daniel
TRANSCRIPT
![Page 1: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/1.jpg)
RADIUS- make life easier
by Daniel Starnowski
![Page 2: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/2.jpg)
About me
Daniel Starnowski Network administrator since 2000 MikroTik user since 2008 MikroTik Trainer since 2011 From Kraków, Poland
1038-1596 capital of Poland 2007 Mikrotik User Meeting
http://startik.net
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 2
![Page 3: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/3.jpg)
Outline
Introduction FreeRADIUS – quick install Example: login management Connecting do SQL database Short example: wireless Example: DHCP (and modifying SQL query) Hotspot: MAC authorization & HTML redirection How to create a management platform in PHP
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 3
![Page 4: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/4.jpg)
Introduction
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 4
![Page 5: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/5.jpg)
Introduction
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 5
![Page 6: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/6.jpg)
Introduction
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 6
![Page 7: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/7.jpg)
Introduction
More devices = more problems Inconsistent login configuration Authorization and queueing for
customers on the nearest router – very problematic and hard to manage
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 7
![Page 8: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/8.jpg)
RADIUS – the protocol
Remote Authentication Dial In User Service RFC 2865 uses UDP ports 1812 and 1813 AAA concept
Authentication Authorization Accounting
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 8
![Page 9: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/9.jpg)
RADIUS
One server can centralize all user accounts
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 9
![Page 10: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/10.jpg)
RADIUS – server, client, user
User (a computer) tries to connect to the gateway (ppp, hotspot, etc.) using username and password
Client (MikroTik) looks for the user in local database and if it fails – asks RADIUS server
Server – tell the client whether it should accept or reject the user
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 10
![Page 11: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/11.jpg)
RADIUS – request and response
username/passwordAccess-Request (1)
Access-Accept (2)
Access-Reject (3)
or
Request and response – single UDP packets
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 11
![Page 12: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/12.jpg)
Radius – the packet
Code, Identifier, Length
Authenticator
Type, Length, Value
Type, Length, Value
...
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 12
![Page 13: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/13.jpg)
FreeRADIUS – quick install
Installation of FreeRADIUS is really easy! Ubuntu: sudo apt-get install freeradius /etc/freeradius – directory with the settings clients.conf – the only file we need to edit:
client 192.168.255.1/32 {
secret = $3CR3T$TR1NG
shortname = MikroTik }
We specify addresses accepted by the server
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 13
![Page 14: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/14.jpg)
RADIUS – dictionaries
/usr/share/freeradius/ - dictionary files dictionary.rfc2865:
ATTRIBUTE User-Name 1 stringATTRIBUTE User-Password 2 string
encrypt=1ATTRIBUTE CHAP-Password 3 octetsATTRIBUTE NAS-IP-Address 4 ipaddrATTRIBUTE NAS-Port 5 integerATTRIBUTE Service-Type 6 integerATTRIBUTE Framed-Protocol 7 integerATTRIBUTE Framed-IP-Address 8 ipaddrATTRIBUTE Framed-IP-Netmask 9 ipaddr
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 14
![Page 15: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/15.jpg)
FreeRADIUS – quick install
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 15
![Page 16: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/16.jpg)
Example: login management
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 16
![Page 17: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/17.jpg)
Example: login management
File users in /etc/freeradius username Cleartext-Password := ”password”
User ”username” with password ”password” will be accepted by the router, with default group
username Cleartext-Password := ”password”Mikrotik-Group := ”write”,Another-Attr := ”a_value”
We can specify, what attributes the RADIUS server will give in the response
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 17
![Page 18: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/18.jpg)
Example: login management
Access-Request: Service-Type = Login-User User-Name = (name entered by user) User-Password = (encrypted password) Calling-Station-Id = (IP address of the user) NAS-Identifier = (system identity of client) NAS-IP-Address = (IP address of the client)
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 18
![Page 19: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/19.jpg)
Example: login management
Access-Accept If there was no configured parameters, the
accept packet has no ”attribute-value” fields example: Mikrotik-Group = ”write”
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 19
![Page 20: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/20.jpg)
Connecting to SQL database
sudo apt-get install mysql-server-5.1
sudo apt-get install freeradius-mysql
/etc/freeradius/sql/mysql/ - here are configuration files for Radius to work with SQL
mysql> CREATE DATABASE radius;
We import schema.sql (or just simply paste the commands from the file) to MySQL database
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 20
![Page 21: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/21.jpg)
Connecting to SQL database
Back to radiusd.conf – in the ”modules” section we enable (uncomment) the SQL module:# $INCLUDE sql.conf
In the sql.conf file:database = "mysql"server = "localhost"login = "db_user"password = "his_password"radius_db = "radius"
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 21
![Page 22: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/22.jpg)
Creating SQL entries
Instead of the users file - two tables: radcheck radreply
They look exactly the same! In radcheck – the conditions to be checked In radreply – the attributes sent with the reply
packet
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 22
![Page 23: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/23.jpg)
Creating SQL entries
mysql> show fields from radcheck;+-----------+------------------+| Field | Type |+-----------+------------------+| id | int(11) unsigned || username | varchar(64) || attribute | varchar(64) || op | char(2) || value | varchar(253) |+-----------+------------------+5 rows in set (0.00 sec)
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 23
![Page 24: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/24.jpg)
Creating SQL entries
INSERT INTO radcheck(username, attribute, op, value)VALUES('user','Cleartext-Password',':=','pass');
INSERT INTO radreply(username, attribute, op, value)VALUES('user','Mikrotik-Group',':=','write');
Exactly like in the users file: user Cleartext-Password := ”pass”
Mikrotik-Group := ”write”
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 24
![Page 25: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/25.jpg)
Short example: wireless
For wireless – RADIUS works similar to ”Access List” and ”Connect List” - decides, which stations can get to the registration table
Configured in the Security Profile ”Default Authenticate”
stops working!
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 25
![Page 26: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/26.jpg)
Short example: wireless
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 26
![Page 27: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/27.jpg)
Short example: wireless
INSERT INTO radcheck(username, attribute, op, value)VALUES('00:0C:42:01:02:03', 'Auth-Type',':=','Accept');
INSERT INTO radreply(username, attribute, op, value)VALUES('00:0C:42:01:02:03', 'Mikrotik-Wireless-PSK',':=','PSKstring');
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 27
![Page 28: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/28.jpg)
Example: DHCP
MAC authorized and has ”Framed-IP-Address” in the reply: it will get the specific address
MAC is authorized but without reserved IP: it will get it from the pool
MAC not authorized: won't get any address!
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 28
![Page 29: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/29.jpg)
Example: DHCP
INSERT INTO radcheck(username, attribute, op, value)VALUES('00:0C:42:01:02:03', 'Auth-Type',':=','Accept');
Wait... we already have this one! INSERT INTO radreply(username, attribute, op, value)VALUES('00:0C:42:01:02:03', 'Framed-IP-Address',':=','172.17.2.2');
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 29
![Page 30: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/30.jpg)
Example: DHCP
We have the same MAC address for wireless and for DHCP services!
RADIUS will reply with all attributes to every service
Wireless will get Mikrotik-Wireless-PSK, but ignore Framed-IP-Address
DHCP will get Framed-IP-Address, but ignore Mikrotik-Wireless-PSK
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 30
![Page 31: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/31.jpg)
Example: DHCP
If a MAC address is not in the RADIUS database (it is not authorized) – it will not get a DHCP lease!!
What can we doto prevent it?
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 31
![Page 32: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/32.jpg)
Modifying SQL query
In dialup.conf file – we have the exact SQL query used to get the data from database:
authorize_check_query = "SELECT id, username, attribute, value, op \FROM ${authcheck_table} \WHERE username = '%{SQL-User-Name}' \ORDER BY id"
We can modify it, so that for every request from DHCP server it will give Auth-Type := Accept
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 32
![Page 33: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/33.jpg)
Modified SQL query
authorize_check_query ="SELECTid, username, attribute, value, op \FROM ${authcheck_table} \WHERE username = '%{SQL-User-Name}' \UNION \SELECT DISTINCT 0, '%{SQL-User-Name}', 'Auth-Type', 'Accept', ':=' \FROM ${authcheck_table} \WHERE '%{Called-Station-Id}' like 'dhcp%' \ORDER BY id"
Now every MAC will get an IP address from the DHCP!
0,'54:04:A6:24:35:12','Auth-Type',':=','Accept'© StarTik Daniel Starnowski 2012 RADIUS – make life easier 33
![Page 34: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/34.jpg)
Hotspot: MAC authorization
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 34
![Page 35: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/35.jpg)
Hotspot: MAC authorization
If a user (MAC address) is not present in the Users list of the hotspot, it will be checked in the RADIUS database
Only authorized users will access the network, unauthorized will get the login.html page
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 35
![Page 36: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/36.jpg)
Hotspot: MAC authorization
The MAC address will be authorized, if it will pass the radcheck query (i.e. will be present as username in the radcheck table)
Additional reply attributes possible, like limits for the up/down/total bytes or connection time
Mikrotik-Rate-Limit := ”256k/512k”
Rate Limit will create a dynamic simple queue with the max-limit restrictions.
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 36
![Page 37: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/37.jpg)
Hotspot: MAC authorization
If both DHCP and Hotspot services get data from the same RADIUS database – the queue will be created twice!
It can be avoided by modifying the reply SQL query
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 37
![Page 38: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/38.jpg)
Hotspot: HTML redirection
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 38
![Page 39: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/39.jpg)
Hotspot: HTML files
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 39
![Page 40: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/40.jpg)
Hotspot: HTML files (rlogin)
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 40
![Page 41: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/41.jpg)
Hotspot: HTML files
For $(link-redirect) hotspot puts:http://10.255.255.255/login.html?dst=OLD_URL
We modify the rlogin.html page Instead of $(link-redirect) we put:
http://192.168.255.2/register.php?mac=$(mac) 192.168.255.2 – our PHP/MySQL server For $(mac) hotspot will put user's MAC address The http server needs to be added to Hotspot's
Walled Garden
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 41
![Page 42: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/42.jpg)
Management platform
New SQL table customers: +----------+------------------+| Field | Type |+----------+------------------+| id | int(11) unsigned || username | varchar(64) || password | varchar(64) |+----------+------------------+
Tables radcheck and radreply get additional field ”customer” (integer)
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 42
![Page 43: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/43.jpg)
Management platform – live demo
You can connect to the live demo platform! SSID = StarTik All the settings from DHCP server
Try to open any webpage
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 43
![Page 44: Daniel](https://reader034.vdocuments.net/reader034/viewer/2022052218/5456eeafb1af9f7a1c8b493f/html5/thumbnails/44.jpg)
Any questions?
Thank you!
RADIUS – make life easier
© StarTik Daniel Starnowski 2012 RADIUS – make life easier 44