General Point to Point Settings

Document revision 7-Jan-2003
This document applies to the MikroTik RouterOS V2.6

Overview

This section describes the user configuration for point-to-point links: PPP, PPTP, and PPPoE, as well as ISDN.

P2P (point-to-point) authentication on the MikroTik RouterOS is supported by a local authentication database or a RADIUS client. Authentication is supported for PPP asynchronous connections, PPPoE, PPTP, and ISDN PPP (local only). The authentication protocols supported are PAP, CHAP, and MS-CHAPv2. The authentication process is as follows: when P2P sends a user authentication request, the user ID is first checked against the local user database for any users that have the PPP attribute; if no matching user is found, the RADIUS client (if enabled) requests authentication from the RADIUS server. Note that users are always checked against the local database first and only then against the RADIUS server. Be careful not to have the same P2P user both in the local database and on the RADIUS server: in that case authentication finishes at the local database.

Contents of the Manual

The following topics are covered in this manual:

Installation

The ppp-2.6.x.npk package is required. The package can be downloaded from MikroTik's web page www.mikrotik.com. To install the package, upload it to the router with FTP and reboot. You may check whether the PPP package is installed with the command:

The RADIUS client and RADIUS accounting features are included in the PPP package.

Hardware Resource Usage

There is no significant resource usage.

Local Authentication Overview

Local P2P authentication is part of the general user database stored on the router; this database is also responsible for administrative authentication on the router. Certain attributes are supported for P2P users:

Local Authentication Management of P2P Users

P2P users are configured in the /ppp secret and /ppp profile submenus.

PPP Profile

With the PPP installation, one default profile is created. PPP profiles are used to define default values for the users managed in the /ppp secret submenu. Settings in /ppp secret override the corresponding /ppp profile settings, with one exception: when local-address or remote-address is configured in both /ppp secret and /ppp profile but one of them refers to an IP pool, the concrete IP address always takes precedence.

PPP profiles are configured as follows:

[admin@MikroTik] ppp profile> print
Flags: * - default
  0 * name="default" local-address=0.0.0.0 remote-address=0.0.0.0
      session-timeout=0s idle-timeout=0s use-compression=no
      use-vj-compression=yes use-encryption=no require-encyrption=no
      only-one=no tx-bit-rate=0 rx-bit-rate=0 incoming-filter=""
      outgoing-filter=""


[admin@MikroTik] ppp profile>
Argument description:
name - profile name
local-address - (either address or pool) Assigns an individual address to the PPP-Server
remote-address - (either address or pool) Assigns an individual address to the PPP-Client
session-timeout - The maximum time the connection can stay up. When set to 0, there is no timeout
idle-timeout - The link will be terminated if there is no activity within the time set, in seconds. When set to 0, there is no timeout
use-compression - defines whether to compress traffic or not
use-vj-compression - use Van Jacobson header compression
use-encryption - defines whether to encrypt traffic or not
require-encryption - defines whether to require encryption from the client or simply prefer it
only-one - allow only one connection at a time
tx-bit-rate - Transmit bitrate in bits/s
rx-bit-rate - Receive bitrate in bits/s
incoming-filter - Firewall chain name for incoming packets. If not empty, this firewall chain will get control over each packet coming from the client
outgoing-filter - Firewall chain name for outgoing packets. If not empty, this firewall chain will get control over each packet going to the client
Note that filter rules 'jumping' to the specified firewall chain are added automatically to the ppp firewall chain. This means that you should create the ppp chain and pass some (or all) of the packets to it in order to get the filtering function.

PPP Secret

The /ppp secret submenu defines P2P users and defines the owner and profile for each of them:
[admin@MikroTik] ppp secret> print
Flags: X - disabled
  #   NAME              SERVICE CALLER-ID       PASSWORD        PROFILE
  0   ex                any                     lkjrht          default
[admin@MikroTik] ppp secret> print detail
Flags: X - disabled
  0   name="ex" service=any caller-id="" password="lkjrht" profile=default
      local-address=0.0.0.0 remote-address=0.0.0.0 routes==""


[admin@MikroTik] ppp secret>
Argument description:
name - user name
service - specifies service that will use this user (any, async, isdn, pppoe, pptp)
caller-id - For PPTP, this may be set to the IP address which a client must connect from, in the form "a.b.c.d". For PPPoE, the MAC address which the client must connect from can be set, in the form "xx:xx:xx:xx:xx:xx". When this is not set, there are no restrictions on where clients may connect from
password - user password
profile - profile name for the user
local-address - (either address or pool) Assigns an individual address to the PPP-Server
remote-address - (either address or pool) Assigns an individual address to the PPP-Client
routes - routes that appear on the server when the client is connected. The route format is "dst-address gateway metric" (for example, "10.1.0.0/24 10.0.0.1 1"). Several routes may be specified, separated with commas
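The precedence rule between /ppp profile and /ppp secret described above (secret overrides profile, except that a concrete address beats a pool reference) and the "dst-address gateway metric" routes format are easy to get wrong when auditing a configuration. The following is an added example, not RouterOS code: a small resolver that computes the effective settings for one user from constructed profile and secret values. Function names, the dictionary layout and the sample values are this example's own assumptions.

```python
"""Resolve effective PPP settings from a /ppp profile and a /ppp secret (added example)."""
import ipaddress
from dataclasses import dataclass

UNSET = "0.0.0.0"  # RouterOS prints 0.0.0.0 for an address that is not configured


def is_pool_reference(value: str) -> bool:
    """Anything that is not a literal IPv4 address is taken to be an IP pool name."""
    try:
        ipaddress.IPv4Address(value)
        return False
    except ValueError:
        return True


def resolve_address(profile_value: str, secret_value: str) -> str:
    """Apply the manual's rule for local-address / remote-address:
    - only one side configured: use it
    - both configured, one concrete address and one pool: the concrete address wins
    - both configured, same kind: the /ppp secret value wins
    """
    p_set, s_set = profile_value != UNSET, secret_value != UNSET
    if s_set and not p_set:
        return secret_value
    if p_set and not s_set:
        return profile_value
    if not p_set and not s_set:
        return UNSET
    p_pool, s_pool = is_pool_reference(profile_value), is_pool_reference(secret_value)
    if p_pool != s_pool:
        return profile_value if s_pool else secret_value
    return secret_value


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


def parse_routes(routes: str) -> list:
    """Parse "10.1.0.0/24 10.0.0.1 1,10.2.0.0/24 10.0.0.1 2" into Route objects."""
    result = []
    for entry in routes.split(","):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split()
        if len(parts) != 3:
            raise ValueError(f"route entry must be 'dst gateway metric': {entry!r}")
        dst, gateway, metric = parts
        result.append(Route(ipaddress.IPv4Network(dst), ipaddress.IPv4Address(gateway), int(metric)))
    return result


def effective_settings(profile: dict, secret: dict) -> dict:
    """Merge the address and route settings of a /ppp secret over its /ppp profile."""
    merged = dict(profile)
    merged["user"] = secret.get("name")
    for key in ("local-address", "remote-address"):
        if key in secret:
            merged[key] = resolve_address(profile.get(key, UNSET), secret[key])
    merged["routes"] = parse_routes(secret.get("routes", ""))
    return merged


# Constructed sample values, modelled on the manual's print output (not real configuration)
DEFAULT_PROFILE = {"name": "default", "local-address": "10.5.0.1",
                   "remote-address": "pppoe-pool", "idle-timeout": "0s"}
SECRET_EX = {"name": "ex", "service": "any", "password": "lkjrht", "profile": "default",
             "local-address": "0.0.0.0", "remote-address": "10.5.0.2",
             "routes": "10.1.0.0/24 10.0.0.1 1,10.2.0.0/24 10.0.0.1 2"}

if __name__ == "__main__":
    print(effective_settings(DEFAULT_PROFILE, SECRET_EX))
```

In the sample, the profile hands out remote addresses from a pool while the secret pins a concrete 10.5.0.2, so the concrete address wins; the local address is unset in the secret, so the profile's 10.5.0.1 is used.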

Active Users

Currently active users can be viewed using the /ppp active print command:
[admin@web-proxy] ppp active> print
Flags: R - radius
  #   NAME         SERVICE CALLER-ID         ADDRESS         UPTIME ENCODING
  0   home         pptp    10.0.0.204        10.5.0.2        40m58s MPPE12...
[admin@web-proxy] ppp active> print detail
Flags: R - radius
  0   name="home" service=pptp caller-id="10.0.0.204"
      address=10.5.0.2 uptime=40m57s encoding="MPPE128 stateless"


[admin@web-proxy] ppp active>

Local Accounting of PPP Users

Local authentication and accounting are enabled by default and are used when the RADIUS client is disabled. The following is an example of the local accounting when a PPPoE connection is made to the PPPoE server (access concentrator).

[admin@Mikrotik]> log print

 dec/09/2002 18:11:14 <pppoe-test>: authenticated
 dec/09/2002 18:11:14 <pppoe-test>: connected
 dec/09/2002 18:11:15 test logged in
 dec/09/2002 18:11:26 test logged out, 12 3760 133 15 9
 dec/09/2002 18:11:26 <pppoe-test>: terminating... - disconnected
 dec/09/2002 18:11:26 <pppoe-test>: disconnected

The 'logged out' line is the accounting entry that is printed when the connection is terminated. It indicates that the connection of user test terminated at dec/09/2002 18:11:26. The numbers following the 'test logged out' entry represent the following:

12          session connection time in seconds
3760        bytes-in (from client)
133         bytes-out (to client)
15          packets-in (from client)
9           packets-out (to client)
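The local accounting line is the only per-session usage record the router keeps when RADIUS accounting is off, so a collector that parses /log print output is useful for monitoring. The following is an added example, not part of the manual or RouterOS: it parses constructed log lines in the shape shown above, pairs each 'logged in' with its 'logged out', extracts the five counters, and cross-checks the reported session time against the wall-clock difference of the two timestamps. The second user and its numbers are invented for the sample.

```python
"""Parse RouterOS local PPP accounting lines (added example, constructed sample log)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, copied in shape from the manual's /log print output
SAMPLE_LOG = """\
 dec/09/2002 18:11:14 <pppoe-test>: authenticated
 dec/09/2002 18:11:14 <pppoe-test>: connected
 dec/09/2002 18:11:15 test logged in
 dec/09/2002 18:11:26 test logged out, 12 3760 133 15 9
 dec/09/2002 18:11:26 <pppoe-test>: terminating... - disconnected
 dec/09/2002 18:11:26 <pppoe-test>: disconnected
 dec/09/2002 18:20:01 randy logged in
 dec/09/2002 18:25:07 randy logged out, 306 910220 50110 980 740
"""

LINE_RE = re.compile(r"^\s*(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^(?P<user>\S+) logged in$")
# "<user> logged out, <secs> <bytes-in> <bytes-out> <packets-in> <packets-out>"
LOGOUT_RE = re.compile(
    r"^(?P<user>\S+) logged out, (?P<secs>\d+) (?P<bytes_in>\d+) (?P<bytes_out>\d+) "
    r"(?P<pkts_in>\d+) (?P<pkts_out>\d+)$")
FIELDS = ("secs", "bytes_in", "bytes_out", "pkts_in", "pkts_out")


def parse_ts(ts: str) -> datetime:
    """RouterOS prints e.g. 'dec/09/2002 18:11:26'; strptime matches the month name case-insensitively."""
    return datetime.strptime(ts, "%b/%d/%Y %H:%M:%S")


def parse_sessions(text: str) -> list:
    """Return one record per completed session, pairing 'logged in' with 'logged out'."""
    open_logins = {}
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if (li := LOGIN_RE.match(msg)):
            open_logins[li["user"]] = ts
        elif (lo := LOGOUT_RE.match(msg)):
            rec = {"user": lo["user"], "logout": ts, "login": open_logins.pop(lo["user"], None)}
            rec.update({f: int(lo[f]) for f in FIELDS})
            # Wall-clock duration from the two log timestamps, for comparison with the
            # router's own session time (None if the login line was not seen).
            rec["wallclock_secs"] = (ts - rec["login"]).total_seconds() if rec["login"] else None
            sessions.append(rec)
    return sessions


def totals_per_user(sessions: list) -> dict:
    """Sum the counters of all completed sessions per user name."""
    totals = defaultdict(lambda: {f: 0 for f in FIELDS})
    for s in sessions:
        for f in FIELDS:
            totals[s["user"]][f] += s[f]
    return dict(totals)


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(s)
    print(totals_per_user(parse_sessions(SAMPLE_LOG)))
```

The wall-clock check is deliberately loose: in the manual's own sample the router reports 12 seconds while the login and logout timestamps are 11 seconds apart, because the session clock starts at link-up rather than at the 'logged in' log line.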

Authentication using RADIUS Server

RADIUS Overview

RADIUS authentication gives the ISP or network administrator the ability to manage P2P user access and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which can authenticate PPP, PPPoE, and PPTP connections (there is currently no ISDN remote access support). Features supported:

Note that if a RADIUS server is used, the resulting settings for the client are taken from the RADIUS server and from the default profile; settings received from the RADIUS server always override the corresponding settings taken from the default profile.

RADIUS Client Setup

To use the RADIUS client, enable it and set the appropriate parameters:

[admin@MikroTik] ppp radius-client> set enabled=yes primary-server 10.10.1.1 shared-secret users
[admin@MikroTik] ppp radius-client> print
                enabled: yes
             accounting: yes
         primary-server: 10.10.1.1
       secondary-server: 0.0.0.0
          shared-secret: "users"
    authentication-port: 1812
        accounting-port: 1813
         interim-update: 0s
[admin@MikroTik] ppp radius-client>

Description of the output:

enabled - (yes / no) Status of RADIUS client
accounting - (yes / no) Status of RADIUS accounting
primary-server - Primary RADIUS server
secondary-server - Secondary RADIUS server
shared-secret - the shared secret text string, which must match the one configured for this client on the RADIUS server
accounting-port - RADIUS accounting port
authentication-port - default port 1645 according to RFC
interim-update - defines the time interval between interim accounting updates sent from the router. If this interval is exceeded without an update, the RADIUS server will assume that the connection is down. This value is suggested to be not less than 3 minutes

RADIUS Client Monitor

The RADIUS client can be monitored using the monitor command, for example:

[admin@MikroTik] ppp radius-client> monitor                             
             pending: 0
            requests: 2
             accepts: 1
             rejects: 0
         bad-replies: 0
    last-request-rtt: 0s

[admin@MikroTik] ppp radius-client> 

Counters can be reset using the reset-counters command. A similar monitor exists for the HotSpot RADIUS client as well.

RADIUS Parameters

Authentication data sent to server (Access-Request)

Service-Type		always is Framed

Framed-Protocol		always is PPP

NAS-Identifier		router identity

NAS-Port-Type		Async (for async PPP)
			Virtual	(for PPTP)
			Ethernet (for PPPoE)
			ISDN Sync (for ISDN)

Calling-Station-Id	client MAC address (with CAPITAL letters) (for PPPoE)
			client public IP address (for PPTP)

Called-Station-Id	service name (for PPPoE)
			server IP address (for PPTP)
			interface MSN (for ISDN)

NAS-Port-Id		serial port name (for async PPP)
			ethernet interface name on which server is running (for PPPoE)

User-Name		client login name
Depending on the authentication method:
User-Password		encrypted password (used with PAP auth.)

CHAP-Password,
CHAP-Challenge          encrypted password and challenge (used with CHAP auth.)

MS-CHAP2-Response,
MS-CHAP-Challenge	encrypted password and challenge (used with MS-CHAPv2 auth.)

Data received from server (Access-Accept)

Framed-IP-Address	IP address given to the client. If address belongs to
                        networks 127.0.0.0/8, 224.0.0.0/4, 240.0.0.0/4, IP pool
                        is used from the default profile to allocate client IP address.

Framed-Pool		IP pool name (on the router) from which to get IP address
                        for the client. If specified, overrides Framed-IP-Address.

Idle-Timeout		idle-timeout parameter

Session-Timeout		session-timeout parameter

Class			cookie, will be included in Accounting-Request unchanged

Framed-Route		routes to add on the server. Format is specified in
                        RFC2865 (Ch. 5.22), can be specified as many times as needed.

Filter-Id		firewall filter chain name. It is used to make dynamic
                        firewall rule that will jump to specified chain, if
                        incoming or outgoing interface is client PPP, PPTP, PPPoE
                        interface. Firewall chain name can have suffix .in or .out,
			that will install rule only for incoming or outgoing
			traffic. Multiple filter-id can be provided, but only
                        last ones for incoming and outgoing is used.

Acct-Interim-Interval	interim-update for RADIUS client, if 0 uses the one
                        specified in RADIUS client.

MS-MPPE-Encryption-Policy  require-encryption parameter
MS-MPPE-Encryption-Type    use-encryption parameter. Non-zero value means use encryption

Ascend-Data-Rate	tx/rx data rate limitation (for PPPoE). If multiple
                        attributes are provided, the first limits the tx data rate,
                        the second the rx data rate. 0 if unlimited.

MS-CHAP2-Success	auth. response if MS-CHAPv2 was used

MS-MPPE-Send-Key
  and MS-MPPE-Recv-Key  encryption keys for encrypted PPP, PPTP and PPPoE,
			provided by the RADIUS server only if MS-CHAPv2 was
			used for authentication (for PPP, PPTP, PPPoE only)

Note that the received attributes override the default ones (set in the default profile), but if an attribute is not received from the RADIUS server, the default one is used.
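The Access-Accept rules above have several edge cases a defender should be able to predict: Framed-Pool beating Framed-IP-Address, a Framed-IP-Address in 127.0.0.0/8, 224.0.0.0/4 or 240.0.0.0/4 falling back to the default profile's pool, only the last Filter-Id per direction counting, and two Ascend-Data-Rate attributes meaning tx then rx. The following is an added example, not RouterOS code, that applies a received attribute list over a constructed default profile according to those rules; the profile dictionary, the function name and the sample attribute values are this example's own assumptions, and the default profile's remote-address is assumed to name a pool.

```python
"""Apply RADIUS Access-Accept attributes over a default PPP profile (added example)."""
import ipaddress

# Ranges for which the manual says the default profile's pool is used instead of the address
POOL_FALLBACK = [ipaddress.IPv4Network(n) for n in ("127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed default profile, in the shape of the manual's /ppp profile print output
DEFAULT_PROFILE = {
    "local-address": "10.5.0.1", "remote-address": "pppoe-pool",   # remote-address is a pool
    "session-timeout": 0, "idle-timeout": 0, "use-encryption": False,
    "require-encryption": False, "tx-bit-rate": 0, "rx-bit-rate": 0,
    "incoming-filter": "", "outgoing-filter": "", "interim-update": 0, "routes": [],
}


def apply_access_accept(default_profile, attributes):
    """Merge (name, value) pairs from an Access-Accept, in the order received, over the profile."""
    s = dict(default_profile)
    s["routes"] = list(default_profile.get("routes", []))
    framed_ip, pool, rates = None, None, []
    filters = {"in": None, "out": None}
    for name, value in attributes:
        if name == "Framed-IP-Address":
            framed_ip = ipaddress.IPv4Address(value)
        elif name == "Framed-Pool":
            pool = value
        elif name == "Idle-Timeout":
            s["idle-timeout"] = int(value)
        elif name == "Session-Timeout":
            s["session-timeout"] = int(value)
        elif name == "Acct-Interim-Interval":
            if int(value) != 0:            # 0 keeps the RADIUS client's own interim-update
                s["interim-update"] = int(value)
        elif name == "Class":
            s["class"] = value             # echoed unchanged in Accounting-Request
        elif name == "Framed-Route":
            s["routes"].append(value)      # may appear as many times as needed
        elif name == "Filter-Id":
            chain, dot, suffix = value.rpartition(".")
            if dot and suffix in filters:
                filters[suffix] = chain    # last one received per direction wins
            else:
                filters["in"] = filters["out"] = value
        elif name == "Ascend-Data-Rate":
            rates.append(int(value))       # first = tx, second = rx, 0 = unlimited
        elif name == "MS-MPPE-Encryption-Type":
            s["use-encryption"] = int(value) != 0
        elif name == "MS-MPPE-Encryption-Policy":
            s["require-encryption"] = int(value) == 2   # RFC 2548: 1 = allowed, 2 = required
    if pool is not None:
        s["remote-address"] = pool         # Framed-Pool overrides Framed-IP-Address
    elif framed_ip is not None:
        if any(framed_ip in net for net in POOL_FALLBACK):
            s["remote-address"] = default_profile["remote-address"]  # assumed to be a pool
        else:
            s["remote-address"] = str(framed_ip)
    for direction, key in (("in", "incoming-filter"), ("out", "outgoing-filter")):
        if filters[direction] is not None:
            s[key] = filters[direction]
    if rates:
        s["tx-bit-rate"] = rates[0]
    if len(rates) > 1:
        s["rx-bit-rate"] = rates[1]
    return s


if __name__ == "__main__":
    sample = [("Framed-IP-Address", "127.0.0.1"), ("Idle-Timeout", "600"),
              ("Filter-Id", "customer.in"), ("Filter-Id", "strict.in"), ("Filter-Id", "egress.out"),
              ("Ascend-Data-Rate", "64000"), ("Ascend-Data-Rate", "128000"),
              ("MS-MPPE-Encryption-Type", "6")]
    print(apply_access_accept(DEFAULT_PROFILE, sample))
```

Attributes the server did not send are left at the profile's value, which is the fallback behaviour the note above describes.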

Accounting information sent to server (Accounting-Request)

Acct-Status-Type	Start, Stop, or Interim-Update
Acct-Session-Id		accounting session ID
Service-Type		same as in request
Framed-Protocol		same as in request
NAS-Identifier		same as in request
User-Name		same as in request
NAS-Port-Type		same as in request
NAS-Port-Id		same as in request
Calling-Station-Id	same as in request
Called-Station-Id	same as in request
Acct-Authentic		authenticated by whom
Framed-IP-Address	IP address given to the user
Class			RADIUS server cookie
RADIUS attributes additionally included in Stop and Interim-Update Accounting-Request packets:
Acct-Session-Time	connection uptime in seconds
Acct-Input-Octets	bytes received from the client
Acct-Input-Packets	packets received from the client
Acct-Output-Octets	bytes sent to the client
Acct-Output-Packets	packets sent to the client
Stop Accounting-Request packets can additionally have:
Acct-Terminate-Cause	session termination cause (described in RFC2866 Ch. 5.10)
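To see what the attribute lists above look like on the wire, and which integrity checks a client and a server can perform on them, the following added example builds a PAP Access-Request with the attributes from "Authentication data sent to server", verifies the Response Authenticator of an Access-Accept, and builds an Accounting-Request Stop carrying the counters listed under "Accounting information sent to server". It is not RouterOS code and does not talk to a server; the RFC 2865/2866 packet layout, attribute numbers and authenticator formulas are standard, while the function names, the NAS identity and the sample values are this example's own. User-Password hiding (RFC 2865 section 5.2) is the "encrypted password" the PAP line refers to: an MD5-based XOR, not a cipher, which is why the shared secret must be strong and the transport between router and server must be trusted.

```python
"""Build and verify RADIUS Access-Request / Accounting-Request packets (added example)."""
import hashlib
import hmac
import os
import struct

# RFC 2865/2866 packet codes and attribute numbers for the attribute names the manual lists
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
ATTR = {"User-Name": 1, "User-Password": 2, "Service-Type": 6, "Framed-Protocol": 7,
        "Framed-IP-Address": 8, "Called-Station-Id": 30, "Calling-Station-Id": 31,
        "NAS-Identifier": 32, "Acct-Status-Type": 40, "Acct-Input-Octets": 42,
        "Acct-Output-Octets": 43, "Acct-Session-Id": 44, "Acct-Authentic": 45,
        "Acct-Session-Time": 46, "Acct-Input-Packets": 47, "Acct-Output-Packets": 48,
        "Acct-Terminate-Cause": 49, "NAS-Port-Type": 61, "NAS-Port-Id": 87}
NAS_PORT_TYPE = {"Async": 0, "ISDN Sync": 2, "Virtual": 5, "Ethernet": 15}
SERVICE_FRAMED, PROTOCOL_PPP, ACCT_STOP, ACCT_AUTH_RADIUS = 2, 1, 2, 1

def attr(name, value):
    """Encode one Type-Length-Value attribute; integers go as 32-bit big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", ATTR[name], 2 + len(value)) + value

def parse_attrs(data):
    """Decode a TLV attribute run into (type, raw value) pairs."""
    out, i = [], 0
    while i < len(data):
        length = data[i + 1]
        out.append((data[i], data[i + 2:i + length]))
        i += length
    return out

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password (the server side); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, ident, port_type, calling, called,
                         port_id, nas_id="MikroTik", authenticator=None):
    """PAP Access-Request carrying the attribute set the manual lists; returns (packet, RA)."""
    ra = authenticator or os.urandom(16)   # Request Authenticator must be unpredictable
    attrs = b"".join([
        attr("Service-Type", SERVICE_FRAMED), attr("Framed-Protocol", PROTOCOL_PPP),
        attr("NAS-Identifier", nas_id), attr("NAS-Port-Type", NAS_PORT_TYPE[port_type]),
        attr("Calling-Station-Id", calling), attr("Called-Station-Id", called),
        attr("NAS-Port-Id", port_id), attr("User-Name", user),
        attr("User-Password", hide_password(password.encode(), secret, ra))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra

def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def verify_response(response, request_authenticator, secret):
    """The check a client must make before trusting an Access-Accept or Access-Reject."""
    if len(response) < 20 or int.from_bytes(response[2:4], "big") != len(response):
        return False
    expected = response_authenticator(response[0], response[1], response[20:],
                                      request_authenticator, secret)
    return hmac.compare_digest(expected, response[4:20])

def build_accounting_stop(user, session_id, secret, ident, uptime, bytes_in, bytes_out,
                          pkts_in, pkts_out, cause, nas_id="MikroTik"):
    """Accounting-Request Stop with the counters the manual lists (RFC 2866 s3 authenticator)."""
    attrs = b"".join([
        attr("Acct-Status-Type", ACCT_STOP), attr("Acct-Session-Id", session_id),
        attr("Service-Type", SERVICE_FRAMED), attr("Framed-Protocol", PROTOCOL_PPP),
        attr("NAS-Identifier", nas_id), attr("User-Name", user),
        attr("Acct-Authentic", ACCT_AUTH_RADIUS), attr("Acct-Session-Time", uptime),
        attr("Acct-Input-Octets", bytes_in), attr("Acct-Output-Octets", bytes_out),
        attr("Acct-Input-Packets", pkts_in), attr("Acct-Output-Packets", pkts_out),
        attr("Acct-Terminate-Cause", cause)])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    ra = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()  # 16 zero octets
    return header + ra + attrs

def verify_accounting_request(pkt, secret):
    """Server-side check of the accounting Request Authenticator."""
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])
```

A client that skips verify_response accepts any Access-Accept that carries the right identifier, which is why the shared secret is part of both authenticators; the accounting Stop reuses the five counters that the local accounting log line prints.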

RADIUS Servers Suggested

The MikroTik RouterOS RADIUS client should work well with all RFC-compliant servers. It has been tested with:

Vircom RADIUS http://www.vircom.com/
Livingston RADIUS 2.1 http://www.livingston.com/

PPPoE Bandwidth Setting

For local authentication, this can be set in the /ppp profile menu with the tx-bit-rate and rx-bit-rate values (in bits/s). For RADIUS authentication, the account of each user on the RADIUS server should be set with the parameter Ascend-Data-Rate (vendor id: 529, attribute id: 197, in bits/s).

PPP Troubleshooting

RADIUS Server Configuration Example

Below are the general steps for configuring a RADIUS server under UNIX. Let us assume you have downloaded a server distribution, installed it, and the service is running.

  1. Check what ports are used for RADIUS authentication and accounting. You can use the 'netstat -l' or 'netstat -ln' command, for example:

    [root@server home]# netstat -ln
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      
    tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      
    udp        0      0 0.0.0.0:1812            0.0.0.0:*                           
    udp        0      0 0.0.0.0:1813            0.0.0.0:*                           
    ...
    

  2. Make sure your RADIUS clients are listed in the clients file. It should contain the client's IP address or hostname and the secret key, for example:

    [root@server raddb]# cat clients 
    #Client Name            Key
    #----------------       -------------------
    10.5.15.4               rm219pppoe-radius
    10.5.6.5                a-hotspot-radius
    10.0.0.100              artis-secret
    [root@server raddb]# 
    

  3. Make sure the RADIUS attributes used are included in the dictionary file, which contains the dictionary translations used for parsing requests and generating responses. For example, for the vendor-specific attributes of Ascend and MikroTik, the dictionary file should contain the lines:

    [root@server raddb]# cat dictionary
    ...
    VENDOR      Ascend      529
    VENDOR      Mikrotik    14988
    
    #
    #   Bandwidth limitation (in bits/s)
    #
    ATTRIBUTE   Ascend-Data-Rate        197 integer     Ascend
    
    #
    #   Traffic limitation (in bytes)
    #
    ATTRIBUTE   Mikrotik-Recv-Limit     1   integer     Mikrotik
    ATTRIBUTE   Mikrotik-Xmit-Limit     2   integer     Mikrotik
    [root@server raddb]#
    

  4. All users should be listed in the 'users' file, for example:

    [root@server raddb]# cat users
    randy           Password = "w7fxc"
                    Service-Type = Framed-User,
                    Framed-Protocol = PPP,
                    Framed-IP-Address = 10.5.13.19,
                    Ascend-Data-Rate = 64000,
    
    monica          Password = "bil"
                    Service-Type = Framed-User,
                    Framed-Protocol = PPP,
    [root@server raddb]# 
    

  5. If you have changed RADIUS server settings, you most probably have to restart the RADIUS daemon (see its instructions). For example, you may have to issue the following command on your server:

    [root@server raddb]# /etc/rc.d/init.d/radiusd restart
    Shutting down radiusd: [  OK  ]
    Starting radiusd: [  OK  ]
    [root@server raddb]# 
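A mismatch between the attribute names used in the users file and the definitions in the dictionary file is a common reason the server rejects or silently drops reply attributes (step 3 above). The following added example, not part of the manual or of any RADIUS server, parses constructed dictionary and users files in the Livingston-style layout shown above and reports attribute names that neither a small built-in set of RFC 2865 names nor the dictionary defines. The sample "monica" entry carries a deliberately misspelled attribute so the check has something to find; the file contents, the base attribute set and the function names are this example's own.

```python
"""Cross-check a RADIUS users file against the dictionary file (added example)."""
import re

# Constructed samples in the shape of the manual's dictionary and users files;
# the "monica" entry carries a deliberately misspelled attribute name.
SAMPLE_DICTIONARY = """\
VENDOR      Ascend      529
VENDOR      Mikrotik    14988
#   Bandwidth limitation (in bits/s)
ATTRIBUTE   Ascend-Data-Rate        197 integer     Ascend
#   Traffic limitation (in bytes)
ATTRIBUTE   Mikrotik-Recv-Limit     1   integer     Mikrotik
ATTRIBUTE   Mikrotik-Xmit-Limit     2   integer     Mikrotik
"""

SAMPLE_USERS = """\
randy           Password = "w7fxc"
                Service-Type = Framed-User,
                Framed-Protocol = PPP,
                Framed-IP-Address = 10.5.13.19,
                Ascend-Data-Rate = 64000,

monica          Password = "bil"
                Service-Type = Framed-User,
                Framed-Protocol = PPP,
                Mikrotik-Recv-Limt = 100000000,
"""

# Standard RFC 2865 attribute names a base dictionary already knows (a subset, for the example)
STANDARD_ATTRS = {"Password", "Service-Type", "Framed-Protocol", "Framed-IP-Address",
                  "Framed-Pool", "Framed-Route", "Idle-Timeout", "Session-Timeout",
                  "Filter-Id", "Class", "Acct-Interim-Interval"}

ITEM_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,]+)')


def parse_dictionary(text):
    """Return ({vendor: id}, {attribute: (number, type, vendor or None)})."""
    vendors, attributes = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif parts[0] == "ATTRIBUTE":
            vendor = parts[4] if len(parts) > 4 else None
            attributes[parts[1]] = (int(parts[2]), parts[3], vendor)
    return vendors, attributes


def parse_items(text):
    """Split 'A = x, B = "y",' into [("A", "x"), ("B", "y")]."""
    return [(m.group(1), m.group(2).strip().strip('"')) for m in ITEM_RE.finditer(text)]


def parse_users(text):
    """Return {user: {"check": [...], "reply": [...]}} from a Livingston-style users file."""
    users, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:                # blank line ends the current entry
            current = None
            continue
        if stripped.startswith("#"):
            continue
        if not line[0].isspace():       # "name   check-items" starts an entry
            name, _, rest = line.partition(" ")
            current = users[name] = {"check": parse_items(rest), "reply": []}
        elif current is not None:       # indented lines are reply items
            current["reply"].extend(parse_items(line))
    return users


def unknown_attributes(users, attributes):
    """Attribute names used in the users file that neither the base set nor the dictionary defines."""
    known = STANDARD_ATTRS | set(attributes)
    problems = {}
    for name, entry in users.items():
        bad = [a for a, _ in entry["check"] + entry["reply"] if a not in known]
        if bad:
            problems[name] = bad
    return problems


if __name__ == "__main__":
    _, attrs = parse_dictionary(SAMPLE_DICTIONARY)
    print(unknown_attributes(parse_users(SAMPLE_USERS), attrs))
```

Run against real files, the same check also surfaces attributes that were added to users entries before the matching VENDOR and ATTRIBUTE lines were added to the dictionary, which is the situation step 3 warns about.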
    

Remember that users included in the router's ppp secret list are not authenticated using the RADIUS server!

To troubleshoot your RADIUS server and client setup:

  1. use /ppp radius-client monitor, or /ip hotspot radius-client monitor commands,
  2. examine RADIUS server log files.


© Copyright 1999-2002, MikroTik