note: systemzone.net/freeradius-…
How to configure a freeRADIUS user profile to apply user limitations more efficiently
We will create the following three profiles for MikroTik PPPoE users.
Profile Name   Bandwidth   IP Pool
512k_Profile   512 kbps    512k_pool
1M_Profile     1 Mbps      1M_pool
2M_Profile     2 Mbps      2M_pool
Creating User Limitation with Group Management
In freeRADIUS, a group is used to hold the check and reply attributes that actually apply the user limitations. The radgroupcheck table holds the check AVPs and the radgroupreply table holds the reply AVPs. As we are creating three user profiles, we also have to create three groups.
Group Name   Check AVPs               Reply AVPs
512k         Framed-Protocol == PPP   Mikrotik-Rate-Limit (512 kbps) and Framed-Pool (IP address for the client from 512k_pool)
1M           Framed-Protocol == PPP   Mikrotik-Rate-Limit (1 Mbps) and Framed-Pool (IP address for the client from 1M_pool)
2M           Framed-Protocol == PPP   Mikrotik-Rate-Limit (2 Mbps) and Framed-Pool (IP address for the client from 2M_pool)
The radgroupcheck table contains the group check AVPs, so we have to insert the group check AVP Framed-Protocol into the radgroupcheck table. The following steps show how.
- Log in to your freeRADIUS server (I have installed the freeRADIUS server on CentOS 7 with MariaDB as the database server) as the root user.
- Now log in to your database server and select your RADIUS database (radius), using your own database username and password.
- Issue the following commands to insert the Framed-Protocol check AVP for the 512k, 1M and 2M groups. As we are creating profiles for MikroTik PPPoE users, the value of the Framed-Protocol attribute should be PPP. Note that a radgroupcheck item is a matching condition, not an authorization gate: if a request arrives without Framed-Protocol = PPP, the group is simply skipped, and a user with a correct password is still accepted, only without the group's reply attributes (no pool and no rate limit).
insert into radgroupcheck (groupname,attribute,op,value) values ("512k","Framed-Protocol","==","PPP");
insert into radgroupcheck (groupname,attribute,op,value) values ("1M","Framed-Protocol","==","PPP");
insert into radgroupcheck (groupname,attribute,op,value) values ("2M","Framed-Protocol","==","PPP");
We will now insert the group reply AVPs into the radgroupreply table. Framed-Pool names the address pool the MikroTik NAS should allocate from, and Mikrotik-Rate-Limit carries a MikroTik rate string of the form rx-rate/tx-rate rx-burst-rate/tx-burst-rate rx-burst-threshold/tx-burst-threshold rx-burst-time/tx-burst-time, so "512k/512k 1M/1M 512k/512k 40/40" means a 512k limit with a 1M burst allowed for up to 40 seconds once the average rate is below 512k. The following commands insert the reply AVPs.
insert into radgroupreply (groupname,attribute,op,value) values ("512k","Framed-Pool","=","512k_pool");
insert into radgroupreply (groupname,attribute,op,value) values ("1M","Framed-Pool","=","1M_pool");
insert into radgroupreply (groupname,attribute,op,value) values ("2M","Framed-Pool","=","2M_pool");
insert into radgroupreply (groupname,attribute,op,value) values ("512k","Mikrotik-Rate-Limit","=","512k/512k 1M/1M 512k/512k 40/40");
insert into radgroupreply (groupname,attribute,op,value) values ("1M","Mikrotik-Rate-Limit","=","1M/1M 2M/2M 1M/1M 40/40");
insert into radgroupreply (groupname,attribute,op,value) values ("2M","Mikrotik-Rate-Limit","=","2M/2M 4M/4M 2M/2M 40/40");
Assigning Group to a Profile Holder User
After creating the groups, it is time to assign each group to a user. As discussed earlier, a freeRADIUS profile is a user that has no entry in the radcheck and radreply tables. So our three profiles (512k_Profile, 1M_Profile and 2M_Profile) are logical users, and we assign them to their groups through the radusergroup table as follows.
insert into radusergroup (username,groupname,priority) values ("512k_Profile","512k",10);
insert into radusergroup (username,groupname,priority) values ("1M_Profile","1M",10);
insert into radusergroup (username,groupname,priority) values ("2M_Profile","2M",10);
Assigning Created Profile to Users
After creating the user profiles, we can create as many users as we want and assign each one a profile with the User-Profile control attribute, which is what applies the limitations. The radcheck table holds the user check attributes, so to create a user we insert the username and password, together with any other check attributes, into radcheck. In this article we will create three users (bob, alice and tom) and assign their profiles through radcheck. Keep in mind that Cleartext-Password stores the password unencrypted in the database, so restrict access to the radius database and its backups. FreeRADIUS also accepts hashed forms (for example Crypt-Password, SSHA-Password or NT-Password), but CHAP needs the clear-text password and MS-CHAP needs either Cleartext-Password or NT-Password, and those are the methods PPPoE clients usually negotiate. The following commands insert the user check attributes into radcheck.
insert into radcheck (username,attribute,op,value) values ("bob","Cleartext-Password",":=","passme");
insert into radcheck (username,attribute,op,value) values ("alice","Cleartext-Password",":=","passme");
insert into radcheck (username,attribute,op,value) values ("tom","Cleartext-Password",":=","passme");
insert into radcheck (username,attribute,op,value) values ("bob","User-Profile",":=","512k_Profile");
insert into radcheck (username,attribute,op,value) values ("alice","User-Profile",":=","1M_Profile");
insert into radcheck (username,attribute,op,value) values ("tom","User-Profile",":=","2M_Profile");
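To see how the rows above fit together, here is an added example (not code from the original article or from FreeRADIUS) that loads the article's inserts into an in-memory SQLite database with the same table and column names and resolves a request the way rlm_sql does: radcheck for the user, then the groups of the user, then the groups of the User-Profile "logical user", taking reply items only from groups whose radgroupcheck items match. The lookup logic is a simplified re-implementation, not FreeRADIUS' own code; it assumes only the "==" check operator and the "=" and ":=" reply operators used on this page, and it folds in the PAP password comparison that rlm_pap normally performs. It also shows the edge case mentioned above: a request without Framed-Protocol = PPP is accepted with no pool and no rate limit.

```python
"""Added example: model of rlm_sql's User-Profile -> radusergroup ->
radgroupcheck / radgroupreply resolution over the article's rows."""
import sqlite3

# Same table and column names as the FreeRADIUS SQL schema (types simplified).
SCHEMA = """
CREATE TABLE radcheck      (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
"""

# The article's inserts, with straight quotes and the duplicate 512k row dropped.
ROWS = """
INSERT INTO radgroupcheck VALUES ('512k','Framed-Protocol','==','PPP');
INSERT INTO radgroupcheck VALUES ('1M','Framed-Protocol','==','PPP');
INSERT INTO radgroupcheck VALUES ('2M','Framed-Protocol','==','PPP');
INSERT INTO radgroupreply VALUES ('512k','Framed-Pool','=','512k_pool');
INSERT INTO radgroupreply VALUES ('1M','Framed-Pool','=','1M_pool');
INSERT INTO radgroupreply VALUES ('2M','Framed-Pool','=','2M_pool');
INSERT INTO radgroupreply VALUES ('512k','Mikrotik-Rate-Limit','=','512k/512k 1M/1M 512k/512k 40/40');
INSERT INTO radgroupreply VALUES ('1M','Mikrotik-Rate-Limit','=','1M/1M 2M/2M 1M/1M 40/40');
INSERT INTO radgroupreply VALUES ('2M','Mikrotik-Rate-Limit','=','2M/2M 4M/4M 2M/2M 40/40');
INSERT INTO radusergroup VALUES ('512k_Profile','512k',10);
INSERT INTO radusergroup VALUES ('1M_Profile','1M',10);
INSERT INTO radusergroup VALUES ('2M_Profile','2M',10);
INSERT INTO radcheck VALUES ('bob','Cleartext-Password',':=','passme');
INSERT INTO radcheck VALUES ('alice','Cleartext-Password',':=','passme');
INSERT INTO radcheck VALUES ('tom','Cleartext-Password',':=','passme');
INSERT INTO radcheck VALUES ('bob','User-Profile',':=','512k_Profile');
INSERT INTO radcheck VALUES ('alice','User-Profile',':=','1M_Profile');
INSERT INTO radcheck VALUES ('tom','User-Profile',':=','2M_Profile');
"""


def build_db():
    """Create the radius tables in memory and load the article's rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + ROWS)
    return conn


def checks_match(request, check_items):
    """Group check items are conditions on the request; every '==' item must hold.
    (Assumption: only '==' is modelled, the sole check operator on the page.)"""
    return all(request.get(attr) == value
               for attr, op, value in check_items if op == "==")


def add_reply(reply, attr, op, value):
    """':=' always sets the attribute; '=' only adds it when not already present."""
    if op == ":=" or attr not in reply:
        reply[attr] = value


def apply_groups(conn, name, request, reply):
    """Merge reply items from each group of `name` whose check items match.
    A group whose checks fail is skipped, not rejected: the user is still
    accepted, only without that group's Framed-Pool and Mikrotik-Rate-Limit."""
    groups = conn.execute("SELECT groupname FROM radusergroup WHERE username=? "
                          "ORDER BY priority", (name,)).fetchall()
    for (group,) in groups:
        checks = conn.execute("SELECT attribute, op, value FROM radgroupcheck "
                              "WHERE groupname=?", (group,)).fetchall()
        if not checks_match(request, checks):
            continue
        for attr, op, value in conn.execute(
                "SELECT attribute, op, value FROM radgroupreply WHERE groupname=?",
                (group,)):
            add_reply(reply, attr, op, value)


def authorize(conn, request):
    """Return (accepted, reply_attributes) for a request dict carrying
    User-Name, User-Password and, for PPPoE, Framed-Protocol.
    Simplified: the PAP comparison done by rlm_pap in real FreeRADIUS is folded in."""
    user = request["User-Name"]
    control = {attr: value for attr, _op, value in conn.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username=?", (user,))}
    if "Cleartext-Password" not in control:
        return False, {}                      # unknown user -> Access-Reject
    if control["Cleartext-Password"] != request.get("User-Password"):
        return False, {}                      # wrong password -> Access-Reject
    reply = {}
    apply_groups(conn, user, request, reply)  # groups assigned to the user itself
    if "User-Profile" in control:             # then the profile's groups
        apply_groups(conn, control["User-Profile"], request, reply)
    return True, reply


if __name__ == "__main__":
    db = build_db()
    ppp = {"User-Name": "bob", "User-Password": "passme", "Framed-Protocol": "PPP"}
    print(authorize(db, ppp))                 # pool and rate limit applied
    print(authorize(db, {"User-Name": "bob", "User-Password": "passme"}))  # accepted, unlimited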
FreeRADIUS User Profile Testing with radtest Program
We will now test the user profile configuration with the radtest program. Issue the following command to log in as bob and check his reply attributes. The arguments are user, password, server, NAS-Port, shared secret and the ppphint flag: the trailing 1 makes radtest add Framed-Protocol = PPP to the request, without which the 512k group's check item would not match. testing123 is the default secret for the localhost client in clients.conf and should be changed on any server that is not a throwaway test box.
[root@freeradius ~]# radtest bob passme 127.0.0.1 100 testing123 1
Sent Access-Request Id 14 from 0.0.0.0:41714 to 127.0.0.1:1812 length 79
User-Name = "bob"
User-Password = "passme"
NAS-IP-Address = 192.168.40.10
NAS-Port = 100
Message-Authenticator = 0x00
Framed-Protocol = PPP
Cleartext-Password = "passme"
Received Access-Accept Id 14 from 127.0.0.1:1812 to 0.0.0.0:0 length 152
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Framed-Pool = "512k_pool"
Mikrotik-Rate-Limit = "512k/512k 1M/1M 512k/512k 40/40"