, such as Framed-Pool, Framed-IP, etc. These are placed in the Radreply table in the database if you are using mysql.
    Mikrotik will configure the ppp/wireless/hotspot/login client based on this data. If this data does not exist, the mikrotik will take it from the default configuration.
    For example: PPP will take its configuration from /ppp profile default or default-encryption, based on the server configuration.
    I think this is the schema you are asking about.
For more radius attribute details on mikrotik, please check wiki for radius client mikrotik.
https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client

Hope this helps.
Still trying to be better than before
 
Kamaz
newbie
Topic Author
Posts: 28
Joined: Sun Apr 30, 2017 9:35 am

Re: WiFi and L2TP authorization via freeradius

Wed Feb 20, 2019 9:21 pm

Thank you for your response, my problem becomes more clear!
As far as I understood, the only thing I need is to add a record to the Radreply table. And that's all? 0_o
 
ianngrh
newbie
Posts: 26
Joined: Thu Aug 30, 2018 6:53 am

Re: WiFi and L2TP authorization via freeradius  [SOLVED]

Thu Feb 21, 2019 5:33 am

That depends on how far you want to utilize the freeradius features.
For basic features like just PPP authentication and then giving them an IP and bandwidth limiter, you have to add a record to the radcheck table for access-request and add a record to radreply for access-accept.
Still trying to be better than before
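
Added example (not part of the original posts, and not FreeRADIUS or MikroTik code): a simplified Python model of the flow described in the two replies above, where radcheck decides between Access-Accept and Access-Reject and radreply supplies the attributes returned to the router. The in-memory sqlite3 tables, the passwords and the Mikrotik-Rate-Limit value are constructed for illustration; user1 and 10.11.1.145 are taken from the thread.

```python
import hmac
import sqlite3

# Constructed rows in the (username, attribute, op, value) layout used by the
# radcheck and radreply tables. Passwords and the rate limit are made up.
SAMPLE = """
CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply (username TEXT, attribute TEXT, op TEXT, value TEXT);
INSERT INTO radcheck VALUES ('user1', 'Cleartext-Password', ':=', 'example-password');
INSERT INTO radcheck VALUES ('user2', 'Cleartext-Password', ':=', 'other-password');
INSERT INTO radreply VALUES ('user1', 'Framed-IP-Address', ':=', '10.11.1.145');
INSERT INTO radreply VALUES ('user1', 'Mikrotik-Rate-Limit', ':=', '2M/2M');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SAMPLE)
    return db

def authenticate(db, username, password):
    """Simplified model of one Access-Request: returns (packet, reply attributes)."""
    row = db.execute(
        "SELECT value FROM radcheck WHERE username = ? "
        "AND attribute = 'Cleartext-Password'", (username,)).fetchone()
    # Unknown user or wrong password: Access-Reject, and no attributes are sent.
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return "Access-Reject", {}
    # Known user: every radreply row for that user goes into the Access-Accept.
    rows = db.execute(
        "SELECT attribute, value FROM radreply WHERE username = ?", (username,))
    return "Access-Accept", dict(rows.fetchall())

def describe(db, username, password):
    packet, attrs = authenticate(db, username, password)
    if packet == "Access-Reject":
        return "rejected"
    if not attrs:
        # No radreply rows: the router applies its own defaults (e.g. /ppp profile).
        return "accepted, router defaults apply"
    return "accepted with " + ", ".join(f"{k}={v}" for k, v in sorted(attrs.items()))

if __name__ == "__main__":
    db = open_db()
    for user, pw in [("user1", "example-password"), ("user2", "other-password"),
                     ("user1", "wrong")]:
        print(user, "->", describe(db, user, pw))
```

A real server verifies the password through the negotiated method (PAP, CHAP, MS-CHAP) rather than by direct comparison; the model only shows which table feeds which packet.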
 
Kamaz
newbie
Topic Author
Posts: 28
Joined: Sun Apr 30, 2017 9:35 am

Re: WiFi and L2TP authorization via freeradius

Thu Apr 18, 2019 5:42 pm

Thank you so much for help.
But how do I assign an IP with mask, DNS, gateway, and route to the client correctly?
I need a schema for remote connection to my network for using inner resources, but the default route shouldn't be modified. All traffic should flow through the user's internet channel except the 10.10.5.0/24 network.

When I'm trying to use the radreply table:
INSERT INTO radius.radreply (username, attribute, op, value) VALUES ('user1', 'Framed-IP-Address', ':=', '10.11.1.145');
INSERT INTO radius.radreply (username, attribute, op, value) VALUES ('user1', 'Framed-IP-Netmask', ':=', '255.255.255.0');
INSERT INTO radius.radreply (username, attribute, op, value) VALUES ('user1', 'Framed-Route', ':=', '"10.10.5.0 10.11.1.1 1"');
the client gets only the IP address from the database while the other parameters remain at defaults.
Connection with Freeradius:
ppp.png
Connection without Freeradius (correct connection):
ppp2.png
 
Joni
Frequent Visitor
Posts: 77
Joined: Fri Mar 20, 2015 2:46 pm

Re: WiFi and L2TP authorization via freeradius

Fri Apr 19, 2019 9:53 pm

 
Kamaz
newbie
Topic Author
Posts: 28
Joined: Sun Apr 30, 2017 9:35 am

Re: WiFi and L2TP authorization via freeradius

Thu May 02, 2019 5:03 pm

The previous question was resolved by configuring the default gateway on the client side, so everything is fine.

The next problem is how to assign a PPTP user's IP or name (user1 = 10.11.1.145 in my case) to a Mikrotik firewall group?
Because firewall groups help to deal with rules.

I've tried to add record to radreply table but without result:
INSERT INTO radius.radreply (username, attribute, op, value) VALUES ('user1', 'Mikrotik-Address-List', ':=', 'remote_managers');

After user1 connected to Mikrotik:
MT.jpg

there is a record in Log that MT-Address-List="remote_managers" but it doesn't appear in Firewall>Address List.

Topics that didn't help:
viewtopic.php?t=48713
https://wiki.mikrotik.com/wiki/Manual:R ... ric_Values
https://www.youtube.com/watch?v=P47D5Z6fkeI