
Hotspot Radius problem

Posted: Wed Jun 13, 2007 2:19 am
by transporter_ii
Might be something easy, but I have read every document I can find and feel I'm doing exactly as they say.

I have a simple freeradius server running on FreeBSD and it's working perfectly for PAP authentication, and I have used NtRadPing to verify it.

On RouterOS Radius menu: Radius information is configured exactly as documents say, with IP of freebsd freeradius server and secret phrase (service "hotspot" is checked).
On Hotspot: I went to Hotspot -> Servers tab -> Profiles -> Choose your Profile for your hotspot and checked: "Use Radius" and "Accounting"...and I did do it for the correct profile (and the default profile just in case).

On profile for login, the only thing checked is: HTTP PAP.

The problem is, I added a user that is in the FreeRadius server. However, I put in a wrong password for the user in the hotspot just as a test, and when I log in to the hotspot and put in this username and password, it lets me right on and I can start browsing the Internet.

If I put in the wrong password in NtRadPing, I get "Access-Reject," just as it should, so it seems to me that RouterOS is the problem, not my freeradius server. In fact, it isn't even hitting the freeradius server at all, just accepting the user's name and password and letting it surf, even though I have it set to use radius on the hotspot.

I've rebooted the AP and relogged in and deleted the user from the hotspot repeatedly. Pretty much worked on this all day long.

Anyone have any ideas?

Re: Hotspot Radius problem

Posted: Wed Jun 13, 2007 7:28 pm
by transporter_ii
Ok, once again will answer my own question. At least I put some useful information into the system for people to search for. :) Hey, this isn't documented very well and I have to figure it out by trial and error.

If you have a radius server, don't add the user to the hotspot! The radius server will work and the hotspot authentication will work too.

Am I correct in thinking that an AP hotspot with a Radius server will not work for MAC authentication?

From what I see in the how-to, for MAC authentication with Radius, it is for wireless and not a Hotspot:
To authorize associations on an AP interface, first set up a RADIUS server with "Wireless" enabled, then you simply need to set "radius-mac-authentication=yes" in the security profile for the AP. You can do this through winbox by going to the Wireless->Security Profiles tab, double clicking your profile and ticking the "RADIUS MAC Authentication" box. Mikrotik will submit the MAC address as the username in the format 00:11:22:33:44:55 with a blank password. Since Mikrotik submits a blank password, you will need to keep this in mind when developing your security systems.
All my attempts to make this work for a Hotspot have failed. I would be interested to know if you can authorize by MAC on a hotspot, and how you do it.


Re: Hotspot Radius problem

Posted: Wed Jun 13, 2007 9:37 pm
by ofasa
Just use the MAC Address as the user name. And enable login by MAC in the hotspot server profile. It should work.

Re: Hotspot Radius problem

Posted: Sun Jun 17, 2007 7:46 pm
by transporter_ii
Just use the MAC Address as the user name. And enable login by MAC in the hotspot server profile. It should work.
I'm probably going to just figure this out by trial and error, as I finally got my freeradius server working...but when you enable login by MAC on a hotspot without a radius server, it is MAC address as user name and password as the same MAC address. However, with wireless authentication to a radius server (not on a Hotspot), it is user name as MAC address only, because MikroTik passes no password to the radius server. So, for MAC authentication in a Hotspot to a radius server, does it pass a password or not? I e-mailed support for this but got no answer, and I can tell you the documentation on this for wireless is pretty clear (no password), but for a hotspot, it doesn't say.

I'll go to work today and do a trial and error on this and see which way works. It would be nice if it was just documented, though. And this shouldn't be a tough question, a Hotspot either passes a password or it doesn't, so I'm not sure why support didn't answer the question, as I'm still in my support period for a level 4 license...

Thanks for the reply.
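
The open question in the post above (does the hotspot send a blank password or the MAC itself when it does MAC login against RADIUS?) can be answered from a single captured Access-Request and the shared secret. The following is an added example, not part of the original thread: it undoes the RFC 2865 PAP User-Password hiding and classifies what was sent. The function names, shared secret and Request Authenticator are constructed for illustration; `build_access_request` only produces test input.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute type codes

def _md5_chain(secret, authenticator, data, decrypt):
    """RFC 2865 5.2 hiding: XOR 16-byte blocks with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = block if decrypt else res  # always chain on the ciphertext block
    return out

def build_access_request(ident, authenticator, secret, username, password):
    """Constructed test input: a PAP Access-Request as a NAS would send it."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    attrs = b""
    for atype, value in ((USER_NAME, username),
                         (USER_PASSWORD, _md5_chain(secret, authenticator, padded, False))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def password_style(packet, secret):
    """Classify what a captured Access-Request carries as User-Password."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a complete Access-Request")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    hidden = attrs.get(USER_PASSWORD)
    if hidden is None:
        return "no User-Password attribute"
    if len(hidden) % 16:
        raise ValueError("User-Password length is not a multiple of 16")
    # A wrong shared secret yields garbage here and is reported as "other value".
    clear = _md5_chain(secret, authenticator, hidden, True).rstrip(b"\x00")
    if clear == b"":
        return "blank password"
    return "same as User-Name" if clear == attrs.get(USER_NAME) else "other value"

SECRET = b"example-secret"   # constructed shared secret
MAC = b"00:11:22:33:44:55"   # username format quoted in the thread
AUTH = bytes(range(16))      # constructed Request Authenticator
```

Feed `password_style` the UDP payload of an Access-Request captured on the RADIUS server; it reports only the category, so the cleartext password never lands in a log.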