FREERADIUS WITH MIKROTIK – Part #1 – General Tip’s Click here to read more on FR tutorials …
Disclaimer! This is important!
Every Network is different , so one solution cannot be applied to all. Therefore try to understand the logic & create your own solution as per your network scenario. Just dont follow copy paste.
If anybody here thinks I am an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.
So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and always try to help others.
~ FreeRADIUS is a Dark Art ~
Regard's Syed Jahanzaib~
Scenario:
We have a Mikrotik routerboard working as a HOTSPOT & PPPoE server for local users. Freeradius is configured as billing system.
Requirements:
We want to restrict users connection based on there service type.
Example
- User1 is allowed to connect from PPPoE Dialer Only,
- User2 is allowed to connect from HOTSPOT web login only,
Since we have our own freeradius build setup which has USERS table with various columns therefore we will manipulate this table and use the SQL famous IF statements in the AUTHORIZE section to fulfill our requirements.
the USERS table contains various information for users, Sample is attached below ,
We will be using two columns to match user connection verification,
- SRVTYPE
- SRVTYPE_DESCR
- SRVTYPE variable will be used to match if the requesting user have correct service type
- if NOT matched then show SRVTYPE_DESCR variable which is actually a friendly version for display purpose in
REPLYattribute 🙂
1# FREERADIUS AUTHORIZE Section Configuration
Edit `/etc/freeradius/sites-enabled/default` file
nano /etc/freeradius/sites-enabled/default
Use the following in AUTHORIZE section ,
if ("%{sql: select srvtype from users where username = '%{User-Name}'}" != "%{Service-Type}") {
update reply {
Reply-Message = "Error: %{User-Name} is allowed to connect from %{sql:SELECT srvtype_descr from users where username = '%{User-Name}';} only!"
}
update control {
Auth-Type := "Reject"
}
}
Test Ride …
From Hotspot ID, try to dial via pppoe dialer,
Sending Access-Reject of id 150 to 101.11.50.50 port 51555 Reply-Message = "Error: 2C:44:FD:68:C0:18 is allowed to connect from Hotspot only!"
Now using PPPOE account, try to login via hotspot login page,
Sending Access-Reject of id 145 to 101.11.50.50 port 52841 Reply-Message = "Error: test is allowed to connect from PPP Dialer only!"
Syed Jahanzaib - Personal Blog to Share Knowledge ! 
[…] FREERADIUS WITH MIKROTIK – Part #19 – Restricting user by Service Type […]
LikeLike
Pingback by Mikrotik with Freeradius/mySQL # Part-1 | Syed Jahanzaib Personal Blog to Share Knowledge ! — July 24, 2018 @ 2:33 PM