Using Freeradius with Mikrotik wireless routers

By | Mar 31, 2010 |

I inherited a wireless setup of three Mikrotik routers in the roof of a set of office suites in Cape Town, South Africa. They were connected to an ADSL router, but the owners problem was there was no accountability on usage.

Mikrotik

Mikrotik make a numberof Single-board computers, known as “Routerboard"s, and licence a proprietary operating system called RouterOS for use on these boards.

This was my first time to come across the Routerboards, and I like them. I was asked in because Mikrotik specialists in Cape Town are hard to find, and harder to schedule.

I looked around for solutions to his problem, and decided on a Freeradius installation on Ubuntu, backed up with a mysql database and Freeradius-dialupadmin as a web front end for management. I found no good documentation on a setup to handle my requirements, so I had to figure it out as I went along, and now I am writing it up for anyone else. I did find auseful article on a hotspot-style setup and another on the Mikrotik wiki, but nothing that used MACauthentication.

RouterOS will authenticate via RADIUS - Remote Authentication Dial In UserService - and 3.x versions of RouterOS will do accounting via RADIUS.

The existing setup used the (insecure) method of system identification via MAC address. It has the advantage of not requiring users to remember passwords, it just needs a list of the wireless MAC addresses.

RouterOS setup

Wireless clients need a number of things before they can use the Internet. They need an address, a default route, and nameservers. This is traditionally done via DHCP, and I saw no reason to change that. Even though the Mikrotik boxes can run a ‘hotspot’ - where they allocate IP addresses locally and ‘NAT’ the collective for the upstream routers, I decided there should be one DHCP server serving all clients. To accomplish this I bridged the wireless and wired interfaces on the Mikrotiks. The wired interface needs an IP address - I used an RFC1918 Class C network for everything. I put the Ubuntu server at 172.16.1.254, and the Mikrotik access points at 172.16.1.{1,2,3}. All the Mikrotiks need different IPs, and I also give them different names, so obviously those below will change between boxes. I had to upgrade two of the Mikrotik boxes to 3.X software as the 2.X software does not do radius accounting.

Mikrotiks have a command hierarchy - and easy help. I am using the export verb at the appropriate command level to show my configuration. I do not include default parameters, and I keep the long lines so they can be copy-pasted.

Wired interface

/ip addressadd interface=ether1 address=172.16.1.2/24

Wireless interface

The wireless network also needs setup. The interface name is wlan1, it should not authenticate by default (we need it to ask RADIUS that), it must be configured as an Access Point, and it needs an SSID that laptop users can identify with.

/interface wirelessset 0 name=wlan1 country="south africa" default-authentication=no default-forwarding=no  mode=ap-bridge security-profile=default ssid=TokaiSuites2 radio-name=tokaisuites2

Bridge the interfaces :-

/ interface bridgeadd name=bridge1/interface bridge portadd bridge=bridge1 interface=wlan1add bridge=bridge1 interface=ether1

Radius

We must instruct the wireless interface to use radius authentication and accounting, and we must tell it where to find the radius server (the IP address below). The Radius server and clients (the Mikrotik boxes) need a common secret, used to hash information in either direction. I enabled the incoming radius port, meaning that the radius server can contact the client as well. Normally the client initiates all exchanges.

/interface wireless security-profilesset default name=default radius-mac-accounting=yes radius-mac-authentication=yes/radiusadd service=wireless address=172.16.1.254  secret=whiteroad /radius incomingset accept=yes port=1700

Now we have 3 wireless access points, requesting authentication from a Radius server, allowing authenticated clients to make DHCP requests from their common wired interface, and passing accounting packets back to the same Radius server.

Radius server

I installed Ubuntu 9.10 with freeradius, freeradius-mysql,freeradius-dialupadmin, mysql, phpmyadmin and dhcp (out of repositories). Iinstall phpmyadmin with mysql - it is an excellent database administrator. I will not cover DHCP here - suffice it to say that it is a standard setup, with’range’ set to 172.16.1.20-172.16.1.250.

The main radius configuration file is/etc/freeradius/radiusd.conf - the only change needed here is to ensure that it includes sql.conf - by default that line is commented out.

$INCLUDE sql.conf

In sql.conf, set the database type to mysql, and set a custom mysql password for the radius user.

sql {       database = "mysql"       driver = "rlm_sql_${database}"       server = "localhost"       login = "radius"       password = "whiteroad"       ....}

Ubuntu has apache-style configuration directories/etc/freeradius/sites-available and/etc/freeradius/sites-enabled, and on installation two ‘sites’ are enabled, default and inner-tunnel. Keep it that way, and edit only /etc/freeradius/sites-available/default.

Mikrotik routers when using MAC radius authentication present the MAC address as the username with an empty password. We wish the MAC address to be looked up from the database. In /etc/freeradius/sites-available,uncomment “sql” in the “authorize” section, and comment out “pap” in the same section.

MySQL

We must now create all the necessary tables in mysql for radius to use. I am assuming mysql has been installed expressly for this purpose - if you are using mysql for other things you will know which instructions below to avoid. mysql on ubuntu comes with no root password in installation, we must create one, and that ‘radius’ database.

mysql -u rootmysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('wizzypassword');mysql> CREATE DATABASE radius;mysql> quit;

From here we can use the scripts provided in/etc/freeradius/sql/mysql. Edit admin.sql in that directory to set a custom password - for this discussion I will use wizzyradius.

mysql -u root -p < /etc/freeradius/sql/mysql/admin.sql

At the prompt, use the mysql root password above -wizzypassword.

mysql -uradius -p radius < schema.sql
mysql -uradius -p radius < nas.sql

At the prompt, use the radius user password above - wizzyradius.this sets up all the radius tables, and the optional nas table.

Now to add in a user for testing. It is easiest to use phpmyadmin, but I will do it from the command line here.

mysql -uradius -p radiusmysql> insert into radcheck (UserName, Attribute, op, Value ) values ( "00:11:22:33:44:55", "User-Password", "==", "");mysql> insert into usergroup ( UserName, GroupName) values ( "00:11:22:33:44:55", "wireless");mysql> insert into userinfo (UserName , Name) values ( "00:11:22:33:44:55", "Test User");mysql> quit;

With radius running, we can now test authentication with radius :-

echo "User-Name = '00:11:22:33:44:55',password=''" | /usr/bin/radclient 127.0.0.1 auth whiteroad

We are looking for a response code 2. To debug any steps with radius, stop radius, and start it with debugging.

/etc/init.d/freeradius stopfreeradius -X

If this works as above, you should be ready to test with the Mikrotiks.

Finally, let us throw freeradius-dialupadmin into the mix, to make things easier on the administration front. If you installed it above, apache would also have been installed. Symlink its configuration file into apache, like so:-

ln -s  /etc/freeradius-dialupadmin/apache2.conf /etc/apache2/conf.d/freeradius-dialupadmin.conf

and take a look at its configuration files in/etc/freeradius-dialupadmin/. The main one isadmin.conf. Just showing all the changes I made below, not all the variables in the file. I also commented out all references to ldap.

general_domain: whiteroad.local
general_finger_type:
general_radius_server_secret: whiteroad
#INCLUDE: /etc/freeradius-dialupadmin/naslist.conf# I keep the naslist in mysql
sql_server: 127.0.0.1
sql_username: radius
sql_password: whiteroad
sql_usergroup_table: radusergroup
sql_password_attribute: Cleartext-Password
general_test_account_login: 00:11:22:33:44:55
general_test_account_password:

Now, from http://172.16.1.254/freeradius-dialupadmin/ you should see the administration page, and in particular the user we added earlier. There are some useful cron scripts at/usr/share/freeradius-dialupadmin/bin/freeradius-dialupadmin.cron that I also installed to run as user radius.

If you need Mikrotik help in Cape Town, feel free to contact me.