Community discussions

MUM Europe 2020
 
rodyeo
newbie
Topic Author
Posts: 31
Joined: Thu Nov 09, 2006 10:53 am
Location: Malaysia

Hotspot AAA Microsoft IAS RADIUS - By Rodney Yeo

Fri Nov 17, 2006 10:10 am

How to setup Hotspot AAA Microsoft IAS RADIUS for use with MikroTik – By Rodney Yeo


Part A - Setup IAS RADIUS on Active Directory Services

1. Setup IAS on a server acting as Active Directory Services Domain Controller and register it’s services. (Ref: IAS-Setup1.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup1.JPG

2. Give a meaningful description and enable logging for authentication status. (Ref: IAS-Setup2.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup2.JPG

3. User respective 1812 for Authentication and 1813 for Accounting port only. (Ref: IAS-Setup3.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup3.JPG

4. Create a Realms profile, find “User-Name” replace it with “DOMAIN\User-Name” variables into IAS. (Ref: IAS-Setup4.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup4.JPG

5. Create a “hotspot.com” client profile and set IP address pointing to MikroTik hotspot server 172.19.1.253. Set Client Vendor to RADIUS Standard and enter a unique password for IAS. Do not enable Attributes Signature check box. (Ref: IAS-Setup5.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup5.JPG

6. Enable Remote Access Logging check box for all properties. (Ref: IAS-Setup6.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup6.JPG

7. Select IAS Format and set Log Time Period to Daily. (Ref: IAS-Setup7.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup7.JPG

8. Create Remote Access Policies profile to “hotspot.com”. Add “Windows-Groups” matches “DOMAIN\Username” profile. Enable Grant remote access permission. (Ref: IAS-Setup8.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup8.JPG

9. At Authentication tab Enable check box for “MS-CHAP v2, MS-CHAP, CHAP and PAP” method. Note HotSpot only uses PAP method. (Ref: IAS-Setup9.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup9.JPG

10. At Encryption tab Enable all the check box allowed by this profile. (Ref: IAS-Setup10.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup10.JPG

11. At Advance tab do not add any additional connection attributes. (Ref: IAS-Setup11.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup11.JPG


Part B - Setup IAS RADIUS with MikroTik

1. Add a RADIUS server profile and enable service for “hotspot”. Enter IP Address of IAS RADIUS server. Enter the same password created earlier for RADIUS secret. Use port 1812 for Authentication and 1813 for Accounting with Timeout at 300ms. (Ref: IAS-MT-Config1.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-MT-Config1.JPG

2. At “Hotspot Server Profiles” Login By check “HTTP PAP” only. (Ref: IAS-MT-Config2.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-MT-Config2.JPG

3. At “Hotspot Server Profiles” check Use RADIUS and Accounting. NAS Port Type leave it as (19 wireless-802.11) or change to 15 (Ethernet) mode. (Ref: IAS-MT-Config3.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-MT-Config3.JPG


Part C – Testing IAS RADIUS with PC

1. Use NTRadPing Test Utility to verify the communication link with a test PC. http://www.dialways.com/download/

2. Remember to add in the test PC IP Address intended for testing into the IAS Client Profile before initiating test.

3. Enter the IAS RADIUS server IP Address and port “1812” for Request Type “Authentication Request” mode followed by the RADIUS Secret Key. (Ref: IAS-Test1.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Test1.JPG

4. Also enter the User-Name found in the Active Directory Service User Domain Lists. If successful response reply will be “Access-Accepted”.

5. Next change port to “1813” for Request Type “Accounting Start” click send and reply should be “Accounting-Response” if the RADIUS server is working. (Ref: IAS-Test2.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Test2.JPG


Part D – Activating Domain Users for IAS RADIUS

1. Check for respective User properties if they are member of “RAS and IAS Server” groups, if not add them as group members. (Ref: AD-User_IAS1.JPG) http://wiki.mikrotik.com/wiki/Image:AD-User_IAS1.JPG

2. Next check the Dial-in tab and enable Allow access for Remote Access Permission. (Ref: AD-User_IAS2.JPG) http://wiki.mikrotik.com/wiki/Image:AD-User_IAS2.JPG


Part E – Using CHAP Authentication method

1. To use CHAP authentication method for Hotspot kindly go to the respective users in the Active Directory user properties.

2. At Account tab just below Password never expire check box, enable “Store password using reversible encryption” option. Note: This is required for CHAP to work in IAS (Ref: CHAP-Test-1.JPG) http://wiki.mikrotik.com/wiki/Image:CHAP-Test-1.JPG

3. Next Reset the respective user password for the encryption function to take place. Exit Active Directory Users and Computers mmc console. (Ref: CHAP-Test-2.JPG) http://wiki.mikrotik.com/wiki/Image:CHAP-Test-2.JPG

4. Go to Hotspot Server Profile, click Login By tab and ensure HTTP CHAP is enable. You can leave HTTP PAP just incase users cannot login using CHAP it will use PAP method. (Ref: CHAP-Test-3.JPG) http://wiki.mikrotik.com/wiki/Image:CHAP-Test-3.JPG

5. Finally test if the CHAP authentication is working using NTRadPing and it should show “Access-Accepted” which means it is working! (Ref: CHAP-Test-4.JPG) http://wiki.mikrotik.com/wiki/Image:CHAP-Test-4.JPG


Note: Please see attached setup image files for illustrations.

P.S. Many Thanks to Mat Dawam mda@landasan.com.my and Hamidi Yaacob hamidi@landasan.com.my of Landasan Teknologi (M) Sdn Bhd for Technical Support of MikroTik RouterOS deployment in Malaysia for Metropolitan College Malaysia.


*** The End ***

Could also Refer to Wiki Pages...
http://wiki.mikrotik.com/wiki/AAA_with_Active_Directory
Last edited by rodyeo on Sun Dec 10, 2006 11:00 am, edited 9 times in total.
Rodney Yeo
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6618
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Fri Nov 17, 2006 7:59 pm

You can post the same configuration to the MikroTik wiki,
http://wiki.mikrotik.com
 
arashi
just joined
Posts: 4
Joined: Fri Jul 21, 2006 10:10 am

Mon Nov 20, 2006 6:17 am

Sorry, but where are the attached setup image files?
 
rodyeo
newbie
Topic Author
Posts: 31
Joined: Thu Nov 09, 2006 10:53 am
Location: Malaysia

Mon Nov 20, 2006 6:36 am

You can post the same configuration to the MikroTik wiki,
http://wiki.mikrotik.com
Okay, thanks... will contribute as suggested but I wonder if I could upload the sample configuration files to the server?

Rodney
 
rodyeo
newbie
Topic Author
Posts: 31
Joined: Thu Nov 09, 2006 10:53 am
Location: Malaysia

Mon Nov 20, 2006 6:38 am

Sorry, but where are the attached setup image files?
Sorry about that... I can't seems to upload any file into this forum? Any other way to upload files?

Thanks

Rodney
 
User avatar
balimore
Forum Veteran
Forum Veteran
Posts: 892
Joined: Mon Apr 10, 2006 3:38 am

Mon Nov 20, 2006 6:50 am

Sorry, but where are the attached setup image files?
Sorry about that... I can't seems to upload any file into this forum? Any other way to upload files?

Thanks

Rodney
---
put all images to other host server and linked to this post..please..!!!!

regards
Hasbullah.com
---
 
rodyeo
newbie
Topic Author
Posts: 31
Joined: Thu Nov 09, 2006 10:53 am
Location: Malaysia

Mon Nov 20, 2006 8:13 am

Thanks for the tips! How silly, my ignorance.... still new to this forum thing... Good Luck in trying... It only works with PAP! I can't seem to get it to work with CHAP and MAC authentication via IAS RADIUS... Still on R&D...

Regards,

Rodney

Sorry, but where are the attached setup image files?
Sorry about that... I can't seems to upload any file into this forum? Any other way to upload files?

Thanks

Rodney
---
put all images to other host server and linked to this post..please..!!!!

regards
Hasbullah.com
---
 
arashi
just joined
Posts: 4
Joined: Fri Jul 21, 2006 10:10 am

Mon Nov 20, 2006 9:01 am

Thanx a lot for the tips and the updates bro :)
 
rodyeo
newbie
Topic Author
Posts: 31
Joined: Thu Nov 09, 2006 10:53 am
Location: Malaysia

Mon Nov 20, 2006 1:55 pm

No worries... thanks to you guys for the encouragement and support....

Thanx a lot for the tips and the updates bro :)
Rodney Yeo
 
rodyeo
newbie
Topic Author
Posts: 31
Joined: Thu Nov 09, 2006 10:53 am
Location: Malaysia

Re: Hotspot AAA Microsoft IAS RADIUS - By Rodney Yeo

Wed Nov 22, 2006 9:55 am

Dear All,

I have just modified this main thread with the addition of my previous query of CHAP authentication via IAS for Hotspot solution is now resolved!

With the great help from guys from Landasan Teknologi (M) Sdn Bhd namely Mat Dawam and Hamidi.

Thanks

Rodney
Rodney Yeo
 
squintr
newbie
Posts: 28
Joined: Tue Nov 22, 2005 12:39 am

Thu Mar 22, 2007 5:37 pm

These instructions/screenshots seem to apply to Windows 2000. Our Windows 2003 Server is displaying different screens (eg. missing the "realms" tab). Is the setup for Server 2003 much different?

I can't seem to get it working -- works from my desktop (on the same subnet as the RADIUS server) but doesn't work with the test utility from the desktop on the Hotspot interface (different subnet) even though I can ping the RADIUS server.
 
squintr
newbie
Posts: 28
Joined: Tue Nov 22, 2005 12:39 am

Sat Mar 24, 2007 5:00 pm

Actually I figured it out..

On the IAS server I was putting the IP address of the Hotspot gateway forgetting that it was masquerading itself so I changed it to the LAN Gateway and it worked.
 
rodyeo
newbie
Topic Author
Posts: 31
Joined: Thu Nov 09, 2006 10:53 am
Location: Malaysia

IAS Radius with MikroTik

Sun Mar 25, 2007 12:14 pm

Actually I figured it out..

On the IAS server I was putting the IP address of the Hotspot gateway forgetting that it was masquerading itself so I changed it to the LAN Gateway and it worked.
Sorry, I was away on another project and forgot to check in this forum for quite some time now.

I am glad you got it working... It was my Malaysian MikroTik distributor namely Mr. Mat Dawam of Landasan Teknologi company got it figured out base on the similar test done on FreeRadius.

Best Regards,

Rodney Yeo
IT System Support
IT Department
Metropolitan College Malaysia
http://www.metropolitan.edu.my/
 
User avatar
MForooghii
just joined
Posts: 15
Joined: Thu Mar 01, 2012 6:57 am

PDF file

Thu Jun 14, 2012 9:56 am

hi
there is the pdf document of this post

thanks to Rodney Yeo
You do not have the required permissions to view the files attached to this post.
 
rodyeo
newbie
Topic Author
Posts: 31
Joined: Thu Nov 09, 2006 10:53 am
Location: Malaysia

Re: PDF file

Thu Jun 14, 2012 2:09 pm

hi
there is the pdf document of this post

thanks to Rodney Yeo
Thanks for the PDF compilation... :-)
Rodney Yeo
 
rebel2234
newbie
Posts: 41
Joined: Sat May 20, 2006 6:23 am

Re: Hotspot AAA Microsoft IAS RADIUS - By Rodney Yeo

Thu Sep 05, 2013 1:18 am

Has anyone done this with Windows Server 2008 R2? I am having difficulty trying to replicate this in Server 2008. Anybody have a guide on how to do it? Or make a guide on the WIKI on how to do Hotspot AAA with Microsoft Server 2008 "Network Policy Server (NPS)".
 
jemp
just joined
Posts: 13
Joined: Fri Aug 16, 2013 1:50 pm

Re: Hotspot AAA Microsoft IAS RADIUS - By Rodney Yeo

Fri Nov 08, 2013 4:24 pm

Also I am searching for this for 2008R2 NPS

Any Usefull Guide

Did anybody succeed ?

I can reach the Server, but get Always rejects on the user aacount or passwords

JP
 
vrosic
just joined
Posts: 1
Joined: Fri Nov 15, 2013 2:29 pm

Re: Hotspot AAA Microsoft IAS RADIUS - By Rodney Yeo

Fri Nov 15, 2013 2:31 pm

It is because hotspot can handle only PAP auth. so, in network policies, constrains, authentication methods disable everything except "Unencrypted authentication (PAP, SPAP)"
 
onowojemma
Member Candidate
Member Candidate
Posts: 129
Joined: Sun Sep 11, 2005 5:27 pm
Location: Nigeria

Re:

Fri Jun 27, 2014 1:20 pm

Actually I figured it out..

On the IAS server I was putting the IP address of the Hotspot gateway forgetting that it was masquerading itself so I changed it to the LAN Gateway and it worked.
Mikrotik! making networking easy
 
onowojemma
Member Candidate
Member Candidate
Posts: 129
Joined: Sun Sep 11, 2005 5:27 pm
Location: Nigeria

Re:

Fri Jun 27, 2014 1:23 pm

Actually I figured it out..

On the IAS server I was putting the IP address of the Hotspot gateway forgetting that it was masquerading itself so I changed it to the LAN Gateway and it worked.
Actually I figured it out..

On the IAS server I was putting the IP address of the Hotspot gateway forgetting that it was masquerading itself so I changed it to the LAN Gateway and it worked.
Hi sorry for boarding you, you follow the example above what of the realm thing am also using server 2003 and there is no realm
Kind regard.
Mikrotik! making networking easy
 
User avatar
otgooneo
Trainer
Trainer
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia
Contact:

Re: Hotspot AAA Microsoft IAS RADIUS - By Rodney Yeo

Thu Mar 26, 2015 3:53 am

Hi Rodney,

Thank you for your great post. Very useful. How about DHCP with AAA on MT and AAA is active directory without hotspot or ppp.
----------------------------
Want to learn more and more...

Who is online

Users browsing this forum: Google [Bot] and 94 guests