Radius Client not receiving requests

Posted: Wed Oct 25, 2006 10:03 pm
by mambotech
Hi,

I have just set up freeradius on FreeBSD. The radius server is listening, see below:

radius# /usr/local/sbin/radiusd -x
Starting - reading configuration files ...
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to root@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.


But I am not seeing any requests from the radius client on the Mikrotik router.
Router config:

add service=wireless called-id="" domain="" address=192.168.2.3 \
secret="*******" authentication-port=1812 accounting-port=1813 \
timeout=2s accounting-backup=no realm="" comment="" disabled=no
/ radius incoming
set accept=yes port=1700
/ snmp

Questions:

Do I need to run a hotspot for this to work? Currently users' client MACs are trusted in the access list and receive an IP address from a LAN-based DHCP server.

If I need to use a hotspot, how do I force all traffic through my proxy server that will sit on a 192.168.2.0 network? Currently the proxy is the default gateway.

Thanks Mark

Posted: Wed Oct 25, 2006 10:56 pm
by Seccour
Make sure that the Mikrotik is listed in the radius configuration as an accepted NAS (client). If it's not, then the mikrotik logs will give you an error (assuming you're logging radius messages) but freeradius will not log it by default, at least mine didn't.

I use DHCP and Hotspot with Radius in combination and have been very pleased with my results.

Freeradius

Posted: Wed Oct 25, 2006 11:31 pm
by mambotech
Hi Seccour

Do you mean this when you Mikrotik in the radius.conf ....this is my client.conf entry

client 192.168.2.11 {
    secret = *******
    shortname = SingleRouter
    nastype = Mikrotik
}

Thanks Mark
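
An offline check for the point raised above, that the NAS has to be listed as a client: this sketch parses clients.conf-style blocks and reports which entry, if any, covers a packet's source address. It is an added example, not part of the original posts or of FreeRADIUS; the sample file, addresses, secrets and function names are constructed, and clients labelled by hostname are skipped.

```python
import ipaddress
import re

# Constructed sample in clients.conf syntax (documentation addresses, placeholder secrets).
SAMPLE_CLIENTS_CONF = """
# wireless router
client 192.0.2.11 {
    secret = PLACEHOLDER-1
    shortname = SingleRouter
}
client 198.51.100.0/24 {
    secret = PLACEHOLDER-2   # whole management subnet
    shortname = mgmt-net
}
client branch-ap {
    ipaddr = 203.0.113.7
    secret = PLACEHOLDER-3
}
"""

BLOCK_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
ITEM_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Return a list of (network, shortname) for every parsable client block."""
    text = re.sub(r"#.*", "", text)  # drop comments (assumes no '#' inside a secret)
    clients = []
    for label, body in BLOCK_RE.findall(text):
        items = dict(ITEM_RE.findall(body))
        addr = items.get("ipaddr", label)  # address is the label or an ipaddr item
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue  # hostname label: would need DNS, skipped here
        clients.append((net, items.get("shortname", label)))
    return clients


def match_client(clients, source_ip):
    """Return the shortname of the most specific entry covering source_ip, or None."""
    ip = ipaddress.ip_address(source_ip)
    hits = [(net.prefixlen, name) for net, name in clients if ip in net]
    return max(hits)[1] if hits else None


if __name__ == "__main__":
    known = parse_clients(SAMPLE_CLIENTS_CONF)
    for src in ("192.0.2.11", "192.0.2.10", "198.51.100.42"):
        print(src, "->", match_client(known, src) or "no matching client entry")
```

Feed it the source address the router actually sends from (visible in a packet capture on the server); an address one off from the configured entry matches nothing.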

Some success

Posted: Thu Oct 26, 2006 12:34 am
by mambotech
Seccour

I have managed to hit the radius server now. See below:

rlm_chap: Setting 'Auth-Type := CHAP'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
rlm_chap: login attempt by "rudytest" with CHAP password
rlm_chap: Using clear text password test for user rudytest authentication.
rlm_chap: chap user rudytest authenticated succesfully
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
Sending Access-Accept of id 9 to 192.168.2.10 port 1035

cannot assign ip address - no more free addresses from pool ???

It only allocated 1 address

Posted: Thu Oct 26, 2006 10:39 pm
by Seccour
I use sql for my setup so it may differ from your config, but my radius uses the mac address to see whether or not to give out a DHCP lease, and then for my replies I have framed-ip-address and the ip, plus other nifty stuff like my rate limiting.

The user that you are using, can you paste that config in here ?

What is the log from the routeros ? Do you have dhcp working on it correctly ?

I will paste my sample config here to see if helps you. This is using mac authentication for DHCP.

[admin@Mikrotik] ip dhcp-server> print detail
Flags: X - disabled, I - invalid
 0   name="MT-DHCP" interface=wlan2 lease-time=3d address-pool=static-only
     bootp-support=static add-arp=yes authoritative=after-2sec-delay
     use-radius=yes

[admin@Mikrotik] ip dhcp-server network> print detail
 0 ;;; MT-DHCP 
   address=10.7.1.0/24 gateway=10.7.1.1 dns-server=192.168.0.1,192.168.0.2

Because I use radius for my DHCP data, I do not use a pool as the routeros isn't going to be managing that for me, radius is. It's only up to the routeros box to hand out the leases based off of the mac address. I used the routeros logging extensively when troubleshooting the problems I first had when setting this up. Turn on logging for radius and dhcp and it will give you more info.

Posted: Thu Oct 26, 2006 11:37 pm
by mambotech
Hi Seccour,

How did you set up your radius server to allocate the DHCP addresses? Also, do your users log in through the Mikrotik login page? I need my users to log in with a username and password so that the radius manager detects they are online.

Thanks Mark

Posted: Fri Oct 27, 2006 1:23 am
by Seccour
In my rad reply table I have an attribute called Framed-Ip-Address and the address they are assigned. I then assign the network parameters in the DHCP server so that they get their netmask, gateway, and DNS correctly without interaction from Radius. Radius then only needs to know the IP address, and it tells the MT what that is on the login.

I support both MAC and HTTP login types. I have additional client information for the authentication part, as DHCP and HOTSPOT pretty much work fully independent of each other. Hotspot doesn't care how a client gets its IP address. So then for my MAC authenticated users, their mac address is in radius as well with a blank password and they authenticate with no user action and I get my accounting logs. My HTTP users fail the mac login, because their mac isn't in radius for hotspot authentication, and are presented with the login page, where they can use their username/password credentials that are assigned.

Posted: Fri Oct 27, 2006 1:45 am
by mambotech
Seccour,

Could you take a look at my radiusd config ....I can pay you. I am really struggling here.


Thanks Mark

Posted: Wed Nov 01, 2006 11:39 pm
by Seccour
Email me your configs and I'll see what I figure out.

seccour [at] nebonet [dot] com