RADIUSdesk


Mikrotik -> Basic

Introduction

With this scenario we assume you have:

  • A recent installation of RADIUSdesk which includes Dynamic RADIUS Clients support.
    • We will use our Radiusdesk Hosted server which has an IP Address of 178.32.59.137 in this document.
    • Our Radiusdesk Hosted server has a site wide RADIUS shared secret of RDhostedXYZ2525.
  • A new (or reset to defaults) Mikrotik RouterBOARD 751U which you will set up from scratch.
  • You want to run a Captive portal on the Mikrotik's WiFi interface.

Getting started

  • To reset the RouterBOARD 751U simply hold the reset button in during start-up until the ACT LED starts flashing. Now release the reset button.
  • You should now be able to connect on any of the Ethernet ports 2-5. (Port 1 needs to connect to the Internet).
  • If you connect with a machine which has DHCP enabled, you will get a 192.168.88.x IP Address, and the RouterBOARD 751U can be reached at 192.168.88.1.
  • The default username is admin with no password.

Our approach

We will take the following configuration approach. This approach is very common on the 751U.

  • Ethernet port 1 (Marked PoE) will be used to connect the 751U to the Internet. (Typically a DSL router's Ethernet port)
  • Ethernet port 1 will be configured to be a DHCP Client.
  • Ethernet ports 2-5 will be used as an Ethernet switch which runs a DHCP Server and NATs traffic between Ethernet port 1 and Ethernet ports 2-5.
  • The WiFi interface will be used to run the Captive Portal (Hotspot) on.
  • This Captive Portal will regulate traffic between the WiFi interface and Ethernet port 1.

Prepare Mikrotik

Captive Portal or Hotspot?

  • Mikrotik uses the term Hotspot to refer to a Captive Portal.
  • We prefer to use Captive Portal which is technically speaking more correct.

In order to get a Captive Portal up and running on the Mikrotik we will need to configure and confirm the following items. We assume a device reset to factory defaults.

  1. Set the Mikrotik's identity.
  2. Confirm the Ethernet-1 port is a DHCP client and did receive a valid IP Address from our DSL router.
  3. Remove wlan1 WiFi interface from the bridge with the name bridge.
  4. Add a RADIUS server.
  5. Configure a Hotspot running on the wlan1 WiFi interface.
    1. Configure a DHCP pool that the hotspot will use for assigning IP Addresses.
    2. Configure a Profile that makes use of the RADIUS server which we already defined.

Set the Mikrotik's identity

  • We will use a fictional convention and assume that this Mikrotik is the first one deployed in the city of Pretoria, Gauteng province, South Africa.
  • The system's identity will thus be za-gp-pta-001.
  • Connect to the Mikrotik's web interface and select System → Identity.
  • Specify the Identity as za-gp-pta-001 and click Apply.

Confirm Ethernet-1's status

  • Connect to the Mikrotik's web interface and select IP → DHCP Client.
  • The ether1-gateway interface should be listed along with its DHCP supplied IP Address.

  • If this is not listed or the interface does not have an IP Address assigned to it, ensure that it is fixed before continuing.

Remove wlan1 from bridge-local

  • Connect to the Mikrotik's web interface and select Bridge.
  • Select the Ports sub-tab to see the list of ports and to which bridge they are assigned.
  • By default wlan1 and ether2-master-local will be members of the bridge named bridge.
  • Remove wlan1 from the list of ports so that it is no longer a member of the bridge named bridge.

Add a RADIUS server

  • Mikrotik allows you to define zero or more RADIUS servers. The Mikrotik will in turn become a client to these pre-defined servers.
  • Connect to the Mikrotik's web interface and select Radius.
  • Click the Add new button to add a RADIUS server.
    • Select the Hotspot service.
    • Specify the IP Address of the RADIUSdesk server running FreeRADIUS. (We use 178.32.59.137)
    • Specify the shared secret. (We use RDhostedXYZ2525)
    • Since our server is somewhere out on the Internet, we increase the timeout to 5000ms.
    • Leave Accounting Backup unchecked.

  • Next we will set up the hotspot.

Configure a Hotspot running on the wlan1 WiFi interface

Add a Hotspot using the setup wizard

  • Connect to the Mikrotik's web interface and select IP → Hotspot.
  • Click the Hotspot Setup button. (Do not use the Add New option this time)
  • Select the Hotspot Interface as wlan1 and click next.
  • Specify the Local address of Network as 10.5.50.1/24
  • Ensure Masquerade Network is selected.
  • Click Next to continue.
  • Keep the default value of Address Pool of Network (10.5.50.2-10.5.50.254).
  • Click Next to continue.
  • Specify Select certificate as none since we will not use https.
  • Click Next to continue.
  • Keep the default value for IP Address of SMTP Server (0.0.0.0).
  • Click Next to continue.
  • Keep the default value for DNS Servers. This will be the value assigned by the DHCP server to the Ethernet-1 interface.
  • Click Next to continue.
  • Keep the default value for DNS Name (empty).
  • Click Next to continue.
  • Supply a local admin user for the hotspot with a password.
  • Click Next to continue.
  • This should bring you to the end of the wizard and leave you with an entry in the list of available configured hotspots.

Understanding the Hotspot configuration

  • The Hotspot Setup wizard did the following behind the scenes. You are welcome to confirm in order to understand the Mikrotik better.
    • Created a DHCP server pool called dhcp1 running on interface wlan1.
      • Confirm by viewing IP → DHCP Server.
      • The Networks sub-tab will contain a ;;;Hotspot network entry with the 10.5.50 range.
    • Created a hotspot server profile called hsprof1.
      • Confirm by viewing IP → Hotspot.
      • The Server Profiles sub-tab will contain the hsprof1 entry.

Modify the created Server Profile

Be sure to do the following steps. If you skip them, the hotspot will not use the RADIUS server.

  • We need to tell the hsprof1 Server Profile to use RADIUS.
  • Connect to the Mikrotik's web interface and select IP → Hotspot.
  • Select the Server Profiles sub-tab and select hsprof1.
  • Make sure Use RADIUS is selected.
  • Make sure Interim Update has a sane value e.g. 00:10:00 for every 10 minutes.
  • Click Apply to save this value.
  • You can optionally enable MAC authentication and set the format of the MAC address. Select XX-XX-XX-XX-XX-XX to work with RADIUSdesk.

Your Mikrotik Hotspot is now configured. Next we will prepare RADIUSdesk.


Prepare RADIUSdesk

Our situation

  • With our setup in this document, we make use of a VPS server that runs RADIUSdesk somewhere in the cloud. (We use our Radiusdesk Hosted server.)
  • Recent versions of RADIUSdesk make it super easy to add a RADIUS client to the FreeRADIUS server to which RADIUSdesk is a front-end.
  • You simply have to take care of the following items when you are pointing a RADIUS client to the RADIUSdesk server.
    • Specify the public IP Address of the RADIUSdesk server.
    • Ensure the site wide shared secret is correct. (Check this with the person who configured the RADIUSdesk server)
    • Ensure there is a unique identifier with which the RADIUS client can identify itself to the server. (We did this by setting the Identity of the Mikrotik router.)
  • After you have taken care of that, simply reboot the Mikrotik router while it has an active Internet connection.
  • It should then be reported under the Unknown Clients list of the RADIUS → Dynamic RADIUS Clients applet.

Our actions

  • We will add a NAS device of Connection type Dynamic client.

If the Connection type Dynamic client is not available from the list, confirm it is activated in the <webroot>/cake2/rd_cake/Config/RadusDesk.php file.

  • The value of NAS-Identifier (on the Mikrotik ⇒ System → Identification) will be crucial when adding a new NAS device. This value will have to be defined in three places, where each place should contain the value of the Mikrotik system identifier. (za-gp-pta-001 in our case)
    • The Dynamic AVP detail sub-tab in the add wizard will specify
      • Attribute = NAS Identifier
      • Value = za-gp-pta-001
    • The NAS sub-tab in the add wizard will specify
      • Name = za-gp-pta-001
    • After the NAS device has been added, you need to edit the NAS device. Select the NAS → Optional info sub-tab and make sure the value of NAS Identifier is specified as za-gp-pta-001.
  • Log into the RADIUSdesk webtop as either an Access Provider or the root user.
  • Select Menu → NAS Devices → NAS Devices to open the NAS Devices applet.
  • An optional start screen may ask you to specify the owner of this NAS device.
  • Select Next to continue.
  • Select the Dynamic client connection type.
  • Select Next to continue.
  • Specify the Attribute as NAS-Identifier and the Value as za-gp-pta-001 in the Dynamic AVP Detail sub-tab.
  • Specify the Name as za-gp-pta-001 and specify a secret in the NAS sub-tab.
  • Specify the realms which will be able to use this NAS device in the Realms sub-tab.
  • Select Next to complete the action.
  • Once the NAS device has been added, edit it and select the NAS → Optional info sub-tab.
    • Specify the NAS-Identifier as za-gp-pta-001.
    • Also select the type as Mikrotik.
  • Save the changes.
  • Wait at least ten minutes to allow FreeRADIUS to go through an auto restart cycle in order to activate the changes.
  • Alternatively you can (only as root user) go to Menu → Tools → Logfile Viewer and select Stop, then Start in the Logfile Viewer applet's toolbar.

Testing it out

  • Reboot the Mikrotik.
  • Connect to the WiFi Access point which the wlan1 interface advertises and confirm the following:
    • You get an IP Address in the 10.5.50.x range
    • The DHCP server assigns you a DNS server's address for name resolution.
    • As soon as you try to visit a website on the Internet you are redirected to the Mikrotik login page.
    • Try to connect with a valid user defined in RADIUSdesk and confirm that the authentication works as intended.
  • If things do not work correctly, run a debug trace on FreeRADIUS and restart the Mikrotik router.
  • Confirm that the Mikrotik router does send an Accounting-On packet to the RADIUS server by looking at the debug output of the FreeRADIUS server.
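
To show what the Accounting-On check above involves, here is an added example (not RADIUSdesk or FreeRADIUS code) that builds such a packet with the NAS-Identifier from this page and checks it in the order a dynamic-client lookup conceptually works: match the identifier first, then verify the authenticator with the shared secret. The classify function, its return labels and the known_clients mapping are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS packet code (RFC 2866)
NAS_IDENTIFIER = 32      # attribute type (RFC 2865)
ACCT_STATUS_TYPE = 40    # attribute type (RFC 2866)
ACCOUNTING_ON = 7        # Acct-Status-Type value a NAS sends after booting


def build_accounting_on(pkt_id: int, nas_id: str, secret: bytes) -> bytes:
    """Construct the Accounting-On packet a NAS emits after a reboot."""
    nas = nas_id.encode()
    attrs = struct.pack("!BBI", ACCT_STATUS_TYPE, 6, ACCOUNTING_ON)
    attrs += struct.pack("!BB", NAS_IDENTIFIER, 2 + len(nas)) + nas
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, pkt_id, 20 + len(attrs))
    # RFC 2866: authenticator = MD5(header + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def parse_attributes(body: bytes) -> dict:
    """Return {attribute type: raw value} from the bytes after the header."""
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
        pos += body[pos + 1]
    return attrs


def classify(packet: bytes, known_clients: dict) -> str:
    """Simplified dynamic-client check: NAS-Identifier first, then the secret."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return "ignored"
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return "ignored"
    body = packet[20:length]
    nas_id = parse_attributes(body).get(NAS_IDENTIFIER, b"").decode(errors="replace")
    if nas_id not in known_clients:
        return "unknown-client"   # the case listed under Unknown Clients
    expected = hashlib.md5(packet[:4] + bytes(16) + body + known_clients[nas_id]).digest()
    return "accepted" if hmac.compare_digest(expected, packet[4:20]) else "bad-secret"


# Constructed sample using the identity and shared secret from this page.
SAMPLE = build_accounting_on(1, "za-gp-pta-001", b"RDhostedXYZ2525")
```

A bad-secret result corresponds to a mismatch between the secret set on the Mikrotik and the one on the server, while unknown-client corresponds to a NAS-Identifier that has not been registered yet.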

What next

Although your system is up and running now, you may want to do the following advanced configurations:

  • Incorporate a heartbeat system to send heartbeats from the Mikrotik to the RADIUSdesk server for monitoring purposes.
  • Introduce centrally managed Dynamic Login Pages for Mikrotik.

The Advanced setup page will cover these topics.