2016/12/06 09:53

Connect Mikrotik RouterBOARD 751U to RADIUSdesk (Basic)

Introduction

With this scenario we assume you have:

A working installation of RADIUSdesk.

We have a VPS somewhere in the cloud with IP of 116.73.109.36 which we will use here.

This is patched with the rlm_raw patch (as per install instructions or standard with VM) to allow Dynamic Clients.

A new (or reset to defaults) Mikrotik RouterBOARD 751U which you will set up from scratch.

You want to run a Captive portal on the Mikrotik's WiFi interface.

Getting started

To reset the RouterBOARD 751U simply hold the reset button in during start-up until the ACT LED starts flashing. Now release the reset button.

You should now be able to connect on any of the Ethernet ports 2-5. (Port 1 needs to connect to the Internet).

If you connect with a machine which has DHCP enabled, you will get a 192.168.88.x IP Address while the RouterBOARD 751U can be reached through 192.168.88.1.

The default username is admin with no password.

Our approach

We will take the following configuration approach. This approach is very common on the 751U.

Ethernet port 1 (Marked PoE) will be used to connect the 751U to the Internet. (Typically a DSL router's Ethernet port)

Ethernet port 1 will be configured to be a DHCP Client.

Ethernet ports 2-5 will be used as an Ethernet switch which runs a DHCP Server and NAT traffic between Ethernet port 1 and Ethernet ports 2-5.

The WiFi interface will be used to run the Captive Portal (Hotspot) on.

This Captive Portal will regulate traffic between the WiFi interface and Ethernet port 1.

Points to ponder when using Mikrotik

As soon as you increase the number of Mikrotik devices that connect to RADIUSdesk it is good to consider the following items beforehand.

During boot-up Mikrotik will send an Accounting-On packet to the RADIUS server it has been configured to use.

Last update: 2016/06/02 23:12

user_guide:mikrotik:rb751 http://www.radiusdesk.com/docuwiki/user_guide/mikrotik/rb751

The RADIUS server in turn has to determine which NAS device it was that just sent the Accounting-On packet.

There are two Attributes in this packet which we can use to uniquely identify the specific Mikrotik router.

NAS-Identifier: This is the value specified in the System Identity field.

NAS-IP-Address: This is by default the IP Address of the interface on the Mikrotik which has an Internet connection.

We recommend that you make use of the NAS-Identifier to uniquely identify the Mikrotik router.

Using a unique NAS-Identifier will help with the following:

Allow NAS devices of type Dynamic Clients since you can now pre-identify the NAS device based on this attribute.

Prevent an ambiguity if the incoming Accounting-On packet specifies that the NAS-IP-Address is the same value as that of another Mikrotik router.

Make it easier to identify a Mikrotik router to send a disconnection request to (if this is initiated by the RADIUSdesk admin).
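The identification problem described above, as an added example (not RADIUSdesk or FreeRADIUS code): it parses an Accounting-On packet, looks the router up by NAS-Identifier, and only then checks the RFC 2866 Request Authenticator against that router's shared secret. The second identity za-gp-pta-002, the 192.168.1.2 address and both secrets are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS packet code (RFC 2866)
NAS_IP_ADDRESS, NAS_IDENTIFIER, ACCT_STATUS_TYPE = 4, 32, 40   # attribute types
ACCOUNTING_ON = struct.pack("!I", 7)        # Acct-Status-Type sent at boot-up


def build_accounting_on(pkt_id, secret, nas_ip, identity):
    """Build a constructed Accounting-On packet to use as sample input."""
    ident = identity.encode()
    attrs = (bytes([ACCT_STATUS_TYPE, 6]) + ACCOUNTING_ON
             + bytes([NAS_IP_ADDRESS, 6]) + bytes(int(o) for o in nas_ip.split("."))
             + bytes([NAS_IDENTIFIER, 2 + len(ident)]) + ident)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, pkt_id, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def parse_attributes(packet):
    """Return {type: value} for the TLV attributes after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs


def identify_nas(packet, secrets):
    """Look the NAS up by NAS-Identifier, then verify the packet with its secret."""
    attrs = parse_attributes(packet)
    if attrs.get(ACCT_STATUS_TYPE) != ACCOUNTING_ON:
        return None
    identity = attrs.get(NAS_IDENTIFIER, b"").decode(errors="replace")
    secret = secrets.get(identity)
    if secret is None:
        return None                          # unknown router: not a defined client
    # Request Authenticator = MD5(code + id + length + 16 zero octets + attrs + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                          # wrong shared secret or altered packet
    return identity, ".".join(str(b) for b in attrs.get(NAS_IP_ADDRESS, b""))


# Constructed sample data: two routers behind different DSL routers that both
# received the same private address on ether1. za-gp-pta-002 and both secrets
# are made up for this example.
SECRETS = {"za-gp-pta-001": b"example-secret-1", "za-gp-pta-002": b"example-secret-2"}
PKT_A = build_accounting_on(1, SECRETS["za-gp-pta-001"], "192.168.1.2", "za-gp-pta-001")
PKT_B = build_accounting_on(1, SECRETS["za-gp-pta-002"], "192.168.1.2", "za-gp-pta-002")
```

Both sample packets carry the same NAS-IP-Address, yet each resolves to its own router because the lookup key is the NAS-Identifier.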

Prepare Mikrotik

Captive Portal or Hotspot?

Mikrotik uses the term Hotspot to refer to a Captive Portal. We prefer to use Captive Portal which is technically speaking more correct.

In order to get a Captive Portal up and running on the Mikrotik we will need to configure and confirm the following items. We assume a device reset to factory defaults.

1. Set the Mikrotik's identity.

2. Confirm the Ethernet-1 port is a DHCP client and did receive a valid IP Address from our DSL router.

3. Remove wlan1 WiFi interface from the bridge-local bridge.

4. Add a RADIUS server.

5. Configure a Hotspot running on the wlan1 WiFi interface.

   1. Configure a DHCP pool that the hotspot will use for assigning IP Addresses.

   2. Configure a Profile that makes use of the RADIUS server which we already defined.

Set the Mikrotik's identity

We will use a fictional convention and assume that this Mikrotik is the first one deployed in the city of Pretoria, Gauteng province, South Africa.

The system's identity will thus be za-gp-pta-001.

Connect to the Mikrotik's web interface and select System → Identity.

Specify the Identity as za-gp-pta-001 and click Apply.

Confirm Ethernet-1's status

Connect to the Mikrotik's web interface and select IP → DHCP Client.

The ether1-gateway interface should be listed along with its DHCP supplied IP Address.

If this is not listed or the interface does not have an IP Address assigned to it, ensure that it is fixed before continuing.

Remove wlan1 from bridge-local

Connect to the Mikrotik's web interface and select Bridge.

Select the Ports sub-tab to see the list of ports and to which bridge they are assigned.

By default wlan1 and ether2-master-local will be members of the bridge-local bridge.

Remove wlan1 from the list of ports (so that it is no longer a member of the bridge-local bridge).

Add a RADIUS server

Mikrotik allows you to define zero or more RADIUS servers. The Mikrotik will in turn become a client to these pre-defined servers.

Connect to the Mikrotik's web interface and select Radius.

Click the Add new button to add a RADIUS server. Select the Hotspot service.

Specify the IP Address of the RADIUSdesk server running FreeRADIUS. Specify the shared secret. Since we have a VPS, we increase the timeout to 5000ms. Leave Accounting Backup unchecked.

Next we will set up the hotspot.

Configure a Hotspot running on the wlan1 WiFi interface

Add a Hotspot using the setup wizard

Connect to the Mikrotik's web interface and select IP → Hotspot.

Click the Hotspot Setup button. (Do not use the Add New option this time)

Select the Hotspot Interface as wlan1 and click Next.

Specify the Local address of Network as 10.5.50.1/24

Ensure Masquerade Network is selected.

Click Next to continue.

Keep the default value of Address Pool of Network (10.5.50.2-10.5.50.254).

Click Next to continue.

Specify Select certificate as none since we will not use https.

Click Next to continue.

Keep the default value for IP Address of SMTP Server (0.0.0.0).

Click Next to continue.

Keep the default value for DNS Servers. This will be the value assigned by the DHCP server to the Ethernet-1 interface.

Click Next to continue.

Keep the default value for DNS Name (empty).

Click Next to continue.

Supply a local admin user for the hotspot with a password.

Click Next to continue.

This should bring you to the end of the wizard and leave you with an entry in the list of available configured hotspots.

Understanding the Hotspot configuration

The Hotspot Setup wizard did the following behind the scenes. You are welcome to confirm in order to understand the Mikrotik better.

Created a DHCP server pool called dhcp1 running in interface wlan1. Confirm by viewing IP → DHCP Server.

The Networks sub-tab will contain a ;;;Hotspot network with the 10.5.50 range.

Created a hotspot server profile called hsprof1. Confirm by viewing IP → Hotspot. The Server Profiles sub-tab will contain the hsprof1 entry.

Modify the created Server Profile

We need to tell the hsprof1 Server Profile to make sure it uses RADIUS.

Connect to the Mikrotik's web interface and select IP → Hotspot.

Select the Server Profiles sub-tab and select hsprof1.

Make sure Use RADIUS is selected.

Make sure Interim Update has a sane value e.g. 00:10:00 for every 10 minutes.

Click Apply to save this value.

You can optionally enable MAC authentication and the format of the MAC address. Select XX-XX-XX-XX-XX-XX to work with RADIUSdesk.

Your Mikrotik Hotspot is now configured. Next we will prepare RADIUSdesk.

Prepare RADIUSdesk

Our situation

With our setup in this document, we make use of a VPS server that runs RADIUSdesk somewhere in the cloud.

Since the Mikrotik NAS devices will be behind a NAT firewall we will make use of FreeRADIUS that is patched with the rlm_raw patch to allow Dynamic Clients.

Patching the FreeRADIUS server with the rlm_raw patch is in the installation instructions of FreeRADIUS.

Alternatively you can simply run the VM images since this already incorporates this patch.

Our actions

We will add a NAS device of Connection type Dynamic client.

If the Connection type Dynamic client is not available from the list, confirm it is activated in the <webroot>/cake2/rd_cake/Config/RadusDesk.php file.

The value of NAS-Identifier (on the Mikrotik System Identification) will be crucial when adding a new NAS device. This value will have to be defined in three places, where each place should contain the value of the Mikrotik system identifier. (za-gp-pta-001 in our case)

The Dynamic AVP detail sub-tab in the add wizard will specify Attribute = NAS Identifier, Value = za-gp-pta-001

The NAS sub-tab in the add wizard will specify Name = za-gp-pta-001

After the NAS device has been added, you need to edit the NAS device. Select the NAS Optional info sub tab and make sure the value of NAS Identifier is specified as za-gp-pta-001.

Log into the RADIUSdesk webtop as either an Access Provider or the root user.

Select Menu → NAS Devices → NAS Devices to open the NAS Devices applet.

An optional start screen may ask you to specify the owner of this NAS device.

Select Next to continue.

Select the Dynamic client connection type.

Select Next to continue.

Specify the Attribute as NAS-Identifier and the Value as za-gp-pta-001 in the Dynamic AVP Detail sub-tab.

Specify the Name as za-gp-pta-001 and specify a secret in the NAS sub-tab.

Specify the realms which will be able to use this NAS device in the Realms sub-tab.

Select Next to complete the action.

Once the NAS device has been added, edit it and select the NAS Optional info sub tab. Specify the NAS-Identifier as za-gp-pta-001. Also select the type as Mikrotik.

Save the changes.

Wait at least ten minutes to allow FreeRADIUS to go through an auto restart cycle in order to activate the changes.

Alternatively you can (only as root user) go to Menu → Tools → Logfile Viewer and Stop; Start in the Logfile viewer applet's toolbar.

Testing it out

Reboot the Mikrotik.

Connect to the WiFi Access point which the wlan1 interface advertises and confirm the following:

You get an IP Address in the 10.5.50.x range.

The DHCP server assigns you a DNS server's address for name resolution.

As soon as you try to visit a website on the Internet you are redirected to the Mikrotik login page.

Try to connect with a valid user defined in RADIUSdesk and confirm that the authentication works as intended.

If things do not work correctly, run a debug trace on FreeRADIUS and restart the Mikrotik router.

Confirm that the Mikrotik router does send an Accounting-On packet to the RADIUS server by looking at the debug output of the FreeRADIUS server.

What next

Although your system is up and running now you may want to do the following advanced configurations:

Incorporate a heartbeat system to send heartbeats from the Mikrotik to the RADIUSdesk server for monitoring purposes.

Introduce centrally managed Dynamic Login Pages for Mikrotik.

The Advanced setup page will cover these topics.

From:
http://www.radiusdesk.com/docuwiki/ - RADIUSdesk
Permanent link:
http://www.radiusdesk.com/docuwiki/user_guide/mikrotik/rb751
Last update: 2016/06/02 23:12