luqasz
Member Candidate
Topic Author
Posts: 101
Joined: Thu Aug 16, 2007 9:53 pm
Location: Poland

[solved] freeradius + aaa + assign users to groups

Tue May 17, 2011 8:15 pm

Hi,

I have installed FreeRADIUS and set up MikroTik to use accounts in RADIUS to log in via telnet/ssh. The default group is read. I cannot find any info on how to set up RADIUS to assign some users to group full. I am using FreeRADIUS + Postgres backend.

Has anyone tried it?

radreply table (I have tried changing Mikrotik-Group to Group, and the operator to = and ==, with no effect):

 id | username |   attribute    | op | value 
----+----------+----------------+----+-------
  2 | kostek   | Mikrotik-Group | := | 1

From dictionary.mikrotik (shipped with FreeRADIUS):

# this attribute is unused
ATTRIBUTE	Mikrotik-Group				3	string

radusergroup table:

 username | groupname | priority 
----------+-----------+----------
 kostek   | full      |        1

Please help.
Last edited by luqasz on Tue May 17, 2011 9:36 pm, edited 1 time in total.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: freeradius + aaa + assign users to groups

Tue May 17, 2011 8:44 pm

I checked with User Manager.

In Users/Edit, in the "Group" entry:
full
write
read

In FreeRADIUS radreply table:
UserName "user"
Attribute "Mikrotik-Group"
op "="
Value "full/write/read"

Use only one of those in the Value though.
 
luqasz
Member Candidate
Topic Author
Posts: 101
Joined: Thu Aug 16, 2007 9:53 pm
Location: Poland

Re: freeradius + aaa + assign users to groups

Tue May 17, 2011 8:52 pm

Thx for the info, but:

- FreeRADIUS says that Mikrotik-Group is no longer used (confusing)
- in which table should I input this value (radreply, radgroupcheck, radgroupreply), and what should it look like (operator)?

Maybe you could post me some debug info from MikroTik User Manager and the MikroTik device that speaks with User Manager. Maybe then I would figure something out.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: freeradius + aaa + assign users to groups

Tue May 17, 2011 8:55 pm

AH HA!! I knew there was something up with the User Manager response! Try
Attribute "MT-Group"

What RouterOS version are you using?
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: freeradius + aaa + assign users to groups

Tue May 17, 2011 8:59 pm

The 'radusergroup' table is only used inside FreeRADIUS for assigning RADIUS users to 'RADIUS groups', and then returning a set of replies to said group, i.e.:
radcheck

  id |     username      |   attribute   | op |       value    
 ----+-------------------+---------------+----+-------------------
  67 | 00:15:6D:33:0B:48 | User-Password | == | 00:15:6D:33:0B:48

radusergroup

     username      |     groupname     | priority 
-------------------+-------------------+----------
 00:15:6D:33:0B:48 | mikrotik-wireless |        0

radgroupreply

 id |     groupname     |          attribute           | op | value 
----+-------------------+------------------------------+----+-------
  1 | mikrotik-wireless | Mikrotik-Wireless-Forward    | := | 0
  2 | mikrotik-wireless | Mikrotik-Wireless-Skip-Dot1x | := | 1

For your issue, you need this in 'radreply':
 id  |     username      |      attribute      | op |       value       
----+-------------------+---------------------+----+-------------------
 65  | test              | Mikrotik-Group      | =  | full
Last edited by blake on Tue May 17, 2011 9:07 pm, edited 2 times in total.
 
luqasz
Member Candidate
Topic Author
Posts: 101
Joined: Thu Aug 16, 2007 9:53 pm
Location: Poland

Re: freeradius + aaa + assign users to groups

Tue May 17, 2011 9:05 pm

[sql] 	expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'ukasz'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'ukasz'           ORDER BY id
rlm_sql: Failed to create the pair: Invalid octet string "full" for attribute name "Mikrotik-Group"
rlm_sql (sql): Error getting data from database

I have also tried with MT-Group and got the same error.
Do I need to have anything in the radusergroup table?
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: freeradius + aaa + assign users to groups

Tue May 17, 2011 9:06 pm

I used the above config with ROS 4.x. Haven't tried it with 5.x. Is that what you are using?

"do i need to have anything in radusergroup table ?"

You don't need anything. It's optional based on your return params.
 
luqasz
Member Candidate
Topic Author
Posts: 101
Joined: Thu Aug 16, 2007 9:53 pm
Location: Poland

Re: freeradius + aaa + assign users to groups

Tue May 17, 2011 9:18 pm

 #   NAME             VERSION   SCHEDULED
 0   system           4.10
 1   dhcp             4.10
 2   hotspot          4.10
 3   calea            4.10
 4   gps              4.10
 5   advanced-tools   4.10
 6   mpls             4.10
 7   ipv6             4.10
 8   multicast        4.10
 9   routerboard      4.10
10   ups              4.10
11   security         4.10
12   ntp              4.10
13   user-manager     4.10
14   routing          4.10
15   ppp              4.10
16   wireless         4.10

ii  freeradius          2.1.10+dfsg-2   a high-performance and highly configurable RADIUS server
ii  freeradius-common   2.1.10+dfsg-2   FreeRADIUS common files
ii  freeradius-mysql    2.1.10+dfsg-2   MySQL module for FreeRADIUS server
ii  freeradius-utils    2.1.10+dfsg-2   FreeRADIUS client utilities
ii  libfreeradius2      2.1.10+dfsg-2   FreeRADIUS shared library
ii  libradius1          0.3.2-13        /bin/login replacement with RADIUS. Shared lib to used by programs
ii  radiusclient1       0.3.2-13        /bin/login replacement which uses the RADIUS protocol for authentication
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: freeradius + aaa + assign users to groups

Tue May 17, 2011 9:24 pm

Here is mine with user 'test'.
mysql> insert into radreply (username,attribute,op,value) values ('test','Mikrotik-Group','=','read');
Query OK, 1 row affected (0.00 sec)

mysql>
 
luqasz
Member Candidate
Topic Author
Posts: 101
Joined: Thu Aug 16, 2007 9:53 pm
Location: Poland

Re: freeradius + aaa + assign users to groups

Tue May 17, 2011 9:32 pm

OMG it is so SICK. I have found that in Debian not all dictionaries are included in the /usr/share/freeradius/dictionary file (which holds $INCLUDE lines per vendor dictionary).
I was missing the $INCLUDE dictionary.mikrotik line.

Anyway, thx for your quick response. Much appreciated. :D
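
Added example (not part of the thread, and not FreeRADIUS code): a small Python check for the root cause found in the last post. It follows $INCLUDE lines from a main dictionary file and lists radreply attributes that no loaded dictionary defines; the function names and the temporary sample files are assumptions made for illustration.

```python
import os
import tempfile

def load_attributes(path, seen=None):
    """Return {attribute name: type} for a dictionary file, following $INCLUDE lines."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen or not os.path.isfile(real):
        return {}  # include loop or missing file: contributes nothing
    seen.add(real)
    attrs = {}
    with open(real, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            fields = line.split("#", 1)[0].split()  # drop comments, split on blanks/tabs
            if len(fields) >= 2 and fields[0] == "$INCLUDE":
                included = os.path.join(os.path.dirname(real), fields[1])
                attrs.update(load_attributes(included, seen))
            elif len(fields) >= 4 and fields[0] == "ATTRIBUTE":
                attrs[fields[1]] = fields[3]
    return attrs

def undefined_reply_attributes(main_dictionary, reply_rows):
    """List (username, attribute) pairs that no loaded dictionary defines."""
    known = load_attributes(main_dictionary)
    return [(user, attr) for user, attr, _op, _value in reply_rows if attr not in known]

def demo():
    """Run the check before and after adding the $INCLUDE line (constructed files)."""
    rows = [("test", "Mikrotik-Group", "=", "full")]  # row as posted in the thread
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "dictionary.mikrotik"), "w") as fh:
            fh.write("# this attribute is unused\nATTRIBUTE\tMikrotik-Group\t\t\t\t3\tstring\n")
        main = os.path.join(tmp, "dictionary")
        with open(main, "w") as fh:
            fh.write("# main dictionary without the vendor include\n")
        before = undefined_reply_attributes(main, rows)
        with open(main, "a") as fh:
            fh.write("$INCLUDE dictionary.mikrotik\n")
        after = undefined_reply_attributes(main, rows)
        types = load_attributes(main)
    return before, after, types

if __name__ == "__main__":
    print(demo())
```

On a real server, pass the main dictionary path from the thread (/usr/share/freeradius/dictionary) and the rows selected from radreply to undefined_reply_attributes().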
