Clever Geek Handbook

RADIUS - a little about Mikrotik, NPS and more

  • Purpose of the article





  • Definition





  • Components





  • General concepts





  • Scope of application  





    • - login  





    • - VPN (ppp *)  





    • - wifi





    •  - dot1x  





  • diagnostics





  • conclusions





goal

The purpose of this article is to explain the logic of the radius in examples, to get rid of the fear and illusion of the complexity of use.





Definition, purpose, general information

RADIUS is a protocol for authorization, authentication and accounting ( AAA ).





Enables you to improve network security and centrally manage access.





RADIUS (  mysql) , Active Directory.





AAA   () , vendor-specific attributes (VSA). Mikrotik , .





  , : freeRADIUS  NPS (Network Policy Server) Windows Server.   .





  • -   .





  • - ,   RADIUS . NB! -.





  • RADIUS ( , ).





, 100500 , :





  1.   -   " ", IP (... ""),   (mikrotik  )





     , .        (   ) .             .





     . ,   . , \ . {.is-warning}













:

  1.  aaa





  2. vpn (pptp\l2tp)





  3.  wifi





  4. rj45 - dot802.1x





  , + .      mikrotik 





/radius add address=10.10.11.100 comment="PVE AD" secret=STRONG_SECRET_PASSWORD service=ppp,logi
n,hotspot,wireless,dhcp,ipsec,dot1x timeout=600ms

address -   secret - , service -  mikrotik,   .





timeout=600ms



,   ,   .





  .





1.   

/user aaa
set accounting=yes default-group=read use-radius=yes

default-group



  ,   .





NPS:





…  , , .   , . , ,  c c , .





   Wiki mikrotik, RADIUS ,        RADIUS. *Mikrotik-Group - Router local user group name (defines in /user group) for local users; HotSpot default profile for HotSpot users; PPP default profile name for PPP users. *



  '



   ,    vpn hostspot. .     , .





, …  System -> users -> group  , ,  full



  read



.





,  NPS.



  admins-network



 admins-junior



.  net-junior



  net-admin



,   .





, . NPS    mikrotik-login-junior



  mikrotik-admin-network



,    :





  , .  





     read



 





:





mikrotik-admin-network



    admins-network



   MIKROTIK_GROUP



  full



,   :





/user active print detail
Flags: R - RADIUS, M - by-romon
 0 R when=jan/05/2021 10:36:52 name="net-admin" address=10.10.15.7 via=winbox
     group=full

 1 R when=jan/05/2021 10:37:04 name="net-admin" address=10.10.15.7 via=telnet
     group=full

, .

 , . management vlan  ,     1c, RDP, etc..



. ,  l2tp\ipsec/ PPP -> profile





/ip pool add name=pool_l2tp_admin ranges=10.10.21.10-10.10.21.250
/ip pool add name=pool_l2tp_users ranges=10.10.22.10-10.10.22.250

/ppp profile add dns-server=10.10.21.1 local-address=10.10.21.1 name=l2tp-vpn-admin remote-address=pool_l2tp_admin use-compression=no use-encryption=yes

/ppp profile add dns-server=10.10.22.1 local-address=10.10.22.1 name=l2tp-vpn-users remote-address=pool_l2tp_users use-compression=no use-encryption=yes

    ,        . ()  , .  10.10.21.0/24  management   10.10.22.0/24  , .





NPS.



2 vpn-admins



 vpn-users



, net-admin



  1 , net-buh



  . . . , NAS





.





. VPN  .





: Mikrotik-Rate-Limit -   vpn 





 IP    .





  :





-  ip  





Wifi  Dot1x

, ,    , ,  mac  ..    . :





  •   Windows ,





  • GPO CA 





  • GPO    docs.microsoft





  • GPO  dot1X ( )   (802.3)





  • GPO   Wifi 









  , .





wifi

WiFi  . ,  CapsMan,      AP  . Security Profile/Security Cfg.







: NAS = - IEEE 802.11







.





)? - .      .





:





  • Framed-Pool -     ip    





  • Filter-Id -





  • Mikrotik-Wireless-VLANID -  vlan  (, ,         vlan   wifi) …





  •   /





  •   , , :)





dot1x

  dot1X .. ,   .     wiki





dot1x  ,   .   ( ), ( ) Reject VLAN ID



  ,    ( )   .





:





:





:









 :





:





  , , . :





  • mikrotik





    system logging add topics=radius,debug action=memory disabled=no



      , log print



      . - 





  •  





    , -  ,  





  •  windows   





Get-NetFirewallRule -DisplayGroup "  " | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any

   : 





Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any

  • radclient  freeradius-utils. ,  vpn





:





echo "User-Name = USER,User-Password=PASSWORD,NAS-Port-Type=Virtual" | radclient -s 10.10.11.100:1812 auth SHARE_NPS_SECRET -x

:





Sent Access-Request Id 177 from 0.0.0.0:42354 to 10.10.11.100:1812 length 56
       User-Name = "USER"
       User-Password = "PASSWORD"
       NAS-Port-Type = Virtual
       Framed-Protocol = PPP
       Cleartext-Password = "PASSWORD"
Received Access-Accept Id 177 from 10.10.11.100:1812 to 10.10.15.7:42354 length 94
       Mikrotik-Group = "pptp-nps"
       Framed-Protocol = PPP
       Service-Type = Framed-User
       Class = 0xa1cd098c00000137000102000a0a0b6400000000ec967e14be8346ce01d6d63b3e2ca9d70000000000000092
Packet summary:
       Accepted     : 1
       Rejected     : 0
       Lost         : 0
       Passed filter : 1
       Failed filter : 0

RADIUS in a networked environment is very useful in terms of security and convenient in terms of centralized management. Configuring is not so difficult, the main thing is to read and understand the documentation and logs.





If any of the points is not clear, write. I will try to show or help figure it out.





If you find errors, inaccuracies in the article, or if you know how to do it better, write too.





Acknowledgments:

Thanks to @aslancherkesov for a



fresh look at letters.











More articles:


All Articles