AAA with Active Directory
Example One
MT setup
Windows Setup
Example Two
Part A - Setup IAS RADIUS on Active Directory Services
AAA with Active Directory - MikroTik Wiki (page 1 of 18)
07/04/2011 http://wiki.mikrotik.com/wiki/AAA_with_Active_Directory
Set up IAS on a server acting as an Active Directory Domain Controller and register the service in Active Directory. Registration adds the server's computer account to the “RAS and IAS Servers” group, which is what allows IAS to read the dial-in properties of user accounts.
Give the server a meaningful description and enable logging of both successful and rejected authentication requests.
Use port 1812 for Authentication and port 1813 for Accounting only.
Create a Realms rule that finds “User-Name” and replaces it with “DOMAIN\User-Name”, so that IAS prefixes the domain to the bare user name the hotspot sends before looking the user up.
Create a “hotspot.com” RADIUS client profile and set its IP address to the MikroTik hotspot server, 172.19.1.253. Set Client-Vendor to RADIUS Standard and enter a unique shared secret for this client. Do not enable the check box that requires the Message-Authenticator (signature) attribute in requests. With that check off, the only protection on the request is the MD5-based password hiding keyed with the shared secret, so use a long random secret and keep the client entry restricted to the hotspot's address.
Under Remote Access Logging, enable the check boxes for all request types (accounting, authentication and periodic status).
Select the IAS log format and set the log file period to Daily.
Create a Remote Access Policy for “hotspot.com”. Add the condition “Windows-Groups” matches “DOMAIN\Username” and grant remote access permission.
On the Authentication tab, enable the check boxes for the “MS-CHAP v2, MS-CHAP, CHAP and PAP” methods. Note that HotSpot login uses only PAP, which sends the password to IAS hidden solely by the RFC 2865 MD5 construction under the shared secret; keep the path between the hotspot and IAS on a trusted network.
On the Encryption tab, enable all the check boxes allowed by this profile.
On the Advanced tab, do not add any additional connection attributes.
Part B - Setup IAS RADIUS with MikroTik
Add a RADIUS server entry and enable it for the “hotspot” service. Enter the IP address of the IAS RADIUS server and, as the RADIUS secret, the same shared secret created earlier in the IAS client profile. Use port 1812 for Authentication and 1813 for Accounting, with a timeout of 300 ms.
In “Hotspot Server Profiles”, under Login By, check “HTTP PAP” only.
In the same “Hotspot Server Profiles” entry, check Use RADIUS and Accounting. Leave NAS Port Type as 19 (wireless-802.11) or Ethernet, according to the medium the hotspot serves.
Part C – Testing IAS RADIUS with PC
Use the NTRadPing test utility (http://www.dialways.com/download/) to verify the communication link from a test PC.
1. Remember to add the IP address of the test PC to the IAS client profile before starting the test.
2. Enter the IAS RADIUS server IP address, port “1812”, Request Type “Authentication Request” and the RADIUS shared secret.
3. Also enter a User-Name found in the Active Directory users list. If successful, the reply will be “Access-Accept”.
4. Next change the port to “1813” and the Request Type to “Accounting Start”, then click Send; the reply should be “Accounting-Response”, which confirms the RADIUS server is working.
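The exchange NTRadPing drives in steps 2 to 4, as an added example that is not part of the wiki page and is not IAS or RouterOS code: it builds the PAP Access-Request the HotSpot (login by HTTP PAP) or NTRadPing sends, hides the password under the shared secret as RFC 2865 specifies, lets a small stand-in for IAS apply the realm rule from Part A, recover the password and answer, and then verifies the Access-Accept and Accounting-Response authenticators the way the client must. The shared secret, the user table and the user names are constructed for the example; the hotspot address 172.19.1.253 and NAS-Port-Type 19 are the values from the page. The stand-in's require_message_authenticator switch corresponds to the client-profile check box that Part A leaves off and shows what that check adds: a request altered in transit is still accepted without it.

```python
"""RADIUS PAP exchange as the HotSpot, NTRadPing and IAS perform it (RFC 2865/2866/2869).
Added example, not code from the MikroTik wiki or from IAS; it runs offline. One side builds
the Access-Request the HotSpot (login by HTTP PAP) or NTRadPing sends to UDP 1812, a stand-in
for IAS applies the Part A realm rule, recovers the PAP password and answers, and the client
checks the Response Authenticator. Secret, user table and names are constructed for the example."""
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 2, 4, 40
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR, WIRELESS_80211, ACCT_START = 61, 80, 19, 1
SECRET = b"example-shared-secret-change-me"   # constructed; must be identical on IAS and the hotspot
DOMAIN_USERS = {"DOMAIN\\alice": b"Correct-Horse-9"}   # constructed stand-in for the AD user lookup

def _md5_chain(secret, authenticator, data, chain_on_output):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if chain_on_output else data[i:i + 16])
    return out

def hide_password(secret, authenticator, password):
    """Client side: NUL-pad to a 16-byte multiple (at least 16) and chain on the ciphertext."""
    padded = password + b"\x00" * ((-len(password) % 16) or (16 if not password else 0))
    return _md5_chain(secret, authenticator, padded, chain_on_output=True)

def reveal_password(secret, authenticator, hidden):
    """Server side: same chain keyed on the received ciphertext blocks, padding stripped."""
    return _md5_chain(secret, authenticator, hidden, chain_on_output=False).rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attrs(packet):
    """{type: (offset of value, value)} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2:                         # a zero length would loop forever
            raise ValueError("malformed attribute")
        attrs[kind] = (pos + 2, packet[pos + 2:pos + length])
        pos += length
    return attrs

def build_access_request(ident, username, password, secret=SECRET):
    """The NAS's Access-Request: PAP password hidden under the shared secret, plus a
    Message-Authenticator (HMAC-MD5 over the packet with its own value zeroed, RFC 2869)."""
    authenticator = os.urandom(16)             # fresh per request; it keys the password hiding
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(secret, authenticator, password))
             + attr(NAS_IP_ADDRESS, socket.inet_aton("172.19.1.253"))   # hotspot address on the page
             + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()   # last attribute = the MAC

def build_accounting_start(ident, username, secret=SECRET):
    """Accounting-Request (Start): authenticator = MD5(header | 16 zero bytes | attrs | secret)."""
    attrs = attr(USER_NAME, username.encode()) + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs

def build_response(code, request, secret=SECRET, attrs=b""):
    """Server side: Response Authenticator = MD5(header | Request Authenticator | attrs | secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret=SECRET):
    """Client side: the ID must match and the Response Authenticator must recompute under the secret."""
    if response is None or len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def simulated_ias(request, secret=SECRET, require_message_authenticator=False):
    """Stand-in for IAS. require_message_authenticator mirrors the client-profile check box the
    page leaves off: when on, a request whose HMAC is missing or wrong is rejected before lookup."""
    code, attrs = request[0], parse_attrs(request)
    if code == ACCT_REQUEST:                   # Part C step 4: Accounting Start
        expected = hashlib.md5(request[:4] + b"\x00" * 16 + request[20:] + secret).digest()
        ok = hmac.compare_digest(expected, request[4:20])
        return build_response(ACCT_RESPONSE, request, secret) if ok else None
    if require_message_authenticator:
        off, mac = attrs.get(MESSAGE_AUTHENTICATOR, (20, b""))   # missing -> empty MAC, never matches
        zeroed = request[:off] + b"\x00" * 16 + request[off + 16:]
        if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac):
            return build_response(ACCESS_REJECT, request, secret)
    name = attrs[USER_NAME][1].decode(errors="replace")
    if "\\" not in name:                       # Part A realm rule: User-Name -> DOMAIN\User-Name
        name = "DOMAIN\\" + name
    password = reveal_password(secret, request[4:20], attrs[USER_PASSWORD][1])
    return build_response(ACCESS_ACCEPT if DOMAIN_USERS.get(name) == password else ACCESS_REJECT, request, secret)

def ntradping(username, password, secret=SECRET, **ias_options):
    """Part C steps 2-4 end to end (password as bytes): (reply to the Access-Request, accounting ok)."""
    req = build_access_request(1, username, password, secret)
    resp = simulated_ias(req, **ias_options)   # the stand-in keeps its own SECRET; a mismatch shows here
    if not verify_response(resp, req, secret):
        return ("unverifiable reply (shared secret mismatch?)", False)
    acct = build_accounting_start(2, username, secret)
    acct_ok = verify_response(simulated_ias(acct, **ias_options), acct, secret)
    return ({ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[resp[0]], acct_ok)
```

Calling ntradping("alice", b"Correct-Horse-9") returns ('Access-Accept', True), a wrong password returns ('Access-Reject', True), and a client secret that differs from the one the stand-in holds returns the "unverifiable reply" tuple: the server cannot recover the password and the client cannot validate the Response Authenticator, which is the same failure you see in NTRadPing when the secrets in the IAS client profile and in the MikroTik RADIUS entry do not match.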
Part D – Activating Domain Users for IAS RADIUS
Check the user's properties. Note that the “RAS and IAS Servers” group is meant for the IAS server's computer account (registering the service in Part A adds it); that membership lets IAS read the user's remote-access settings. The permission for the user comes from the Dial-in tab, next.
Next, on the user's Dial-in tab, set Remote Access Permission to Allow access.