username
00:1B:11:0A:8B:C1
attribute
Cleartext-Password
op
:=
value
groupname
wireless
wireless
attribute
Auth-Type
Password
op
:=
==
value
Local
Andy!
radiusd.conf :-
# Global paths and request limits for the FreeRADIUS daemon.
# logdir, raddbdir and libdir are absolute; the other paths are built from
# them through ${...} expansion.
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
# Accounting detail files are written below the log directory.
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
# NOTE(review): ${localstatedir} is not defined anywhere in the visible part
# of this file - confirm it is set before this line in the deployed copy.
run_dir = ${localstatedir}/run/freeradius
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
# Maximum time in seconds the server spends on one request.
max_request_time = 30
# Seconds a reply is kept so a retransmitted request gets the same answer.
cleanup_delay = 5
# Upper bound on requests tracked at once; this also caps the memory a
# flood of requests can consume.
max_requests = 1024
# Two listeners: one for authentication, one for accounting.
# ipaddr = * accepts packets on every local IPv4 address, and port = 0 lets
# the server take the port from /etc/services (normally 1812 for auth and
# 1813 for acct). On a multi-homed host, binding to the address the NAS
# devices actually reach keeps the service off the other interfaces.
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
# Log client IP addresses as-is; no DNS lookup per request.
hostname_lookups = no
# Core dumps stay disabled; a dump of this process would hold shared
# secrets and user passwords in memory.
allow_core_dumps = no
# NOTE(review): the next two settings are each split across two lines here
# (key on one line, "= yes" on the next), which looks like an extraction
# artifact - join each pair onto one line before using this file.
regular_expressions
= yes
extended_expressions
= yes
# Logging: everything goes to ${logdir}/radius.log (destination = files);
# syslog_facility is only used when destination is syslog.
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
# Log the full User-Name attribute as it arrived in the request.
stripped_names = no
# auth = no means accepted and rejected authentication requests are not
# written to the log, so this file gives no audit trail of logins or of
# repeated failures. Setting auth = yes records them.
auth = no
# Passwords are kept out of the log for both failed and successful
# attempts; these two can stay "no" even when auth is enabled.
auth_badpass = no
auth_goodpass = no
}
# Helper program used for simultaneous-use checks.
# NOTE(review): ${sbindir} is not defined in the visible part of this file -
# confirm it is set in the deployed copy.
checkrad = ${sbindir}/checkrad
# Limits that bound what a single request or client can make the server do.
security {
# Requests carrying more than this many attributes are dropped.
max_attributes = 200
# Seconds to hold an Access-Reject before sending it; slows down
# password guessing against the server.
reject_delay = 1
# Answer Status-Server packets. They are only accepted from clients
# listed in clients.conf, so the reachability of this probe depends on
# how tightly that file is scoped.
status_server = yes
}
# Proxying is enabled and configured in proxy.conf. If this server never
# forwards requests to another RADIUS server, "no" removes that code path.
proxy_requests = yes
$INCLUDE proxy.conf
# clients.conf holds the shared secret of every NAS; it should be readable
# only by the account the daemon runs as.
$INCLUDE clients.conf
# Worker thread pool. max_requests_per_server = 0 means a worker is never
# retired after a fixed number of requests.
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# Module configuration. Everything under ${confdir}/modules/ is loaded,
# followed by EAP, SQL and the MySQL counter definitions.
# NOTE(review): sql.conf normally carries the database login and password -
# confirm its file permissions match those of clients.conf.
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
}
# Modules listed here are instantiated at start-up, in this order, before
# the virtual servers are loaded.
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
# Every file in sites-enabled/ is loaded as a virtual server; the
# authorize/authenticate policy itself lives there, not in this file.
$INCLUDE sites-enabled/
######################################################################
#################3333
# Loopback client, used for local test requests against the server.
# NOTE(review): on the line below, the "clients.conf" heading and the
# "client localhost {" opener are fused into one comment line, and the
# secret is split over two lines (extraction artifacts). As written the
# section has no opening line - restore both before using this file.
# The shared secret is printed in clear on this page, so it should be treated
# as disclosed and replaced with a long random value in any deployment
# derived from this listing.
# clients.conf :client localhost {
ipaddr = 127.0.0.1
secret
= whiteroad
# With "no", Access-Requests without a Message-Authenticator attribute are
# accepted from this client, so request integrity is not enforced.
require_message_authenticator = no
}
# The three access points (NAS devices) allowed to talk to this server,
# one section per source IP address.
# All three use the same short shared secret, and it is printed in clear on
# this page. The secret protects the password fields in RADIUS packets
# and authenticates replies, so a value that is both reused and
# published protects none of the three links. Give each client its own
# long random secret and keep this file readable only by the daemon.
client 172.16.1.1 {
secret = $$ecret
shortname = tokaisuites1
nastype = other
}
client 172.16.1.2 {
secret = $$ecret
shortname = tokaisuites2
nastype = other
}
client 172.16.1.3 {
secret = $$ecret
shortname = tokaisuites3
nastype = other
}
######################################################################
#################3333
# mar/28/2010 16:06:21 by RouterOS 2.9.44
# software id = IGPI-3TT
# Wired port of the access point: 100 Mbps full duplex with
# auto-negotiation on, ARP enabled, interface enabled.
# NOTE(review): the original export's line continuations were lost in
# extraction; the parameters below belong to one "set ether1" command.
/ interface ethernet
set ether1 name="ether1" mtu=1500 mac-address=00:0C:42:15:80:18
arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
# Radio of the access point: ap-bridge mode on 2437 MHz (2.4 GHz b/g),
# SSID "TokaiSuites2", SSID broadcast left on, WDS disabled.
# default-authentication=no: a station is not allowed to associate unless
# an access-list entry or RADIUS MAC authentication admits it.
# default-forwarding=no: associated stations cannot exchange frames with
# each other through the AP (client isolation).
# NOTE(review): the export is cut off after the last line below, so the
# security profile (encryption and key settings) for wlan1 is not
# visible here - confirm it on the device. Several parameter names have
# also lost a hyphen or a line break in extraction.
/ interface wireless
set wlan1 name="wlan1" mtu=1500 mac-address=00:0B:6B:4F:30:1D
arp=enabled
disable-running-check=no radio-name="tokaisuites2" mode=ap-bridge \
ssid="TokaiSuites2" area="" frequency-mode=manual-txpower
country="south
africa" antenna-gain=0 frequency=2437 band=2.4ghz-b/g scanlist=default \
rate-set=configured supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-ratesa/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=26 tx-power-mode=all-rates-fixed \
noise-floor-threshold=default periodic-calibration=default
periodic-calibration-interval=60 burst-time=disabled dfs-mode=none
antenna-mode=ant-a \
wds-mode=disabled wds-default-bridge=none wds-default-cost=100
wds-cost-range=50-150 wds-ignore-ssid=no update-statsinterval=disabled \
default-authentication=no default-forwarding=no default-ap-txlimit=0
default-client-tx-limit=0 proprietary-extensions=post-2.9.25 hidessid=no \
manson
newbie
Posts: 29
Joined: Thu Feb 14, 2013 10:41 am
Posts: 21
Joined: Tue Jan 18, 2011 6:52 pm
The only way for now is to create static address lists and write a script in the
scheduler that turns dynamic leases into static ones and updates them when new
dynamic entries appear.
DLNoah
Frequent Visitor
Posts: 80
Joined: Fri Nov 12, 2010 6:33 pm
Posts: 344
Joined: Fri Jul 23, 2010 1:09 am
Posts: 29
Joined: Thu Feb 14, 2013 10:41 am
Posts: 71
Joined: Mon Jul 11, 2011 11:49 am
leases it will not process radius request again. I should do it only for radius
leases.
What is the workarounds?
1.
2.
3.
4.
Begetan
Frequent Visitor
Posts: 71
Joined: Mon Jul 11, 2011 11:49 am
Are you sure that the DHCP RADIUS accept message can provide the MikroTikAccess-List attribute?
lambert
Member
Posts: 344
Joined: Fri Jul 23, 2010 1:09 am
Begetan wrote: I am trying to do shaping via DHCP and got the same issue.
I think there is an issue in DHCP processing on the MikroTik side.
If a station sends a request for the first time, MikroTik has no lease and
correctly sends the request to RADIUS.
If the station disconnects and resends its DHCP request, or renews its lease,
MikroTik tries to check its databases for static leases. If it can find any kind
of lease it will not process the RADIUS request again. I should do it only for
radius leases.
What are the workarounds?
1.
2.
3.
4.
Number 1 works for my 2000 customers.... I would say 2 and 3 are not
necessary if you do 1. 4 is not necessary because it is working as designed.
Authentication is separate from Authorization.
If RADIUS doesn't specify a session timeout, the DHCP server uses MAC
authentication to authenticate the device. If no limits were in the RADIUS
authorization response, the user/device is unlimited. The DHCP server has
its own concept of Lease Time, which is not related to authorization. So,
when a client that is authorized without limits requests to renew its lease,
the DHCP server looks at its table of limits and says "00:11:22:33:44:55" is
not beyond its authorized time limit, renew the lease.
If RADIUS returns a Session-Timeout, the DHCP server knows this MAC
address is authenticated and is also authorized for the next
${Session-Timeout} seconds. If the device requests to renew its lease, the DHCP
server looks at its table and sees "this MAC address is already authenticated
and is authorized until ${time}." If the new Lease Time would give the
device access beyond ${time}, DHCP needs to ask the RADIUS server about
the device's authorization again.
With PPP, if you don't specify a Session-Timeout or other limit, the user can
stay connected forever and never has to re-authenticate. There is no
difference here. It is just the DHCP concept of a default lease-time which is
confusing people.
lambert
Member
Posts: 344
Joined: Fri Jul 23, 2010 1:09 am
Are you sure that the DHCP RADIUS accept message can provide the MikroTikAccess-List attribute?