I have a Mikrotik which works as a PPTP server, and Freeradius for authentication and authorization.

How can I assign a PPTP user's IP or name in Freeradius (user1 = 10.11.1.145 in my case) to Mikrotik's firewall group?
I need all this because firewall groups help to deal with rules better.

I've tried to add this record to the radreply table:

INSERT INTO radius.radreply (username, attribute, op, value) VALUES ('user1', 'Mikrotik-Address-List', ':=', 'remote_managers');

but without results.

After user1 connected to the Mikrotik, there is a record in the log that MT-Address-List="remote_managers", but it doesn't appear in Firewall > Address List.

Daniele Santi

1 Answer

By 'Mikrotik's firewall group', are you referring to 'Mikrotik User Group'?

If so, find a way to make Freeradius give 'reply:Mikrotik-Group' in the response.

Please read https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Access-Accept

I'm also playing with FreeRadius and Mikrotik, but I take the 'rest' path rather than 'unlang'. Nothing wrong with unlang (it's the default), just make sure you really know how to read-set some attributes with it.

Bino Oetomo
  • What do you mean by "Did you refer 'Mikrotik's firewall group' to 'Mikrotik User Group'"? I don't need User Groups; what I need is this scheme: when user user1 (for example) connects to Mikrotik's PPTP server, the router puts the user's IP address into the firewall address list "remote_managers". I know that it's possible, but I cannot implement it in practice. – Newbie21231 May 10 '19 at 06:19
  • Referring to https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Access-Accept, it would be the MIKROTIK_ADDRESS_LIST attribute. – Newbie21231 May 10 '19 at 06:23
  • The next interesting thing is that Mikrotik understands the 'Mikrotik-Address-List' value (https://i.imgur.com/z0C4T4k.jpg), but the new address list doesn't appear in the firewall. – Newbie21231 May 11 '19 at 08:43
  • @Newbie21231, what if you pre-define an address list called 'remote_managers' (it may need 1 fake IP)? Maybe the access-accept part of Mikrotik's RADIUS client is only able to 'add' the IP to an existing address list and can't 'create a new address list'. – Bino Oetomo May 14 '19 at 04:12
  • Yep, I understand you clearly. I tried such conditions a couple of days ago, but with no luck. – Newbie21231 May 15 '19 at 06:11