RADIUS authentication and accounting gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. MikroTik RouterOS has a RADIUS client which can authenticate for
- HotSpot,
- PPP,
- PPPoE,
- PPTP,
- L2TP and
- ISDN connections.
The attributes received from the RADIUS server override the ones set in the default profile.
If RADIUS accounting is enabled, accounting information is also sent to the RADIUS server that is the default for that service; otherwise, traffic is accounted locally with MikroTik Traffic Flow and Cisco IP pairs, and a snapshot image can be gathered using Syslog utilities.
Example
To setup a RADIUS Client for HotSpot and PPP services that will authenticate against a RADIUS Server (10.0.0.3), you need to do the following:
[admin@MikroTik] > /radius add service=hotspot,ppp address=10.0.0.3 secret=ex
Then view the result of the command:
[admin@MikroTik] > /radius print
Flags: X - disabled
# SERVICE CALLED-ID DOMAIN ADDRESS SECRET
0 ppp,hotspot 10.0.0.3 ex
called-id (string; Default: ) Value depends on the Point-to-Point protocol: PPPoE - service name; PPTP, L2TP - server's IP address
To setup a RADIUS Client with RadSec protocols, you need to do the following:
[admin@MikroTik] > /radius add service=hotspot,ppp address=10.0.0.3 secret=radsec protocol=radsec certificate=client.crt
Then view the result of the command:
[admin@MikroTik] > /radius print
Flags: X - disabled
# SERVICE CALLED-ID DOMAIN ADDRESS SECRET
0 ppp,hotspot 10.0.0.3 radsec
To view RADIUS Client statistics, you need to do the following:
[admin@MikroTik] > /radius monitor 0
pending: 0
requests: 10
accepts: 4
rejects: 1
resends: 15
timeouts: 5
bad-replies: 0
last-request-rtt: 0s
Make sure you enable RADIUS authentication for the PPP:
/ppp aaa set use-radius=yes
Make sure you enable RADIUS authentication for the hotspot:
/ip hotspot profile set default use-radius=yes
Connection Terminating from RADIUS
Sub-menu:
/radius incoming
Unsolicited
This facility supports unsolicited messages sent from the RADIUS server. Unsolicited messages extend the RADIUS protocol with commands that allow the RADIUS server to terminate a session that has already been connected. For this purpose Disconnect-Messages are used; a Disconnect-Message causes the user session to be terminated immediately.
Properties
accept (yes | no; Default: no) Whether to accept the unsolicited messages
port (integer; Default: 1700) The port number to listen for the requests on
RADIUS Disconnect and Change of Authorization (CoA, according to RFC 3576) are supported as well. The following attributes may be changed by a CoA request from the RADIUS server:
Mikrotik-Group
Mikrotik-Recv-Limit
Mikrotik-Xmit-Limit
Mikrotik-Rate-Limit
Ascend-Data-Rate (only if Mikrotik-Rate-Limit is not present)
Ascend-XMit-Rate (only if Mikrotik-Rate-Limit is not present)
Mikrotik-Mark-Id
Filter-Id
Mikrotik-Advertise-Url
Mikrotik-Advertise-Interval
Session-Timeout
Idle-Timeout
Port-Limit
Note that it is not possible to change the IP address, pool or routes that way; for such changes the user must be disconnected first.
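The Disconnect-Message exchange described above, as an added Python example (not RouterOS code or MikroTik's own): it builds a Disconnect-Request the way a RADIUS server would send it to the router's listener on port 1700, shows the authenticator check the receiving side performs with the shared secret before acting (so a request from a sender without the secret is rejected), and validates the Disconnect-ACK/NAK that comes back. The secret `ex` is taken from the example above; the user name and session id are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS Dynamic Authorization codes (RFC 5176, which obsoletes RFC 3576)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID = 1, 44  # standard attribute types

def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLV attributes (type, length, value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def build_disconnect_request(secret, ident, pairs):
    """Disconnect-Request as the RADIUS server sends it to the router's /radius incoming port.
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = _attrs(pairs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_disconnect_request(secret, packet):
    """The check the receiving side performs before tearing down a session: recompute the
    authenticator with the shared secret; a sender without the secret cannot produce it."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_response(secret, request, code, pairs=()):
    """Disconnect-ACK/NAK: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _attrs(pairs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def response_code(secret, request, response):
    """Return the response code (41 = ACK, 42 = NAK) only if its authenticator binds it to our request."""
    if len(response) < 20:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None

# Constructed sample: secret "ex" from the example above, user "alice", a made-up Acct-Session-Id
SECRET = b"ex"
REQUEST = build_disconnect_request(SECRET, 7, [(ATTR_USER_NAME, b"alice"), (ATTR_ACCT_SESSION_ID, b"81000001")])
```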
| Property | Description |
|---|---|
| accounting-backup (yes \| no; Default: no) | |
| accounting-port (integer [1..65535]; Default: 1813) | RADIUS server port used for accounting. |
| address (IPv4/IPv6 address; Default: 0.0.0.0) | IPv4 or IPv6 address of the RADIUS server. |
| authentication-port (integer [1..65535]; Default: 1812) | RADIUS server port used for authentication. |
| called-id (string; Default: ) | Value depends on the Point-to-Point protocol: PPPoE - service name; PPTP, L2TP - server's IP address. |
| certificate (string; Default: ) | Certificate file to use for communicating with the RADIUS server when RadSec is enabled. |
| comment (string; Default: ) | |
| disabled (yes \| no; Default: no) | |
| domain (string; Default: ) | Microsoft Windows domain of the client, passed to RADIUS servers that require domain validation. |
| protocol (radsec \| udp; Default: udp) | |
| realm (string; Default: ) | Explicitly stated realm (user domain), so that users do not have to provide the proper ISP domain name in the user name. |
| secret (string; Default: ) | Shared secret used to access the RADIUS server. |
| service (ppp \| login \| hotspot \| wireless \| dhcp) | hotspot - HotSpot authentication service; login - router's local user authentication; ppp - Point-to-Point clients authentication; wireless - wireless client authentication (client's MAC address is sent as User-Name); dhcp - DHCP protocol client authentication (client's MAC address is sent as User-Name). |
| src-address (IPv4/IPv6 address; Default: 0.0.0.0) | Source IPv4/IPv6 address of the packets sent to the RADIUS server. |
| timeout (time; Default: 100ms) | Timeout after which the request should be resent. |