Authorization through Radius on Mikrotik with local group expansion

Good day to all! I work as a novice network administrator in a large federal company with a mixed network, cisco, mikrotik, juniper.
And then one day the following task appeared.

Initial data:

1. There is a regional system administrator, who has several system administrators subordinate. Each system administrator has an RU - a regional node, where the head units are 2 Mikrotik 1100ahx2 and cisco c3550, for shops - MikroTik RB751G-2HnD.
2. Each Mikrotik has a local group with the same name as the city: Omsk - OMS, Kemerovo - KMR, with full rights to Mikrotik.


To authorize the regional administrator through Radius only within his area of ​​responsibility, for example, OMS and KMR.

There is a task, we are trying to fulfill it.
Configure Radius on Mikrotik:

/ radius add service = login address = 10.0.x.10 secret = xxx disabled = no
/ user aaa set use-radius = yes

Install FreeRadius on Linux, I had Debian: apt-get install freeradius
I have subnet on Mikrotik,
write to /etc/freeradius/clients.conf

client {
secret = xxx
shortname = Network_Devices

Then, do not forget / etc / freeradius / dictionary

VENDOR Mikrotik 14988


ATTRIBUTE Mikrotik-Recv-Limit 1 integer
ATTRIBUTE Mikrotik-Xmit-Limit 2 integer
ATTRIBUTE Mikrotik-Group 3 string
ATTRIBUTE Mikrotik-Wireless-Forward 4 integer
ATTRIBUTE Mikrotik-Wireless-Skip-Dot1x 5 integer
ATTRIBUTE Mikrotik-Wireless-Enc-Algo 6 integer
ATTRIBUTE Mikrotik-Wireless-Enc-Key 7 string
ATTRIBUTE Mikrotik-Rate-Limit 8 string
ATTRIBUTm M 9 string
ATTRIBUTE Mikrotik-Host-IP 10 ipaddr
ATTRIBUTE Mikrotik-Mark-Id 11 string
ATTRIBUTE Mikrotik-Advertise-URL 12 string
ATTRIBUTE Mikrotik-Advertise-Interval 13 integer
ATTRIBUTE Mikrotik-Recv-Limit-Gigawords 14 integer
ATTRIBUT -Gigawords 15 integer
ATTRIBUTE Mikrotik-Wireless-PSK 16 string
ATTRIBUTE Mikrotik-Total-Limit 17 integer
ATTRIBUTE Mikrotik-Total-Limit-Gigawords 18 integer
ATTRIBUTE Mikrotik-Address-List 19 string
ATTRIBUTE Mikrotik-Wireless-MPKey 20 string
ATTRIBUTE Mikrotik-Wireless-Comment 21 string
ATTRIBUTE Mikrotik-Delegated-IPv6-Pool 22 string

# MikroTik Values

VALUE Mikrotik-Wireless-Enc-Algo No-encryption 0
VALUE Mikrotik-Wireless-Enc-Algo 40-bit-WEP 1
VALUE Mikrotik-Wireless-Enc-Algo 104-bit-WEP 2
VALUE Mikrotik-Wireless-Enc-Algo AES-CCM 3
VALUE Mikrotik-Wireless-Enc-Algo TKIP 4

END -VENDOR Mikrotik

That's it, now we need to create a user in / etc / freeradius / users:

regSA User-password: = 12345
Auth-Type = CHAP,
Mikrotik-Group: = OMS

We restart FreeRadius and try to go to Omsk Mikrotiki. Everything works.

But now we are trying to go to Kemerovo. We get the read group, with read-only permissions. What's the matter? We look at the log on Mikrotik and see:

In active users:

You forgot to register a group for Kemerov, you say.

We write : regSA User-password: = 12345
Auth-Type = CHAP,
Mikrotik-Group: = OMS, KMR

Restart freeradius. We try, we get the same thing. It turns out that for one user we can specify only one group. Because during authorization, the first one is always taken. Dead end? No, a couple of hours of Google, research FreeRadius and find a way out.
There is a post-auth handler in radiusd.conf, I decide to try using it.
We write:

post-auth {
if (User-Name == “regSA”) {check
if username if (NAS-IP-Address = ~ /172\.22\.(2(2[4-9†|►3-4] [0-9] | 5 [0-5])) \. ([0-9] | [1-9] [0-9] | 1 ([0-9] [0-9]) | 2 ( [0-4] [0-9] | 5 [0-5])) /) {and check the IP
update reply {
Mikrotik-Group: = "OMS" if everything works out, then give the microtik group that is on it
if (NAS-IP-Address = ~ /172\.20\.(6[4-9†|►7-8†[0-9†|9[0-5†)\.([0-9 ] | [1-9] [0-9] | 1 ([0-9] [0-9]) | 2 ([0-4] [0-9] | 5 [0-5])) /) {
update reply {
Mikrotik-Group: = "KMR"

} close all post-auth

NAS-IP-Address - this is the IP address from which the authorization request arrives. A regular is used, but since I’m with you for them, I used the site to
Now in / etc / freeradius / users: we remove the group, as the attribute

regSA is absolutely superfluous for us User-password: = 12345
Auth-Type = CHAP

After restarting FreeRadius we understand that everything works for us, that the region gets to Omsk Mikrotiks with the OMS group, to Kemerovo ones - with KMR.

Why was it impossible to put Mikrotik-Group: = "full" in users? It was possible, but then the regional system administrator got access to all Mikrotiks throughout Russia, which of course is not good. Only a select few have such rights.

Also popular now: