AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers

RouterOS v3 Configuration and User Guide

domain (text; default: "") - Microsoft Windows domain of client passed to RADIUS servers that require domain validation

realm (text) - explicitly stated realm (user domain), so the users do not have to provide proper ISP domain name in user name

secret (text; default: "") - shared secret used to access the RADIUS server

service (multiple choice: hotspot | login | ppp | telephony | wireless | dhcp; default: "") - router services that will use this RADIUS server

hotspot - HotSpot authentication service

login - router's local user authentication

ppp - Point-to-Point clients authentication

telephony - IP telephony accounting

wireless - wireless client authentication (client's MAC address is sent as User-Name)

dhcp - DHCP protocol client authentication (client's MAC address is sent as User-Name)

timeout (time; default: 100ms) - timeout after which the request should be resent

The order of the items in this list is meaningful.

Microsoft Windows clients send their usernames in the form domain\username.

When the RADIUS server authenticates a user with CHAP, MS-CHAPv1 or MS-CHAPv2, it does not use the shared secret to process the request; the secret is used only in the authentication reply, which the router verifies. So if the shared secret is wrong, the RADIUS server will accept the request, but the router will not accept the reply. You can see this with the /radius monitor command: the "bad-replies" number should increase whenever somebody tries to connect.

Example

To set a RADIUS server for HotSpot and PPP services that has the IP address 10.0.0.3 and the shared secret ex, you need to do the following:

[admin@AT-WR4562] radius> add service=hotspot,ppp address=10.0.0.3 secret=ex

[admin@AT-WR4562] radius> print

Flags: X - disabled
 #   SERVICE       CALLED-ID   DOMAIN   ADDRESS    SECRET
 0   ppp,hotspot                        10.0.0.3   ex

[admin@AT-WR4562] radius>

AAA for the respective services should be enabled too:

[admin@AT-WR4562] radius> /ppp aaa set use-radius=yes

[admin@AT-WR4562] radius> /ip hotspot profile set default use-radius=yes

To view some statistics for a client:

[admin@AT-WR4562] radius> monitor 0

pending: 0

requests: 10

accepts: 4

rejects: 1

resends: 15

timeouts: 5

bad-replies: 0

last-request-rtt: 0s

[admin@AT-WR4562] radius>

7.1.3 Connection Terminating from RADIUS

Submenu level: /radius incoming

Description

This facility supports unsolicited messages sent from the RADIUS server. Unsolicited messages extend the RADIUS protocol with commands that allow the RADIUS server to terminate a session that has already been connected. For this purpose DM (Disconnect-Messages) are used. Disconnect messages cause a user session to be terminated immediately.

Property Description

accept (yes | no; default: no) - whether to accept the unsolicited messages
