Notes: MikroTik Radius Configuration with FreeRADIUS


note from:

https://systemzone.net/mikrotik-radius-configuration-with-freeradius/

Intro

FreeRADIUS is a high-performance RADIUS suite that provides authentication, authorization and accounting (AAA) for a large number of network devices, including MikroTik routers. Although MikroTik has its own User Manager RADIUS service for authentication, authorization and accounting, it cannot be customized freely and is not suitable for medium to large organizations.

On the other hand, freeRADIUS can be customized freely according to your organization's requirements. But the customization has to be done by you.

In this article, I will show how to connect a MikroTik Router to a freeRADIUS Server and authenticate MikroTik logins against freeRADIUS users.

In this network, the MikroTik Router's WAN interface (ether1) is connected to the internet through a WAN distribution switch and has the IP address 192.168.40.8/25. The router also has a LAN network, 10.10.60.0/24. The freeRADIUS Server is also connected to the internet through the WAN switch and has the IP address 192.168.40.10. So, the MikroTik Router can reach the freeRADIUS Server through its WAN interface and the WAN switch.

In this article, we will configure MikroTik so that the MikroTik Router can request login user authentication and authorization from the freeRADIUS Server. We will also configure freeRADIUS so that it accepts the MikroTik authentication requests and authenticates users from its user database with the proper authorization.

MikroTik Router Radius Configuration

The following steps will show how to do basic configuration in your MikroTik Router.

Log in to your MikroTik Router using Winbox with a full-permission user.

  1. Go to the IP > Addresses menu item. The Address List window will appear. Click on the PLUS SIGN (+). The New Address window will appear.
  2. Add the WAN interface address. Put the RouterOS WAN IP (192.168.40.8/25) in the Address input field, choose the WAN interface (ether1) from the Interface dropdown menu, then click the Apply and OK buttons.
  3. Add the LAN interface address. Click on the PLUS SIGN (+) again, put the LAN gateway IP (10.10.60.1/24) in the Address input field, choose the LAN interface (ether2) from the Interface dropdown menu, then click the Apply and OK buttons.
  4. Now go to IP > DNS and put your DNS server IP (public DNS IP: 8.8.8.8 or 8.8.4.4) in the Servers input field, then click the Apply and OK buttons.
  5. Set the gateway. Go to IP > Routes and click on the PLUS SIGN (+). The New Route window will appear.
  6. Click on the Gateway input box, put your internet gateway IP (192.168.40.1) in the Gateway input field, then click the Apply and OK buttons.
  7. Set up the firewall. Go to IP > Firewall and click on the NAT tab. Now click on the PLUS SIGN (+). The New NAT Rule window will appear. Under the General tab, choose srcnat from the Chain dropdown menu. Under the Action tab, choose masquerade from the Action dropdown menu. Click the Apply and OK buttons.

MikroTik Router basic configuration has been completed.

Now your MikroTik can reach the internet as well as the freeRADIUS Server. Ping your DNS server and the freeRADIUS server from the Winbox CLI. If everything is OK, both pings will succeed. Now we will configure MikroTik RADIUS to communicate with the freeRADIUS Server.

MikroTik RADIUS Configuration

The following steps will show how to configure the MikroTik RADIUS client to communicate with the freeRADIUS Server.

  1. Click on the Radius menu item in the Winbox menu bar. The Radius window will appear.
  2. Click on the PLUS SIGN (+). The New Radius Server window will appear.
  3. Tick the login checkbox in the Service panel.
  4. Put the freeRADIUS server IP address (192.168.40.10) in the Address input field.
  5. Put a shared secret (such as SystemZone) in the Secret input field. This secret must be the same in the freeRADIUS client configuration.

Click Apply and OK button.

Enabling Login User Authentication and Authorization from freeRADIUS Server

  1. Go to System > Users menu item from Winbox.
  2. Click on AAA button. Login Authentication and Accounting window will appear.
  3. Tick the Use RADIUS checkbox. Click the Apply and OK buttons.

Radius configuration in MikroTik Router has been completed.

FreeRADIUS Client and User Configuration

Log in to your freeRADIUS server as root and make sure your working directory is /etc/raddb.

[root@freeradius raddb]# cd /etc/raddb
[root@freeradius raddb]# ls

Open the clients.conf file

vim clients.conf

and enter the following entry at the bottom of the clients.conf file.

client mikrotik-router {
    ipaddr  = 192.168.40.8
    secret = SystemZone
    nas_type = other
}

Define a freeRADIUS user who will be able to log in to the MikroTik Router. Open the users file

vim users

On macOS, edit this file instead:

etc/raddb/mods-config/files/authorize

and add the following lines at the top of the users file. Make sure that the second line is indented by a single tab character.

"bob" Cleartext-Password := "password"
	MikroTik-Group := "write"

On macOS, use this entry in that file:

"testing" Cleartext-Password := "password"
	MikroTik-Group := "write"

You can add as many users as you need by repeating this step.
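As an added example (not code from the original article or from FreeRADIUS), this Python helper builds the clients.conf and users entries above and lints a users fragment for the two mistakes the format punishes: typographic quotes and a reply item that is not tab-indented; the minimum secret length is an assumed local policy, not a FreeRADIUS rule.

```python
# Added helper for the clients.conf / users entries used for MikroTik login.
CURLY = "\u201c\u201d\u2018\u2019"

# Constructed sample: the users entry as it often arrives by copy-paste,
# with typographic quotes and the reply line not indented.
BROKEN_USERS = (
    "\u201cbob\u201d Cleartext-Password := \u201cpassword\u201d\n"
    "MikroTik-Group := \u201cwrite\u201d\n"
)


def client_entry(name: str, ipaddr: str, secret: str) -> str:
    """clients.conf block for the NAS (the MikroTik router)."""
    return (f"client {name} {{\n    ipaddr = {ipaddr}\n"
            f"    secret = {secret}\n    nas_type = other\n}}\n")


def users_entry(name: str, password: str, group: str) -> str:
    """users entry: check item on line 1, reply item tab-indented on line 2."""
    return f'"{name}" Cleartext-Password := "{password}"\n\tMikroTik-Group := "{group}"\n'


def lint_users(text: str) -> list:
    """Report problems in a users fragment. A line starting in column 0 is
    parsed as a new entry whose first token is the user name, so an
    unindented reply item silently becomes a bogus user 'MikroTik-Group'."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if any(c in line for c in CURLY):
            problems.append(f'line {n}: typographic quotes; use straight " quotes')
        if line[0] not in " \t" and "Cleartext-Password" not in line:
            problems.append(f"line {n}: '{line.split()[0]}' would start a new "
                            "user entry; indent reply items with a tab")
    return problems


def lint_secret(secret: str, min_len: int = 16) -> list:
    """RADIUS only obfuscates User-Password with MD5 keyed by this secret, so a
    short secret can be guessed offline from captured packets. min_len is an
    assumed local policy."""
    if len(secret) < min_len:
        return [f"secret is {len(secret)} chars; use at least {min_len}"]
    return []


if __name__ == "__main__":
    print(client_entry("mikrotik-router", "192.168.40.8", "SystemZone"))
    print(users_entry("bob", "password", "write"))
    print(lint_users(BROKEN_USERS))
    print(lint_secret("SystemZone"))
```

After writing the entries, `radiusd -C` checks that the configuration parses before you reload the server.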

Reload the freeRADIUS server.

FreeRADIUS client and user configuration has been completed.

Verification

Now open Winbox and log in with the freeRADIUS user (bob, with the password defined above). If everything is OK, you will be able to log in to your MikroTik Router with freeRADIUS user credentials.