FREERADIUS WITH MIKROTIK – Part #1 – General Tips
Disclaimer! This is important!
Every network is different, so one solution cannot be applied to all. Therefore try to understand the logic and create your own solution as per your network scenario. Just don't follow copy-paste.
If anybody here thinks I am an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However, I have worked with some core networks and I read, research and try stuff all of the time. So I am not speaking/posting about stuff I am formally trained in; I pretty much go with experience and what I have learned on my own. And if I don't know something, then I read and learn all about it.
So, please don't hold me/my postings to be always 100 percent correct. I make mistakes just like everybody else. However, I do my best, learn from my mistakes and always try to help others.
~ FreeRADIUS is a Dark Art ~
Scenario:
We have a Mikrotik RouterBOARD working as a HOTSPOT server for local guests. FreeRADIUS is configured as the billing system.
Requirements:
We want to allow users to log in automatically by MAC address. We could do this in Mikrotik itself using the hotspot's bypassed hosts, but we want the user to be authenticated by the billing system, so that usage, expiry, package etc. are determined by FreeRADIUS according to the user's assigned package.
Solution:
We assume that the hotspot is already in working condition together with FreeRADIUS.
Please note that this is just an example; in a real production environment you should consider a better approach with safety controls. I personally never recommend HOTSPOT due to its security weaknesses.
1# Mikrotik Side Configuration
- Go to IP > HOTSPOT > SERVER PROFILE
- Select the working profile
- Go to the LOGIN tab and select LOGIN BY MAC; in MAC AUTH. MODE, select MAC AS USERNAME AND PASSWORD
2# FREERADIUS POST-AUTH Configuration
Edit the `/etc/freeradius/sites-enabled/default` file:

```
nano /etc/freeradius/sites-enabled/default
```

Go to the `post-auth` section and add the following SQL query. As an example, the full post-auth section is pasted here:

```
### ZAIB radpost-auth section Starts from here ##
post-auth {
    exec

    # This sub-section only runs for requests that are being rejected
    Post-Auth-Type REJECT {
        update reply {
            Reply-Message = 'Wrong Password'
        }
        # This is our query to check if MAC address found in username section, you can make your own table , zaib
        sql
        if ("%{sql:SELECT COUNT(username) FROM users WHERE username = '%{User-Name}'}" > 0) {
            ok
        }
        else {
            reject
        }
        attr_filter.access_reject
    }
}
### ZAIB radpost-auth section ENDS Here ##
```
Insert the USER record in the RADCHECK and USERS tables. You can modify the following statements, or the SQL query above, to match your needs.
Log in to MySQL, select the RADIUS DB, and insert a test user in the USERS and RADCHECK tables (replace the MAC address with your own test device's MAC address):

```sql
-- Stock FreeRADIUS table: the MAC is both the username and the Cleartext-Password
INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`)
VALUES (1, '2C:44:FD:68:C0:18', 'Cleartext-Password', ':=', '2C:44:FD:68:C0:18');

-- Custom billing table referenced by the post-auth query above (not part of the stock schema)
INSERT INTO `users` (`id`, `username`, `password`, `firstname`, `lastname`, `email`, `mobile`, `cnic`, `srvname`, `srvid`, `expiration`, `mac`, `macvendor`, `bwpkg`, `pool`, `is_enabled`, `is_days_expired`, `is_qt_expired`, `is_uptime_expired`, `qt_total`, `qt_used`, `uptime_limit`, `uptime_used`, `owner`, `vlanid`, `nas_id`, `createdon`)
VALUES (1, '2C:44:FD:68:C0:18', '2C:44:FD:68:C0:18', 'firstname', 'lastname', 'aacable@hotmail.com', '345345345', '242342420424-42-2', '2mb', 0, '2017-01-06', '2C:44:FD:68:C0:18', 'Hewlett Packard', '2048k/2048k', 'private-pool', 1, 1, 0, 0, '200', '12121613', '', '', 'zaib', '', NULL, '2018-07-24 05:30:21');
```
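The following is an added example, not code from the original post: it replays the MAC-login decision the configuration above produces (radcheck Cleartext-Password lookup, then the post-auth existence test against the `users` table) over an in-memory SQLite copy of the two test rows, using the attribute values the hotspot sends for a MAC login (the Test Ride section below shows them). It goes beyond the page in two labelled places: it refuses a request whose User-Name is not the Calling-Station-Id the NAS saw, and it gates on the `expiration` and `is_enabled` columns, which the page's query does not read.

```python
import sqlite3

# Constructed in-memory stand-in for the radius DB (only the columns this flow reads):
# the page's test user, from the stock radcheck table and the author's custom users table.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT, expiration TEXT, is_enabled INTEGER);
INSERT INTO radcheck VALUES (1, '2C:44:FD:68:C0:18', 'Cleartext-Password', ':=', '2C:44:FD:68:C0:18');
INSERT INTO users VALUES (1, '2C:44:FD:68:C0:18', '2C:44:FD:68:C0:18', '2017-01-06', 1);
"""

# Constructed from the attributes the hotspot sends for a MAC login (see the Test Ride debug output).
REQUEST = {"User-Name": "2C:44:FD:68:C0:18", "User-Password": "2C:44:FD:68:C0:18",
           "Calling-Station-Id": "2C:44:FD:68:C0:18"}

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def norm_mac(mac):
    """Canonical form: upper-case, colon separated, as RouterOS sends it."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def authorize(conn, request, today):
    """Decide an Access-Request as the page's flow does; today is 'YYYY-MM-DD'. Returns (decision, reason)."""
    user = norm_mac(request["User-Name"])
    # Added check (hypothetical hardening): the MAC used as username must be the MAC the
    # NAS actually saw, so a MAC typed into the login form from another device is refused.
    if norm_mac(request["Calling-Station-Id"]) != user:
        return ("reject", "User-Name does not match Calling-Station-Id")
    # Parameter binding plays the role of FreeRADIUS's escaped %{SQL-User-Name}.
    row = conn.execute("SELECT value FROM radcheck WHERE username = ? "
                       "AND attribute = 'Cleartext-Password'", (user,)).fetchone()
    if row is None:
        return ("reject", "not in radcheck")
    if row[0] != request["User-Password"]:
        return ("reject", "Wrong Password")
    # The page's post-auth query only tests existence in users; the expiry and
    # enabled checks are added here to show what a billing lookup should also gate on.
    urow = conn.execute("SELECT expiration, is_enabled FROM users WHERE username = ?",
                        (user,)).fetchone()
    if urow is None:
        return ("reject", "not in users")
    if not urow[1] or urow[0] < today:  # ISO dates compare correctly as strings
        return ("reject", "account disabled or expired")
    return ("accept", "ok")
```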
Test Ride
Now connect your test device, and you will see something like the following in the FreeRADIUS debug output:

```
rad_recv: Access-Request packet from host 101.11.50.50 port 40624, id=58, length=218
	NAS-Port-Type = Ethernet
	Calling-Station-Id = "2C:44:FD:68:C0:18"
	Called-Station-Id = "hotspot1"
	NAS-Port-Id = "ether10-lan"
	User-Name = "2C:44:FD:68:C0:18"
	NAS-Port = 2159017996
	Acct-Session-Id = "80b0000c"
	Framed-IP-Address = 192.168.88.2
	Mikrotik-Host-IP = 192.168.88.2
	User-Password = "2C:44:FD:68:C0:18"
	Service-Type = Login-User
	WISPr-Logoff-URL = "http://192.168.88.1/logout"
	NAS-Identifier = "XYZ_RB3011_TEST"
	NAS-IP-Address = 101.11.50.50
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
[sql]	expand: %{User-Name} -> 2C:44:FD:68:C0:18
[sql] sql_set_user escaped user --> '2C:44:FD:68:C0:18'
rlm_sql (sql): Reserving sql socket id: 30
[sql]	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2C:44:FD:68:C0:18' ORDER BY id
[sql] User found in radcheck table
[sql]	expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '2C:44:FD:68:C0:18' ORDER BY id
[sql]	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '2C:44:FD:68:C0:18' ORDER BY priority
rlm_sql (sql): Released sql socket id: 30
++[sql] = ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
++[logintime] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
++[expiration] = noop
++? if (userlock)
? Evaluating (userlock) -> FALSE
++? if (userlock) -> FALSE
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 58 to 101.11.50.50 port 40624
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
```