FREERADIUS WITH MIKROTIK MAC Login for Hotspot Users
1# Mikrotik Side Configuration
- Go to IP > Hotspot > Server Profiles and open the profile your hotspot server uses.
- On the Login tab, under Login By, tick MAC.
- Under MAC Auth. Mode, select "MAC as username and password".

With this mode the router sends the client's MAC address as both `User-Name` and `User-Password`, upper-case and colon-separated (for example `2C:44:FD:68:C0:18`, as in the debug output further down), so the `radcheck` row must use exactly that form. The profile also needs Use RADIUS ticked, with a RADIUS client entry pointing at the FreeRADIUS server; this post assumes that part is already in place. Bear in mind what this actually authenticates: a MAC address is visible to anyone on the same segment and is trivially cloned, so MAC login is device recognition for convenience, not proof of who the user is.
2# FREERADIUS POST-AUTH Configuration
Edit the `/etc/freeradius/sites-enabled/default` file:

```
nano /etc/freeradius/sites-enabled/default
```
Go to the `post-auth` section and add the following SQL query. As an example, here is the full `post-auth` section as used on this setup:

```
### timenet-auth section Starts from here ##
post-auth {
    exec
    Post-Auth-Type REJECT {
        update reply {
            Reply-Message = 'Wrong Password'
        }
        # This is our query to check if the MAC address is found in the
        # username column; you can make your own table (timenet uses `users`).
        sql
        if ("%{sql:SELECT COUNT(username) FROM users WHERE username = '%{User-Name}'}" > 0) {
            ok
        }
        else {
            reject
        }
        attr_filter.access_reject
    }
}
### timenet-auth section ENDS Here ##
```

Note where the check sits: inside `Post-Auth-Type REJECT`, which FreeRADIUS only runs for requests that have already been rejected, so as written it never gates an accept. The debug output later in this post confirms it: the accepted request logs only `++[exec] = noop` for `post-auth` and no query. To reject MACs that are missing from `users`, put the `if`/`else` in the main `post-auth` body, above the `Post-Auth-Type REJECT` sub-section; a `reject` there turns the reply into an Access-Reject. Also, the stock sql queries use `%{SQL-User-Name}` (the escaped username the module logs as "sql_set_user escaped user"); prefer it over the raw `%{User-Name}` in any hand-written query.
Insert USER record in RADCHECK & USERS TABLE
You can modify the following statements, or the SQL query above, to match your own schema. `radcheck` is the stock FreeRADIUS table that actually authenticates the device; `users` is the author's own billing table and is not part of the standard schema.
Log in to MySQL, select the RADIUS DB, and insert a test user in the USERS and RADCHECK tables (replace the MAC address with your own test device's MAC). Identifiers must be quoted with backticks, not single quotes, or MySQL rejects the statement; and since `radcheck.id` is AUTO_INCREMENT in the stock schema, the explicit `id` of 1 can be left out (it collides with any existing row).

```sql
INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`)
VALUES (1, '2C:44:FD:68:C0:18', 'Cleartext-Password', ':=', '2C:44:FD:68:C0:18');

INSERT INTO `users` (`id`, `username`, `password`, `firstname`, `lastname`, `email`, `mobile`, `cnic`, `srvname`, `srvid`, `expiration`, `mac`, `macvendor`, `bwpkg`, `pool`, `is_enabled`, `is_days_expired`, `is_qt_expired`, `is_uptime_expired`, `qt_total`, `qt_used`, `uptime_limit`, `uptime_used`, `owner`, `vlanid`, `nas_id`, `createdon`)
VALUES (1, '2C:44:FD:68:C0:18', '2C:44:FD:68:C0:18', 'firstname', 'lastname', 'zoraizazam1@gmail.com', '345345345', '242342420424-42-2', '2mb', 0, '2017-01-06', '2C:44:FD:68:C0:18', 'Hewlett Packard', '2048k/2048k', 'private-pool', 1, 1, 0, 0, '200', '12121613', '', '', 'zaib', '', NULL, '2018-07-24 05:30:21');
```
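As an added example (not code from the original post or from FreeRADIUS), the following stand-alone Python script emulates what the sql module does for a MAC-login request, using the stock `radcheck` column layout in an in-memory SQLite database. The `users` table here is a cut-down stand-in for the author's custom table (an assumption: only `username` and `mac` are kept), and the sample request is constructed from the attributes in the debug output below. It provisions a MAC-login row with bound parameters, normalises the MAC to the upper-case colon form MikroTik sends, runs the exact-string `radcheck` match and clear-text compare, and applies the `users`-table gate the `post-auth` section intends, so you can see which inputs are accepted and why the others are rejected before touching the real server.

```python
"""Emulation of the radcheck lookup for a MikroTik MAC-login request.

Added example, not code from the original post. Assumptions: stock radcheck
columns; a cut-down `users` table standing in for the author's billing table;
request attributes as shown in the FreeRADIUS debug output.
"""
import re
import sqlite3

# Six hex pairs, optionally separated by ':' or '-'.
_MAC_RE = re.compile("^" + r"([0-9a-f]{2})[:-]?" * 5 + r"([0-9a-f]{2})$", re.IGNORECASE)

# Constructed Access-Request, copied from the attributes in the debug output.
SAMPLE_REQUEST = {
    "User-Name": "2C:44:FD:68:C0:18",
    "User-Password": "2C:44:FD:68:C0:18",
    "Calling-Station-Id": "2C:44:FD:68:C0:18",
}


def normalize_mac(mac: str) -> str:
    """Return the MAC as the router sends it: upper-case, colon-separated.

    radcheck.username is matched as an exact string, so a row stored as
    '2c-44-fd-68-c0-18' would never match the request shown in the debug.
    """
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(g.upper() for g in m.groups())


def mikrotik_request(mac: str) -> dict:
    """Attributes a hotspot in 'MAC as username and password' mode sends.

    The string is used as given; a real router sends upper-case with colons.
    """
    return {"User-Name": mac, "User-Password": mac, "Calling-Station-Id": mac}


def open_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the radius database (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE radcheck (
            id        INTEGER PRIMARY KEY AUTOINCREMENT,
            username  TEXT NOT NULL DEFAULT '',
            attribute TEXT NOT NULL DEFAULT '',
            op        CHAR(2) NOT NULL DEFAULT '==',
            value     TEXT NOT NULL DEFAULT ''
        );
        -- Cut-down stand-in for the author's 'users' table: only the columns
        -- the post-auth gate reads (hypothetical, not the real schema).
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT NOT NULL UNIQUE,
            mac      TEXT NOT NULL
        );
        """
    )
    return db


def add_mac_user(db: sqlite3.Connection, mac: str, in_users: bool = True) -> str:
    """Provision a MAC-login user like the INSERTs above, with bound parameters."""
    mac = normalize_mac(mac)
    db.execute(
        "INSERT INTO radcheck (username, attribute, op, value) "
        "VALUES (?, 'Cleartext-Password', ':=', ?)",
        (mac, mac),
    )
    if in_users:
        db.execute("INSERT INTO users (username, mac) VALUES (?, ?)", (mac, mac))
    db.commit()
    return mac


def authorize(db: sqlite3.Connection, request: dict) -> tuple:
    """Emulate authorize (radcheck lookup, clear-text compare) and the users gate.

    Returns (reply_code, reason).
    """
    username = request.get("User-Name", "")
    rows = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id",
        (username,),
    ).fetchall()
    if not rows:
        return ("Access-Reject", "user not found in radcheck")
    check = {attr: value for attr, _op, value in rows}
    # The comparison behind "User-Password in the request is correct." in the debug.
    if check.get("Cleartext-Password") != request.get("User-Password"):
        return ("Access-Reject", "wrong password")
    # The users-table check the post-auth section intends, with a bound parameter
    # instead of interpolating User-Name into the query string.
    (n,) = db.execute(
        "SELECT COUNT(username) FROM users WHERE username = ?", (username,)
    ).fetchone()
    if n == 0:
        return ("Access-Reject", "MAC not in users table")
    return ("Access-Accept", "ok")


if __name__ == "__main__":
    db = open_db()
    add_mac_user(db, "2c-44-fd-68-c0-18")  # stored as 2C:44:FD:68:C0:18
    print(authorize(db, SAMPLE_REQUEST))  # ('Access-Accept', 'ok')
    print(authorize(db, mikrotik_request("2c:44:fd:68:c0:18")))  # rejected: exact match
```

The lower-case request is rejected on purpose: it shows why the provisioning side must store the MAC in the router's format, which `add_mac_user` enforces through `normalize_mac`. A username shaped like an injection payload simply fails the lookup because it is bound as a parameter rather than spliced into the SQL.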
Test Ride …
Now connect the test device. With FreeRADIUS running in debug mode (`freeradius -X`), the exchange looks like this:

```
rad_recv: Access-Request packet from host 101.11.50.50 port 40624, id=58, length=218
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "2C:44:FD:68:C0:18"
        Called-Station-Id = "hotspot1"
        NAS-Port-Id = "ether10-lan"
        User-Name = "2C:44:FD:68:C0:18"
        NAS-Port = 2159017996
        Acct-Session-Id = "80b0000c"
        Framed-IP-Address = 192.168.88.2
        Mikrotik-Host-IP = 192.168.88.2
        User-Password = "2C:44:FD:68:C0:18"
        Service-Type = Login-User
        WISPr-Logoff-URL = "http://192.168.88.1/logout"
        NAS-Identifier = "XYZ_RB3011_TEST"
        NAS-IP-Address = 101.11.50.50
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
[sql]   expand: %{User-Name} -> 2C:44:FD:68:C0:18
[sql]   sql_set_user escaped user --> '2C:44:FD:68:C0:18'
rlm_sql (sql): Reserving sql socket id: 30
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2C:44:FD:68:C0:18' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '2C:44:FD:68:C0:18' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '2C:44:FD:68:C0:18' ORDER BY priority
rlm_sql (sql): Released sql socket id: 30
++[sql] = ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
++[logintime] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
++[expiration] = noop
++? if (userlock)
? Evaluating (userlock) -> FALSE
++? if (userlock) -> FALSE
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 58 to 101.11.50.50 port 40624
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
```

Reading the output: the router sends the MAC as `User-Name`, `User-Password` and `Calling-Station-Id`; the `sql` module finds the matching `radcheck` row and the clear-text compare succeeds (`User-Password in the request is correct.`). The two WARNING lines mean the `pap` module is not listed in `authorize` (it does not appear among the modules run above), so the server fell back to the deprecated `Auth-Type = Local` compare; adding `pap` to the `authorize` section of the same site file removes the warning. Note also that `post-auth` returned `noop` with only `exec` running: the `users`-table query placed inside `Post-Auth-Type REJECT` did not execute for this accepted request.
Regards,
Networkingssolution
Labels: Ethernet, Hotspot, Mikrotik, Networkingssolution