Radius
cd /etc/raddb
vi clients
Add the IP address of the Mikrotik box and the IP address of the Windows computer on which NTRadPing is installed, and pick a shared secret for each. The secret is what identifies an authorised NAS to the server and keys the hiding of the PAP password in every request, so give each client its own long random value rather than a dictionary word.
Example:
Optional step
This step is not crucial and may be skipped; it only adds the two vendor attributes Mikrotik-Recv-Limit and Mikrotik-Xmit-Limit, which limit how much data a user can transfer before being knocked offline (i.e. once they have transferred, say, 200MB they are kicked off). I don't use this, but you may wish to:
We now need to 'install' the dictionary file for the Mikrotik:
• NOTE: if anyone knows anything about this step (i.e. if I'm doing it wrong) please let me know; my email address is at the top of the page:
cd /usr/local/share/freeradius
wget http://www.mikrotik.com/Documentation/manual_2.9/dictionary.mikrotik
vi dictionary
Add the following line to the dictionary file so that radiusd loads the MikroTik vendor attributes:
$INCLUDE dictionary.mikrotik
How to setup up RADIUS for use with MikroTik - By Ramona 2
naslist
Add the same IP addresses for your test computer and the Mikrotik box to this file and select the NAS type for each.
Example:
radiusd.conf
Find the unix section of the file and ensure that the lines
passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group
are NOT commented out (i.e. do not have a # sign in front of them). Two things to keep in mind: radiusd must be able to read /etc/shadow, which is normally readable by root only, and because shadow holds crypt() hashes rather than cleartext, this setup can only check PAP requests (CHAP and MS-CHAP need the cleartext password on the server side).
Congratulations! You now have a fully functional RADIUS server that uses the local Unix accounts as its authentication base.
radiusd -x
• Note: You must be logged in as root (via su or a real login) to start the server. As a normal user the sbin directory that radiusd lives in is usually not on your PATH, so you get a "command not found" error, and a radiusd started without root could not read /etc/shadow in any case.
If you receive no error messages you have configured the server properly. Now, on the MS Windows machine, open NTRadPing and enter the following:
MySQL Database
If the above tests came back in good order we can go ahead and set up FreeRADIUS to use the MySQL database.
Stop the RADIUS server by pressing CTRL-C.
First we need to set up a database schema for the RADIUS server to use; fortunately FreeRADIUS ships with a SQL script that creates the tables for us. In this step, when I refer to root and the root password, I mean the root user of the MySQL database, not root of the whole system.
cd /usr/bin
mysql -uroot -p
You will be prompted for the MySQL root password. You can also pass it inline as -p{root password}, but a password on the command line is visible to every local user in the process list and ends up in your shell history, so prefer the prompt.
You are now in the MySQL shell; every SQL statement ends with a semicolon.
We need to create a database before we can create tables within it:
exit
Now execute the script included with FreeRADIUS to create the database tables:
Verify the user was added by viewing the rows of the usergroup table:
We will configure a quick test response here as well (not to be used in the final implementation; what you configure there depends on what you want, but this will work):
Configuration Files
Finally we need to change a few configuration files:
cd /etc/raddb
radiusd.conf
Find the "authorize" section (near the bottom) and add sql (no quotes) between suffix and files. Then comment out files by putting a # in front of it, and do the same to suffix, so that users are looked up in the SQL tables rather than in the users file.
Find the "accounting" section (a bit below the authorize section) and add sql (no quotes) between unix and radutmp, so that accounting packets are written to the database as well.
sql.conf
Find and modify the following fields:
#connect info
server = "localhost"
login = "root"
password = "rootpass"   <- change this to the root password of the MySQL DB
.
.
.
# Print all SQL statements when in debug mode (-x)
sqltrace = no   <- change this to yes; not necessary but useful for debugging
Using the MySQL root account is fine for this test but unnecessary for a real deployment: radiusd only needs SELECT on the check, reply and group tables and INSERT/UPDATE on the accounting table, so create a dedicated MySQL account with just those rights and use it here. sql.conf now contains a database password, so make sure it is readable only by root (or the account radiusd runs as), and turn sqltrace off again once things work, since it writes every SQL statement, usernames included, to the debug output.
Let's test the RADIUS server using NTRadPing as before, but with the username and password of the test user listed in the SQL database. You should receive an "Access-Accept" response and, assuming you entered the radgroupreply rows correctly, you should also see the following in the Attribute Dump portion of the response in NTRadPing:
Framed-Compression=VJ-TCP/IP-Header
Framed-Protocol=PPP
Framed-MTU=1500
Service-Type=Framed
Congratulations! You now have a fully functional RADIUS server authenticating against a MySQL database and storing the accounting data in the MySQL database!
Getting the Mikrotik RouterOS Box to Work with the RADIUS Server
Log into the Mikrotik box and execute these simple commands:
To save yourself trouble later, first make sure you can ping the RADIUS server from the Mikrotik box:
If you cannot ping your server you must fix that before continuing.
/radius
add service=hotspot address={ip address of your RADIUS server} secret={secret key you defined in the clients file of the RADIUS server}
The secret here must match the one in the clients file exactly, and the hotspot profile in use must be set to use RADIUS (use-radius=yes under /ip hotspot profile), otherwise the box keeps checking its local user list only.
You should now, as a hotspot client, be able to request any page and be redirected to the login page as normal; if you log in as an entry in the SQL database (username: radiustest, password: testpassword) you should be authenticated without problems. Enjoy.
This section on RADIUS Applications in Mikrotik was added by N. Bright
There are many ways to use RADIUS with Mikrotik; the common applications are authorizing wireless associations based on MAC address, and PPP(oE/TP) user authorization. Both are simple to do but can cause some frustration, as they are not well documented in the manual. Keep in mind that you will need to define your RADIUS servers in the RADIUS table. Each definition in the RADIUS table (click the RADIUS menu in winbox) is for a specific server, and each server can be set to authenticate different types of services, such as HotSpot, PPP[oE/TP], and Wireless.
To authorize associations on an AP interface, first set up a RADIUS server entry with "Wireless" enabled, then set radius-mac-authentication=yes in the security profile for the AP. In winbox, go to the Wireless->Security Profiles tab, double-click your profile and tick the "RADIUS MAC Authentication" box. Mikrotik will submit the MAC address as the username, in the format 00:11:22:33:44:55, with a blank password. Since Mikrotik submits a blank password, you will need to keep this in mind when developing your security systems: a user entry whose password is blank will also accept a blank password from any other service that reaches the same entry, and a MAC address is trivially spoofed, so MAC authorization controls which stations may associate but does not authenticate who is behind them.
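The request and reply that NTRadPing (or the Mikrotik box) exchanges with the server, written out as an added Python example; this is not code from the original article, FreeRADIUS, NTRadPing or RouterOS. It hides the PAP password with the shared secret as RFC 2865 specifies, lets a minimal stand-in server answer with the four reply attributes the radgroupreply test above expects, verifies the Response Authenticator on the client side so a reply from a server with a different secret is caught, and sends the blank-password MAC-address request that RouterOS wireless MAC authentication produces. The user table, the reply attributes, the NAS address 192.168.88.1 and the secret s3cret are constructed stand-ins for the SQL rows and the clients-file entry.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 (only the ones this example uses).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_MTU, FRAMED_COMPRESSION = 6, 7, 12, 13
ATTR_NAMES = {USER_NAME: "User-Name", NAS_IP_ADDRESS: "NAS-IP-Address",
              SERVICE_TYPE: "Service-Type", FRAMED_PROTOCOL: "Framed-Protocol",
              FRAMED_MTU: "Framed-MTU", FRAMED_COMPRESSION: "Framed-Compression"}
# Enumerated integer values, named the way NTRadPing's Attribute Dump shows them.
VALUE_NAMES = {SERVICE_TYPE: {2: "Framed"}, FRAMED_PROTOCOL: {1: "PPP"},
               FRAMED_COMPRESSION: {1: "VJ-TCP/IP-Header"}}

# Constructed stand-ins for the radcheck rows and the radgroupreply rows described in
# the article; a real server reads these from MySQL.
USERS = {"radiustest": "testpassword",       # hotspot/PPP test user from the article
         "00:11:22:33:44:55": ""}            # RouterOS RADIUS MAC auth: blank password
REPLY_ATTRS = [(FRAMED_COMPRESSION, struct.pack("!I", 1)), (FRAMED_PROTOCOL, struct.pack("!I", 1)),
               (FRAMED_MTU, struct.pack("!I", 1500)), (SERVICE_TYPE, struct.pack("!I", 2))]


def hide_password(password, secret, authenticator):
    """PAP User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks and XOR each
    block with MD5(secret + previous hidden block), the first one with MD5(secret +
    Request Authenticator). An empty password still yields one 16-byte block."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server does it; NUL padding is stripped."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def access_request(username, password, secret, ident=1, authenticator=None):
    """What NTRadPing or the Mikrotik box sends. The Request Authenticator must be fresh
    random bytes: it keys the password hiding and the check of the reply."""
    ra = authenticator or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
             (NAS_IP_ADDRESS, bytes([192, 168, 88, 1]))]   # constructed NAS address
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def server_respond(request, secret):
    """Minimal server side: recover the password with the shared secret, check it against
    USERS, and answer Access-Accept with the group reply attributes or Access-Reject.
    The Response Authenticator proves the reply came from a holder of the secret."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    ra, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    ok = (code == ACCESS_REQUEST and USER_PASSWORD in attrs and user in USERS
          and hmac.compare_digest(pw, USERS[user].encode()))
    body = encode_attrs(REPLY_ATTRS if ok else [])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    return header + hashlib.md5(header + ra + body + secret).digest() + body


def verify_response(response, request, secret):
    """Client-side check of identifier and Response Authenticator: a reply from a server
    with a different secret, or a forged reply, is rejected here."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    if response[1] != request[1] or not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator or identifier: wrong secret or forged reply")
    return response[0], decode_attrs(body)


def attribute_dump(attrs):
    """Render reply attributes as lines like NTRadPing's Attribute Dump."""
    lines = []
    for t, v in attrs:
        if t in VALUE_NAMES or t == FRAMED_MTU:
            n = struct.unpack("!I", v)[0]
            v = VALUE_NAMES.get(t, {}).get(n, str(n))
        else:
            v = v.decode(errors="replace")
        lines.append("%s=%s" % (ATTR_NAMES.get(t, "Attr-%d" % t), v))
    return lines


def run_exchange(username, password, client_secret, server_secret):
    """One request/reply round trip; returns (reply code, attribute dump lines)."""
    req = access_request(username, password, client_secret)
    code, attrs = verify_response(server_respond(req, server_secret), req, client_secret)
    return code, attribute_dump(attrs)


if __name__ == "__main__":
    for line in run_exchange("radiustest", "testpassword", b"s3cret", b"s3cret")[1]:
        print(line)
```

Run it as is to see the four attribute lines from the test above; change the server secret in the last call to see the client refuse the reply, and note that the MAC-address user is accepted with an empty password only because its stand-in row has one, which is exactly the situation the paragraph above warns about.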
To authorize PPP[oE/TP] sessions, first set up a RADIUS server entry with "PPP" enabled, then in the PPP menu click "Secrets" and "AAA" and tick "Use RADIUS" (at the console: /ppp aaa set use-radius=yes). Many supported attributes let you do useful things with PPP/RADIUS, such as individual client WEP keys and per-user queue limits. Read more about the available RADIUS attributes on the RADIUS manual page [1].
Accounting
To view the Accounting database table for a user:
References
[1] http://www.mikrotik.com/docs/ros/2.9/guide/aaa_radius#13.4.5