Think of yourself as the boss, the radius server as a lower-level boss, and the NAS as the employee. The employee (NAS) asks the lower-level boss (radius) whether it is allowed to do something. The boss (radius) looks at the company policies (radius configuration files or database), decides whether the employee (NAS) is allowed or not, and returns an answer to the employee (NAS). The policies are dictated by the higher-level boss (YOU).
So you feed the radius what it should tell mikrotik. If you tell radius that a certain user should have a 64k bandwidth limit, then when mikrotik asks radius about that user, radius would return: ok, the password is correct, but you should also enforce this bandwidth limit... blah blah.
The question is how you configure radius so that it returns this information. The answer is not easy, because different vendors support different attributes.
Well, luckily mikrotik has excellent support/documentation pages.
http://www.mikrotik.com/Documentation/manual_2.7/Basic/AAA.html#ht37996460
It clearly explains what mikrotik asks from radius and what radius can send to mikrotik; well, radius can send anything, but it explains what mikrotik can understand.
So if you can make radius send anything you want, then you have a green light :) and it is not that hard after all, if you could install it etc.
Now, it is best to use pppoe over wlan! If you use pppoe you can disable all IP traffic over your wlan. One thing about using ppp is that if people are able to connect to your APs and IP is enabled, then they can make their own little private networks, which might not be able to connect to the internet, but they can transfer data to each other, unless you use some kind of high-end authentication method for the associations to your APs.
With PPPoE the IP packets do not need to travel over the lan. Yet it is possible that somebody might put up a PPPoE server himself, but you can notice this quickly and ban the user. Also, APs allow you to disallow communication between clients etc. Many complex setups can be done.
There is always a way to crack a system, and at the same time it is always possible to make it virtually unusable and expensive when you try to make your lan difficult to crack. For example you could ask for fingerprints or DNA tests when you authenticate your users :))) They can't even share their passwords hehe
Evren
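The exchange Evren describes above (and again in his later message about giving bandwidth from radius under pppoe), as an added example that is not code from the thread, FreeRADIUS or MikroTik: the server side builds an Access-Accept carrying the Mikrotik-Rate-Limit vendor attribute (vendor 14988, vendor-type 8, as listed in FreeRADIUS's dictionary.mikrotik), and the NAS side checks the Response Authenticator before trusting the limit. The shared secret and Request Authenticator below are constructed values.

```python
import hashlib
import struct

# Constants follow RFC 2865 and FreeRADIUS's dictionary.mikrotik; the secret and
# request authenticator used with these functions are constructed for this example.
CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26        # RFC 2865 type 26, Vendor-Specific
VENDOR_MIKROTIK = 14988          # MikroTik's IANA enterprise number
MIKROTIK_RATE_LIMIT = 8          # vendor-type of Mikrotik-Rate-Limit, value "rx-rate[/tx-rate]"

def vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: type, length, vendor-id, vendor-type, vendor-length, value."""
    inner = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(inner)) + inner

def build_access_accept(identifier, request_auth, secret, rate_limit):
    """Server side: answer "password ok, and enforce this rate limit" to the NAS.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = vsa(VENDOR_MIKROTIK, MIKROTIK_RATE_LIMIT, rate_limit.encode())
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_reply(packet, identifier, request_auth, secret):
    """NAS side: accept the reply only if it matches our request and carries a valid
    Response Authenticator, then return the Mikrotik-Rate-Limit string (or None)."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or ident != identifier or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if expected != packet[4:20]:           # forged or tampered reply, or wrong shared secret
        return None
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None                    # malformed attribute list
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor, vtype, vlen = struct.unpack("!IBB", attrs[pos + 2:pos + 8])
            if vendor == VENDOR_MIKROTIK and vtype == MIKROTIK_RATE_LIMIT:
                return attrs[pos + 8:pos + alen].decode()
        pos += alen
    return None
```

A reply with a bad authenticator, a wrong identifier or a malformed attribute list yields None, which is what keeps a spoofed "you may have unlimited bandwidth" answer from being applied.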
Martin Jessa wrote:
Hi Evren, guys.
I've installed mikrotik's router on my box and set up my radius server to work nicely with mysql and md5-hashed passwords. Now I need to choose whether to use ppp or pppoe for users to authenticate and connect to the outside world. I want my radius server to talk to the NAS (the mikrotik box) and give my users different bandwidth based on their usernames. Is there any software I can use for that? How can freeradius send that kind of info to the mikrotik router? And what would be best to use, ppp or pppoe, for my wlan users with LAN-range IP numbers?
Thanks again.
YazzY
On Sun, 14 Sep 2003 12:25:02 -0700 Evren Yurtesen <[EMAIL PROTECTED]> wrote:
If you have a bridged network and a pppoe server, then your users can connect to the pppoe server from any ap, and roam too.
About the AP stuff, the best is still to use the mikrotik operating system, unless you are using high-end APs like cisco or orinoco.
Old PCs do great as APs; if you have some old PCs, then why pay for an expensive AP?
Evren
Martin Jessa wrote:
I forgot to mention one thing. The bandwidth limiting must be done on the routers, not on the APs. The reason for that is I need to be able to give different bw to users connected to the same AP. Also users must be able to connect from different places to different APs, i.e. be able to roam. Plus it must be easy to replace the APs in case they break, even for someone with little experience.
On Sun, 14 Sep 2003 02:29:24 -0700 Evren Yurtesen <[EMAIL PROTECTED]> wrote:
Hi :) I see you are a BSD guy like me :)
I had a similar problem for my wireless clients, and I came up with an excellent PPPoE solution. It is called www.Mikrotik.com
It's a shame that the pppoe implementation in FreeBSD can't do bandwidth limiting, but the mikrotik (linux, yack) implementation does! I am almost sure it can do bandwidth limiting on pptp interfaces too.
You can download a trial version of mikrotik; although you can't use the trial version with wireless, you can try these pppoe and pptp connections with ethernet.
I am sure the interfaces of mikrotik will feel a little alien for a while, but it is similar to cisco ios and they have a quite nice graphical administration tool.
I wonder if your tunnels fail because of some MTU constraints.
If you use pppoe, you can give bandwidth from radius! Different upload/download bandwidths are possible. The sky is the limit.
Evren
Martin Jessa wrote:
Hi guys.
I have a setup for wireless clients where I use pptp vpn tunnels for my users to be able to auth and connect. The vpn daemon (poptop) talks to the freeradius server, which in turn gets user info from a MySQL database.
I use dialup_admin to be able to easily add new users.
Everything works great except for one thing.
The users (companies) are unable to create their own VPN tunnels (i.e IPsec) to other places.
It's impossible to tunnel IPsec inside of pptp vpn tunnels.
So maybe running plain PPPoE could solve that problem.
Then I could use WPA for traffic encryption.
Does that sound logical?
I also need some kind of system that will make it possible to give different bandwidth to different users.
I thought I could set up DUMMYNET with bw restrictions for different subnets with a subnet mask like /16 or similar.
Then give static IPs to my users depending on what bw they are allowed to use. But this approach does not seem to be very flexible.
Is there a way to make radius do bandwidth restrictions or run commands against an external application?
I am not "locked" to use BSD, if this works better on Linux then I will use it too.
Thanks YazzY
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
