[MikroTik] > system package print # NAME VERSION BUILD-TIME UNINSTALL 0 ppp 2.4.5 dec/04/2001 14:55:36 no 1 system 2.4.5 dec/04/2001 14:53:19 no [MikroTik] >
The RADIUS client and RADIUS accounting features are included in the "PPP" package.
Hardware Resource Usage
PPP uses a minimum amount of memory.
To see the list of available serial ports, use the command /ports print, for example:
[MikroTik] > port print
0 name=serial0 used-by=Serial Console baud-rate=9600 data-bits=8
parity=none stop-bits=1 flow-control=none
1 name=serial1 used-by="" baud-rate=9600 data-bits=8 parity=none
stop-bits=1 flow-control=none
[MikroTik] >
The PPP server management is done in the /interface ppp-serversubmenu.
You can add a PPP server using the add command:
[MikroTik] interface ppp-server>
add name=test local-address=1.1.1.1 remote-address=1.1.1.254 port serial1
[MikroTik] interface ppp-server> print
Flags: X - disabled
0 X port=serial1 pap=yes chap=yes ms-chapv2=yes local-address=1.1.1.1
remote-address=1.1.1.254 mtu=1500 mru=1500 idle-timeout=0s session-timeout=0s
null-modem=no modem-init="" ring-count=3 port-id=0 encryption=none name=test
[MikroTik] interface ppp-server> enable 0
[MikroTik] interface ppp-server> monitor test
user:
uptime: 0s
encoding:
status: Waiting for call...
[MikroTik] interface ppp-server>
Description of settings:
port - Serial port
pap, chap, ms-chapv2 - (no / yes). Authentication protocol. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol. It is suggested that pap and chap always be set to 'no', unless there is a special situation which requires an unencrypted link.
local-address - Assigns an individual address to the PPP-Server
remote-address - Assigns an individual address to the PPP-Client.
mtu - Maximum Transmit Unit. Maximum packet size to be transmitted.
mru - Maximum Receive Unit.
idle-timeout - The link will be terminated if there is no activity with-in the time set in seconds. When set to '0', there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to '0', there is no timeout.
null-modem - Enable/Disable null-modem mode (when enabled, no modem initialization strings are sent). Default value is "off" (for COM1 and COM2 only). So by default null-modem is turned off.
modem-init - Modem Initialization String.
ring-count - Number of rings to wait before answering phone.
port-id - number to be used for identification in Radius server. Should be 0..65535.
encryption - (none / optional / required / stateless). Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to 'required'.name - Interface name for reference.
- none No encryption is used. If the other end supports compression, it will be used
- optional If the other end supports encryption, it will be used (40bit or 128bit if server requests this)
- required 40bit or 128bit if server agrees, link will be shut down if no agreement
- stateless Stateless-MPPE is required. Router will use MPPE-128bit or MPPE-40bit depending on the other end of connection. In stateless mode password will be changed before every packet is transmitted.
PPP Client Setup
The PPP client management can be accessed under the /interface ppp-client submenu.
You can add a PPP client using the add command:
[MikroTik] interface ppp-client>
add name=test local-address=1.1.1.254 remote-address=1.1.1.1 \
user=test add-default-route=yes port serial1 encryption=optional
[MikroTik] interface ppp-client> print
Flags: X - disabled
0 X name=test port=serial1 user=test pap=yes chap=yes ms-chapv2=yes
phone="" tone-dial=yes mtu=1500 mru=1500 local-address=1.1.1.254
remote-address=1.1.1.1 idle-timeout=0s session-timeout=0s null-modem=no
modem-init="" dial-on-demand=no add-default-route=yes encryption=optional
[MikroTik] interface ppp-client> enable 0
[MikroTik] interface ppp-client> monitor test2
uptime: 0s
encoding:
status: Logging in to network...
[MikroTik] interface ppp-client>
Descriptions of settings:
name - New interface name.
port - Serial port
user - User name to use for dialout.
pap, chap, ms-chapv2 - (no / yes). Authentication protocol. Encrypted links are only supported when ms-chapv2 is selected. This is a feature of the protocol. It is suggested that pap and chap always be set to 'no', unless there is a special situation which requires an unencrypted link.
phone - Phone number for dialout.
tone-dial - Enable/Disable tone dial.
mtu - Maximum Transmit Unit. Maximum packet size to be transmitted.
mru - Maximum Receive Unit.
local-address - Local IP Address
remote-address - Remote IP Address.
idle-timeout - The link will be terminated if there is no activity with-in the time set in seconds. When set to '0', there is no timeout.
session-timeout - The maximum time the connection can stay up. When set to '0', there is no timeout.
null-modem - Enable/Disable null-modem mode (when enabled, no modem initialization strings are sent). Default value is "off" (for COM1 and COM2 only). So by default null-modem is turned off.
modem-init - Modem Initialization String.
dial-on-demand - Enable/Disable dial on demand.
add-default-route - Add PPP remote address as a default route.
encryption - (none / optional / required / stateless). Will only work in encrypted mode when ms-chapv2 authentication is used. For most links, it should be set to 'required'.
- none No encryption is used. If the other end supports compression, it will be used
- optional If the other end supports encryption, it will be used (40bit or 128bit if server requests this)
- required 40bit or 128bit if server agrees, link will be shut down if no agreement
- stateless Stateless-MPPE is required. Router will use MPPE-128bit or MPPE-40bit depending on the other end of connection. In stateless mode password will be changed before every packet is transmitted.
If the PPP client is configured properly and it has established a connection to the server, you can:
[MikroTik] interface ppp-client> monitor test
uptime: 4h35s
encoding: none
status: Connected
[MikroTik] interface ppp-client>
Description of display:
uptime - Connection time displayed in days, hours, minutes, and seconds.
encoding - Encryption being used in this connection.
status - The status of this client may be:
- Dialing attempting to make a connection
- Verifying password... - connection has been established to the server, password verification in progress.
- Connected self-explanatory
- Terminated interface is not enabled or the other side will not establish a connection
The following topics are discussed below:
Local Authentication Overview
Local PPP authentication is part of the general user database stored on the router
this database is also responsible for administration authentication for the router.
Certain PPP specific attributes are supported for PPP user group:
Local Authentication Management of PPP Users
Only users which are in a group with the PPP attribute can be authenticated for PPP access. To add a user:
[mikrotik] user> add name client2 password ctest group ppp
[mikrotik] user> print
0 ;;; system default user
name: admin group: full address: 0.0.0.0 netmask: 0.0.0.0 caller-id: ""
only-one: no max-session-time: 0
1 name: client2 group: ppp address: 0.0.0.0 netmask: 0.0.0.0 caller-id: ""
only-one: no max-session-time: 0
Descriptions of settings:
full address: 0.0.0.0 netmask: 0.0.0.0 - This is used to determine the address to be given to the remote site, if full address is set to a specific IP (for example: full address: 10.25.0.3 netmask: 255.255.255.255), then only 10.25.0.3 will be given to the remote site. If the remote site will not accept this, then the connection will fail. If a subnet were set (for example: full address: 10.25.0.3 netmask: 255.255.255.240), then an address in the subnet 10.25.0.0/28 would be allowed if the server gives an address in that range or the server has no addresses set to give, and the client request an address in that range. If no specific address or subnet is given (for example: full address: 0.0.0.0 netmask: 0.0.0.0.), then an address from the PPP server setup of "remote-address-from" and "remote-address-to" will be given.
caller-id: "" - For PPTP, this may be set the IP address which a client must connect from in the form of a.b.c.d. For PPPoE, the MAC address which the client must connect from can be set in the form or xx:xx:xx:xx:xx:xx. When this is not set, there are no restrictions on from where clients may connect.
only-one: no - If this is set to yes, then there may be only one connection at a time.
max-session-time: 0 - If set to >0, then this is the max number of seconds this session can stay up. "0" indicates no session limit.
Local Accounting of PPP Users
To enable local authentication and accounting, set "[MikroTik] ip ppp> set accounting yes authentication local".
If the "authentication" is set to "radius", then no local accounting logs will be made.
The following is an example of the local accounting when a PPPoE connection is made to the PPPoE server (access concentrator).
[Mikrotik]> log print apr/04/2001 17:19:14 pppoe-in7: waiting for authentication apr/04/2001 17:19:14 pppoe-in7: test logged in apr/04/2001 17:19:14 pppoe-in7: connection established apr/04/2001 17:19:20 pppoe-in7: using encoding - none apr/04/2001 17:25:08 pppoe-in7: connection terminated by peer apr/04/2001 17:25:08 pppoe-in7: modem hanged up apr/04/2001 17:25:08 pppoe-in7: connection terminated apr/04/2001 17:25:08 pppoe-in7: test logged out, 354 4574 1279 101 83The last line is the accounting which is printed when the connection is terminated. This line indicates that the user "test" connection has terminated at "apr/04/2001 17:25:08". The numbers following the "test logged out" entry represent the following:
354 session connection time in seconds 4574 bytes-in (from client) 1279 bytes-out (to client) 101 packets-in (from client) 83 packets-out (to client)
RADIUS authentication gives the ISP or network administrator the ability to manage
PPP user access and accounting from one server throughout a large network.
The MikroTik RouterOS has a RADIUS client which can authenticate for PPP, PPPoE, and PPTP connections
no ISDN remote access support currently. Features supported:
Example output of the print command:
Description of the output:
Data received from serve:
Accounting information sent to server:
RADIUS Overview
RADIUS Client Setup
To set RADIUS client, use the following line:
[MikroTik] ip ppp> set authentication radius auth-server 10.10.1.1 shared-secret users
[MikroTik] ip ppp> print
primary-dns: 159.148.60.3
secondary-dns: 0.0.0.0
authentication: radius
auth-server: 10.10.1.1
shared-secret: users
accounting: no
accounting-port: 1646
authentication-port: 1645
primary-dns - ppp setting for remote site.
secondary-dns - ppp setting for remote site.
authentication - Can be set to "radius" or "local".
auth-server - IP address of the server in a.b.c.d.
shared-secret - corresponding text string from RADIUS server.
accounting - enable by setting "yes" or "no".
accounting-port - accounting-port.
authentication-port - default port 1645 according to RFC.
RADIUS Parameters
Authentication data sent to server Data received from server Accounting information sent to server:
PW_SERVICE_TYPE = PW_FRAMED
PW_FRAMED_PROTOCOL = PW_FRAME_PPP
PW_NAS_IDENTIFIER = system identity
PW_NAS_IP_ADDRESS = local PPP interface address
PW_NAS_PORT = unique PPP port identifier number
PW_NAS_PORT_TYPE = async or virtual in number form
PW_CALLING_STATION_ID = for PPTP, remote IP reported
for PPPoE, remote MAC reported
in form of xx:xx:xx:xx:xx:xx
PW_ACCT_INTERIM_INTERVAL = if non-zero then interval to update accouting data in seconds
PW_FRAMED_IP_ADDRESS = PPP remote address
PW_IDLE_TIMEOUT = if no traffic in that time, connection is closed
PW_SESSION_TIMEOUT = connection time allowed
PW_USER_NAME
PW_ACCT_INPUT_OCTETS = octets signifies bytes
PW_ACCT_INPUT_PACKETS
PW_ACCT_OUTPUT_OCTETS
PW_ACCT_OUTPUT_PACKETS
ACCT_SESSION_TIME = in the form of seconds
RADIUS Servers Suggested
Our RADIUS CLIENT should work well with all RFC complient servers. Our software has been tested with:
http://www.vircom.com/
http://www.ietf.org/rfc/rfc2138.txt?number=2138
PPPoE Bandwidth Setting
For local authentication, this can be set in the [MikroTik] user> menu with the baud-rate value (identical to bits/s).
For Radius authentication, the account of each user in the radius server should be set with:
Paramater: Ascend-Data-Rate (with parameter ID 197 -- in bits/s)
Additional Resources
Links for PPP documentation:
http://www.ietf.org/rfc/rfc2138.txt?number=2139
The problem might ne in the RADIUS server, which has kept the client state as 'connected'.
If only one connection per client is allowed, the second connection is not authenticated.
To configure the delay time for the watchdog (Interim) packet, modify the
attribute usually called "Interval Time Between Interim Packets".
Enter there the time in seconds that Radius will expect an interim (WatchDog)
packed before dropping the user from the users-online list.
This interval should be at least 3 minutes more that the time the
time configured for sending the interim packets.
Set the Redialing Options of the Windows client to "Redial if line is dropped = yes" and
"Time between redial attempts = 1s".
© Copyright 1999-2001, MikroTik