Volkk
just joined
Topic Author
Posts: 8
Joined: Wed Jan 29, 2020 5:52 pm
Location: Argentina,BuenosAires,Berisso

PROBLEM WITH DHCPV6+RADIUS

Fri Feb 18, 2022 5:16 pm

I am trying to implement an access network with DHCPV6 + RADIUS, but I find that when trying to authenticate the connection, instead of using the MAC of the device, it uses something similar to the DUID. I do not understand how it generates it, and it changes between connection and disconnection, so I cannot set parameters in RADIUS.

According to MikroTik it should work as follows:

-- Attribute names as they appear in the FreeRADIUS dictionary:
-- Auth-Type := Accept lets the MAC in without a password check.
INSERT INTO `radcheck` (`username`, `attribute`, `op`, `value`) VALUES
('000c4200d464', 'Auth-Type', ':=', 'Accept');

-- Delegated-IPv6-Prefix (RFC 4818) carries the prefix handed to the client.
INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES
('000c4200d464', 'Delegated-IPv6-Prefix', '=', 'fdb4:4de7:a3f8:418c::/66'),
('000c4200d464', 'Mikrotik-Rate-Limit', '=', '10M');

I try to authenticate a machine with the MAC 74:B5:7E:92:CF:10 (74b57e92cf10) and I get the following output from radius -X:

(46) Received Access-Request Id 78 from 192.168.80.35:54598 to 192.168.80.33:1812 length 117
(46) NAS-Port-Type = Ethernet
(46) NAS-Port = 2211448098
(46) Service-Type = Framed-User
(46) Calling-Station-Id = "1579a1fa74b5"
(46) User-Name = "15:79:A1:FA:74:B5"
(46) Called-Station-Id = "TESTDHCPV6"
(46) User-Password = ""
(46) NAS-Identifier = "NAS TWO7"
(46) NAS-IP-Address = 192.168.80.35
(46) # Executing section authorize from file /etc/raddb/sites-enabled/default
(46) authorize {
(46) policy filter_username {
(46) if (&User-Name) {
(46) if (&User-Name) -> TRUE
(46) if (&User-Name) {
(46) if (&User-Name =~ / /) {
(46) if (&User-Name =~ / /) -> FALSE
(46) if (&User-Name =~ /@[^@]*@/ ) {
(46) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(46) if (&User-Name =~ /\.\./ ) {
(46) if (&User-Name =~ /\.\./ ) -> FALSE
(46) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(46) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(46) if (&User-Name =~ /\.$/) {
(46) if (&User-Name =~ /\.$/) -> FALSE
(46) if (&User-Name =~ /@\./) {
(46) if (&User-Name =~ /@\./) -> FALSE
(46) } # if (&User-Name) = notfound
(46) } # policy filter_username = notfound
(46) [preprocess] = ok
(46) [chap] = noop
(46) [mschap] = noop
(46) [digest] = noop
(46) suffix: Checking for suffix after "@"
(46) suffix: No '@' in User-Name = "15:79:A1:FA:74:B5", looking up realm NULL
(46) suffix: No such realm "NULL"
(46) [suffix] = noop
(46) eap: No EAP-Message, not doing EAP
(46) [eap] = noop
(46) [files] = noop
(46) sql: EXPAND %{User-Name}
(46) sql: --> 15:79:A1:FA:74:B5
(46) sql: SQL-User-Name set to '15:79:A1:FA:74:B5'
rlm_sql (sql): Reserved connection (0)
(46) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(46) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '15:79:A1:FA:74:B5' ORDER BY id
(46) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '15:79:A1:FA:74:B5' ORDER BY id
(46) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(46) sql: --> SELECT groupname FROM radusergroup WHERE username = '15:79:A1:FA:74:B5' ORDER BY priority
(46) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '15:79:A1:FA:74:B5' ORDER BY priority
(46) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
(46) [sql] = notfound
(46) [expiration] = noop
(46) [logintime] = noop
(46) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(46) pap: WARNING: Authentication will fail unless a "known good" password is available
(46) [pap] = noop
(46) } # authorize = ok
(46) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(46) Failed to authenticate the user
(46) EXPAND PW INCORRECTA
(46) --> PW INCORRECTA
(46) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [15:79:A1:FA:74:B5/] (from client two7 port 2211448098 cli 1579a1fa74b5) PW INCORRECTA
(46) Using Post-Auth-Type Reject
(46) # Executing group from file /etc/raddb/sites-enabled/default

The user trying to connect is 1579a1fa74b5. If we look closely, the last 4 digits correspond to the first 4 of the MAC, but I don't know what the rest corresponds to, and it changes between connection and disconnection.

Has MikroTik not resolved the implementation of DHCPV6 + RADIUS yet?
Could someone solve this problem?
Is there a problem in my configuration?
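The observation in the post (the username's last four hex digits match the first two bytes of the MAC, and the rest changes between sessions) is exactly what you get if a DHCPv6 DUID-LLT is read as though it were a DUID-LL: RFC 8415 puts a 4-byte timestamp in front of the link-layer address in a DUID-LLT, but not in a DUID-LL. The script below is an added example, not code from the thread or from MikroTik; it builds a DUID with constructed values (the timestamp 0x1579a1fa and the MAC from the post), parses it per RFC 8415, and shows what a fixed-offset read produces. Whether RouterOS actually read the DUID this way is my assumption, inferred only from the log; the thread confirms just that a later RouterOS build fixed the behaviour.

```python
# Added example (not from the thread): RFC 8415 DUID layouts and the effect of
# reading the link-layer address at the wrong offset. All input is constructed.
import struct
from typing import Optional

# DUID types from RFC 8415 section 11
DUID_LLT = 1   # type(2) | hw-type(2) | time(4) | link-layer address
DUID_EN = 2    # type(2) | enterprise-number(4) | identifier (opaque)
DUID_LL = 3    # type(2) | hw-type(2) | link-layer address
DUID_UUID = 4  # type(2) | uuid(16)

HW_ETHERNET = 1  # IANA hardware type for Ethernet


def build_duid_llt(time_secs: int, mac: bytes, hw_type: int = HW_ETHERNET) -> bytes:
    """DUID-LLT as a client (e.g. a Windows or Linux host) typically sends it."""
    return struct.pack("!HHI", DUID_LLT, hw_type, time_secs) + mac


def build_duid_ll(mac: bytes, hw_type: int = HW_ETHERNET) -> bytes:
    """DUID-LL: no timestamp, so the MAC starts right after the 4-byte header."""
    return struct.pack("!HH", DUID_LL, hw_type) + mac


def link_layer_from_duid(duid: bytes) -> Optional[bytes]:
    """Return the link-layer address carried by a DUID, parsed by type.

    Returns None for DUID-EN, DUID-UUID, unknown types and truncated input:
    those DUIDs carry no MAC, so no MAC-based RADIUS username can be derived.
    """
    if len(duid) < 4:
        return None
    (duid_type,) = struct.unpack("!H", duid[:2])
    if duid_type == DUID_LLT:
        if len(duid) < 8:
            return None
        return duid[8:]          # skip type, hw-type and the 4-byte timestamp
    if duid_type == DUID_LL:
        return duid[4:]          # skip type and hw-type only
    return None


def naive_mac_at_offset4(duid: bytes) -> bytes:
    """Hypothetical faulty reading (my assumption about the bug): treat every
    DUID as DUID-LL and take the six bytes after the 4-byte header."""
    return duid[4:10]


def radius_username(mac: bytes) -> str:
    """Colon-separated upper-case form, as the User-Name appears in the log."""
    return ":".join(f"{b:02X}" for b in mac)


def demo() -> dict:
    # Constructed DUID-LLT reproducing the values seen in the post's log.
    mac = bytes.fromhex("74b57e92cf10")
    duid = build_duid_llt(0x1579A1FA, mac)
    wrong = naive_mac_at_offset4(duid)
    right = link_layer_from_duid(duid)
    return {
        "wrong_username": radius_username(wrong),   # "15:79:A1:FA:74:B5"
        "right_username": radius_username(right),   # "74:B5:7E:92:CF:10"
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

A DUID-LLT timestamp is fixed at the time the client first generated its DUID, so a changing value across sessions means the client is regenerating its DUID or the bytes being read are not the timestamp at all; either way, a username that is not stable across sessions cannot be matched against static radcheck/radreply rows, and the robust fix is on the NAS side, as the thread's later posts confirm.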
 
MarcosLL
just joined
Posts: 1
Joined: Sun Apr 24, 2022 5:48 pm

Re: PROBLEM WITH DHCPV6+RADIUS

Sun Apr 24, 2022 5:59 pm

According to the following log:

(46) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [15:79:A1:FA:74:B5/] (from client two7 port 2211448098 cli 1579a1fa74b5) PW INCORRECTA

This should work:

INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES
('15:79:A1:FA:74:B5', 'Delegated-IPv6-Prefix', '=', 'fdb4:4de7:a3f8:418c::/66');
 
Volkk
just joined
Topic Author
Posts: 8
Joined: Wed Jan 29, 2020 5:52 pm
Location: Argentina,BuenosAires,Berisso

Re: PROBLEM WITH DHCPV6+RADIUS

Mon Apr 25, 2022 8:25 pm

> According to the following log:
>
> (46) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [15:79:A1:FA:74:B5/] (from client two7 port 2211448098 cli 1579a1fa74b5) PW INCORRECTA
>
> This should work:
>
> INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES
> ('15:79:A1:FA:74:B5', 'Delegated-IPv6-Prefix', '=', 'fdb4:4de7:a3f8:418c::/66');

The problem is that the user "MAC" changes for the same device every time it tries to connect, which is impossible, and I don't see this behavior in DHCPv4.
 
Volkk
just joined
Topic Author
Posts: 8
Joined: Wed Jan 29, 2020 5:52 pm
Location: Argentina,BuenosAires,Berisso

Re: PROBLEM WITH DHCPV6+RADIUS  [SOLVED]

Mon May 16, 2022 5:20 pm

In contact with MikroTik support, they told me to try version 7.2.3, and this problem is fixed in that version.
I do not see this problem mentioned in the release notes, so it is not ruled out that it reappears. What we do know is that it is a ROS error; this is good to know for those who are doing a DHCP + DHCPV6 + RADIUS implementation in their access network.
Hopefully MikroTik has it figured out soon!
