Mikrotik Router Local Users Authentication via RADIUS Server
This manual discusses how to create two users, ex and ex2, that are members of different groups and are authenticated via RADIUS.
For the purposes of this manual we use Debian GNU/Linux system and FreeRADIUS RADIUS server. Both these products are free software.
* MikroTik Router Configuration
o Configure the router with the proper RADIUS server connection parameters.
[admin@MikroTik] radius> add service=login address=1.1.1.1 secret="xxx" disabled=no
[admin@MikroTik] radius> print detail
Flags: X - disabled
0 service=login called-id="" domain="" address=1.1.1.1 secret="xxx"
authentication-port=1812 accounting-port=1813 timeout=300ms
accounting-backup=no
[admin@MikroTik] radius>
o Enable the local user authorization service to use the RADIUS server.
[admin@MikroTik] user aaa> set use-radius=yes
[admin@MikroTik] user aaa> print
use-radius: yes
accounting: yes
interim-update: 0s
default-group: read
[admin@MikroTik] user aaa>
* FreeRADIUS Server Installation and Configuration
o Install the FreeRADIUS server package.
root@wildcat:/etc# apt-get install freeradius
Reading Package Lists... Done
Building Dependency Tree... Done
Suggested packages:
freeradius-ldap freeradius-mysql freeradius-krb5 freeradius-iodbc
The following NEW packages will be installed:
freeradius
0 upgraded, 1 newly installed, 0 to remove and 269 not upgraded.
Need to get 0B/1788kB of archives.
After unpacking 4362kB of additional disk space will be used.
Selecting previously deselected package freeradius.
(Reading database ... 60006 files and directories currently installed.)
Unpacking freeradius (from .../freeradius_0.9.3-1_i386.deb) ...
Setting up freeradius (0.9.3-1) ...
Group freerad does already exist as a system group. Exiting...
freerad : freerad shadow
Restarting FreeRADIUS daemon: Stopping FreeRADIUS daemon: freeradius.
Starting FreeRADIUS daemon: Tue Sep 14 10:50:30 2004 : Info: Starting
- reading configuration files ...
freeradius.
root@wildcat:/etc#
o Open the file /etc/freeradius/clients.conf and add the following record:
client 1.1.1.3 {
secret = xxx
shortname = xxx
}
This record identifies the MikroTik router by its address (the source address of the packets arriving from the router); the secret must match the one configured on the router in /radius.
o Open the file /etc/freeradius/users and add the following line:
ex User-Password == "ex"
This adds a user named ex, who will belong to the default group specified in the /user aaa submenu (read, in the output above).
o To add a user who belongs to a group other than the default, you need to return the Group attribute to the router. Open the /etc/freeradius/users file once more and add a second user named ex2, who will be a member of the group full.
ex2 User-Password == "ex2"
Group = "full"
Do not forget to update FreeRADIUS dictionary with additional attributes! Open /etc/freeradius/dictionary file and add the following:
VENDOR Mikrotik 14988
ATTRIBUTE Recv-Limit 1 integer Mikrotik
ATTRIBUTE Xmit-Limit 2 integer Mikrotik
ATTRIBUTE Group 3 string Mikrotik
ATTRIBUTE Wireless-Forward 4 integer Mikrotik
ATTRIBUTE Wireless-Skip-Dot1x 5 integer Mikrotik
ATTRIBUTE Wireless-Enc-Algo 6 integer Mikrotik
ATTRIBUTE Wireless-Enc-Key 7 string Mikrotik
ATTRIBUTE Rate-Limit 8 string Mikrotik
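To show what the shared secret and the Group attribute actually look like on the wire, here is an added Python example (not part of the original manual): it encodes the Mikrotik Group Vendor-Specific attribute using the vendor ID 14988 and attribute number 3 from the dictionary above, and applies the RFC 2865 User-Password hiding that the shared secret from clients.conf drives. The request authenticator and the password values used in the test are constructed sample inputs.

```python
import hashlib
import struct

MIKROTIK_VENDOR_ID = 14988  # VENDOR Mikrotik 14988 in the FreeRADIUS dictionary
MIKROTIK_GROUP = 3          # ATTRIBUTE Group 3 string Mikrotik
VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute type


def encode_mikrotik_group(group: str) -> bytes:
    """Build the Vendor-Specific AVP that carries Mikrotik Group = group (RFC 2865 5.26)."""
    value = group.encode()
    vendor_part = struct.pack("!BB", MIKROTIK_GROUP, 2 + len(value)) + value
    body = struct.pack("!I", MIKROTIK_VENDOR_ID) + vendor_part
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(avp: bytes):
    """Parse a Vendor-Specific AVP back into (vendor_id, vendor_type, value bytes)."""
    atype, alen = struct.unpack("!BB", avp[:2])
    if atype != VENDOR_SPECIFIC or alen != len(avp) or alen < 8:
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    vtype, vlen = struct.unpack("!BB", avp[6:8])
    if vlen != alen - 6:
        raise ValueError("vendor length does not match attribute length")
    return vendor_id, vtype, avp[8:alen]


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator  # the first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does before comparing User-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")
```

The hiding is only MD5 of the secret chained through 16-byte blocks, so a short secret such as xxx gives the PAP password little protection in transit; this is why the router/server secret should be long and random and the path between them trusted.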
o Restart the FreeRADIUS server.
root@wildcat:/etc# /etc/init.d/freeradius restart
Restarting FreeRADIUS daemon: Stopping FreeRADIUS daemon: freeradius.
Starting FreeRADIUS daemon: Tue Sep 14 12:02:05 2004 : Info: Starting
- reading configuration files ...
freeradius.
root@wildcat:/etc#
* Configuration testing
To test the configuration, log on to your router as either the ex or the ex2 user. Note that user ex has only read permissions, while user ex2 has full permissions, for example he can create new users.
next .. have to lunch ..
For more information, please ask in the comments.
2 comments:
You can find some MikroTik tutorials here: http://mikrotiktutorialblog.blogspot.com
Very nice example. Some good mikrotik tutorials can be found on tikdude.com.