A free radius server for Wireless, Hotspot, PPP, users and DHCP

Captions
Okay, thank you again. So, did you miss me? Yeah, absolutely, yes. So, well, here we are again for my presentation about User Manager. It's a free RADIUS server for wireless, for hotspots, PPP, users and DHCP, so this is why I call it with a short name like "User Manager playbook". So I will jump for you all this part.

Yes, here we can start. The User Manager: it's an additional package for RouterOS, and it's a powerful RADIUS server that can be used for managing authentication for the hotspot, the PPP, for RouterOS users, for the wireless clients and for the DHCP clients against a DHCP server. And it's free.

Why I prepared this presentation: because during trainings students usually ask me about info or suggestions on which RADIUS server to use, and the User Manager is not well known. This is a fact, but there are reasons for not using the RADIUS included in RouterOS and for free; let's check. It's also not well known where RouterOS can ask authentication to a RADIUS server. Yes, everyone knows that hotspot and PPP can use a RADIUS for making authentication, but it is not well known that it can authenticate RouterOS users, so the access to the router, the wireless clients, and also into the CAPsMAN and into the DHCP server.

And the question is: how many of you are using the User Manager? One, just two, three, four. Whew. So yes, I agree that User Manager is not a corporate RADIUS, yes, it's a simple product, but it's free and it's inside any RouterOS device. Like this one: it can run RADIUS, yes; you can run User Manager, yes. That's it. In fact, I'm running here a User Manager inside a mAP powered by a USB.

This is not a full presentation about the User Manager, because it would take hours and will be boring, with a lot of things to see. It's just a playbook to be used in conjunction with the wiki, so with the wiki and my slides, with some tricks that I made to avoid common mistakes, yes, you can use with success the User Manager in a lot of environments. You can also check the wiki for all the manuals; you can take user
management training classes from my trainer. And I was also, I don't know why, maybe because I was, like, the one in the world that spread the User Manager to the other trainers in the world. I don't know why, but it happened this way.

So the User Manager is a RADIUS server, nothing less, nothing more. RADIUS means Remote Authentication Dial-In User Service. It was designed in the 80s, I remember; it was such this protocol after the TACACS, you know, the TACACS or TACACS+. Yes, one, two, three, four, okay, yes. When I started with my Cisco SS concentration, yes, I had one, I had the TACACS server for managing central authentication for dial-in users, and only then, after a few years, we had the new protocol of RADIUS. It's a later protocol that provides centralized authentication, authorization and accounting, called also AAA, triple A. And the RADIUS packets from my clients to the RADIUS servers use UDP packets.

A RADIUS server is useful to manage centralized authentication. What does it mean? From one central RADIUS you can manage authentication, authorization and accounting, triple A, in many routers, one or 100 or 1000, and it doesn't matter, sorry, if they are in the neighborhood or they are in another part of the world. It's just a server that provides authentication.

This way a client asks a RADIUS for the authentication, providing the credentials that were gained from the users. Users provide username and password for any service, say, it doesn't matter what. The RADIUS client asks at the RADIUS server whether they can have access. It's a question, using this username and password. The RADIUS will reply with yes, accept, or yes, reject, and will pass a lot of parameters, 1 or 10 or 20, it depends. There exists a dictionary that you can check to make a lot of implementations. You can pass a lot of parameters to create custom services for your needs.

RouterOS has a RADIUS client that is included in the system, so you don't have to add optional packages or special licenses; it's included in the system. It can ask
authentication to any standard RADIUS server, so like User Manager or like FreeRADIUS or other RADIUS on the market. And also the RADIUS client is free, of course it is.

This is the RADIUS client. On the main menu there is a RADIUS button. You can add more than one RADIUS client into your RouterOS. Why? Because you can add different RADIUS servers for each service that you want to authenticate, or you can add more than one server for having redundant RADIUS servers to ask authorization from. So for each RADIUS client you can specify the services that you want to use with this server. For instance, this is a bad example for you, because usually a single RADIUS server is used for a single service. This is just a practical version, but it can exist this way, yes, of course, but it's unusual.

The address of the RADIUS server: this example uses the localhost address, because I'm using the RADIUS client in this small router and I have the User Manager, the RADIUS server, in the same machine, so this client is asking RADIUS queries to the local machine. And a secret: a RADIUS requires a secret password to authenticate the requests, so no other clients without the correct pre-shared key can make queries. The ports, the standard ones, that you can set up and customize. The timeout: if the RADIUS does not reply in this time, it will ask the next one, and so on.

And a rule of thumb that we usually forget is that RouterOS will use the local user database first, and only then, if no user matches any records, will ask a RADIUS server, if it was set, of course. If I have to authenticate a user that exists in the local user database, for example for hotspot, I will use a RADIUS to authenticate customers, but if I write a user name in the secrets in my hotspot, RouterOS will check the user first and, if it exists, will use this user without asking RADIUS. So it's nice to play with the two databases, because you will have an admin local account, of course, and the others remote. But we have to be
careful when you migrate from local to RADIUS, because we have to remove the users from the local database.

Where is the User Manager? You have to manually install this optional package. You have to download the "all packages" zip file from MikroTik, you have to take the User Manager package, drag it into Files, reboot, and only then you will have the User Manager running. It is not included in the photo package. The requirements are very, very minimal: only 32 MB of RAM and 2 MB of free space, so today any device can run the RADIUS server User Manager. It works also on any x86 or Cloud Hosted Router also. And this is the product that I like, the smallest one; it has a magnet, you know, you can attach it onto any iron surface, onto a rack or fridge or your car, any place you like.

And about the licensing: the User Manager is free, but has different limitations depending on your RouterOS license level. So it works on level 3, on the CPE also, on the small devices, level 3, but supports only 10 active sessions. Level 4, like this one, supports 20 concurrent active sessions; level 5, 50; level 6, unlimited.

And it has a web interface. This is the web interface of the User Manager, and it's a different address and different managing, everything is different, because the address is the IP address of the router with "/userman". This is the difference. Obviously, in IP Services you should enable the www service or you will not be able to reach this interface.

This is the main menu, and I will not explain everything to you. Routers: you can set up all the routers managed by this RADIUS server, so if you're adding routers you have to add every router here. I will play with my browser. This is my mAP. On the routers you can add, it's a very, very simple interface, all the routers you want. You can manage them: a name for this router, the IP address of the router, the shared secret, and that's it. You have the users, that are the users that will authenticate using the RADIUS. And the common
mistake, where I have a special slide, is to mess up between users and customers, because customers are the administrators of the User Manager, the ones that log in to User Manager. The sessions: the active sessions that you can see when connected. The logs. The interface for with people, for example. Profiles, that I will show you later: profiles and limitations, they are mandatory; it is the first thing you have to do in a User Manager configuration. Global settings: you can also translate, using a text file, into your language, into any language. Reports, active sessions, active users, and the search. And here you can back up the database for maintenance or for special purposes, or restore. But it's very, very easy to manage.

And we have also the command line interface. So from inside RouterOS, under Tool, User Manager, you can manage anything: customer, database, history, log, payment, profile, router, session, users. As you can see, everything, because the User Manager is separate from RouterOS: no users in common, no configuration in common. So if you want to export the configuration of the User Manager, you have to export inside Tool, User Manager, and you can output all the config of the User Manager only.

And here on the wiki you can find almost all the settings of the User Manager. It's very easy to follow to deploy the first one.

And now some tips from experience. The first thing you have to do is to change the User Manager default password, because, as I said to you before, there is nothing in common with RouterOS users or anything. So the default user is admin with no password. The first thing you have to do is to change or to set up a password for the admin user, or to create a new, different one.

I told you that we have to add the routers to be managed, and the first thing after that is to create profiles and limitations before adding users, because every user should be interpreted, so we have first to create a profile. That's it. It's one of the common mistakes: I start adding users and obtain errors. Users are the
ones that will authenticate, and customers the administrators only.

Services that can be managed through User Manager or any RADIUS. PPP services are one of the most common. In the PPP secrets there is this button, "PPP Authentication & Accounting". Pushing this button you can enable the RADIUS to be queried for all the PPP services. In this way you can manage authentication and accounting for PPPoE clients, PPTP, L2TP, OpenVPN, SSTP; any PPP secrets can be authenticated through a RADIUS server like User Manager. This way you can easily manage any VPN authentication by one RADIUS server. It's a centralized management of VPN servers.

Remember that when a RADIUS replies to the RADIUS client with a few attributes, they will override the settings in the profile of RouterOS. For example, I'm using a PPP profile for a PPPoE or L2TP, PPTP, SSTP, it doesn't matter, and you have to use a profile for this kind of service. In this example I set up a limit of 2 Meg upload and download. But if a user logs in to this PPP service authenticated by User Manager or any RADIUS, and this RADIUS has in the profile the limits of 1 Meg, 1 Meg, I show you, sorry, I forgot to delete for you. This is the limit set up in the PPP profile, but in the User Manager I set up 1 Meg, 1 Meg. This user will obtain this speed, the one that the RADIUS replies. If the RADIUS will not reply with any speed limitation, the client will use this one. Is it clear, the logic of work? Yes.

And in the profile, in the limitation, sorry, in the User Manager, here at the bottom, you have some constraints: group name, IP pool, address list. So depending on the services, you can provide an IP pool name attribute in the RADIUS reply, or an address list name where to put the IP address provided by the RADIUS, or the group. The group can assume two different functions: for the RouterOS users, that we will see later, it's the user group name where to put this user, or the profile for the hotspot users.

After PPP, the second common
is for hotspot services. You can enable the RADIUS to be used in a hotspot server profile, RADIUS tab, "Use RADIUS". In a lot of RADIUS clients you can also specify location ID, the MAC format; I don't know why MAC format. You can select it from a pulldown menu, the format of the MAC address, depending on the RADIUS server; a RADIUS server maybe accepts a different format, and you can choose which one you want. With the RADIUS or User Manager you can easily manage a lot of hotspots with just one user database, and this is a centralized management for hotspot servers.

This is one of my favourite RADIUS client applications: the authentication of RouterOS users using RADIUS or User Manager. And now I have a question for you: do you think it will be possible to disconnect a RouterOS user from Winbox or CLI? For example, I'm logged in to my router, I see me, with admin, and a strange user connected. Can you disconnect this user? Raise your hands. No one? No. Yes, you're right, no. Once connected, there is no kill button, no minus button. Once a user was connected, it was impossible to disconnect it. Yes, you can try to force disconnection using the firewall, dropping the packets against this IP address, yes, but you can't just disconnect it.

But you can, using the RADIUS. The RADIUS client in RouterOS supports RADIUS incoming, or CoA. In the RADIUS client, the "Incoming" button: you can enable the RADIUS incoming, and the port, and the RADIUS server should support this function, like User Manager does. When you set up a router: RADIUS incoming, CoA, a port and the port name, and that's it. In this way the client, I will jump back, will accept incoming commands sent by a RADIUS server or User Manager. So if you want to disconnect any user type from User Manager or any RADIUS server, you can just select an active session, right-click and "Close session". That's it. You don't have to connect or to log in with Winbox to the router. This is one of the best advantages of using RADIUS.

To enable RouterOS user
authentication, you have to go into the Users; you have the button "AAA", and then enable "Use RADIUS". This is a great implementation for anyone that manages a network: to put into the routers physical RouterOS users just for use in case of a major emergency, and all the other technicians authenticated by RADIUS. So if one day you change an employee, you have just to close the account and that's it. If you want to change the password for one of your technicians, you have just to change the password in the RADIUS server and that's it.

DHCP server is one of the less used applications of a RADIUS, because it's possible to use the RADIUS for managing DHCP server leases, so you can manage Jenya servers in a centralized mode. You have to enable, in the DHCP server, "Use RADIUS", at the end of the box. In this case, each time a layer 2 device tries to request an IP address from this DHCP server, it will ask a RADIUS server, passing not user name and password but the MAC address. This is the interface in the User Manager: I create a user for the DHCP server, putting into the user name the MAC address of the layer 2 device, and the IP address, if static, the IP address that I want to provide to it. For example, if there is a pool, you don't have to fill this field. This static assignment is made by the RADIUS server.

And the last service is wireless clients. It is possible to use the RADIUS or the User Manager for managing wireless clients connecting to any access point, and with central management. It works against the access list. Remember that in any case RouterOS will look first into the local user database; in this case it is the access list. First it will check the access list, then, if set up, it will ask a RADIUS. And it would be possible to disconnect any wireless client, if the incoming was enabled, from the RADIUS server, without logging in to every single access point. In the security profile in Winbox there is a RADIUS tab and MAC authentication. In the User
Manager, like DHCP, you have just to put as username the MAC address of the wireless clients that you have to authenticate. But it is not finished there, because you can also specify, opening this window, "Wireless", different attributes to reply. For example, you can enable for this wireless client a special pre-shared key with this encryption algorithm, so in this case you will accept this wireless encryption instead of the one specified in the wireless security profile.

And also in the CAPsMAN. So if you are using the CAPsMAN, I will jump back, you will not use the access list; using the CAPsMAN, because the CAPsMAN will have its own access list, and you can use the RADIUS server to manage authentication of wireless stations against APs managed by a CAPsMAN, and it would be possible to disconnect them by the RADIUS. Set up a rule in an access list in the CAPsMAN. So here we are in the CAPsMAN access list. We have to create rules, and this creates different scenarios, because you can have a lot of rules, and in these rules maybe you want to check different things, and only at the end, just for example, you can create a rule where the action is "query radius". So you can do a lot of things and then query RADIUS.

So all these functions and this power of RouterOS can be run on my devices also. Obviously you can't compare the User Manager to an enterprise RADIUS server, of course. Remember that RouterOS can fit these devices, and they can run hotspot, OSPF, MPLS, BGP and the User Manager. This is awesome. All this brand can do that.

And this is a picture that I shot at the previous MUM in Dallas. Yes, it was running, was live running, at the IP ArchiTechs, and they made this interesting lab: it was the world's smallest MPLS ISP. Yes, and it was running. It's incredible.

I hope you enjoyed my presentation, and from today we start to increase the use of the User Manager, that is included and is free. It's fabulous for small applications, for call more than before.
Thank you. Any questions? No? Easy. Yes, one. So yes, yes, I will send them and they will publish them in a few days, yes, on the MUM website. So thank you.

OK, so lunch time. Lunch will happen in the same area as the hotel breakfast, on the opposite side of the registration of the hotel. So see you back in one and a half hours for the next presentation.
Info
Channel: MikroTik
Views: 45,975
Rating: 4.818182 out of 5
Keywords: mikrotik, routerboard, routeros, latvia
Id: gvP9Q3VCMbg
Length: 34min 15sec (2055 seconds)
Published: Thu Jun 02 2016