tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Step by Step tutorial on Enabling Dynamic VLANs using Synology and CAPsMAN on ROS7

Fri Feb 10, 2023 7:09 am

1. Introduction - Preliminary info

NOTE - THIS IS USING SYNOLOGY DSM 7 and their Directory Server Package!!

Synology Server Directory is an implementation of Windows Active Directory (AD). Both are directory servers (think of LDAP) and are very well known to people who have to administer computers and users in small businesses (SMB) and enterprises. As far as I am aware, CAPsMAN is the only way to implement dynamic VLANs for different users using something like RADIUS that ties into those directory services. I tried finding out how to accomplish this, but I couldn't find an easy how-to, since there wasn't a single place where all of the information was up to date, in the same place, or organized well.

This would be the scenario... Someone has been using a NAS for a while now and is in need of expanding, and they want a unified way to manage users across the WAN throughout all the services they are providing. They are using Synology Directory Server and they would like to use that Directory Server to authenticate users and, depending on the group, assign them to a particular VLAN. That will give their users the ability to manage their own passwords while the admins manage the access those users have to the information and the VLANs.

I am including this here because Synology has made quite an impact on SMB with their NAS. They provide a lot of other interesting services besides their file servers, the most popular being their sync server (something like Dropbox), Active Backup, Hyper Backup, Calendar, Contacts, and something like Office 365. Usually Active Directory is something that is harder to implement, but they have plenty of tutorials and videos on YouTube.

Although this is meant to be a tutorial for people with little experience, it has to take place within the context of a lot of complex topics. THIS IS NOT a simple topic, and in order to configure this correctly you will need to follow a couple of tutorials and have your configuration started before you even get started on this. If you are very new, that will be the best course of action. FIRST get one thing working right, and ONLY THEN move to the next step.

I try to title every section in this tutorial so that you can skip sections if necessary. But if something is not working right, read the skipped sections.

Understand Mikrotik

I will be using the settings of a previous tutorial I wrote on "how to get Dynamic VLANs using CAPsMAN and the new User Manager on ROS7."

viewtopic.php?t=186420

If you are new, please follow that tutorial until you get it working in your own setup. I will assume that you have that configuration working already. Getting this working in Mikrotik after following the Synology part of this tutorial is super easy.

Understand Active Directory and Synology

Most of the work to get this working needs to take place in Synology.

You may not need to be super familiar with RADIUS, but since this is a tutorial about using Synology's Active Directory, please watch the official Synology Directory Server video tutorial first. It is very basic but goes through an easy configuration example.

https://www.youtube.com/watch?v=azUkol3hSMc

This next tutorial is also useful BUT I COULD GET IT WORKING WITH MAC VERSIONS HIGHER THAN 10.11. I am including the tutorial here for the sake of completeness.

https://www.blackvoid.club/dsm-7-direct ... directory/

Information you will need

These are the things you need to know or have set up.

1. Have a working Active Directory in Synology.
2. Have ssh access to your NAS working properly.
3. Have access to an admin account (I know this should be obvious, but you will be surprised!)
4. Know your NAS and Mikrotik router IP.
5. Have created a user and a group (that the user belongs to) in the Synology Directory Server.
6. Know how to edit or modify files in the Synology terminal (either using Vi or nano).
7. Have "Domain users" as a source for user authentication in the Synology RADIUS server package. This can be done by opening the RADIUS server package, going to the settings, and then making sure that the correct option is checked.

This tutorial will not go over any of the topics above. If you need help in those areas, this is not the post to ask those questions, but you can find posts and tutorials using Google.

DISCLAIMER - PLEASE KNOW THAT YOU MAY CAUSE SOME DAMAGE TO YOUR SYNOLOGY CONFIGURATION AND LOSE SOME FUNCTIONALITY AND MAYBE EVEN SOME DATA. DO NOT ATTEMPT UNLESS YOU ARE AWARE OF THIS AND HAVE A BACKUP.

The following is a lot of background and if you are familiar with Mikrotik and Synology, feel free to skip this. Just know that you may miss something important!

Important Synology paths

It will be good to know the following file locations for your RADIUS configuration and bin files.
/volume1/@appstore/RadiusServer/etc/raddb/mods-enabled
/usr/local/synoradius/

RADIUS - Stop, start, restart, and start in verbose mode

You will need to restart your RADIUS server after making changes to your configuration. This command is one that you will need to run after every change.
sudo systemctl restart pkgctl-RadiusServer

You can also stop or start the package by substituting the word `restart` with `stop` or `start`.

But if you need to run your RADIUS server in diagnostic mode to get some logs, this is how you do it.
sudo systemctl stop pkgctl-RadiusServer
sudo /var/packages/RadiusServer/target/sbin/radiusd -X

Just make sure that you quit the diagnostic mode and go back to normal after you are done testing or configuring.

Radtest

This command helps you to test a RADIUS client connection while getting some more information. This is best used in conjunction with the logs you get from your RADIUS server.

User-Manager RADIUS server example

Although this is not a tutorial about the User Manager package in ROS 7, it will be good to know that you can get some logs from your RADIUS server using the following command and observe RADIUS working properly. This is how you add RADIUS to the logs in your MikroTik routers.
/system logging
add topics=radius

Again, I am assuming that you already have dynamic VLANs on ROS 7 by following my other tutorial. Below is the information you need to remember to do a quick test using `radtest`.
# Add the RADIUS router to your CAPsMAN
/user-manager router
add address=127.0.0.1 name=CAPsMAN shared-secret=1234

# Adding user
/user-manager user
add attributes=Mikrotik-Wireless-VLANIDtype:2,Mikrotik-Wireless-VLANID:300 name=test password=123456789 shared-users=3

And this is how you would test the connection using this command on your Synology NAS, assuming your router's IP is `192.168.1.1` and that your firewall is not blocking your RADIUS requests.
/volume1/@appstore/RadiusServer/bin/radtest -t mschap test 123456789 192.168.1.1 1812 1234

Why will it fail using the Mikrotik RADIUS server?

Here is the clue,

`Reply-Message = "MSCHAP auth not allowed for user"`

In my user-manager tutorial, we did not activate MSCHAPv1. This is how the default auth options were configured.
/user-manager user group
set [ find default-name=default ] inner-auths=peap-mschap2 outer-auths=eap-tls,eap-peap,eap-mschap2

If you want to see radtest working in your working Mikrotik setup, do the following...

(WARNING THE FOLLOWING WILL BREAK YOUR PREVIOUS WORKING TUTORIAL CONFIGURATION, this is just so you can see `radtest` work using Mikrotik user-manager in what I am assuming is an already working configuration.)
/user-manager user group
set [ find default-name=default ] inner-auths=peap-mschap2 outer-auths=mschap1,mschap2,eap-tls,eap-peap,eap-mschap2

If you want to restore your configuration after you have played around with `radtest`, just run the first config that doesn’t include MSCHAPv1.

Synology Radius server example

This is how you can test your Synology RADIUS server, assuming the following.

1. YOU HAVE GIVEN ACCESS TO RADIUS IN YOUR SYNOLOGY FIREWALL
2. Your NAS ip is 192.168.1.250
3. All of the above instructions have been followed so far
4. You have added the RADIUS client with the 1234 shared secret in your Synology RADIUS server. This can be done by opening the RADIUS server package, going to the client settings, and then adding the IP of the NAS running the command or the whole subnet (IP address: 192.168.1.1, subnet: 255.255.255.0).
/volume1/@appstore/RadiusServer/bin/radtest -t mschap testuser testpassword 192.168.1.250 1812 1234

2. Set up your Synology NAS.

I am assuming the following,

1. YOU HAVE GIVEN ACCESS TO RADIUS IN YOUR SYNOLOGY FIREWALL
2. Have "Domain users" as a source for user authentication in the Synology RADIUS server package. This can be verified by opening the RADIUS server package, going to the settings, and then making sure that the correct option is checked.
3. Your Synology AD is working well already (you should have followed the official Synology Directory Server tutorial)
4. Your NAS ip is 192.168.1.250
5. You have added the RADIUS client with the 1234 shared secret in your Synology RADIUS server. This can be done by opening the RADIUS server package, going to the client settings, and then adding the IP of the NAS running the command or the whole subnet (IP address: 192.168.1.1, subnet: 255.255.255.0).
6. You are not trying to do LDAP in your Synology RADIUS too. I am not sure if this will create a conflict, but I haven't tested that, so I cannot help you if you have that activated.

Also, for the sake of this example, let's say that your domain is `pain.local`, your user is `test` with the password `PasswordOneTwo3`, and that user belongs to the `staff` group.

NOTE: If you are starting this tutorial here and something fails, I recommend that you read the first part of the tutorial and go through some of the basics you need. But let us get started. First, stop your RADIUS server.
sudo systemctl stop pkgctl-RadiusServer

Modify `/usr/local/synoradius/rad_site_def_local_ad` to look like this,
post-auth {
        exec
        $INCLUDE /usr/local/synoradius/vlan-assignment
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

Create the file `/usr/local/synoradius/vlan-assignment` with the following contents. Make sure that you have the right permissions on that new file.
if (!(Group == "PAIN\\\\staff")) {
        update reply {
                Mikrotik-Wireless-VLANID-Type := "2",
                Mikrotik-Wireless-VLANID := "100",
                Mikrotik-Group := "full",
                Service-Type := "Administrative-User",
                Reply-Message := "Welcome to the internal WLAN, %{User-Name}"
        }
}
elsif (!(Group == "PAIN\\\\othergroup")) {
        update reply {
                Mikrotik-Wireless-VLANID-Type := "2",
                Mikrotik-Wireless-VLANID := "300",
                Service-Type := "Guest-User",
                Reply-Message := "Welcome to the guest WLAN, %{User-Name}"
        }
}
else {
        reject
}

I had mentioned in another tutorial how some people used `Mikrotik-Wireless-VLANID-Type := "0"` instead of what I used in the tutorial. This works for me and I don't believe it makes a difference.

Also notice that I added `Mikrotik-Group := "full",`. This is necessary if you want to use your Synology AD to also log in to your Mikrotik router. That is used to set up the permissions that particular user has in your router.

Bonus

After getting everything working, you can create a different set of permissions for your Mikrotik router. JUST MAKE SURE THAT YOU ADD THOSE GROUPS IN EVERY ROUTER YOU WANT TO CONNECT TO USING THIS SPECIAL GROUP.

For example, for `Mikrotik-Group := "test",` we could use something like:
/user group
add name=test policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,rest-api"

Enable use_tunneled_reply

Change `/volume1/@appstore/RadiusServer/etc/raddb/mods-enabled/eap` to use `use_tunneled_reply` in ttls and peap. It should look like this after you modify that section,
                ttls {
                        tls = tls-common
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = no
                        use_tunneled_reply = yes
                        virtual_server = "inner-tunnel"
                }

                peap {
                        tls = tls-common
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = no
                        use_tunneled_reply = yes
                        virtual_server = "inner-tunnel"
                }

Start Radius in verbose mode

This will help you to see if you have a working configuration.
sudo systemctl stop pkgctl-RadiusServer
sudo /var/packages/RadiusServer/target/sbin/radiusd -X

Run radtest

If you are doing this from your Synology NAS, you need to open another terminal window and ssh into it. Assuming that the client subnet you added is the same one where your Synology is located, you should be able to run the following command.
/volume1/@appstore/RadiusServer/bin/radtest -t mschap test PasswordOneTwo3 192.168.1.250 1812 1234

If all is working correctly, it should work and return something like,
Sent Access-Request Id 23 from 0.0.0.0:32910 to 192.168.1.250:1812 length 133
        User-Name = "test"
        MS-CHAP-Password = "PasswordOneTwo3"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "PasswordOneTwo3"
        MS-CHAP-Challenge = 0x00000000000000000
        MS-CHAP-Response = 0x0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Received Access-Accept Id 23 from 192.168.1.250:1812 to 192.168.1.250:32910 length 165
        MS-CHAP-MPPE-Keys = 0x00000000000000000000000000000000000
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
        Mikrotik-Wireless-VLANID-Type = 2
        Mikrotik-Wireless-VLANID = 100
        Mikrotik-Group = "full"
        Service-Type = Administrative-User
        Reply-Message = "Welcome to the internal WLAN, test"

Congrats

If that is what you got, congrats, you have this working correctly. Now you need to set up your Mikrotik router to use this configuration to log in to your router and also to get dynamic VLANs using CAPsMAN.

Mikrotik

You are practically done.

Connect CAPsMAN to the Synology Radius server

This is how you add a connection. Again, make sure that your Synology firewall is allowing RADIUS connections and that your Mikrotik router has access to your Synology NAS. That is a matter of firewalls and will not be covered in this tutorial.

Login into the Mikrotik Router that is running CAPsMAN and add your Synology RADIUS
/radius
add address=192.168.1.250 service=login,wireless timeout=700ms secret=1234

See logs

This is something that I mentioned above, but you can check your logs in your Mikrotik router by enabling them like this,
/system logging
add topics=radius

TEST - IMPORTANT

If you are connecting to two RADIUS servers, it may not work for you. Let's say that you already have User Manager set up in ROS7 because you followed my previous tutorial and now you want to add the Synology RADIUS. Then your first RADIUS client will be User Manager and you may get a reject from that server before you get a response from the Synology one. There are a couple of solutions to this situation.

1. The easiest is to just connect to one RADIUS server. Disable one and enable the one you want to use.
2. The second option is to play with your server timeouts in `/radius`. If that is the case, you can try setting `timeout=200ms` on the first server and then give the second server a longer one, `timeout=700ms`. Just be aware that a shorter time may not be enough for the first server to accept a valid user.
/radius
add address=127.0.0.1 service=login,wireless secret=1234 timeout=200ms
add address=192.168.1.250 service=login,wireless secret=1234 timeout=700ms

Anyway, forewarned is forearmed.

But this should work.

I recommend that you first try to log in to your router using Winbox. This should have been activated before in EACH router you want to connect to, and you should have added the RADIUS client like this,
/user aaa
set accounting=yes default-group=read use-radius=yes

If you decided to create some sort of unique user groups as in the bonus section, those should be included in that router too.
Last edited by tuxtlequino on Sat Feb 11, 2023 10:23 pm, edited 1 time in total.
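The tutorial above checks the `radtest` transcript by eye. The following script is an added example, not part of the original post, that does the same check in code: it parses a `radtest` transcript into the reply code plus reply attributes (deliberately dropping the request block, so the password radtest echoes never lands in a log), and then verifies that the reply carries the VLAN, VLAN type and Mikrotik-Group the `vlan-assignment` policy is supposed to return, or an Access-Reject for users that should be refused. The three transcripts embedded below are constructed to mirror the output shown in the tutorial (including the "MSCHAP auth not allowed for user" reject from User Manager) and are not real captures; `run_radtest` is a thin wrapper around the Synology `radtest` binary path given above and is only used when you run the script against a live server.

```python
"""Parse FreeRADIUS `radtest` output and check dynamic-VLAN replies.

Added example for the Synology + CAPsMAN tutorial; not part of the original
post. The sample transcripts are constructed, not captured from a real server.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Path of the Synology RADIUS package's radtest binary (from the tutorial).
RADTEST = "/volume1/@appstore/RadiusServer/bin/radtest"

_PACKET_RE = re.compile(r"^Received (Access-\w+) Id (\d+) from (\S+)")
_ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


@dataclass
class RadiusResult:
    code: str                                   # Access-Accept / Access-Reject / No reply
    attrs: Dict[str, str] = field(default_factory=dict)   # reply attributes only


def parse_radtest(output: str) -> RadiusResult:
    """Return the reply code and the attributes that follow the 'Received' line.

    Everything before 'Received ...' is the echoed request (User-Name,
    MS-CHAP-Password, ...) and is intentionally ignored, so a password never
    ends up in the parsed result. If no 'Received' line appears, the server
    did not answer (firewall, wrong client IP or wrong shared secret).
    """
    result = RadiusResult("No reply")
    in_reply = False
    for line in output.splitlines():
        m = _PACKET_RE.match(line)
        if m:
            result.code = m.group(1)
            in_reply = True
            continue
        if in_reply:
            a = _ATTR_RE.match(line)
            if a:
                result.attrs[a.group(1)] = a.group(2)
    return result


def check_reply(result: RadiusResult, expected_vlan: Optional[str],
                expected_group: Optional[str] = None) -> List[str]:
    """Compare a parsed reply with what the vlan-assignment policy should send.

    expected_vlan=None means the user must be rejected. Returns a list of
    mismatches; an empty list means the reply is exactly as expected.
    """
    problems: List[str] = []
    if expected_vlan is None:
        if result.code != "Access-Reject":
            problems.append(f"expected Access-Reject, got {result.code}")
        return problems
    if result.code != "Access-Accept":
        msg = result.attrs.get("Reply-Message", "")
        problems.append(f"expected Access-Accept, got {result.code}: {msg}")
        return problems
    vlan = result.attrs.get("Mikrotik-Wireless-VLANID")
    if vlan != expected_vlan:
        problems.append(f"VLAN {vlan!r} != expected {expected_vlan!r}")
    if result.attrs.get("Mikrotik-Wireless-VLANID-Type") != "2":
        problems.append("Mikrotik-Wireless-VLANID-Type is not 2 (802.1Q)")
    if expected_group is not None and result.attrs.get("Mikrotik-Group") != expected_group:
        problems.append(f"Mikrotik-Group {result.attrs.get('Mikrotik-Group')!r} != {expected_group!r}")
    return problems


def run_radtest(user: str, password: str, server: str, secret: str) -> str:
    """Run the real radtest (MS-CHAP, port 1812) and return its transcript.

    radtest exits non-zero on Access-Reject, so check=True is not used.
    """
    cmd = [RADTEST, "-t", "mschap", user, password, server, "1812", secret]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


# Constructed transcripts in the shape radtest prints (not real captures).
ACCEPT_SAMPLE = """\
Sent Access-Request Id 23 from 0.0.0.0:32910 to 192.168.1.250:1812 length 133
        User-Name = "test"
        MS-CHAP-Password = "PasswordOneTwo3"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
Received Access-Accept Id 23 from 192.168.1.250:1812 to 192.168.1.250:32910 length 165
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        Mikrotik-Wireless-VLANID-Type = 2
        Mikrotik-Wireless-VLANID = 100
        Mikrotik-Group = "full"
        Service-Type = Administrative-User
        Reply-Message = "Welcome to the internal WLAN, test"
"""
REJECT_SAMPLE = """\
Sent Access-Request Id 5 from 0.0.0.0:40001 to 192.168.1.1:1812 length 133
        User-Name = "test"
Received Access-Reject Id 5 from 192.168.1.1:1812 to 0.0.0.0:40001 length 56
        Reply-Message = "MSCHAP auth not allowed for user"
(0) -: Expected Access-Accept got Access-Reject
"""
NOREPLY_SAMPLE = """\
Sent Access-Request Id 9 from 0.0.0.0:40002 to 192.168.1.250:1812 length 133
        User-Name = "test"
(0) No reply from server for ID 9 socket 3
"""

if __name__ == "__main__":
    for name, sample, vlan, group in [("staff user", ACCEPT_SAMPLE, "100", "full"),
                                      ("user-manager reject", REJECT_SAMPLE, "100", None),
                                      ("unreachable server", NOREPLY_SAMPLE, "100", None)]:
        print(name, check_reply(parse_radtest(sample), vlan, group) or "OK")
```

To use it against a live server, replace the samples with `run_radtest("test", "PasswordOneTwo3", "192.168.1.250", "1234")` and keep one expectation per user/group you care about; a mismatch on `Mikrotik-Wireless-VLANID` is the quickest sign that the `Group ==` branch in `vlan-assignment` did not match the way you intended.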
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Step by Step tutorial on Enabling Dynamic VLANs using Synology and CAPsMAN on ROS7

Fri Feb 10, 2023 4:12 pm

What is the purpose of radius server at all here?
Why tie in capsman.......
Need the so what overall view.....
No clue what is an active directory or why its needed.........
 
tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Re: Step by Step tutorial on Enabling Dynamic VLANs using Synology and CAPsMAN on ROS7

Sat Feb 11, 2023 10:16 pm

What is the purpose of radius server at all here?
Why tie in capsman.......
Need the so what overall view.....
No clue what is an active directory or why its needed.........
Hi Anav,

Synology Server Directory is an implementation of Windows Active Directory (AD). Both are directory servers (think of LDAP) and are very well known to people who have to administer computers and users in small businesses (SMB) and enterprises. As far as I am aware, CAPsMAN is the only way to implement dynamic VLANs for different users using something like RADIUS.

I am including this here because Synology has made quite an impact on SMB with their NAS. They provide a lot of other interesting services besides their file servers, the most popular being their sync server (something like Dropbox), Active Backup, Hyper Backup, Calendar, Contacts, and something like Office 365. Usually Active Directory is something that is harder to implement, but they have plenty of tutorials and videos on YouTube.

This would be the scenario... Someone has been using a NAS for a while now and is in need of expanding, and they want a unified way to manage users across the WAN throughout all the services they are providing. They are using Synology Directory Server and they would like to use that Directory Server to authenticate users and, depending on the group, assign them to a particular VLAN.

Thank you for the feedback. I hope that this is helpful and that this answers your questions and improves the tutorial. I am including this in the tutorial.
