I need to build a secured Hotel network using mikrotik devices.
For now, I am testing the setup on a hEX PoE. I had it working until I enabled 'Use profiles' in User Manager. Since then, I get the 'Radius server is not responding' message. I tried disabling 'Use profiles', and I tried a reset. BTW, after each reset I also need to uninstall and reinstall User Manager and delete all Um5files; if I don't, every attempt to add a setting to User Manager (from the UI or the CLI) times out.
That said, here is the full config export for which I get "Radius server is not responding" when a hotspot user tries to authenticate with User Manager credentials. I am stuck and this is driving me crazy.
# jan/11/2023 11:10:40 by RouterOS 7.6
# software id = B03Z-9A05
#
# model = RB960PGS
# Single bridge with VLAN filtering on; the VLAN interfaces below hang off it.
# protocol-mode=none disables (R)STP, so a cabling loop between access ports
# would not be detected.
/interface bridge
add admin-mac=08:55:31:78:2A:0D auto-mac=no comment=defconf name=bridge \
protocol-mode=none vlan-filtering=yes
# Only ether4 has PoE-out off in this export; the build script below also turns
# it off on ether2.
/interface ethernet
set [ find default-name=ether4 ] poe-out=off
# Router-side VLAN interfaces: 10 = management (BASE), 20 = office, 40 = guests (hotspot).
/interface vlan
add interface=bridge name=BASE_VLAN vlan-id=10
add interface=bridge name=CUSTOMERS_VLAN vlan-id=40
add interface=bridge name=OFFICE_VLAN vlan-id=20
# Interface lists used by the firewall. LAN (defconf) only holds the bridge
# itself, so the defconf "drop all not coming from LAN" input rule also drops
# the VLAN interfaces unless a rule above it accepts them explicitly.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
add name=OFFICE
add name=CUSTOMERS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Hotspot profile for the guest VLAN. use-radius=yes hands logins to the /radius
# entry (the local User Manager). login-by allows http-chap (CHAP) and https
# (PAP over TLS), so the RADIUS group must permit both methods. The https portal
# presents hotspot-cert, signed by the router's own root-cert, so guests will
# get a browser certificate warning unless that CA is trusted on their device.
# dns-name is spelled "hostspot" here and in the certificate CN; keep them in sync.
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
add dns-name=hostspot.mydomain.com hotspot-address=10.40.40.1 html-directory=\
flash/hotspot-customers login-by=cookie,http-chap,https name=Customers \
rate-limit=100M/100M ssl-certificate=hotspot-cert use-radius=yes
# Address pools; CUSTOMERS_POOL spans the whole /23 (10.40.40.20-10.40.41.254).
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=OFFICE_POOL ranges=10.40.20.20-10.40.20.254
add name=CUSTOMERS_POOL ranges=10.40.40.20-10.40.41.254
add name=BASE_POOL ranges=10.40.10.10-10.40.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=OFFICE_POOL interface=OFFICE_VLAN name=OFFICE_DHCP
add address-pool=CUSTOMERS_POOL interface=CUSTOMERS_VLAN name=CUSTOMERS_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
# Hotspot server bound to the guest VLAN only.
/ip hotspot
add address-pool=CUSTOMERS_POOL disabled=no interface=CUSTOMERS_VLAN name=\
Customers profile=Customers
# Local hotspot user profile. This "Customers" is a different object from the
# /user-manager profile "Customers-Free"; the two namespaces are easy to confuse.
# transparent-proxy=yes only applies to plain HTTP; HTTPS traffic is not inspected.
/ip hotspot user profile
add address-pool=CUSTOMERS_POOL advertise=yes name=Customers rate-limit=\
70M/70M shared-users=3 transparent-proxy=yes
# User Manager (local RADIUS) objects for guests: a 20000000 rx/tx limit with a
# 30000000 burst for 10s, applied to the free 20-minute profile below.
/user-manager limitation
add name=Customers-20M rate-limit-burst-rx=30000000B \
rate-limit-burst-threshold-rx=20000000B rate-limit-burst-threshold-tx=\
20000000B rate-limit-burst-time-rx=10s rate-limit-burst-time-tx=10s \
rate-limit-burst-tx=30000000B rate-limit-rx=20000000B rate-limit-tx=\
20000000B
# Free voucher profile; the 20m validity starts at the first successful login.
/user-manager profile
add name=Customers-Free name-for-users=Free override-shared-users=5 \
starts-when=first-auth validity=20m
# Group the guest users belong to. The hotspot login methods only need pap (https)
# and chap (http-chap); mschap1 and the eap-* methods are only required if this
# group is also used for Wi-Fi EAP. Allowing fewer methods narrows what a client
# can negotiate.
/user-manager user group
add inner-auths=ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 \
name=Customers outer-auths=\
pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
# Access ports: untagged-only with a PVID that pins each port to one VLAN
# (ether2 = 10 mgmt, ether3 = 20 office, ether4/ether5 = 40 guests), so a
# client cannot move itself to another VLAN by tagging its frames.
# sfp1 keeps the bridge-port defaults (no pvid/frame-types set), so a device on
# sfp1 lands in the untagged bridge VLAN (192.168.88.0/24) rather than in a
# locked-down VLAN; restrict or disable it if it is unused.
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 pvid=40
add bridge=bridge comment=defconf interface=sfp1
# Neighbor discovery only on the management VLAN.
/ip neighbor discovery-settings
set discover-interface-list=BASE
# Bridge VLAN table; the bridge is a tagged member of each VLAN so the router
# can route between them.
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4,ether5 vlan-ids=40
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=OFFICE_VLAN list=VLAN
add interface=CUSTOMERS_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=OFFICE_VLAN list=OFFICE
add interface=CUSTOMERS_VLAN list=CUSTOMERS
# The defconf 192.168.88.1/24 stays on the untagged bridge; no port has PVID 1,
# so it is reachable only through sfp1 (see above).
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.40.10.1/24 interface=BASE_VLAN network=10.40.10.0
add address=10.40.20.1/24 interface=OFFICE_VLAN network=10.40.20.0
add address=10.40.40.1/23 interface=CUSTOMERS_VLAN network=10.40.40.0
/ip dhcp-client
add comment=defconf interface=ether1
# All VLANs get the management address 10.40.10.1 as DNS. That works because the
# "Allow VLAN DNS" input rule matches on in-interface-list=VLAN, not on the
# destination address.
/ip dhcp-server network
add address=10.40.10.0/24 dns-server=10.40.10.1 gateway=10.40.10.1
add address=10.40.20.0/24 dns-server=10.40.10.1 gateway=10.40.20.1
add address=10.40.40.0/23 dns-server=10.40.10.1 gateway=10.40.40.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
# The router resolves DNS for the VLANs. allow-remote-requests=yes would also
# answer queries from WAN if port 53 were admitted, so the defconf
# "drop all not coming from LAN" input rule is what keeps this from being an
# open resolver; do not add a port-53 accept from WAN.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Hotspot also inserts dynamic rules at runtime; they do not appear in an export.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Management from WAN (added "for testing" by the build script). Both rules
# accept from any Internet source, and WebFig on port 80 is plaintext. Restrict
# them with src-address / src-address-list and remove them once testing is done;
# www-ssl (443) is already enabled for WebFig.
add action=accept chain=input comment="Allow WinBox" dst-port=8291 \
in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Allow WebFig" dst-port=80 \
in-interface-list=WAN protocol=tcp
# Router services the VLANs may reach: DNS, DHCP, and full access from management.
add action=accept chain=input comment="Allow VLAN DNS" dst-port=53 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 \
in-interface-list=VLAN protocol=udp src-port=68
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# NOTE: the forward chain has no final drop. A new connection from one VLAN to
# another matches none of the rules below and falls through to RouterOS's
# implicit accept, so OFFICE and CUSTOMERS can currently reach each other.
# To enforce "Internet only", append: add action=drop chain=forward
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Local hotspot test account with a trivially weak password ("user"). Remove it
# before going live; guest logins are meant to come from User Manager via RADIUS.
/ip hotspot user
add name=testuser password=user profile=Customers
# Hosts reachable from the guest VLAN without logging in.
/ip hotspot walled-garden
add dst-host=download.mikrotik.com
add dst-host=upgrade.mikrotik.com
# HTTPS management with https-cert. Plain www (port 80) appears to remain at its
# default (enabled); the build script keeps "set www disabled=yes" commented out.
/ip service
set www-ssl certificate=https-cert disabled=no
# IPv6 firewall: unchanged defconf. No IPv6 address is configured anywhere in
# this export, so these rules are currently dormant.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# Unlike the IPv4 forward chain, the defconf IPv6 forward chain does end with a
# drop for everything not coming from LAN.
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# RADIUS client pointing at the local User Manager. The shared secret is the
# same value as in /user-manager router below and has now been published with
# this export; rotate it in both places before the network goes live.
/radius
add address=127.0.0.1 comment="Customers HotSpot" secret=\
Olj8XHcCtPAShPQF8Z7se service=hotspot
/system clock
set time-zone-name=Pacific/Noumea
# MAC-telnet and MAC-WinBox only from the management VLAN.
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
# NOTE(review): certificate=*0 is an internal object id, not a certificate name.
# Check with "/user-manager print" that it resolves to the certificate EAP
# clients should see, and set it by name so it survives resets.
/user-manager
set certificate=*0 enabled=yes
/user-manager profile-limitation
add limitation=Customers-20M profile=Customers-Free
# Must match the address RADIUS requests arrive from and the /radius secret above.
/user-manager router
add address=127.0.0.1 name=Customers shared-secret=Olj8XHcCtPAShPQF8Z7se
# group=*66 is an internal id as well. Export normally prints the group by name
# (the only group defined is "Customers"); an id here typically means the
# referenced object no longer exists, which fits a User Manager reinstall.
# Users attached to a missing group are a likely reason logins fail —
# NOTE(review): confirm in the User Manager / RADIUS debug log.
# The entries carry no password, so the 3-character name is the whole
# credential; generate longer random codes for real vouchers.
/user-manager user
add group=*66 name=user1
add group=*66 name=user2
add comment=test group=*66 name=ntr shared-users=5
add comment=test group=*66 name=law shared-users=5
add comment=test group=*66 name=tzx shared-users=5
add comment=test group=*66 name=lnu shared-users=5
add comment=test group=*66 name=wrw shared-users=5
add comment=test group=*66 name=b1f shared-users=5
add comment=test group=*66 name=zqs shared-users=5
add comment=test group=*66 name=tdg shared-users=5
add comment=test group=*66 name=axy shared-users=5
add comment=test group=*66 name=q4r shared-users=5
# Profile assignments (User Manager profile, not the hotspot user profile).
/user-manager user-profile
add profile=Customers-Free user=ntr
add profile=Customers-Free user=law
add profile=Customers-Free user=tzx
add profile=Customers-Free user=lnu
add profile=Customers-Free user=wrw
add profile=Customers-Free user=b1f
add profile=Customers-Free user=zqs
add profile=Customers-Free user=tdg
add profile=Customers-Free user=axy
add profile=Customers-Free user=q4r
To get to this config, I start from the default configuration and send these CLI commands:
# Start with hEX PoE reset to default config
# allow winbox and webfig access from wan (for testing)
# NOTE(review): both rules accept from any Internet source, and WebFig on port 80
# is plaintext. Restrict them with src-address / src-address-list of the admin
# network and remove them when testing is over; www-ssl is enabled further down.
/ip firewall filter add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp place-before=[find comment="defconf: drop all not coming from LAN"] comment="Allow WinBox"
/ip firewall filter add action=accept chain=input dst-port=80 in-interface-list=WAN protocol=tcp place-before=[find comment="defconf: drop all not coming from LAN"] comment="Allow WebFig"
# Unset protocol-mode on default bridge
# (vlan-filtering is switched off here and re-enabled at the end, once the VLAN table exists)
/interface bridge set bridge protocol-mode=none vlan-filtering=no
# POE OFF
/interface ethernet set [ find default-name=ether2 ] poe-out=off
/interface ethernet set [ find default-name=ether4 ] poe-out=off
#######################################
#
# -- Access Ports --
#
#######################################
# ingress behavior
# BASE_VLAN (management)
/interface bridge port set pvid=10 [find interface=ether2]
# Office VLAN
/interface bridge port set pvid=20 [find interface=ether3]
# Customers VLAN
/interface bridge port set pvid=40 [find interface=ether4]
/interface bridge port set pvid=40 [find interface=ether5]
# egress behavior, handled automatically
# L3 switching so Bridge must be a tagged member
# These are from https://forum.mikrotik.com/viewtopic.php?t=143620#p706999
# and didn't work (nothing gets created)
# (presumably because "set ... [find vlan-ids=N]" has nothing to find until the
# entries exist; the "add" lines below create them instead)
#
# /interface bridge vlan set bridge=bridge tagged=bridge [find vlan-ids=10]
# /interface bridge vlan set bridge=bridge tagged=bridge [find vlan-ids=20]
# /interface bridge vlan set bridge=bridge tagged=bridge [find vlan-ids=40]
# sfp1 is not given a pvid or frame-types here or in the "VLAN Security" section,
# so it stays on the untagged bridge VLAN with default settings.
/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=20
/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether4,ether5 vlan-ids=40
#######################################
# IP Services
#######################################
# Management VLAN
/interface vlan add interface=bridge name=BASE_VLAN vlan-id=10
/ip address add address=10.40.10.1/24 interface=BASE_VLAN
# OFFICE VLAN interface creation, IP assignment, and DHCP service
# (DNS for every VLAN is the management address 10.40.10.1; the "Allow VLAN DNS"
# input rule matches on interface list, not destination address, so this works)
/interface vlan add interface=bridge name=OFFICE_VLAN vlan-id=20
/ip address add interface=OFFICE_VLAN address=10.40.20.1/24
/ip pool add name=OFFICE_POOL ranges=10.40.20.20-10.40.20.254
/ip dhcp-server add address-pool=OFFICE_POOL interface=OFFICE_VLAN name=OFFICE_DHCP disabled=no
/ip dhcp-server network add address=10.40.20.0/24 dns-server=10.40.10.1 gateway=10.40.20.1
# CUSTOMERS VLAN interface creation, IP assignment, and DHCP service
# (a /23, so the pool can span 10.40.40.20-10.40.41.254 for the guest hotspot)
/interface vlan add interface=bridge name=CUSTOMERS_VLAN vlan-id=40
/ip address add interface=CUSTOMERS_VLAN address=10.40.40.1/23
/ip pool add name=CUSTOMERS_POOL ranges=10.40.40.20-10.40.41.254
/ip dhcp-server add address-pool=CUSTOMERS_POOL interface=CUSTOMERS_VLAN name=CUSTOMERS_DHCP disabled=no
/ip dhcp-server network add address=10.40.40.0/23 dns-server=10.40.10.1 gateway=10.40.40.1
# Create a DHCP instance for BASE_VLAN.
/ip pool add name=BASE_POOL ranges=10.40.10.10-10.40.10.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=10.40.10.0/24 dns-server=10.40.10.1 gateway=10.40.10.1
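#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################
# Use MikroTik's "list" feature for easy rule matching.
# WAN and its ether1 member already exist in the default configuration (the export
# shows them with comment=defconf); the two lines for them are redundant and may
# simply error out.
/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE
/interface list add name=OFFICE
/interface list add name=CUSTOMERS
/interface list member add interface=ether1 list=WAN
/interface list member add interface=BASE_VLAN list=VLAN
/interface list member add interface=OFFICE_VLAN list=VLAN
/interface list member add interface=CUSTOMERS_VLAN list=VLAN
/interface list member add interface=BASE_VLAN list=BASE
/interface list member add interface=OFFICE_VLAN list=OFFICE
/interface list member add interface=CUSTOMERS_VLAN list=CUSTOMERS
# VLAN aware firewall. Order is important.
##################
# INPUT CHAIN
##################
# Allow VLANs to access router services DNS and DHCP.
# Placed before the defconf "drop all not coming from LAN" rule, which would otherwise
# drop the VLAN interfaces (the LAN list only contains the bridge).
/ip firewall filter add action=accept chain=input comment="Allow VLAN DNS" dst-port=53 in-interface-list=VLAN protocol=udp place-before=[find comment="defconf: drop all not coming from LAN"]
/ip firewall filter add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=VLAN protocol=udp src-port=68 place-before=[find comment="defconf: drop all not coming from LAN"]
# Allow BASE_VLAN full access.
/ip firewall filter add chain=input action=accept in-interface=BASE_VLAN place-before=[find comment="defconf: drop all not coming from LAN"] comment="Allow Base_Vlan Full Access"
##################
# FORWARD CHAIN
##################
# Allow all VLANs to access the Internet only, NOT each other
/ip firewall filter add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN place-before=[find chain=forward comment="defconf: drop invalid"] comment="VLAN Internet Access only"
# Drop everything the forward chain has not explicitly accepted. Without this rule
# RouterOS falls through to its implicit accept, so new connections between OFFICE,
# CUSTOMERS and BASE are allowed and the "NOT each other" intent above is not enforced.
# Appended after the defconf rules, so established/related traffic and fasttrack still
# match first. If the management VLAN must reach the other VLANs, or a dst-nat port
# forward is added later, add an explicit accept before this drop.
/ip firewall filter add chain=forward action=drop comment="Drop all other forward traffic"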
#######################################
# VLAN Security
#######################################
# Only allow ingress packets without tags on Access Ports
# With ingress-filtering=yes and untagged-only frame types, a tagged frame from a
# client is dropped, so a guest cannot hop into another VLAN by tagging.
# sfp1 is not covered here; it keeps the bridge-port defaults.
# /interface bridge port
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
#######################################
# Turn on VLAN mode
#######################################
# Done last, once the VLAN table and VLAN interfaces exist. From here on the
# router is managed through BASE_VLAN (ether2); make sure the session used to
# run this script is on that port or the WAN test rules, or it will be cut off.
/interface bridge set bridge vlan-filtering=yes
#######################################
# Create Certificates
#######################################
# Private CA on the router, plus a leaf for WebFig and one for the hotspot portal.
# Clients will warn about hotspot-cert unless root-cert is installed on them;
# the hotspot CN is spelled "hostspot", matching dns-name in the hotspot profile.
/certificate
add name=root-cert common-name=HotelName days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-cert
add name=https-cert common-name=router.mydomain.com days-valid=3650
sign ca=root-cert https-cert
add name=hotspot-cert common-name=hostspot.mydomain.com days-valid=3650
sign ca=root-cert hotspot-cert
#######################################
# Services
#######################################
/ip service
set www-ssl certificate=https-cert disabled=no
# NOTE(review): with the next line commented out, plain-HTTP WebFig stays enabled,
# and the testing rule at the top admits port 80 from WAN. Uncomment it (or at
# least restrict the WAN rule) before this leaves the test bench.
# set www disabled=yes
#######################################
# Radius Server
#######################################
# RADIUS client for the hotspot, pointing at the local User Manager. The secret
# has been published with this post; rotate it here and in /user-manager router.
/radius
add address=127.0.0.1 comment="Customers HotSpot" secret=Olj8XHcCtPAShPQF8Z7se service=hotspot
#######################################
# User manager
#######################################
# Customers limitations
/user-manager limitation
add name=Customers-20M rate-limit-burst-rx=30000000B rate-limit-burst-threshold-rx=20000000B \
rate-limit-burst-threshold-tx=20000000B rate-limit-burst-time-rx=10s rate-limit-burst-time-tx=\
10s rate-limit-burst-tx=30000000B rate-limit-rx=20000000B rate-limit-tx=20000000B
# Customers profile (20 minutes from first login, referenced below as "Customers-Free")
/user-manager profile
add name=Customers-Free name-for-users=Free override-shared-users=5 starts-when=first-auth validity=20m
# Apply limitations to profile
/user-manager profile-limitation
add limitation=Customers-20M profile=Customers-Free
# Customers group
# Hotspot logins need pap (https login) and chap (http-chap); the mschap1 and
# eap-* methods are only required if this group also serves Wi-Fi EAP clients.
/user-manager user group
add inner-auths=\
ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 name=Customers outer-auths=\
pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
# User manager router
# The address and secret must match the /radius entry above; if the request is
# sourced from something other than 127.0.0.1 this entry will not match it.
/user-manager router
add address=127.0.0.1 name=Customers shared-secret=Olj8XHcCtPAShPQF8Z7se
#Enable
# NOTE(review): certificate=*0 is an internal object id, which is not stable across
# resets or a User Manager reinstall. Reference the certificate by name (the one
# EAP clients should be presented with) — confirm which of the three it should be.
/user-manager
set certificate=*0 enabled=yes
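# add a few users
# The group is referenced by name: "*66" was an internal object id, which changes
# whenever User Manager is reinstalled or the configuration is reset and leaves
# the users attached to a group that no longer exists.
# These accounts have no password, so the 3-character name is the whole
# credential; generate longer random codes for real vouchers.
/user-manager user
add group=Customers name=user1
add group=Customers name=user2
add comment=test group=Customers name=ntr shared-users=5
add comment=test group=Customers name=law shared-users=5
add comment=test group=Customers name=tzx shared-users=5
add comment=test group=Customers name=lnu shared-users=5
add comment=test group=Customers name=wrw shared-users=5
add comment=test group=Customers name=b1f shared-users=5
add comment=test group=Customers name=zqs shared-users=5
add comment=test group=Customers name=tdg shared-users=5
add comment=test group=Customers name=axy shared-users=5
add comment=test group=Customers name=q4r shared-users=5
# assign profiles
# The User Manager profile created above is "Customers-Free"; "Customers" is the
# /ip hotspot user profile, a different object, so it cannot be referenced here.
/user-manager user-profile
add profile=Customers-Free user=ntr
add profile=Customers-Free user=law
add profile=Customers-Free user=tzx
add profile=Customers-Free user=lnu
add profile=Customers-Free user=wrw
add profile=Customers-Free user=b1f
add profile=Customers-Free user=zqs
add profile=Customers-Free user=tdg
add profile=Customers-Free user=axy
add profile=Customers-Free user=q4r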
#######################################
# Hot Spot
#######################################
# hotspot profile for customers
# use-radius=yes sends logins to the /radius entry (local User Manager).
# login-by http-chap and https correspond to CHAP and PAP-over-TLS on the RADIUS side.
/ip hotspot profile
add dns-name=hostspot.mydomain.com hotspot-address=10.40.40.1 html-directory=\
flash/hotspot-customers login-by=cookie,http-chap,https name=Customers rate-limit=100M/100M \
ssl-certificate=hotspot-cert use-radius=yes
# hotspot server
/ip hotspot
add address-pool=CUSTOMERS_POOL disabled=no interface=CUSTOMERS_VLAN name=Customers profile=Customers
# user profile for customers
# (this is the /ip hotspot user profile "Customers", not the User Manager profile "Customers-Free")
/ip hotspot user profile
add address-pool=CUSTOMERS_POOL advertise=yes name=Customers rate-limit=70M/70M shared-users=3 \
transparent-proxy=yes
# walled-garden for CAPs updates
/ip hotspot walled-garden
add dst-host=download.mikrotik.com
add dst-host=upgrade.mikrotik.com
# add test user
# NOTE(review): password "user" is trivially weak; remove this local account
# before going live, guests should only authenticate through User Manager.
/ip hotspot user
add name=testuser password=user profile=Customers
The router can ping itself on 127.0.0.1:
ping 127.0.0.1
SEQ HOST SIZE TTL TIME STATUS
0 127.0.0.1 56 64 324us
1 127.0.0.1 56 64 298us
2 127.0.0.1 56 64 303us
3 127.0.0.1 56 64 300us
4 127.0.0.1 56 64 299us
sent=5 received=5 packet-loss=0% min-rtt=298us avg-rtt=304us max-rtt=324us