fritzme
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

UserManager on ROS 7 + WiFi Ent (user/pass)

Thu Mar 31, 2022 2:39 pm

Hello,
I have just upgraded my RB450Gx4 to ROS 7.1.5
...and for a couple of days I have been trying to figure out why plain and simple auth with user/pass for WiFi Ent (PEAP) is not working...

The router has multiple VLANs (in my case VLAN 80 [192.168.80.3] has a direct connection to the UniFi AP)
[admin@core-router] > /user-manager/export 
# model = RB450Gx4
/user-manager profile
add name=prof1 name-for-users=prof1 starts-when=first-auth
/user-manager user group
add inner-auths=peap-mschap2 name=tsa outer-auths=pap,chap,mschap1,eap-peap,eap-mschap2
/user-manager user
add group=tsa name=test1
add group=tsa name=test2 shared-users=2
/user-manager
set enabled=yes
/user-manager router
add address=192.168.80.4 name=UAP-AC-LR
/user-manager user-profile
add profile=prof1 user=test1
add profile=prof1 user=test2
I have a UniFi AP that has management IP 192.168.80.4; it connects by cable on vlan80 directly to the router.

router log:
 13:36:58 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 117
 13:36:58 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 117
 13:36:58 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 118
 13:36:58 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 118
 13:36:58 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 119
 13:36:58 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 119
 13:37:02 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 120
 13:37:02 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 120
 13:37:02 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 121
 13:37:02 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 121

I have a Synology NAS with RADIUS enabled; now, if I configure the UniFi AP to use the Synology, everything works flawlessly...
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: UserManager on ROS 7 + WiFi Ent (user/pass)

Tue Apr 05, 2022 2:28 pm

Has anyone been able to install and use this?
User manager is in the extra package if that's implemented for your device.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: UserManager on ROS 7 + WiFi Ent (user/pass) [SOLVED]

Tue Apr 05, 2022 2:35 pm

> Hello,
> I have just upgraded my RB450Gx4 to ROS 7.1.5
> ...and for a couple of days I have been trying to figure out why plain and simple auth with user/pass for WiFi Ent (PEAP) is not working...

It's working fine.
You should check this Document.
https://help.mikrotik.com/docs/display/ ... Manager+v5
 
fritzme
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

Re: UserManager on ROS 7 + WiFi Ent (user/pass)

Tue Apr 05, 2022 3:15 pm

> > Hello,
> > I have just upgraded my RB450Gx4 to ROS 7.1.5
> > ...and for a couple of days I have been trying to figure out why plain and simple auth with user/pass for WiFi Ent (PEAP) is not working...
>
> It's working fine.
> You should check this Document.
> https://help.mikrotik.com/docs/display/ ... Manager+v5

Hi @own3r1138

Oki, I've figured out in fact how the system works :)
Meantime, can you point out how you use Let's Encrypt certificates?

++ side note, clients CAN now auth, however usermanager sessions shows no session ?!
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: UserManager on ROS 7 + WiFi Ent (user/pass)

Thu Apr 07, 2022 12:11 pm

Hello,
https://help.mikrotik.com/docs/display/ ... rtificates

Did you use passthrough or PEAP? Honestly, I was trying to replicate your config "MSCHAPv2" and I was unsuccessful.
For the active session log, that will work if you use user-man as RADIUS; are you?
This is what I found, and it did not work; it's an old post.
 
fritzme
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

Re: UserManager on ROS 7 + WiFi Ent (user/pass)

Thu Apr 07, 2022 1:16 pm

> Hello,
> https://help.mikrotik.com/docs/display/ ... rtificates
>
> Did you use passthrough or PEAP? Honestly, I was trying to replicate your config "MSCHAPv2" and I was unsuccessful.
> For the active session log, that will work if you use user-man as RADIUS; are you?
> This is what I found, and it did not work; it's an old post.

So, here is what I have:

1. core router where userman is installed
- cert generated for radius: CA + tls_server+tls_client
- cert activated for userman

/user-manager/user group/pr
name="cert_auth" outer-auths=eap-tls,eap-peap,eap-mschap2 inner-auths=peap-mschap2 attributes=""


2. AP:
name="EAP-PEAP_TLS" mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm
wpa-pre-shared-key="" wpa2-pre-shared-key="" supplicant-identity="" eap-methods=passthrough tls-mode=verify-certificate
tls-certificate=EAP_TLS mschapv2-username="" mschapv2-password="" disable-pmkid=no static-algo-0=none static-key-0=""
static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no
radius-mac-accounting=no radius-eap-accounting=no interim-update=0s radius-mac-format=XX-XX-XX-XX-XX-XX
radius-mac-mode=as-username-and-password radius-called-format=mac:ssid radius-mac-caching=disabled group-key-update=10m
management-protection=disabled management-protection-key=""


3. cert imported on android + windows machines

NOW, ALL clients can auth, but usermanager doesn't show any active sessions ?!!?
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: UserManager on ROS 7 + WiFi Ent (user/pass)

Thu Apr 07, 2022 1:55 pm

> radius-eap-accounting=no

This should be set to "yes".

Do you use profiles in user-man?
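
Both symptoms in this thread (the Access-Challenge loop in the first post's log, and clients authenticating while no sessions appear until radius-eap-accounting is set to "yes") can be read off the User Manager debug log. The Python sketch below is an added example, not part of any post: it assumes Access-Accept and Accounting-* lines are logged in the same shape as the lines quoted in the first post, groups traffic by NAS IP only, and its function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample. The 192.168.80.4 lines copy the shape of the thread's log;
# the Access-Accept and Accounting-* lines are ASSUMED to use the same format.
SAMPLE = """\
 13:36:58 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 117
 13:36:58 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 117
 13:37:02 manager,debug >>> rx Access-Request from [192.168.80.4]:56227, id: 118
 13:37:02 manager,debug <<< tx Access-Challenge to [192.168.80.4]:56227, id: 118
 14:00:01 manager,debug >>> rx Access-Request from [192.168.80.5]:40112, id: 7
 14:00:01 manager,debug <<< tx Access-Accept to [192.168.80.5]:40112, id: 7
 14:05:10 manager,debug >>> rx Access-Request from [192.168.80.6]:40200, id: 3
 14:05:10 manager,debug <<< tx Access-Accept to [192.168.80.6]:40200, id: 3
 14:05:11 manager,debug >>> rx Accounting-Request from [192.168.80.6]:40201, id: 4
 14:05:11 manager,debug <<< tx Accounting-Response to [192.168.80.6]:40201, id: 4
"""

LINE = re.compile(r"manager,debug (?:>>>|<<<) (rx|tx) ([A-Za-z-]+) "
                  r"(?:from|to) \[([^\]]+)\]:\d+, id: (\d+)")

def summarize(log_text):
    """Group User Manager debug lines by NAS IP and track the latest exchange."""
    nas = defaultdict(lambda: {"pending": set(), "last": None, "acct": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        direction, pkt, ip, ident = m[1], m[2], m[3], int(m[4])
        state = nas[ip]
        if direction == "rx":
            state["pending"].add((pkt, ident))       # request awaiting a reply
            if pkt == "Accounting-Request":
                state["acct"] += 1
        else:
            req = "Accounting-Request" if pkt.startswith("Accounting") else "Access-Request"
            state["pending"].discard((req, ident))   # reply matched by RADIUS id
            if pkt.startswith("Access-"):
                state["last"] = pkt                  # Challenge, Accept or Reject
    return dict(nas)

def diagnose(state):
    if state["pending"]:
        return "server-silent"            # request logged, no reply sent
    if state["last"] == "Access-Challenge":
        return "stalled-in-eap"           # handshake never reached a verdict
    if state["last"] == "Access-Accept" and state["acct"] == 0:
        return "accepted-no-accounting"   # auth works, nothing to build sessions from
    return state["last"] or "no-auth-traffic"
```

In the first post's log every request is answered with a challenge, so that NAS comes out as stalled-in-eap rather than server-silent.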
 
fritzme
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

Re: UserManager on ROS 7 + WiFi Ent (user/pass)

Thu Apr 07, 2022 3:16 pm

> > radius-eap-accounting=no
>
> This should be set to "yes".
>
> Do you use profiles in user-man?

Flawless :)
Everything is working: radius, win, android, linux

However, do you have any idea how to force-close sessions with "not active" status? It seems that the sessions list is now flooded by this type of session (I can't close them).
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: UserManager on ROS 7 + WiFi Ent (user/pass)

Thu Apr 07, 2022 7:25 pm

I'm no expert and all of these are assumptions.
To me it looks like the user-man is not aware of the latest status of the connection.
You have a different AP so maybe you should use CAPsMAN. (Does the main router have a Wifi interface? so that you can test and find out if the problem with the session is still there "NO AP" involved, everything runs locally.)
/ip firewall address-list
add address=127.0.0.1 list=RAS
/ip firewall filter
add action=accept chain=input comment=RAS dst-address-list=RAS dst-port=1812,1813,3799 protocol=udp src-address-list=RAS
Any log/config export may help.
 
fritzme
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

Re: UserManager on ROS 7 + WiFi Ent (user/pass)

Thu Apr 07, 2022 11:40 pm

Ye, so far I am quite satisfied by the new updated userman.
Some minor issues, but now I can fully use for wireless auth, also for some network switches.
 
acriollo
just joined
Posts: 5
Joined: Fri Jan 27, 2012 9:48 pm

Re: UserManager on ROS 7 + WiFi Ent (user/pass)

Fri Apr 29, 2022 6:34 pm

Hi guys, thanks for the information.
In my case, authenticating is working fine, but I have nothing about accounting; I am receiving a timeout when the usermanager tries to send an accounting update.
Also, I have no session listed in the session window.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: UserManager on ROS 7 + WiFi Ent (user/pass)

Fri Apr 29, 2022 7:34 pm

> Hi guys, thanks for the information.
> In my case, authenticating is working fine, but I have nothing about accounting; I am receiving a timeout when the usermanager tries to send an accounting update.
> Also, I have no session listed in the session window.

share log entries
/system logging
add disabled=yes prefix=RAS-----> topics=radius
share config
/radius> print
/user-manager/router export
/ip firewall filter export
/ip firewall raw export   (if you have any)
