FREERADIUS WITH MIKROTIK – Part #1 – General Tips (index of the FreeRADIUS tutorial series)
Disclaimer! This is important!
Every network is different, so one solution cannot be applied to all. Therefore, try to understand the logic and create your own solution for your network scenario. Don't just copy and paste.
If anybody here thinks I am an expert on this stuff: I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However, I have worked with some core networks and I read, research and try stuff all of the time. So I am not speaking/posting about stuff I am formally trained in; I pretty much go with experience and what I have learned on my own. And if I don't know something, then I read and learn all about it.
So, please don't hold me/my postings to be always 100 percent correct. I make mistakes just like everybody else. However, I do my best, learn from my mistakes and always try to help others.
~ FreeRADIUS is a Dark Art ~
Regards, Syed Jahanzaib
Scenario:
We have a Mikrotik routerboard working as a HOTSPOT server for local guests. FreeRADIUS is configured as the billing system.
Requirements:
We want to allow a user to log in automatically by his MAC address. We could do this in Mikrotik itself with a bypassed IP binding, but we want the user to be authenticated by the billing system, so that his usage, expiry, package etc. are determined by FreeRADIUS according to his assigned package.
Solution:
We assume that the hotspot is already in working condition along with FreeRADIUS.
Please note that this is just an example; in a real production environment you should consider a more robust approach with safety controls. I personally never recommend HOTSPOT due to its security weaknesses.
1# Mikrotik Side Configuration
- Go to IP > HOTSPOT > SERVER PROFILES
- Select the working profile
- Go to the LOGIN tab and tick MAC under LOGIN BY
- In MAC AUTH. MODE, select MAC AS USERNAME AND PASSWORD
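The same change from the RouterOS terminal, as an added example that is not part of the original post. The profile name `hsprof1` is a placeholder for whatever your working server profile is called, and `http-chap` stands for whatever other login methods the profile already had ticked (the hotspot is assumed to be using RADIUS already, hence `use-radius=yes`):

```routeros
# Added example, not from the original post. "hsprof1" is a placeholder profile name.
/ip hotspot profile set [find name="hsprof1"] \
    use-radius=yes \
    login-by=mac,http-chap \
    mac-auth-mode=mac-as-username-and-password

# Confirm the result
/ip hotspot profile print detail where name="hsprof1"
```

With `mac-as-username-and-password`, the router sends the client MAC in `User-Name`, `User-Password` and `Calling-Station-Id`, which is exactly what the debug output later in the post shows.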
2# FREERADIUS POST-AUTH Configuration
Edit the `/etc/freeradius/sites-enabled/default` file:

```
nano /etc/freeradius/sites-enabled/default
```

Go to the `post-auth` section and add the following SQL query. As an example, I am pasting the full `post-auth` section:

```
### ZAIB radpost-auth section Starts from here ##
post-auth {
        exec
        # Runs only for requests that are being rejected
        Post-Auth-Type REJECT {
                update reply {
                        Reply-Message = 'Wrong Password'
                }
                # This is our query to check if MAC address found in username section, you can make your own table, zaib
                sql
                # %{SQL-User-Name} is the username as escaped by rlm_sql; %{User-Name} would go into the query unescaped
                if ("%{sql:SELECT COUNT(username) FROM users WHERE username = '%{SQL-User-Name}'}" > 0) {
                        ok
                }
                else {
                        reject
                }
                attr_filter.access_reject
        }
}
### ZAIB radpost-auth section ENDS Here ##
```
Insert the USER record in the RADCHECK and USERS tables
[You can modify the following section, or the SQL query above, to match your needs.]
Log in to MySQL and select the RADIUS DB.
Now insert a test user in the USERS and RADCHECK tables (replace the MAC address with your own test device's MAC address):

```sql
-- Identifiers are quoted with backticks, not single quotes
INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`)
VALUES (1, '2C:44:FD:68:C0:18', 'Cleartext-Password', ':=', '2C:44:FD:68:C0:18');

INSERT INTO `users` (`id`, `username`, `password`, `firstname`, `lastname`, `email`, `mobile`, `cnic`, `srvname`, `srvid`, `expiration`, `mac`, `macvendor`, `bwpkg`, `pool`, `is_enabled`, `is_days_expired`, `is_qt_expired`, `is_uptime_expired`, `qt_total`, `qt_used`, `uptime_limit`, `uptime_used`, `owner`, `vlanid`, `nas_id`, `createdon`)
VALUES (1, '2C:44:FD:68:C0:18', '2C:44:FD:68:C0:18', 'firstname', 'lastname', 'aacable@hotmail.com', '345345345', '242342420424-42-2', '2mb', 0, '2017-01-06', '2C:44:FD:68:C0:18', 'Hewlett Packard', '2048k/2048k', 'private-pool', 1, 1, 0, 0, '200', '12121613', '', '', 'zaib', '', NULL, '2018-07-24 05:30:21');
```
Test Ride …
Now connect your test device. In the FreeRADIUS debug output (`freeradius -X`) you should see something like this:
```
rad_recv: Access-Request packet from host 101.11.50.50 port 40624, id=58, length=218
	NAS-Port-Type = Ethernet
	Calling-Station-Id = "2C:44:FD:68:C0:18"
	Called-Station-Id = "hotspot1"
	NAS-Port-Id = "ether10-lan"
	User-Name = "2C:44:FD:68:C0:18"
	NAS-Port = 2159017996
	Acct-Session-Id = "80b0000c"
	Framed-IP-Address = 192.168.88.2
	Mikrotik-Host-IP = 192.168.88.2
	User-Password = "2C:44:FD:68:C0:18"
	Service-Type = Login-User
	WISPr-Logoff-URL = "http://192.168.88.1/logout"
	NAS-Identifier = "XYZ_RB3011_TEST"
	NAS-IP-Address = 101.11.50.50
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
[sql] 	expand: %{User-Name} -> 2C:44:FD:68:C0:18
[sql] sql_set_user escaped user --> '2C:44:FD:68:C0:18'
rlm_sql (sql): Reserving sql socket id: 30
[sql] 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2C:44:FD:68:C0:18' ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '2C:44:FD:68:C0:18' ORDER BY id
[sql] 	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '2C:44:FD:68:C0:18' ORDER BY priority
rlm_sql (sql): Released sql socket id: 30
++[sql] = ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
++[logintime] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
++[expiration] = noop
++? if (userlock)
? Evaluating (userlock) -> FALSE
++? if (userlock) -> FALSE
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 58 to 101.11.50.50 port 40624
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
```
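To make the two checks this setup rests on concrete, here is an added example (my code, not from the original post or from FreeRADIUS): it replays the Access-Request attributes from the debug output above, verifies that `User-Name` and `User-Password` really are the calling station's MAC (what MAC-as-username-and-password mode should produce), and then runs the post-auth `COUNT(username)` lookup against the radcheck table. An in-memory SQLite database stands in for the MySQL `radius` database; the table layout and the test MAC are the ones used in the post, and the lookup is written as a parameterized query rather than interpolating the username into the SQL text. The `decide()` function, the sample dump and the table contents are constructed for this example.

```python
"""Added example, not from the original post: replay the Access-Request from the
FreeRADIUS debug output and reproduce the MAC-login checks against a radcheck table."""
import re
import sqlite3

# Constructed sample: the attribute lines of the Access-Request shown in the debug dump.
DEBUG_DUMP = """\
rad_recv: Access-Request packet from host 101.11.50.50 port 40624, id=58, length=218
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "2C:44:FD:68:C0:18"
        Called-Station-Id = "hotspot1"
        NAS-Port-Id = "ether10-lan"
        User-Name = "2C:44:FD:68:C0:18"
        NAS-Port = 2159017996
        Acct-Session-Id = "80b0000c"
        Framed-IP-Address = 192.168.88.2
        Mikrotik-Host-IP = 192.168.88.2
        User-Password = "2C:44:FD:68:C0:18"
        Service-Type = Login-User
        WISPr-Logoff-URL = "http://192.168.88.1/logout"
        NAS-Identifier = "XYZ_RB3011_TEST"
        NAS-IP-Address = 101.11.50.50
"""

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"?([^"]*)"?\s*$')
MAC_RE = re.compile(r'^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$')


def parse_access_request(dump):
    """Return the attribute/value pairs of one request from `freeradius -X` output."""
    attrs = {}
    for line in dump.splitlines():
        if line.startswith("rad_recv:") or not line.strip():
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def normalize_mac(mac):
    """Canonical form used in the post's tables: upper case, colon separated; None if not a MAC."""
    if not MAC_RE.match(mac or ""):
        return None
    return mac.upper()


def mac_login_consistent(attrs):
    """True only when User-Name and User-Password both equal the Calling-Station-Id MAC."""
    mac = normalize_mac(attrs.get("Calling-Station-Id"))
    return (mac is not None
            and normalize_mac(attrs.get("User-Name")) == mac
            and normalize_mac(attrs.get("User-Password")) == mac)


def build_radius_db():
    """In-memory stand-in for the MySQL radius DB, seeded with the post's radcheck test row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
               "attribute TEXT, op TEXT, value TEXT)")
    db.execute("INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
               ("2C:44:FD:68:C0:18", "Cleartext-Password", ":=", "2C:44:FD:68:C0:18"))
    return db


def mac_known(db, mac):
    """The post-auth COUNT(username) lookup, as a parameterized query."""
    row = db.execute("SELECT COUNT(username) FROM radcheck WHERE username = ?", (mac,)).fetchone()
    return row[0] > 0


def decide(db, dump):
    """'accept' for a well-formed MAC login of a MAC present in radcheck, otherwise 'reject'."""
    attrs = parse_access_request(dump)
    if not mac_login_consistent(attrs):
        return "reject"
    return "accept" if mac_known(db, normalize_mac(attrs["User-Name"])) else "reject"


if __name__ == "__main__":
    db = build_radius_db()
    print(decide(db, DEBUG_DUMP))  # the post's test MAC: accept
    # Same request from a device that has no radcheck row: reject
    print(decide(db, DEBUG_DUMP.replace("2C:44:FD:68:C0:18", "AA:BB:CC:DD:EE:01")))
```

The consistency check is the part the post's configuration does not do: in MAC login mode nothing stops a client from presenting any MAC it likes, so a mismatch between `User-Name` and `Calling-Station-Id`, or a username that is not a MAC at all, is worth logging on the RADIUS side even when the password happens to match.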
Regards,
Syed Jahanzaib
[…] FREERADIUS WITH MIKROTIK – Part #18 – MAC Login for Hotspot Users […]
Pingback by Mikrotik with Freeradius/mySQL # Part-1 | Syed Jahanzaib Personal Blog to Share Knowledge ! — July 24, 2018 @ 1:01 PM
Dear Sir,
Hope you are always fine. I informed you that now I don't have my business. I already told you the reason about my problem. I could effort myself all tried to save my only one earning resources but I failed to protect. Last time when I was only 60 users rest although attacked still continues. Now I don't have any work to survive on earth whatever now my situation is better than previous because I never thought that my compensation or penalty ever be stopped so each and every month I took loss and huge debt money increased. I respected you from bottom of my heart. I could gain from your online about topic and solution in Mikrotik, Linux and Cisco.
I knew that my life from IT or my educational background basis professional doing option leaved furthermore if I don't see any loss and without take undergo penalty in future then I should do another something to survive.
Thanks
Md Iqbal
Iqbal10000@yahoo.com
Comment by dewanonlinebd — August 7, 2018 @ 2:58 AM
Hi Zaib, can you please explain in a little more detail how this SQL query is checking for the availability of the MAC address in the users table? We are talking about guests, and we need to capture their MAC address on the fly (maybe from the first-time login at the login page) and then somehow make that MAC address go into the SQL users table as the username with the MAC address as the password. Yes, MT will be sending the MAC address as username/password to RADIUS, but I am trying to understand what this will get checked against, unless either someone manually adds those MAC addresses as accounts or this gets done by some SQL script. I do see you have added one MAC address account manually, but how will we get that auto-populated for the auto-login function? Thanks much and God bless.
Comment by dpsguard — September 13, 2020 @ 8:46 AM