ianngrh
newbie
Topic Author
Posts: 26
Joined: Thu Aug 30, 2018 6:53 am

How to set multiple NAS-Port-Id on Mikrotik + freeradius

Mon Feb 04, 2019 7:37 am

Hi All,

I am a newbie with mikrotik hotspot & freeradius and I have a problem with it.
My mikrotik is a CCR 1016-12G with RouterOS version 6.42.10 Lts.
Currently it is running hotspot on vlan 1101, 1102, 1201 & 1202.
To manage the users I am using freeradius 3.0 running on debian linux.

I have created 5 users for testing: superadmin, director, operator, staff & guest.
The user scheme I want is like this:
1. User superadmin is allowed to log in from all vlans.
2. User director is allowed to log in from all vlans except 1101.
3. User operator is only allowed to log in from vlan 1201 & 1202.
4. User staff is only allowed to log in from vlan 1201.
5. User guest is only allowed to log in from vlan 1202.

In the future, I want to create a username for each staff member and give access based on their position as above.
For that purpose, I want to use the NAS-Port-Id attribute in freeradius to define the allowed vlan.
My problem is how to define NAS-Port-Id for operator.

How do I set the value of the NAS-Port-Id attribute so that it allows multiple vlans?

Here is my mikrotik hotspot & freeradius radcheck configuration
/ip hotspot profile
set [ find default=yes ] login-by=http-pap,mac-cookie use-radius=yes
add dns-name=hotspot.myoffice.net hotspot-address=192.168.101.1 login-by=\
    http-chap,http-pap,mac-cookie name=hsprof4 nas-port-type=ethernet \
    use-radius=yes
add dns-name=hotspot.myoffice.net hotspot-address=192.168.102.1 login-by=\
    http-chap,http-pap,mac-cookie name=hsprof5 use-radius=yes
add dns-name=hotspot.myoffice.net hotspot-address=192.168.201.1 login-by=\
    http-chap,http-pap,mac-cookie name=hsprof6 use-radius=yes
add dns-name=hotspot.myoffice.net hotspot-address=192.168.202.1 login-by=\
    http-chap,http-pap,mac-cookie name=hsprof7 use-radius=yes

/ip hotspot user profile
set [ find default=yes ] insert-queue-before=first shared-users=unlimited

/ip hotspot
add address-pool=hs-pool-44 disabled=no interface=vlan1101 name=hs-vlan1101 \
    profile=hsprof4
add address-pool=hs-pool-42 disabled=no interface=vlan1102 name=hs-vlan1102 \
    profile=hsprof5
add address-pool=hs-pool-41 disabled=no interface=vlan1201 name=hs-vlan1201 \
    profile=hsprof6
add address-pool=hs-pool-43 disabled=no interface=vlan1202 name=hs-vlan1202 \
    profile=hsprof7

Or perhaps is there any way to solve it without using the NAS-Port-Id attribute?
 
ianngrh
newbie
Topic Author
Posts: 26
Joined: Thu Aug 30, 2018 6:53 am

Re: How to set multiple NAS-Port-Id on Mikrotik + freeradius

Thu Aug 08, 2019 8:56 am

After struggling and testing for a few months, I finally found a way to solve it.
1) Create the user in the radcheck table.
2) Assign your username to a group by listing it in the radusergroup table. More than 1 group is OK, but don't forget to assign the priority.
3) Don't forget to assign your username to a group with auth-type reject and set the priority as low as possible, like 9999.
4) Assign the attribute Fall-Through = Yes in the radreply table for your username.
5) In radgroupcheck add your groups and add the NAS-Port-Id attribute to each of the groups, like NAS-Port-Id := ether2
6) Don't forget to forbid the forbidden groups from authenticating with the attribute Auth-Type == REJECT.
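
The six steps above, written out as table rows for the operator user from the first post. This is an added example, not part of the original posts. It assumes the stock FreeRADIUS 3.0 SQL schema; the group names and the password are constructed placeholders, and the NAS-Port-Id values are assumed to be the hotspot interface names from the configuration above.

```sql
-- Added example, not the poster's own records. Confirm the NAS-Port-Id value
-- the router really sends by reading an Access-Request in `freeradius -X`.

-- 1) The user and its password check item (placeholder password).
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('operator', 'Cleartext-Password', ':=', 'CHANGE-ME-placeholder');

-- 4) Fall-Through so group processing continues after the user's own rows.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('operator', 'Fall-Through', '=', 'Yes');

-- 2) + 3) Allowed VLAN groups first (lowest priority number is tried first),
--         the catch-all reject group last.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('operator', 'vlan1201', 1),
  ('operator', 'vlan1202', 2),
  ('operator', 'deny-all', 9999);

-- 5) One check row per VLAN group. As a check item, '==' matches only when
--    the Access-Request carries that attribute with that value, so each group
--    matches only logins arriving on its interface.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('vlan1201', 'NAS-Port-Id', '==', 'vlan1201'),
  ('vlan1202', 'NAS-Port-Id', '==', 'vlan1202');

-- 6) Default deny. As a check item, ':=' always matches and sets the control
--    attribute, so any login that matched no VLAN group ends up rejected.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('deny-all', 'Auth-Type', ':=', 'Reject');

-- A single-VLAN user such as staff reuses the same groups.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('staff', 'vlan1201', 1),
  ('staff', 'deny-all', 9999);

-- Review: list every user's groups in evaluation order with their check
-- items. A user whose last row is not the deny-all group has no default deny.
SELECT u.username, u.priority, u.groupname, c.attribute, c.op, c.value
FROM radusergroup AS u
JOIN radgroupcheck AS c ON c.groupname = u.groupname
ORDER BY u.username, u.priority;
```

Group evaluation stops at the first VLAN group that matches only while radgroupreply holds no Fall-Through row for that group; with one, processing would continue to deny-all and reject the login.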
 
erem331
just joined
Posts: 1
Joined: Tue Dec 17, 2019 12:49 am

Re: How to set multiple NAS-Port-Id on Mikrotik + freeradius

Tue Dec 17, 2019 1:02 am

Hi, I'm trying to do something similar, but with PPPoE.
Can you help me?
Could you post the details of the records in the RADIUS database, or explain the steps a little more?
Thank you!