
RADIUS

- make life easier


by Daniel Starnowski

About me

Daniel Starnowski

Network administrator since 2000

MikroTik user since 2008

MikroTik Trainer since 2011

From Kraków, Poland

1038-1596 capital of Poland

2007 MikroTik User Meeting

http://startik.net

© StarTik Daniel Starnowski 2012 RADIUS - make life easier 2

Outline

Introduction

FreeRADIUS - quick install

Example: login management

Connecting to SQL database

Short example: wireless

Example: DHCP (and modifying SQL query)

Hotspot: MAC authorization & HTML redirection

How to create a management platform in PHP


Introduction

More devices = more problems

Inconsistent login configuration

Authorization and queueing for customers on the nearest router - very problematic and hard to manage

RADIUS the protocol

Remote Authentication Dial In User Service

RFC 2865

uses UDP ports 1812 and 1813

AAA concept

Authentication

Authorization

Accounting

RADIUS

One server can centralize all user accounts

RADIUS server, client, user

User (a computer) tries to connect to the gateway (ppp, hotspot, etc.) using username and password

Client (MikroTik) looks for the user in the local database and if it fails - asks the RADIUS server

Server - tells the client whether it should accept or reject the user

RADIUS request and response

username/password

Access-Request (1)

Access-Accept (2) or Access-Reject (3)

Request and response - single UDP packets

RADIUS the packet

Code, Identifier, Length
Authenticator
Type, Length, Value
Type, Length, Value
...

FreeRADIUS quick install

Installation of FreeRADIUS is really easy!

Ubuntu: sudo apt-get install freeradius

/etc/freeradius - directory with the settings

clients.conf - the only file we need to edit:

client 192.168.255.1/32 {
    secret = $3CR3T$TR1NG
    shortname = MikroTik
}

We specify the addresses accepted by the server (and the shared secret each of them must use)

RADIUS dictionaries

/usr/share/freeradius/ - dictionary files

dictionary.rfc2865:

ATTRIBUTE User-Name 1 string
ATTRIBUTE User-Password 2 string encrypt=1
ATTRIBUTE CHAP-Password 3 octets
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
ATTRIBUTE Framed-IP-Netmask 9 ipaddr


Example: login management

File users in /etc/freeradius

username Cleartext-Password := "password"

User "username" with password "password" will be accepted by the router, with the default group

username Cleartext-Password := "password"
    Mikrotik-Group := "write",
    Another-Attr := "a_value"

We can specify what attributes the RADIUS server will give in the response

Example: login management

Access-Request:

Service-Type = Login-User

User-Name = (name entered by user)

User-Password = (encrypted password)

Calling-Station-Id = (IP address of the user)

NAS-Identifier = (system identity of client)

NAS-IP-Address = (IP address of the client)
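As an added illustration (not from the original slides), the Python below builds the Access-Request listed above byte by byte in the Code/Identifier/Length/Authenticator/TLV layout of the packet slide, hides User-Password with the RFC 2865 MD5-XOR scheme, and parses the packet back. Attribute numbers 31 and 32 for Calling-Station-Id and NAS-Identifier come from RFC 2865; the shared secret, user and addresses are constructed sample values.

```python
import hashlib
import os
import struct
# RFC 2865 attribute numbers for the Access-Request shown on the slide (code 1 = Access-Request)
ATTR = {"User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4,
        "Service-Type": 6, "Calling-Station-Id": 31, "NAS-Identifier": 32}

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block); obfuscation only
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", authenticator  # the Request Authenticator seeds the first block
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator  # server side: same keystream, then strip the NUL padding
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(identifier, secret, username, password, nas_ip, calling_id, nas_id, authenticator=None):
    # Header: Code, Identifier, Length, 16-byte Authenticator; then Type-Length-Value attributes
    authenticator = authenticator or os.urandom(16)  # must be unpredictable for every request
    attrs = [
        (ATTR["Service-Type"], struct.pack("!I", 1)),  # 1 = Login-User
        (ATTR["User-Name"], username.encode()),
        (ATTR["User-Password"], hide_password(password.encode(), secret, authenticator)),
        (ATTR["Calling-Station-Id"], calling_id.encode()),  # the user's IP on a MikroTik login
        (ATTR["NAS-Identifier"], nas_id.encode()),          # the router's system identity
        (ATTR["NAS-IP-Address"], bytes(int(o) for o in nas_ip.split("."))),
    ]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    # Returns (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], (pkt[pos + 1] if pos + 1 < length else 0)
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, identifier, pkt[4:20], attrs
```

Because the password hiding is only an XOR with an MD5 keystream derived from the shared secret, anyone who captures the UDP packet and knows the secret gets the password back with reveal_password; the strength of the secret in clients.conf is what protects the exchange.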



Example: login management

Access-Accept

If there were no configured parameters, the accept packet has no "attribute-value" fields

example: Mikrotik-Group = "write"

Connecting to SQL database

sudo apt-get install mysql-server-5.1

sudo apt-get install freeradius-mysql

/etc/freeradius/sql/mysql/ - here are the configuration files for RADIUS to work with SQL

mysql> CREATE DATABASE radius;

We import schema.sql (or just simply paste the commands from the file) into the MySQL database

Connecting to SQL database

Back to radiusd.conf - in the "modules" section we enable (uncomment) the SQL module:

    $INCLUDE sql.conf

In the sql.conf file:

    database = "mysql"
    server = "localhost"
    login = "db_user"
    password = "his_password"
    radius_db = "radius"

Creating SQL entries

Instead of the users file - two tables:

radcheck

radreply

They look exactly the same!

In radcheck - the conditions to be checked

In radreply - the attributes sent with the reply packet

Creating SQL entries

mysql> show fields from radcheck;
+-----------+------------------+
| Field     | Type             |
+-----------+------------------+
| id        | int(11) unsigned |
| username  | varchar(64)      |
| attribute | varchar(64)      |
| op        | char(2)          |
| value     | varchar(253)     |
+-----------+------------------+
5 rows in set (0.00 sec)

Creating SQL entries

INSERT INTO radcheck (username, attribute, op, value)
VALUES ('user', 'Cleartext-Password', ':=', 'pass');

INSERT INTO radreply (username, attribute, op, value)
VALUES ('user', 'Mikrotik-Group', ':=', 'write');

Exactly like in the users file:

user Cleartext-Password := "pass"
    Mikrotik-Group := "write"

Short example: wireless

For wireless - RADIUS works similar to "Access List" and "Connect List": it decides which stations can get into the registration table

Configured in the Security Profile

"Default Authenticate" stops working!


Short example: wireless

INSERT INTO radcheck (username, attribute, op, value)
VALUES ('00:0C:42:01:02:03', 'Auth-Type', ':=', 'Accept');

INSERT INTO radreply (username, attribute, op, value)
VALUES ('00:0C:42:01:02:03', 'Mikrotik-Wireless-Psk', ':=', 'Pskstring');

Example: DHCP

MAC authorized and has "Framed-IP-Address" in the reply: it will get the specific address

MAC is authorized but without a reserved IP: it will get one from the pool

MAC not authorized: won't get any address!

Example: DHCP

INSERT INTO radcheck (username, attribute, op, value)
VALUES ('00:0C:42:01:02:03', 'Auth-Type', ':=', 'Accept');

Wait... we already have this one!

INSERT INTO radreply (username, attribute, op, value)
VALUES ('00:0C:42:01:02:03', 'Framed-IP-Address', ':=', '192.19.2.2');

Example: DHCP

We have the same MAC address for wireless and for DHCP services!

RADIUS will reply with all attributes to every service

Wireless will get Mikrotik-Wireless-Psk, but ignore Framed-IP-Address

DHCP will get Framed-IP-Address, but ignore Mikrotik-Wireless-Psk

Example: DHCP

If a MAC address is not in the RADIUS database (it is not authorized) - it will not get a DHCP lease!!

What can we do to prevent it?

Modifying SQL query

In the dialup.conf file - we have the exact SQL query used to get the data from the database:

authorize_check_query = "SELECT \
    id, username, attribute, value, op \
    FROM ${authcheck_table} \
    WHERE username = '%{SQL-User-Name}' \
    ORDER BY id"

We can modify it, so that for every request from the DHCP server it will give Auth-Type := Accept

Modified SQL query

authorize_check_query = "SELECT \
    id, username, attribute, value, op \
    FROM ${authcheck_table} \
    WHERE username = '%{SQL-User-Name}' \
    UNION \
    SELECT DISTINCT 0, '%{SQL-User-Name}', 'Auth-Type', 'Accept', ':=' \
    FROM ${authcheck_table} \
    WHERE '%{Called-Station-Id}' like 'dhcp%' \
    ORDER BY id"

Now every MAC will get an IP address from the DHCP!

0, '<MAC of the requesting client>', 'Auth-Type', ':=', 'Accept'
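Added example, not part of the original slides: the modified query above replayed against an in-memory SQLite copy of radcheck, with FreeRADIUS's ${authcheck_table} and %{...} expansions replaced by bound parameters. It shows an unknown MAC being accepted only when Called-Station-Id starts with "dhcp" (the slide's assumption about how the DHCP server identifies itself), and one subtlety of the UNION branch: it selects FROM the table, so it yields no row while radcheck is empty.

```python
import sqlite3

# Constructed radcheck rows, like the INSERTs on the slides: one MAC known to RADIUS, one user
RADCHECK_ROWS = [
    (1, "00:0C:42:01:02:03", "Auth-Type", ":=", "Accept"),
    (2, "user", "Cleartext-Password", ":=", "pass"),
]

# The modified authorize_check_query from the slide. FreeRADIUS expands ${authcheck_table},
# %{SQL-User-Name} and %{Called-Station-Id} itself; here they are bound as sqlite parameters.
# Assumption (as on the slide): Called-Station-Id of a DHCP request starts with "dhcp".
# Note the second SELECT reads FROM radcheck: an empty table produces no Auth-Type row.
AUTHORIZE_CHECK_QUERY = """
SELECT id, username, attribute, value, op FROM radcheck WHERE username = ?
UNION
SELECT DISTINCT 0, ?, 'Auth-Type', 'Accept', ':=' FROM radcheck WHERE ? LIKE 'dhcp%'
ORDER BY id"""

def make_db(rows=RADCHECK_ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
                 "attribute TEXT, op TEXT, value TEXT)")
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def check_items(conn, user_name, called_station_id):
    # Returns the check items FreeRADIUS would evaluate, as (attribute, op, value)
    rows = conn.execute(AUTHORIZE_CHECK_QUERY, (user_name, user_name, called_station_id)).fetchall()
    return [(attribute, op, value) for _id, _user, attribute, value, op in rows]

def is_accepted(conn, user_name, called_station_id):
    # Auth-Type := Accept is the check item that authorizes a MAC on these slides
    return ("Auth-Type", ":=", "Accept") in check_items(conn, user_name, called_station_id)
```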


Hotspot: MAC authorization

If a user (MAC address) is not present in the Users list of the hotspot, it will be checked in the RADIUS database

Only authorized users will access the network, unauthorized ones will get the login.html page

Hotspot: MAC authorization

The MAC address will be authorized if it passes the radcheck query (i.e. it is present as username in the radcheck table)

Additional reply attributes are possible, like limits for the up/down/total bytes or connection time

Mikrotik-Rate-Limit := "256k/512k"

Rate Limit will create a dynamic simple queue with the max-limit restrictions.

Hotspot: MAC authorization

If both DHCP and Hotspot services get data from the same RADIUS database - the queue will be created twice!

It can be avoided by modifying the reply SQL query

Hotspot: HTML redirection

Hotspot: HTML files

Hotspot: HTML files (rlogin)

Hotspot: HTML files

For $(link-redirect) hotspot puts:

http://10.255.255.255/login.html?dst=OLDURL

We modify the rlogin.html page

Instead of $(link-redirect) we put:

http://192.168.255.2/register.php?mac=$(mac)

192.168.255.2 - our PHP/MySQL server

For $(mac) hotspot will put the user's MAC address

The http server needs to be added to Hotspot's Walled Garden

Management platform

New SQL table customers:

+-----------+------------------+
| Field     | Type             |
+-----------+------------------+
| id        | int(11) unsigned |
| username  | varchar(64)      |
| password  | varchar(64)      |
+-----------+------------------+

Tables radcheck and radreply get an additional field "customer" (integer)

Management platform live demo

You can connect to the live demo platform!

SSID = StarTik

All the settings from the DHCP server

Try to open any webpage

Any questions?
Thank you!
RADIUS make life easier