Hi,
I'm running MT 2.9.27 and I have a freeradius server that uses mysql on another box. Users can log in to MT usin RADIUS, so that part of the setup works.

The problem is that when I try to authenticate DHCP users MT requests always get rejected, I believe the reason is that u password field is empty. This is the output of the Freeradius server:
I've added a row in radcheck database with this info:
But for some reason my request is always rejected. Any ideas?

Hi gog,

We run a similar configuration with FreeRADIUS and MySQL. We use only the nas, radgroupcheck, radgroupreply, and usergroup tables.

Our radgroupcheck table might look like:
id, GroupName, Attribute, op, Value
1, default, Auth-Type, :=, Local
2, default, Password, ==, (blank)
3, bizpackage2, Auth-Type, :=, Local
4, bizpackage2, Password, ==, (blank)

And then our usergroup table might look like:
UserName, GroupName, priority, desc
66:55:44:33:22:11, default, 1, BigCo's Tranzeo
11:22:33:44:55:66, bizpackage2, 1, BigCo's Router

Then when "BigCo's" antenna connects on the wireless, the MAC address of the antenna gets sent to FreeRADIUS with no password, and get authenticated to connect. Same thing for when their router requests an IP via DHCP -- their MAC gets sent to FreeRADIUS and once accepted, MikroTik hands out an IP.

If it still doesn't work, double-check your FreeRADIUS log file and make sure the IP of the Mikrotik that's coming in is the same one you have in the nas table of FreeRADIUS.

I hope this helps..

Hi, thank you for your time.

Currently I am only testing so I'm using only radcheck & radreply table. Yesterday I've changed the default behavior in ldap to accept everybody and the RADIUS sends back to MT the IP addres via Framed-IP-Address value in radreply.

But that still doesnt solve my problem, what could be the reason I get rejected if I have a row in radcheck with the correct MAC addres, and the value of User-Password set to ""? Is your Value field in radcheck maybe NULL or just empty?

LDAP shouldn't have anything to do with it, I wouldn't think. Are you essentially trying to give out static IP addresses via DHCP (Framed-IP-Address)?

The Value for Password we're using is just empty, its *not* set to NULL.

The only other thing I can think of, is to check that you're using the correct MAC form (ie: 000000-000000 vs 00:00:00:00:00:00) and uppercase vs lowercase.

In current MikroTik, the latter form is always used (this will changable in future versions, I believe) and I'm pretty sure MikroTik always sends MAC addresses with capital letters... but I also have our FreeRADIUS setup to convert to uppercase, and then we always use uppercase MAC addresses in MySQL.

If this is the same RADIUS server you use for MikroTik Router users, then you'd probably have to change those usernames to uppercase as well...if you enabled the uppercase usernames option.

Edit: For now, we just use RADIUS for MAC authentication on the wireless and DHCP (currently we're not giving out static addresses via DHCP either, but we're considering doing so for customer's antenna, so we always know what IP their equipment should have.)

Hi,
The problem is that when I try to authenticate DHCP users MT requests always get rejected, I believe the reason is that u password field is empty.

I got exactly the same problem.

I put a client MAC address as UserName in radcheck table with empty password field but I always get rejected.

Could someone can help me in this matter?

datanet,

do you have a empty password field (i.e. "") or a NULL value in the password field?

Best regards,
Christian Meis

Try to run freeradius in debug mode and then check what is going on.

Thanks for your reply.
Run freeradius in debug mode was very useful, also set sqltrace=yes in sql.conf. I have two workstation in my lab, and I made a mistake in MAC address in radcheck table...

DHCP works fine with FreeRadius now. But I found on page:
http://www.mikrotik.com/docs/ros/2.9/ip/dhcp that I must use Rate-Limit parameter in radius table, but it doesn't work (Failed to create the pair: Unknown attribute "Rate-Limit"). After change to Mikrotik-Rate-Limit I saw on MT logs: MT-Rate-Limit="128k/64k"

I'm going to use radius on wireless (check MAC), DHCP leases (provide IP on eth and radio interface based on client MAC address and set rate-limit) and Hotspot (authentication based on login name, password, MAC addres and client IP, and set Rate-limit). The only trouble for now I have with automatically activate a firewall chain for authenticated users in hotspot.

Regards,
Piotr Reda

To limit bandwidth, you can use another four attributes instead of Mikrotik-Rate-Limit:

WISPr-Bandwidth-Min-Up Guaranteed upload speed
WISPr-Bandwidth-Max-Up Maximal upload speed
WISPr-Bandwidth-Min-Down Guaranteed download speed
WISPr-Bandwidth-Max-Down Maximal download speed