Friday, November 28, 2008

Local Users via Radius Authentication Server

This manual shows how to create two users, ex and ex2, that belong to different router groups and are authenticated against a RADIUS server instead of the router's local user database.

For the purposes of this manual we use a Debian GNU/Linux system and the FreeRADIUS server. Both are free software.

*** Mikrotik Router Configuration

Configure the router with the RADIUS server's address and the shared secret. The secret "xxx" below is a placeholder; use a long random value in practice, because the shared secret is the only key protecting user passwords between the router and the server, and it must be entered identically on both sides.

[admin@Mikrotik] radius> add service=login address=1.1.1.1 secret="xxx" disabled=no
[admin@Mikrotik] radius> print detail
Flags: X -disabled
0 service=login called-id="" domain="" address=1.1.1.1 secret="xxx"
authentication-port=1812 accounting-port=1813 timeout=300ms accounting-backup=no
[admin@Mikrotik] radius>

Enable the local user authentication service (the /user aaa submenu) to consult the RADIUS server:

[admin@Mikrotik] user aaa> set use-radius=yes
[admin@Mikrotik] user aaa> print
use-radius: yes
accounting: yes
interim-update: 0s
default-group: read
[admin@Mikrotik] user aaa>

*** FreeRADIUS server installation and Configuration

Install FreeRADIUS server package

root@wildcat:/etc# apt-get install freeradius
Reading Package Lists... Done
Building Dependency Tree... Done
Suggested packages:
freeradius-ldap freeradius-mysql freeradius-krb5 freeradius-iodbc
The following NEW packages will be installed:
freeradius
0 upgraded, 1 newly installed, 0 to remove and 269 not upgraded.
Need to get 0B/1788kB of archives.
After unpacking 4362kB of additional disk space will be used.
Selecting previously deselected package freeradius.
(Reading database ... 60006 files and directories currently installed.)
Unpacking freeradius (from .../freeradius_0.9.3-1_i386.deb) ...
Setting up freeradius (0.9.3-1) ...
Group freerad does already exist as a system group. Exiting...
freerad: freerad shadow
Restarting FreeRADIUS daemon: Stopping FreeRADIUS daemon: freeradius.
Starting FreeRADIUS daemon: Tue Sep 14 10:50:30 2008 : info: Starting
- reading configuration files ...
freeradius.
root@wildcat:/etc#

Open the file /etc/freeradius/clients.conf and add the following record:

client 1.1.1.3 {
secret = xxx
shortname = xxx
}

This record identifies the MikroTik router by the source address of the RADIUS packets it sends (1.1.1.3 here). The secret must be the same string configured under /radius on the router; shortname is only a label used in the server's logs. FreeRADIUS silently ignores requests from addresses that have no client record, so a missing or wrong entry here shows up on the router as a RADIUS timeout rather than an explicit rejection.

Open the file /etc/freeradius/users and add the following line:

ex	User-Password == "ex"

This adds a user named ex with no reply attributes, so the router places it in the default group set under the /user aaa submenu (read in the output above). Note that FreeRADIUS 2.x and later expect the password check item as Cleartext-Password := "ex"; the User-Password == form shown here is the 0.9/1.x syntax.

To add a user that belongs to a group other than the default, the server must send the Group attribute (MikroTik vendor attribute 3, defined in the dictionary step below) to the router as a reply item.
Open the /etc/freeradius/users file once more and add a second user named ex2 that will be a member of the group full. Reply items go on the following line, indented with a tab:

ex2	User-Password == "ex2"
	Group = "full"

Do not forget to update the FreeRADIUS dictionary with the MikroTik vendor attributes; otherwise the server refuses to start because the Group attribute used in the users file is unknown. Open the /etc/freeradius/dictionary file and add the following (this is the FreeRADIUS 0.9/1.x format with the vendor name in the last column; newer releases already ship these definitions in dictionary.mikrotik under names such as Mikrotik-Group, so check before adding duplicates):

VENDOR		Mikrotik		14988

ATTRIBUTE	Recv-Limit		1	integer	Mikrotik
ATTRIBUTE	Xmit-Limit		2	integer	Mikrotik
ATTRIBUTE	Group			3	string	Mikrotik
ATTRIBUTE	Wireless-Forward	4	integer	Mikrotik
ATTRIBUTE	Wireless-Skip-Dot1x	5	integer	Mikrotik
ATTRIBUTE	Wireless-Enc-Algo	6	integer	Mikrotik
ATTRIBUTE	Wireless-Enc-Key	7	string	Mikrotik
ATTRIBUTE	Rate-Limit		8	string	Mikrotik

Restart the FreeRADIUS server so that it reads the new client, user and dictionary entries.

root@wildcat:/etc# /etc/init.d/freeradius restart
Restarting FreeRADIUS daemon: Stopping FreeRADIUS daemon: freeradius.
Starting FreeRADIUS daemon: Tue Sep 14 12:02:05 2008 : info: Starting
- reading configuration files ...
freeradius.
root@wildcat:/etc#

===================
Configuration testing

To test the configuration, log on to the router as either ex or ex2. User ex has only read permissions, while ex2 has full permissions and can, for example, create new users. If both logins fail, check the router's log for RADIUS timeouts (no matching client record, or a secret mismatch) before looking at the users file.
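The following is an added example, not code from the post or from FreeRADIUS, that walks through the exchange the test above triggers: the router hides the password with the shared secret, the server checks it against entries equivalent to the two users file lines, answers Access-Accept with the Group reply item (vendor 14988, attribute 3, exactly as the dictionary entries above define it) or Access-Reject, and the router verifies the Response Authenticator before trusting the reply. It runs offline; the shared secret, the user table and the in-process "server" call in place of UDP to port 1812 are assumptions for illustration.

```python
# Added example (not from the post): a MikroTik-style RADIUS login worked
# offline, end to end.  Secret, user table and the in-process server call
# are assumptions; the wire format follows RFC 2865.
import hashlib
import os
import struct

SECRET = b"xxx"            # shared secret from /radius on the router and clients.conf
MIKROTIK_VENDOR = 14988    # VENDOR Mikrotik 14988 from the dictionary step
MT_GROUP = 3               # ATTRIBUTE Group 3 string Mikrotik
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26

# Constructed stand-in for the two /etc/freeradius/users entries:
# username -> (password check item, optional Group reply item)
USERS = {b"ex": (b"ex", None), b"ex2": (b"ex2", b"full")}


def hide_password(password, req_auth, secret=SECRET):
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with
    MD5(secret + previous block), seeded with the Request Authenticator.
    The shared secret is the only key material, so a guessable secret
    lets anyone sniffing the link recover every user's password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, req_auth, secret=SECRET):
    """Inverse of hide_password: same keystream, chained on the ciphertext."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t, value):
    """Type / Length / Value encoding of one attribute."""
    return struct.pack("!BB", t, 2 + len(value)) + value


def vsa(vendor, vtype, value):
    """Vendor-Specific attribute 26: 4-byte vendor id, then vendor TLV."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + attr(vtype, value))


def parse_attrs(data, inner=False):
    """Yield (type, value); VSAs come out as (("vsa", vendor, vtype), value)."""
    pos = 0
    while pos < len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        value = data[pos + 2:pos + length]
        if t == VENDOR_SPECIFIC and not inner:
            vendor = struct.unpack("!I", value[:4])[0]
            for vt, vv in parse_attrs(value[4:], inner=True):
                yield ("vsa", vendor, vt), vv
        else:
            yield t, value
        pos += length


def access_request(username, password, secret=SECRET, ident=1):
    """Router side: build the Access-Request with a fresh random authenticator."""
    req_auth = os.urandom(16)
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, req_auth, secret))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def serve(request, users=USERS, secret=SECRET):
    """Server side: recover the password, check it against the users table,
    reply Access-Accept (with the Group item when the user has one) or
    Access-Reject.  The Response Authenticator binds the reply to the secret."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    entry = users.get(attrs.get(USER_NAME))
    ok = entry is not None and unhide_password(attrs.get(USER_PASSWORD, b""), req_auth, secret) == entry[0]
    body = vsa(MIKROTIK_VENDOR, MT_GROUP, entry[1]) if ok and entry[1] else b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def router_login(username, password, secret=SECRET, default_group="read"):
    """Whole exchange as seen from the router.  Returns the group the user
    lands in, None on Access-Reject, and raises if the reply fails the
    Response Authenticator check (secret mismatch on either side, or a forged reply)."""
    req = access_request(username, password, secret)
    resp = serve(req)                       # real life: UDP to port 1812 on 1.1.1.1
    code, _, length = struct.unpack("!BBH", resp[:4])
    body = resp[20:length]
    if resp[4:20] != hashlib.md5(resp[:4] + req[4:20] + body + secret).digest():
        raise ValueError("Response Authenticator mismatch: secret differs or reply forged")
    if code != ACCESS_ACCEPT:
        return None
    group = dict(parse_attrs(body)).get(("vsa", MIKROTIK_VENDOR, MT_GROUP))
    return group.decode() if group else default_group   # no Group item: /user aaa default-group


if __name__ == "__main__":
    for user, pw in ((b"ex", b"ex"), (b"ex2", b"ex2"), (b"ex2", b"nope")):
        print(user.decode(), "->", router_login(user, pw))
```

Two things to take from running it: ex is accepted without any Group item and therefore ends up in whatever default-group the router has configured, while ex2 carries Group = "full" inside a Vendor-Specific attribute; and a secret that differs between router and server does not produce a clean rejection but an unverifiable reply, which is why a wrong secret looks like a timeout on the router rather than a login failure.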