swissiws
Member Candidate
Topic Author
Posts: 105
Joined: Sat Apr 04, 2009 12:42 am

AAA with Mikrotik - local user database and Windows 2008 AD

Sat Feb 16, 2013 9:38 am

Like many of you, I have a Microsoft Active Directory server environment and I have to authenticate wifi hotspot and internet access users against this database. I am looking for a solution.


In a test environment I have set up a Windows 2008 RADIUS NPS server, using Mikrotik as RADIUS client, which authenticates the AD users successfully.
The main issue, as most might have, is that the user profile information or RADIUS directory usage is limited and scripting is not possible within a 'closed' Microsoft system. For example, if I want a particular user to have a maximum monthly data volume of 1GB - no show; this is reset each time the user reconnects and reset to 1GB (you just cannot run a script: add used octets and subtract equals total left...). The second issue is reporting/billing on Microsoft IAS log files - crappy solutions start at $600+.

Therefore I set up a freeRADIUS server, set the same username within the RADIUS user database as within Active Directory, assigned user profile limitations and set the user without a password (all within freeRADIUS). Result: the user gets authenticated on AD and user profile information gets attached to the user from freeRADIUS. Conclusion: works fine but very complicated to handle, as I have no clue about programming, nor do I have any scripts for freeRADIUS for billing... and how to synchronize AD LDAP with the freeRADIUS user database? No clue again... and all so complicated to set up.

To my question:
It would be very easy to write a script to generate a clone of all AD users in the Mikrotik local database and keep it more or less in sync with AD (if a user no longer exists in AD, disable the user in MT if it exists, etc.).

The core issue I have, if I create a local user on Mikrotik with a blank password: Mikrotik ALWAYS looks into the local user database first before contacting the RADIUS server for authentication.
Is it possible to change this behavior on Mikrotik OS, to look at the RADIUS server first? If this were possible, I guess MT would act similarly to freeRADIUS - AD authenticates the user, then MT finds the local username in the local user database with profile information, assigns the specific profile settings to the user and sends this information to the RADIUS client...

I know it is complicated, but it is just so easy to generate statistics and billing information with Mikrotik scripts, and Mikrotik OS is just amazingly powerful!

PS: yes, I have tried Userman, but with 200+ users it is just not very easy to handle and scripting is a no-go.

Thanks a lot for any input. If this would work, I am willing to write the wiki, including all the billing scripts and examples ;-) Mikrotik and Windows 2008 Active Directory user authentication AAA system - how does that sound? ;-)

Though, I might just have a dream.

M
 
swissiws
Member Candidate
Topic Author
Posts: 105
Joined: Sat Apr 04, 2009 12:42 am

Re: AAA with Mikrotik - local user database and Windows 2008

Sat Feb 16, 2013 8:05 pm

Anybody from the Mikrotik support team? Normis?
 
swissiws
Member Candidate
Topic Author
Posts: 105
Joined: Sat Apr 04, 2009 12:42 am

Re: AAA with Mikrotik - local user database and Windows 2008

Tue Feb 19, 2013 8:14 am

I just keep trying....
 
dtoffo
Trainer
Posts: 98
Joined: Tue May 17, 2011 9:19 am

Re: AAA with Mikrotik - local user database and Windows 2008

Wed Feb 20, 2013 1:34 am

I suggest using Microsoft's RADIUS-like services (it was IAS on 2003, I don't remember the name on 2008) and responding with Mikrotik-specific attributes based on the user's AD group membership:
http://wiki.mikrotik.com/wiki/Manual:RA ... ric_Values

... I never tried it, but I think you will find what you want to do.
 
swissiws
Member Candidate
Topic Author
Posts: 105
Joined: Sat Apr 04, 2009 12:42 am

Re: AAA with Mikrotik - local user database and Windows 2008

Wed Feb 20, 2013 2:15 am

Thanks

Yes, that's what I tested: I used the Windows 2008 RADIUS server and it works. The issue is that I cannot generate MIKROTIK_TOTAL_LIMIT_GIGAWORDS and submit that to the RADIUS client. Every time the RADIUS client connects, it takes the value set in Windows RADIUS, which means it does not calculate the MB left... FreeRADIUS has a batch to calculate the MB left from the log files before submitting the value MIKROTIK_TOTAL_LIMIT_GIGAWORDS to the RADIUS client (which is Mikrotik).

The easiest way would be to combine the log files from the Mikrotik hotspot with the Windows 2008 Radius client... I mean, authentication is done by Windows 2008 Radius, profile settings such as MIKROTIK_TOTAL_LIMIT_GIGAWORDS are calculated by Mikrotik, and then everything is submitted to the RADIUS client.

Again, this works with Windows 2008 and freeRADIUS; it is just a bummer that freeRADIUS does not have an easy user interface to generate logs/statistics and change profile information for users...

I am wondering if I should try to submit this idea to Mikrotik?
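An added example (not code from the thread or from freeRADIUS) of the per-user calculation discussed above: sum the current month's accounting octets, subtract them from the 1GB quota, and split the remainder into the two 32-bit MikroTik reply attributes, Mikrotik-Total-Limit (low word) and Mikrotik-Total-Limit-Gigawords (high word). The accounting records are constructed sample data standing in for radacct rows.

```python
from dataclasses import dataclass
from datetime import date

MONTHLY_QUOTA_BYTES = 1 * 1024**3  # the 1GB-per-month quota from the thread


@dataclass
class AcctRecord:
    """One closed accounting session, like a radacct row after Acct-Stop."""
    username: str
    start: date
    input_octets: int
    output_octets: int


def used_this_month(records, username, today):
    """Total octets the user consumed in the calendar month of `today`."""
    return sum(
        r.input_octets + r.output_octets
        for r in records
        if r.username == username
        and (r.start.year, r.start.month) == (today.year, today.month)
    )


def remaining_quota(records, username, today, quota=MONTHLY_QUOTA_BYTES):
    """Bytes left this month, floored at zero so a past-quota user is not sent a negative limit."""
    return max(quota - used_this_month(records, username, today), 0)


def to_total_limit_attrs(remaining):
    """Split a 64-bit byte count into MikroTik's pair of 32-bit attributes."""
    return {
        "Mikrotik-Total-Limit": remaining & 0xFFFFFFFF,
        "Mikrotik-Total-Limit-Gigawords": remaining >> 32,
    }


def reply_attributes(records, username, today):
    """Attributes to attach to Access-Accept, or None when the quota is exhausted."""
    remaining = remaining_quota(records, username, today)
    return None if remaining == 0 else to_total_limit_attrs(remaining)


# Constructed sample accounting data (not real users or sessions).
SAMPLE_RECORDS = [
    AcctRecord("alice", date(2013, 2, 3), 300 * 1024**2, 100 * 1024**2),  # 400 MiB in Feb
    AcctRecord("alice", date(2013, 1, 28), 900 * 1024**2, 0),             # January: not counted
    AcctRecord("bob", date(2013, 2, 10), 600 * 1024**2, 500 * 1024**2),   # 1100 MiB: over quota
]
```

In a real deployment the same query would run against radacct before the authorization reply is built, which is the step the Windows RADIUS server cannot do on its own.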
 
dtoffo
Trainer
Posts: 98
Joined: Tue May 17, 2011 9:19 am

Re: AAA with Mikrotik - local user database and Windows 2008

Wed Feb 20, 2013 11:29 pm

Just an idea:
I'm not an expert on freeradius and don't use it, but someone told me he uses freeradius for managing a hotspot, and freeradius authenticates users by asking Active Directory: maybe Freeradius can forward just the authentication requests and handle authorization and accounting with its magic features.
 
TheWiFiGuy
Member
Posts: 351
Joined: Thu Nov 24, 2011 7:26 pm
Location: UK

Re: AAA with Mikrotik - local user database and Windows 2008

Thu Feb 21, 2013 12:09 am

As dtoffo says:

Freeradius can be set up to authenticate/proxy requests against an Active Directory server.
 
swissiws
Member Candidate
Topic Author
Posts: 105
Joined: Sat Apr 04, 2009 12:42 am

Re: AAA with Mikrotik - local user database and Windows 2008

Fri Apr 05, 2013 11:26 am

Now using FreeRadius / Ubuntu / phpMyAdmin; a GUI interface still has to be developed for the support team. The support team knows winbox very well.


What a pain! Sure, FreeRadius works great! No doubt about what I can do with perl scripting! Powerful. And all the options to query radacct!


My initial idea was to integrate MT more closely with Windows 2008 AD, so I would not have the pain of learning perl scripting / development of a php interface / SQL queries etc., as I believe MT Userman is useless and should no longer be supplied!

The issue is that FreeRadius requires a certain user base size and the pain of a learning curve to get through, but Userman is simply NOT the answer to that, I think!
