WiFi and L2TP authorization via freeradius

Kamaz · Thu Nov 08, 2018 3:33 pm

Hello everyone. I need some help with configuration of VPN(l2tp) and WiFi authorization via freeradius.
My goal is to configure one point for authorizing all connections. There is no Windows server in my company, so I have to use Linux.

Additional information:\
ROS version is 6.42.7

/radius
add address=10.10.0.134 secret=mysupersecret service=ppp,wireless timeout=1s

/interface wireless
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:XX:XX:XX \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3-radius \
    security-profile=radius ssid=test-radius wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled


/interface wireless security-profiles
add authentication-types=wpa2-eap management-protection=allowed mode=\
    dynamic-keys name=radius radius-eap-accounting=yes supplicant-identity=""

Freeradius 3.0 is running on Ubuntu 18 server, all updates are installed. IP 10.10.0.134
Configuration of freeradius:
I added to file /etc/freeradius/3.0/clients.conf

client 10.10.2.1{
ipaddr = 10.10.2.1
secret = mysupersecret
shortname = msk1
proto = *
}

Also we have a l2tp tunnel between router 10.10.2.1 and remote server 10.10.0.134.
There are screenshots from Mikrotik log, created during I was trying to connect

radius1.png

radius2.png

I used this instruction while freeradius configuration https://computingforgeeks.com/how-to-in ... ntu-16-04/

Kamaz · Tue Feb 19, 2019 9:22 am

Additional information:
I've done my task, Freeradius woks as it should, and wifi and pptp auth works fine to.

But now I'm faced with problem when I have to connect every username in Freeradius database with user's IP or pool. I've found such information:
https://wiki.freeradius.org/guide/Ippoo ... %20clients
viewtopic.php?f=10&t=131137&p=704071&hi ... 6a#p704071
http://www.netexpertise.eu/en/networkin ... pools.html

but I can't understand how this schema works in general.

ianngrh · Wed Feb 20, 2019 6:53 am

Additional information:
I've done my task, Freeradius woks as it should, and wifi and pptp auth works fine to.

But now I'm faced with problem when I have to connect every username in Freeradius database with user's IP or pool. I've found such information:
https://wiki.freeradius.org/guide/Ippoo ... %20clients
viewtopic.php?f=10&t=131137&p=704071&hi ... 6a#p704071
http://www.netexpertise.eu/en/networkin ... pools.html

but I can't understand how this schema works in general.

Hi Kamaz,

As far as I know the radius authentication on mikrotik is like this.

Access-request. The mikrotik ask to the radius server if the username & another requirement match with data on radius server. If the data match then radius will reply with the access-accept. If not, it will will reply with access-reject.
Access-accept. The radius send attribute for requested user to the mikrotik such as Framed-Pool, Framed-IP, etc. This placed on Radreply table on database if you are using mysql.
Mikrotik will configure the ppp/wireless/hotspot/login client based on this data. If this data does not exist, the mikrotik will give it from default configuration.
For example : PPP will take configuration from /ppp profile default or default-encryption based on server configuration.
I think this is the schema you are asking about.

For more radius attribute details on mikrotik, please check wiki for radius client mikrotik.
https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client

Hope this help.

Kamaz · Wed Feb 20, 2019 9:21 pm

Thank you for your response, my problem becomes more clear!
As far as I understood, the only thing I need is to add record to Radreply table. And that's all? 0_o

ianngrh · Thu Feb 21, 2019 5:33 am

That's depend on how far you want to utilize the freeradius features.
For basic feature like just PPP authentication and then give them IP and bandwidth limiter, you have to add record on radcheck table for access-request and add record on radreply for access-accept.

Kamaz · Thu Apr 18, 2019 5:42 pm

Thank you so much for help.
But how to assign ip with mask, dns, gateway, and route to client correctly?
I need a schema for remote connection to my network for using inner resources but default route shouldn't be modified. All traffic should flow through user's internet channel except 10.10.5.0/24 network.

When I'm trying to use radreply table

INSERT INTO radius.radreply (username, attribute, op, value) VALUES ('user1', 'Framed-IP-Address', ':=', '10.11.1.145');
INSERT INTO radius.radreply (username, attribute, op, value) VALUES ('user1', 'Framed-IP-Netmask', ':=', '255.255.255.0');
INSERT INTO radius.radreply (username, attribute, op, value) VALUES ('user1', 'Framed-Route', ':=', '"10.10.5.0 10.11.1.1 1"');

client gets only IP address from database while other parameters remain defaults.
Connection with Freeradius:

ppp.png

Connection without Freeradius (correct connection):

ppp2.png

Joni · Fri Apr 19, 2019 9:53 pm

Just a thought... https://turbofuture.com/internet/How-to ... us-Package

Kamaz · Thu May 02, 2019 5:03 pm

Previous question was resolved by configuring Default gateway on client side, so everything fine.

Next problem is how to assign PPTP user's IP or name (user1 = 10.11.1.145 in my case) with Mikrotik's firewall group ?
Because Firewall groups helps to deal with rules.

I've tried to add record to radreply table but without result:
INSERT INTO radius.radreply (username, attribute, op, value) VALUES ('user1', 'Mikrotik-Address-List', ':=', 'remote_managers');

After user1 connected to Mikrotik:

MT.jpg

there is a record in Log that MT-Address-List="remote_managers" but it doesn't appear in Firewall>Address List.

Topics that didn't help:
viewtopic.php?t=48713
https://wiki.mikrotik.com/wiki/Manual:R ... ric_Values
https://www.youtube.com/watch?v=P47D5Z6fkeI

SiB · Tue Jun 23, 2020 6:23 pm

This is a problem with ONLY ONE profile for VPN Engine.... still this is a big problem to divide Radius users into sub-group's.

My way is to use script inside PROFILE who check new users logins and if assign to internal list then Add they VPN-IP into Firewall Address List as base to have own ACL at them.
Many OK/Apply doing changes inside profile not do disconnect of users, you can edit this scripts and save that changes safe.
This is only one work a round I found at that problem by years of searching.

Example
PPP Profile \ Scripts \ on-up:

local userlist sib1,sib2,sib3
foreach x in=$userlist do={
if ($x = $user) do={
local userip [/ip pool used get [find where info=$user ] address ]
ip firewall address-list add list=vpn-radius-list1 address=$userip comment=$user
}
}

PPP Profile \ Scripts \ down-up:

ip firewall address-list remove [find list=vpn-radius-list1 comment=$user ]

This is not perfect way, special when you want use many usernames as sub-group.
Maybe someone have other way... maybe ros7 have/give new way ...

WiFi and L2TP authorization via freeradius [SOLVED]

WiFi and L2TP authorization via freeradius

Re: WiFi and L2TP authorization via freeradius

Re: WiFi and L2TP authorization via freeradius

Re: WiFi and L2TP authorization via freeradius

Re: WiFi and L2TP authorization via freeradius [SOLVED]

Re: WiFi and L2TP authorization via freeradius

Re: WiFi and L2TP authorization via freeradius

Re: WiFi and L2TP authorization via freeradius

Re: WiFi and L2TP authorization via freeradius