Thursday, April 21, 2016

Set up a RADIUS server for PPPoE authentication from a MikroTik router

MikroTik has its own way of handling PPPoE authentication, but using RADIUS adds accounting and centralizes authentication across your network.

*** setup information ***
radius server: ip: 192.168.202.25
mikrotik ether4 pppoe interface connect to client
               ether3 ip: 192.168.202.3 connect to radius

structure
client ---> (ether4) mikrotik (ether3) ---> radius server


*** on radius server ***
1- install the RADIUS server; the package name is freeradius
$ sudo apt-get install freeradius

2- configure the RADIUS server by modifying the configuration files below
-  /etc/freeradius/radiusd.conf
# /etc/freeradius/radiusd.conf — main server configuration, using the
# modules/ + sites-enabled/ + eap.conf layout of the FreeRADIUS 2.x era.
# Directory values below are the Debian package defaults.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# The daemon drops root privileges to this unprivileged account.
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Authentication socket. ipaddr = * binds every interface; port = 0 takes the
# port from /etc/services (1812 for radius).
# NOTE(review): the only NAS in this setup is the MikroTik at 192.168.202.3,
# so ipaddr = 192.168.202.25 would keep this socket off any other interface
# of the server — confirm no other NAS needs it before narrowing.
listen {
    type = auth
    ipaddr = *
    port = 0
}
# Accounting socket (1813 from /etc/services); same binding caveat as above.
listen {
    ipaddr = *
    port = 0
    type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    # auth = no: Access-Accept/Access-Reject results are not written to
    # radius.log. NOTE(review): set auth = yes if failed PPPoE logins should be
    # visible in the log; keep auth_badpass/auth_goodpass at no so passwords
    # are never logged.
    auth = no
    auth_badpass = no
    auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    # One-second delay before an Access-Reject is sent; slows down guessing.
    reject_delay = 1
    status_server = yes
    allow_vulnerable_openssl = no
}
# Proxying is enabled; which realms (if any) leave this server is defined in
# proxy.conf, which is not shown in this guide.
proxy_requests  = yes
$INCLUDE proxy.conf
# NAS definitions and their shared secrets — see step 3 below.
$INCLUDE clients.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
}
instantiate {
    exec
    expr
    expiration
    logintime
}
$INCLUDE policy.conf
# Virtual servers: sites-enabled/default and sites-enabled/inner-tunnel below.
$INCLUDE sites-enabled/


-  /etc/freeradius/modules/chap
# /etc/freeradius/modules/chap — CHAP verification needs the user's plaintext
# password on the server, which is why the users file (step 4) stores
# Cleartext-Password rather than a hash.
chap {
    authtype = CHAP
}



-  /etc/freeradius/modules/mschap
# /etc/freeradius/modules/mschap — MS-CHAP also verifies against the
# Cleartext-Password from the users file (step 4).
mschap {
               authtype = MS-CHAP
               # use_mppe = no: the MS-MPPE-*-Key attributes are not added to
               # the Access-Accept, so RADIUS supplies no MPPE key material.
               # NOTE(review): whether the PPP link is encrypted then depends
               # on the router's PPP profile — set yes if MPPE is wanted.
               use_mppe = no
}


-  /etc/freeradius/sites-enabled/default
# /etc/freeradius/sites-enabled/default — the virtual server that handles the
# two listen sockets from radiusd.conf (auth and acct).
authorize {
    preprocess
    # chap / mschap set Auth-Type when the request carries CHAP or MS-CHAP
    # attributes; pap does the same for User-Password and is listed last so it
    # only claims requests no other method already claimed.
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    # files reads /etc/freeradius/users (step 4): the Cleartext-Password check
    # item and the Framed-* reply items.
    files
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    # NOTE(review): unix checks the system password database; it is not used
    # by the users-file account in this guide and could be removed.
    unix
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
# Accounting records from the MikroTik are written by the detail module
# (under ${radacctdir} from radiusd.conf).
accounting {
    detail
    exec
    attr_filter.accounting_response
}
session {
    radutmp
}
post-auth {
    exec
    Post-Auth-Type REJECT {
        eap
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}


-  /etc/freeradius/sites-enabled/inner-tunnel (left as shipped; the PPPoE PAP/CHAP/MS-CHAP flow in this guide does not go through it)

# /etc/freeradius/sites-enabled/inner-tunnel — a second virtual server that is
# only reachable on the loopback socket below; presumably used by tunnelled EAP
# methods (eap.conf, not shown) rather than by the PPPoE flow in this guide.
server inner-tunnel {
listen {
       ipaddr = 127.0.0.1
       port = 18120
       type = auth
}
authorize {
    chap
    mschap
    suffix
    # Requests reaching this server are always handled locally, never
    # forwarded to a realm from proxy.conf.
    update control {
           Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    # Same users file as the default server (step 4).
    files
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    eap
}
session {
    radutmp
}
post-auth {
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}


3- add the clients (NAS) that are allowed to authenticate username/password against our radius server. Here we add localhost for testing and the mikrotik's ip 192.168.202.3 in the file /etc/freeradius/clients.conf
# /etc/freeradius/clients.conf — every NAS allowed to talk to this server and
# the shared secret it must present; packets from any other source address
# are ignored.
client localhost {
    ipaddr = 127.0.0.1
    # Only used by the radtest checks in step 6. NOTE(review): this is the
    # stock example secret — replace it even on loopback.
    secret        = testing123
    require_message_authenticator = no
}
client 192.168.202.3 {
    # The MikroTik's ether3 address (see setup information above).
    ipaddr = 192.168.202.3
    # NOTE(review): example value — use a long random secret and enter the same
    # value in "/radius add ... secret=" on the router (mikrotik step 1).
    secret = passtest
    nastype     = mikrotik
}


4- add a username and password in the file /etc/freeradius/users
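# /etc/freeradius/users — one test account (user8 / pass8).
# Fixed from the original listing: the value name is Van-Jacobson-TCP-IP (as
# the radtest reply in step 6 also shows); the misspelling Van-Jacobsen-TCP-IP
# is not in the dictionary and would make the server reject the entry. The
# username line must also start in column 0 — the original listing had a
# stray leading space, which the users-file parser does not treat as the
# start of an entry.
# Cleartext-Password is required because CHAP and MS-CHAP (see modules/chap
# and modules/mschap) verify against the plaintext; keep this file readable
# only by the freerad user.
user8      Cleartext-Password := "pass8"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 192.168.100.1,
            Framed-Compression = Van-Jacobson-TCP-IP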


5- restart the radius service
$ sudo service freeradius restart

6- test authentication from the radius server to itself.
- test using pap protocol
$ radtest user8 pass8 localhost 1812 testing123
Sending Access-Request of id 106 to 127.0.0.1 port 1812
    User-Name = "user8"
    User-Password = "pass8"
    NAS-IP-Address = 192.168.202.25
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=106, length=44
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 192.168.100.1
    Framed-Compression = Van-Jacobson-TCP-IP


- test using chap protocol
$ radtest -t chap user8 pass8 localhost 1812 testing123

- test using mschap protocol
$ radtest -t mschap user8 pass8 localhost 1812 testing123

*** on mikrotik router ***
1- add the radius server to the mikrotik radius list (the secret must match the client entry in clients.conf)
/radius add address=192.168.202.25 secret=passtest service=ppp

2- add a pppoe server that listens for incoming pppoe on interface ether4
/interface pppoe-server server add service-name=service1  interface=ether4 disabled=no default-profile=default

3- enable ppp authentication through radius
/ ppp aaa set use-radius=yes

4- set the local ip address of the default profile to 192.168.100.255
/ppp profile set 0 local-address=192.168.100.255



+++ now everything is ready and we can use a windows client to dial a pppoe connection to our mikrotik router. the client must be connected to ether4 of the mikrotik

- below is a screenshot from windows xp using username user8 and password pass8


