spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

RADIUS and DHCP PASSWORD

Wed Oct 03, 2012 3:45 am

Hi, we use FreeRADIUS SQL with MT hotspot and have no problems. Just recently we had a need to specify a different IP pool for certain MAC addresses. With these certain users we hope to just add the extra field into the SQL database: framed-pool.

This works with hotspot, and to-address is using an IP from the specified pool.

However, when enabling RADIUS in the DHCP server we get auth failed on RADIUS DHCP requests.

1/ Does user-password need a blank password to auth with DHCP and can't be anything else?
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Re: RADIUS and DHCP PASSWORD

Thu Oct 04, 2012 4:23 pm

Does the password file in the database need to be blank for DHCP to auth with RADIUS?
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: RADIUS and DHCP PASSWORD

Sat Oct 06, 2012 7:15 am

Yes, MikroTik's DHCP server does not send the User-Password attribute. If your configuration requires a password then you can easily set it in the RADIUS server. Here's how to do it if you're using FreeRADIUS:

authorize {
  update request {
    User-Password = "%{User-Name}"
  }
}
 
EMOziko
Member Candidate
Posts: 129
Joined: Mon Aug 23, 2010 9:42 pm
Location: Georgia

Re: RADIUS and DHCP PASSWORD

Sat Oct 06, 2012 1:42 pm

Hi, we use FreeRADIUS SQL with MT hotspot and have no problems. Just recently we had a need to specify a different IP pool for certain MAC addresses. With these certain users we hope to just add the extra field into the SQL database: framed-pool.

This works with hotspot, and to-address is using an IP from the specified pool.

However, when enabling RADIUS in the DHCP server we get auth failed on RADIUS DHCP requests.

1/ Does user-password need a blank password to auth with DHCP and can't be anything else?

You can use the access-accept attribute for DHCP users; it will be authorised only with the MAC address.
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Re: RADIUS and DHCP PASSWORD

Tue Oct 09, 2012 1:26 am

Thanks, that makes sense. We're using the same database for hotspot auth, so the database needs to remain with the password for its primary use. The username is already a MAC.

So can I just clarify that you're saying FreeRADIUS can be set up to send access-accept when getting a DHCP request even if NAS is not sending password?

Can I just be clear what you're saying can be set up only to authorize a DHCP request, as it's important the hotspot continues to have same auth method and will not auth any password.

Sorry if I'm being thick but I have read the FreeRADIUS docs but can't seem to find exactly the right info you're talking about?
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: RADIUS and DHCP PASSWORD

Wed Oct 10, 2012 8:15 am

So can I just clarify that you're saying FreeRADIUS can be set up to send access-accept when getting a DHCP request even if NAS is not sending password?

Can I just be clear what you're saying can be set up only to authorize a DHCP request, as it's important the hotspot continues to have same auth method and will not auth any password.

Sorry if I'm being thick but I have read the FreeRADIUS docs but can't seem to find exactly the right info you're talking about?

You need to set up your own policy within FreeRADIUS to handle authenticating DHCP users, and make up for the fact that the MikroTik DHCP server sends a blank User-Password attribute in Access-Requests for DHCP Discover packets. Here's a more detailed way of how you can handle it, and still not allow hotspot logins containing random passwords.

The Access-Requests for DHCP packets come in like this:

NAS-Port-Type = Ethernet
NAS-Port = 2198977383
Framed-IP-Address = 192.0.2.2
Called-Station-Id = "dhcp1"
User-Name = "01:23:45:67:AB:CD"
User-Password = ""
NAS-Identifier = "myrouter.domain.tld"

You can create the following policy so that FreeRADIUS will still allocate IPs to DHCP users even though the User-Password attribute is blank. This policy should not match hotspot users because hotspot requests contain the 'Service-Type' attribute, which this policy explicitly requires be absent.

authorize {
  if(NAS-Port-Type == Ethernet && NAS-Port && !Service-Type && Called-Station-Id =~ /^dhcp[0-9]+$/){
    # Username is a MAC address and password is blank
    if(User-Name =~ /^([0-9A-F]{2}:?){6}$/ && User-Password == ''){

      # Set password to 'User-Name' to facilitate proper lookup in 'users' file or SQL radcheck table
      update request {
        User-Password = "%{User-Name}"
      }
    }
  }

  files
  sql
  chap
  pap
  # …etc
}
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Re: RADIUS and DHCP PASSWORD

Wed Oct 10, 2012 5:51 pm

Thank you very much. You saved me alot of time.
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Re: RADIUS and DHCP PASSWORD

Fri Oct 19, 2012 4:11 pm

Hi, sorry but I think I need a little more help! I tried this but it's still failing to auth DHCP. The logs do show that this rule is matching DHCP requests but it still fails to auth.

Can I just check something?

# Set password to 'User-Name' to facilitate proper lookup in 'users' file or SQL radcheck table
update request {
  User-Password = "%{User-Name}"
}

This looks like it's telling the server to replace the blank password with the username when it queries the database. I don't really get that because it wouldn't auth with the username as password, would it? Or have I misunderstood?
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Re: RADIUS and DHCP PASSWORD

Fri Oct 19, 2012 4:39 pm

Actually, don't worry, I figured out a rule that worked:

if(NAS-Port-Type == Ethernet && NAS-Port && !Service-Type && Called-Station-Id =~ /^dhcp[0-9]+$/){
  # Username is a MAC address and password is blank
  if(User-Name =~ /^([0-9A-F]{2}:?){6}$/ && User-Password == ''){

    update control {
      Auth-Type := Accept
    }
  }
}
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Re: RADIUS and DHCP PASSWORD

Fri Oct 19, 2012 5:50 pm

Hi,

Got one more slight problem. DHCP is authing and assigning the correct pool fine. But when the hotspot authenticates, however, because it sees Framed-Pool it assigns another IP on hotspot to-address, so two IPs are used!!

Do you know if there is a rule like above that can omit the radreply Framed-Pool when a hotspot auth request comes in?

I just can't find the right syntax to omit that.
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: RADIUS and DHCP PASSWORD

Sun Oct 21, 2012 11:28 pm

Got one more slight problem. DHCP is authing and assigning the correct pool fine. But when the hotspot authenticates, however, because it sees Framed-Pool it assigns another IP on hotspot to-address, so two IPs are used!!

Do you know if there is a rule like above that can omit the radreply Framed-Pool when a hotspot auth request comes in?

http://freeradius.org/radiusd/man/unlang.html

I haven't tested this, but I think it would work something like this:

post-auth {
  if(reply:Framed-Pool){
    update reply {
      Framed-Pool !* 0
    }
  }
}
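
A scoped variant of the rule above, as an added example that is not part of the original post: as written, the post-auth block removes Framed-Pool from every reply, including the DHCP replies that need it. This version removes it only when the request carries Service-Type, which the thread identifies as present on hotspot requests and absent on DHCP requests; placing it in the post-auth section of the virtual server that handles the MikroTik NAS is an assumption.

```unlang
post-auth {
  # Added example (untested against any particular FreeRADIUS build).
  # Hotspot logins carry Service-Type; the MikroTik DHCP Access-Requests
  # shown earlier in the thread do not, so this test tells them apart.
  if (request:Service-Type && reply:Framed-Pool) {
    update reply {
      # '!*' deletes every instance of the attribute; the value is ignored.
      Framed-Pool !* ANY
    }
  }
}
```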
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Re: RADIUS and DHCP PASSWORD

Mon Oct 22, 2012 1:44 am

Thanks :-)
 
jgzt26
just joined
Posts: 2
Joined: Tue Mar 06, 2018 2:41 pm

Re: RADIUS and DHCP PASSWORD

Tue Mar 06, 2018 2:46 pm

Hi, I'm facing the same problem. I also want to authenticate my DHCP client on MikroTik using radiusdesk (FreeRADIUS), but I don't know where to put the script in the FreeRADIUS policy.

Can someone help me step by step how to do it, especially on pointing out the directories where I will edit/add the scripts?

The username will be the modem's MAC address, and the password should be the same.

Thanks so much
 
jgzt26
just joined
Posts: 2
Joined: Tue Mar 06, 2018 2:41 pm

Re: RADIUS and DHCP PASSWORD

Tue Mar 06, 2018 2:53 pm

Hi, I'm also facing the same problem. I wanted to authenticate my MikroTik DHCP clients on radiusdesk (FreeRADIUS) but I don't know where to start or how to make it happen. I saw in this thread a script where password=%usrname, something like that, but I don't know where to put it.

Can someone help me step by step how to do it?

My username will be the MAC address of the computer and the password should be the same.

Thanks for the help.
