Like many of you, I have a Microsoft Active Directory server environment, and I have to authenticate WiFi hotspot and internet access users against this database. I am looking for a solution.
In a test environment I have set up a Windows 2008 RADIUS NPS server, using Mikrotik as the RADIUS client, which authenticates the AD users successfully.
The main issue, as most might have, is that the user profile information or RADIUS directory usage is limited and scripting is not possible within a 'closed' Microsoft system. For example, if I want a particular user to have a maximum monthly data volume of 1GB - no show; this is reset each time the user reconnects and set back to 1GB (you just cannot run a script: add used octets and subtract equals total left...). The second issue is reporting/billing on Microsoft IAS log files - crappy solutions start at $600+.
Therefore I set up a freeRADIUS server, set the same username within the RADIUS user database as within Active Directory, assigned user profile limitations and set the user without a password (all within freeRADIUS). Result: the user gets authenticated on AD and the user profile information gets attached to the user from freeRADIUS. Conclusion: works fine, but very complicated to handle, as I have no clue about programming, nor do I have any scripts for freeRADIUS for billing... and how to synchronize AD LDAP with the freeRADIUS user database? No clue again... and all so complicated to set up...
To my question:
It would be very easy to write a script to generate a clone of all AD users in the Mikrotik local database and keep it kind of in sync with AD (if a user does not exist in AD, disable the user in MT if it exists, etc.).
The core issue I have if I create a local user on Mikrotik with a blank password: Mikrotik ALWAYS looks into the local user database first before contacting the RADIUS server for authentication.
Is it possible to change this behavior in Mikrotik OS, to look at the RADIUS server first? If this were possible, I guess MT would act similarly to freeRADIUS: AD authenticates the user, then MT finds the local username in the local user database with the profile information, assigns the specific profile settings to the user and sends this information to the RADIUS client...
I know, it is complicated, but it is just so easy to generate statistics and billing information with Mikrotik scripts, and Mikrotik OS is just amazingly powerful!
PS: yes, I have tried Userman, but having 200+ users is just not very easy to handle, and scripting is a no-go.
Thanks a lot for any input. If this would work, I am willing to write the wiki, including all the billing scripts and examples ;-) "Mikrotik and Windows 2008 Active Directory user authentication AAA system" - how does that sound?
Though, I might just have a dream.
M
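The AD-to-Mikrotik sync script sketched in the post, as an added example that is not part of the original post and not Mikrotik's or Microsoft's code. It takes an Active Directory user export and the current Mikrotik hotspot user list (both constructed inline here; a real run would feed it the output of an LDAP query and of `/ip hotspot user print`) and emits the RouterOS commands that add missing users, disable users that are gone or disabled in AD, and re-enable users that came back. The `profile` name and the optional per-user `limit-bytes-total` quota are assumed values. Note the trap the post itself points out: if RouterOS really consults the local database before RADIUS, every entry this script creates without a password is itself a valid login with an empty password, so do not deploy the generated entries on a hotspot where local lookup wins.

```python
"""Plan a one-way sync of Active Directory accounts into a Mikrotik hotspot
user list and emit the RouterOS commands to apply it (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class AdUser:
    """One account from an AD export (e.g. sAMAccountName + enabled flag)."""
    name: str
    enabled: bool


@dataclass(frozen=True)
class MtUser:
    """One entry as shown by '/ip hotspot user print' on the Mikrotik."""
    name: str
    disabled: bool


def plan_sync(ad_users: Iterable[AdUser], mt_users: Iterable[MtUser],
              profile: str = "default",
              quota_bytes: Optional[int] = None) -> List[str]:
    """Return the RouterOS commands that bring mt_users in line with ad_users.

    Rules (mirroring the post's "user not in AD -> disable in MT" idea):
      * enabled in AD, missing on MT   -> add (no password is set; see caveat)
      * present on both, state differs -> set disabled=yes/no to match AD
      * on MT but not in AD, enabled   -> disable (never delete; keeps counters)
    Names are matched case-insensitively because AD logon names are.
    """
    ad = {u.name.lower(): u for u in ad_users}
    mt = {u.name.lower(): u for u in mt_users}
    cmds: List[str] = []

    for key in sorted(ad):
        user = ad[key]
        if key not in mt:
            if not user.enabled:
                continue  # no point cloning an account AD has disabled
            extra = f" limit-bytes-total={quota_bytes}" if quota_bytes else ""
            cmds.append(
                f'/ip hotspot user add name="{user.name}" profile={profile}{extra}')
        elif user.enabled == mt[key].disabled:
            # enabled in AD but disabled on MT, or vice versa: flip it
            state = "no" if user.enabled else "yes"
            cmds.append(
                f'/ip hotspot user set [find name="{mt[key].name}"] disabled={state}')

    for key in sorted(mt):
        if key not in ad and not mt[key].disabled:
            cmds.append(
                f'/ip hotspot user set [find name="{mt[key].name}"] disabled=yes')
    return cmds


# Constructed sample data standing in for an LDAP export and a hotspot user list.
SAMPLE_AD = [AdUser("alice", True), AdUser("Bob", True), AdUser("carol", False)]
SAMPLE_MT = [MtUser("alice", False), MtUser("carol", False),
             MtUser("dave", False), MtUser("erin", True)]

if __name__ == "__main__":
    # 1 GiB monthly quota, an assumed value from the post's example
    for line in plan_sync(SAMPLE_AD, SAMPLE_MT, quota_bytes=1024 ** 3):
        print(line)
```

The script only plans; the printed lines are meant to be pasted into a RouterOS terminal or imported with `/import`. Users are disabled rather than removed so their byte counters survive for billing; `limit-bytes-total` is cumulative on the router, so the monthly reset the post wants has to be a scheduled `/ip hotspot user reset-counters` rather than something NPS does.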