
RADIUS *ugh*

Posted: Wed May 10, 2006 3:21 pm
by J_RaD
"Trying" to use Steel-Belted RADIUS with my MikroTik WiFi routers. I access the router via winbox...go to radius, add a radius server with all the correct info. After a few hours of frustration I have just set the SBR server to accept ANY incoming request from any address. And that is the problem...the MikroTik never requests anything from my radius.

Posted: Wed May 10, 2006 5:40 pm
by cmit
Well, I can assure you that RADIUS integration is working quite well (and several other forum users will probably state the same).

This most probably is some problem with routing, firewalling or the like prohibiting communication between your MikroTik and the RADIUS server.

Best regards,
Christian Meis

Posted: Wed May 10, 2006 7:35 pm
by J_RaD
I'm sure it works! Just giving me a headache right now, maybe it's something simple I'm missing.

The MikroTik and the radius aren't being blocked by anything

they are both on a local network sitting right next to each other

xxx.xxx.xxx.101
xxx.xxx.xxx.102

the radius can ping the mik, and mik can ping radius...

Posted: Wed May 10, 2006 9:31 pm
by nickb
Did you configure the security profile for the access point interface to use RADIUS?

You'll need to go to the wireless tables, security profiles tab then edit (or create a new profile) and checkmark "RADIUS MAC Authentication", that will make it ask the server. The username format is "xx:xx:xx:xx:xx:xx" by the way.

Posted: Thu May 11, 2006 2:45 am
by J_RaD
I would like anyone to be able to connect to the AP... go to the splash page, use their login.

When I click RADIUS MAC authentication, it won't even let you connect to the AP.

Posted: Fri May 12, 2006 4:04 am
by J_RaD
has nobody used SBR to authenticate hotspots before??????

Posted: Mon May 15, 2006 5:57 pm
by nickb
I misunderstood what you were asking for, I read that as "I want associations to be RADIUS authenticated".

Personally, I've not done radius authentication on hotspots so I can't help specific to that radius server.

What port is your RADIUS server listening on? Perhaps that is the problem. RADIUS used to be 1645/authentication 1646/accounting, but newer things use 1815/auth 1816/acct - make sure which your server is using, and make sure that the MKT is using the same thing.

Posted: Wed May 17, 2006 4:55 am
by J_RaD
> I misunderstood what you were asking for, I read that as "I want associations to be RADIUS authenticated".
>
> Personally, I've not done radius authentication on hotspots so I can't help specific to that radius server.
>
> What port is your RADIUS server listening on? Perhaps that is the problem. RADIUS used to be 1645/authentication 1646/accounting, but newer things use 1815/auth 1816/acct - make sure which your server is using, and make sure that the MKT is using the same thing.

yea it's on the 1813/1812

I'm up for anything right now.....nothing is getting to the radius server when the hotspot login page is used.

I'm going to put a wifi card in the server just to see if it is sending the requests over the wrong interface for some crazy reason. :? :? :?

Posted: Wed May 17, 2006 9:59 pm
by savage
Might be a stupid question (you don't mention this anywhere in your posts).

You *did* configure the radius server right? Shared secrets, radius profiles, etc?

What are you seeing on your Radius Status pages in MT? Timeouts, Retransmissions? Or are there Bad Replies?

Debug output from the Radius Server? Logs from the Radius Server? We need to see what's going on, before we can decide how to resolve the problem :D

Posted: Thu May 18, 2006 5:37 am
by J_RaD
> Might be a stupid question (you don't mention this anywhere in your posts).
>
> You *did* configure the radius server right? Shared secrets, radius profiles, etc?
>
> What are you seeing on your Radius Status pages in MT? Timeouts, Retransmissions? Or are there Bad Replies?
>
> Debug output from the Radius Server? Logs from the Radius Server? We need to see what's going on, before we can decide how to resolve the problem :D

10-4, I'll get you some screen shots of step by step what I'm doing.

Posted: Fri May 19, 2006 5:02 am
by J_RaD
OK, here are screen shots of what I'm doing on the radius and the MikroTik.
I'm accepting all incoming requests from any address right now out of desperation.


http://home.comcast.net/~jodom0101/1.bmp

http://home.comcast.net/~jodom0101/2.bmp

http://home.comcast.net/~jodom0101/3.bmp

http://home.comcast.net/~jodom0101/4.bmp

http://home.comcast.net/~jodom0101/5.bmp

Posted: Sun May 21, 2006 4:21 am
by J_RaD
anyone?

Posted: Sun May 21, 2006 2:43 pm
by savage
Well I'm not familiar with whatever Radius server it is you are using, so I can't really help you. As I said previously, "What are you seeing on your Radius Status pages in MT? Timeouts, Retransmissions? Or are there Bad Replies?"

Additionally, you don't have any reply attributes (it would seem to me) configured in your Radius Server. Your Radius server is not telling MT what to do with the connection.

You have a MT, and you have a Radius Server it seems - there is nothing configured to tell them how to talk to each other. Configure some user profiles, add some accounts, and get the attributes in place. These are all documented on the MT Docs pages, as well as a good tutorial on the WIKI in regards to what needs to be configured on the Radius Servers as far as attributes go.

--
C

Posted: Mon May 22, 2006 2:40 am
by J_RaD
I'm reading the Wiki for freeradius....... and I think I see the problem.

I downloaded NTRADPING and my radius server is alive and well.......but again MT won't send any auth requests over to the radius.

So I see once you set up the radius for the hotspot the next thing you do is

/ip hotspot aaa set use-radius=yes

Well, if I run that from the term, I get

> /ip hotspot aaa set use-radius=yes
no such command or directory (aaa)

Posted: Mon May 22, 2006 3:05 am
by jarosoup
You need to set the radius flag on the hotspot profile:
/ip hotspot profile set [PROFILE_#] use-radius=yes
For your radius server under /radius, you need to check/set hotspot under services too. (from the CLI: /radius set [radius_index] service=hotspot).

Posted: Mon May 22, 2006 4:17 am
by J_RaD
Yep, I did that...... it's that next step that isn't working so well.


/ip hotspot aaa set use-radius=yes

Posted: Mon May 22, 2006 10:59 am
by mserrano
From the doc:
[admin@MikroTik] radius> /ppp aaa set use-radius=yes
[admin@MikroTik] radius> /ip hotspot profile set default use-radius=yes
Is it possible you mixed up the two options?

Posted: Tue May 23, 2006 6:24 am
by crussell_1969
Radius definitely works with hotspot. I've had it working with freeradius with a mysql back-end from a hotspot. I currently am not using it anymore for completely unrelated reasons but it definitely worked, was stable, and was easy to set up on the MT side.

All I can say is make sure that the NAS setup on the radius side is correct, ie, make sure the secret is correct, make sure that the IP address is correct (maybe the NAS is sending the AAA packets from another interface?), and check the radius logs to see if it is seeing anything. On freeradius if you start the daemon with -X it gives you a ton of debugging information.

In terms of config the MT side was very easy, it took some time on the freeradius/Mysql side but it definitely works.

Craig
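
Added example, not part of any post in this thread: a minimal Python sketch of the RFC 2865 Access-Request and Response Authenticator check, showing why a shared secret that differs by even one character between NAS and server makes the client discard the reply. It assumes that a client's "bad replies" counter reflects such discards; the user name, password, identifier and secrets are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): XOR with an MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2 header bytes), value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident, user, password, secret, req_auth):
    """What the NAS sends: User-Name (1) and hidden User-Password (2)."""
    attrs = attr(1, user) + attr(2, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, req_auth, attrs, secret):
    """What the server sends: Response Authenticator = MD5(header+ReqAuth+attrs+secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def classify_reply(reply, ident, req_auth, secret):
    """How a client (NAS) treats a reply; 'bad-reply' means it is discarded."""
    if len(reply) < 20:
        return "bad-reply"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return "bad-reply"
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-reply"  # secrets on NAS and server differ, or the reply is forged
    known = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}
    return known.get(code, "bad-reply")

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    ra, nas_secret = bytes(range(16)), b"testing123"
    print(len(build_access_request(7, b"alice", b"pw", nas_secret, ra)))
    for server_secret in (b"testing123", b"testing123 "):  # second has a stray space
        reply = build_reply(ACCESS_ACCEPT, 7, ra, b"", server_secret)
        print(repr(server_secret), classify_reply(reply, 7, ra, nas_secret))
```

A client that never sends a request at all, with every counter at zero, never reaches this check; the mismatch case only appears once requests actually leave the NAS.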

Posted: Mon May 29, 2006 11:51 am
by enrique
J_RaD

Have you tried 2.9.20 winbox version?

Posted: Mon May 29, 2006 11:55 am
by savage
Said it previously, will say it again as well...

What does the MT Radius Status page show? Timeouts, bad replies, etc ???

Will immediately give an indication as to what's going on here... Logging radius in debug mode on the MT will also help...

--
C

Posted: Tue May 30, 2006 2:48 am
by kenk
I experienced a peculiarity in the 2.8 radius where the MT's radius wouldn't start if configured through the winbox. Since then I've always pasted the radius configuration during configuration, but presume the winbox has been fixed since - possibly inserting a false character in the secret or something.

Posted: Tue May 30, 2006 6:18 pm
by J_RaD
> Said it previously, will say it again as well...
>
> What does the MT Radius Status page show? Timeouts, bad replies, etc ???
>
> Will immediately give an indication as to what's going on here... Logging radius in debug mode on the MT will also help...
>
> --
> C

I've got all zeros across the board.

Posted: Tue May 30, 2006 6:19 pm
by J_RaD
> J_RaD
>
> Have you tried 2.9.20 winbox version?

I'm using 2.9.12

Posted: Tue May 30, 2006 7:23 pm
by savage
> > Said it previously, will say it again as well...
> >
> > What does the MT Radius Status page show? Timeouts, bad replies, etc ???
> >
> > Will immediately give an indication as to what's going on here... Logging radius in debug mode on the MT will also help...
> >
> > --
> > C
>
> I've got all zeros across the board.

/set radius x service=hotspot

then look at the counters again