anontrol
newbie
Topic Author
Posts: 30
Joined: Wed Jan 17, 2007 11:39 am

Problems With a Very Specific Mikrotik Config

Wed Jan 17, 2007 12:32 pm

Hi,

I'm new to RouterOS and MikroTik equipment in general, so please excuse me if I make some silly mistakes.

I am trying to work up a specific config for a RouterBoard 500 (three ethernet interfaces and one wireless interface) that involves an arbitrary type of connection for the internet facing interface (ether1)... sometimes this will be a pppoe client, sometimes it will have a static IP address and sometimes it will be on the back end of some other device doing NAT.

The RouterBoard will NAT between whatever address it gets on ether1 and the subnets configured for wlan1 and wlan2 (virtual).

On the wireless side, the private address networks behind wlan1 and wlan2 (virtual) will do the following:

wlan1: no encryption, SSID broadcast enabled, DHCP will provide a private IP address and all port 80 (non-SSL) web traffic will terminate at a single web page regardless of the intended destination.

wlan2 (virtual): PPPoE server will reference an external RADIUS server using a particular realm to authenticate users and provide them with a dynamic private IP address and unfettered internet connectivity. (I'm still mulling over the concept of using PPPoE's MSSE for the wireless session security... the mikrotik "require-security" option... would be interested in knowing other people's opinion on this subject)

I have the preliminary "hard parts" working, with ether1 performing address translation for the wlan1 side, but I can't seem to get wlan2 running the way it should. I have the radius server configured correctly (I believe):


===== begin config dump

interface> print (doing an export here will dump the entire config)
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R ether2 ether 0 0 1500
2 R ether3 ether 0 0 1500
3 wlan1 wlan 0 0 1500
4 wlan2 wlan 0 0 1500


ip address> export
#
/ ip address

add address=192.168.0.10/24 network=192.168.0.0 \
broadcast=192.168.0.255 interface=ether1 comment="" disabled=no

add address=172.16.16.1/24 network=172.16.16.0 \
broadcast=172.16.16.255 interface=wlan1 comment="" disabled=no

add address=172.16.17.1/24 network=172.16.17.0 \
broadcast=172.16.17.255 interface=wlan2 comment="" disabled=no


ip firewall nat> export
#
/ ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="" \
disabled=no


radius> export
add service=ppp called-id="" domain="" \
address=an.external.radius.server \
secret="sekritsquril" authentication-port=1645 \
accounting-port=1646 timeout=300ms accounting-backup=no \
realm="wireless.ether.com" comment="" disabled=no


ppp aaa> print (btw, if you do an export here, it dumps everything)
use-radius: yes
accounting: yes
interim-update: 0s


interface pppoe-server> server
<server> export
#
/ interface pppoe-server server
add service-name="GenericWISP" interface=wlan2 max-mtu=1454 \
max-mru=1454 authentication=pap,chap,mschap1,mschap2 \
keepalive-timeout=disabled one-session-per-host=yes \
max-sessions=0 default-profile=wlan-pppoe-profile \
disabled=no


ppp profile> export
#
/ ppp profile
set default name="default" local-address=0.0.0.0 \
remote-address=0.0.0.0 use-compression=yes \
use-vj-compression=yes use-encryption=yes \
only-one=default change-tcp-mss=yes comment=""

add name="wlan-pppoe-profile" local-address=172.16.17.1 \
remote-address=wlan2-pppoe-pool use-compression=yes \
use-vj-compression=yes use-encryption=no only-one=default \
change-tcp-mss=default dns-server=a.dns.server.somewhere \
comment=""

set default-encryption name="default-encryption" \
use-compression=default use-vj-compression=default \
use-encryption=yes only-one=default change-tcp-mss=yes \
comment=""

===== end config dump

What I'm seeing is failed RADIUS authentications (probably due to the fact that I have no locally defined radius user accounts combined with the reality that radius authentications are not making it to the external radius server... I was watching that as well):

/radius monitor
numbers: 0
pending: 0
requests: 39
accepts: 0
rejects: 39
resends: 0
timeouts: 0
bad-replies: 0
last-request-rtt: 80ms


Any suggestions or example configurations would be greatly appreciated.
 
willywonka
just joined
Posts: 22
Joined: Thu Jan 11, 2007 4:25 pm

Thu Jan 18, 2007 1:38 pm

Hi,

the configuration on the RB seems correct but through radius monitor I don't understand what the problems are... please try to do a request at the radius after this:

system logging

set (number of service) action=echo

this shows you what the problems are...
 
anontrol
newbie
Topic Author
Posts: 30
Joined: Wed Jan 17, 2007 11:39 am

PPPoE authentications failing

Sat Jan 27, 2007 3:27 pm

[quote="willywonka"]
Hi,

the configuration on the RB seems correct but through radius monitor I don't understand what the problems are... please try to do a request at the radius after this:

system logging

set (number of service) action=echo

this shows you what the problems are...
[/quote]


Here's the extended logging:

echo: pppoe,info PPPoE connection established from A0:MA:C0:AD:DR:ES
echo: pppoe,ppp,info <pppoe-0>: waiting for call...
echo: pppoe,ppp,info <pppoe-testuser@wl.realm.com>: terminating... - user testuser@wl.realm.com authentication failed (6)
echo: pppoe,ppp,info <pppoe-testuser@wl.realm.com>: disconnected


Watching the tcpdump at the radius server, I see the RADIUS Access Request (1) come in and RADIUS Access Reject (3) go out. I use NTRadPing on the same network as the external mikrotik interface to make sure that nothing is wrong on the radius server. There are no start and stop records for the user in the RADIUS logs which leads me to believe that my RADIUS server just doesn't like the way the mikrotik's packets smell.

The weird thing is I can get a variation of this config working on a box that doesn't include on-board (mini-PCI) wireless cards.

I even tried changing the config around a little by reducing the number of interfaces to the bare minimum (no virtual wireless interfaces).

I'm beginning to become quite frustrated with the routerboard mikrotik gear.
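The Access-Request (1) / Access-Reject (3) pair seen in the tcpdump above can also be checked offline. The following is an added example, not code from this thread or from RouterOS: a small RFC 2865 decoder that parses a RADIUS reply, verifies its Response Authenticator against the shared secret (so a reject is known to come from the server that holds the secret rather than from a spoofed or misconfigured peer), and pulls out any Reply-Message text, which is where a rejecting server usually states its reason. All packet bytes and the secret used with it are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865) and the two attribute types this decoder uses.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, REPLY_MESSAGE = 1, 18

def _encode_attrs(attrs):
    """Pack (type, value) pairs as TLVs; the length byte covers type+length+value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_request(ident, request_auth, attrs):
    """Access-Request: the 16-byte authenticator is the client's random nonce."""
    body = _encode_attrs(attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth + body

def build_response(code, ident, request_auth, attrs, secret):
    """Reply whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_packet(data):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs

def explain_reply(reply, request_auth, secret):
    """Name the reply, check it came from a server holding the secret, and surface Reply-Message text."""
    code, ident, auth, attrs = parse_packet(reply)
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return {
        "code": CODES.get(code, "code %d" % code),
        "id": ident,
        "authentic": hmac.compare_digest(auth, expected),
        "messages": [v.decode("utf-8", "replace") for t, v in attrs if t == REPLY_MESSAGE],
    }
```

Feed `explain_reply` the reply bytes from a capture together with the request's authenticator and the configured secret; an `authentic` of False means the secret on the two ends does not match, which a server typically reports as a silent discard or a reject without ever consulting the user database.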
 
anontrol
newbie
Topic Author
Posts: 30
Joined: Wed Jan 17, 2007 11:39 am

Wed Jan 31, 2007 12:27 am

Just as an FYI for the group,

I ended up reading the following post:

http://forum.mikrotik.com/viewtopic.php ... gn+address

(RouterOS is v2.9.39)

This got me past the rejected authentication responses at the radius server...

...and then my client started reporting that the server didn't assign it an IP address (that was an easy one... forgot to point the pppoe server interface at the right pppoe profile).

I owe sighup a beer.
