3 connection terminating from radius – Allied Telesis AT-WR4500 User Manual

AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers

133

RouterOS v3 Configuration and User Guide

domain (text; default: "") - Microsoft Windows domain of client passed to RADIUS servers that require
domain validation
realm (text) - explicitly stated realm (user domain), so the users do not have to provide proper ISP
domain name in user name
secret (text; default: "") - shared secret used to access the RADIUS server
service (multiple choice: hotspot | login | ppp | telephony | wireless | dhcp; default: "") - router services
that will use this RADIUS server
hotspot - HotSpot authentication service
login - router's local user authentication
ppp - Point-to-Point clients authentication
telephony - IP telephony accounting
wireless - wireless client authentication (client's MAC address is sent as User-Name)
dhcp - DHCP protocol client authentication (client's MAC address is sent as User-Name)
timeout (time; default: 100ms) - timeout after which the request should be resend

The order of the items in this list is meaningful.
Microsoft Windows clients send their usernames in form domain\username
When RADIUS server is authenticating user with CHAP, MS-CHAPv1, MS-CHAPv2, it is not using shared
secret, secret is used only in authentication reply, and router is verifying it. So if you have wrong shared
secret, RADIUS server will accept request, but router won't accept reply. You can see that with /radius
monitor command, "bad-replies" number should increase whenever somebody tries to connect.

Example

To set a RADIUS server for HotSpot and PPP services that has 10.0.0.3 IP address and ex shared
secret, you need to do the following:

[admin@AT-WR4562] radius> add service=hotspot,ppp address=10.0.0.3 secret=ex
[admin@AT-WR4562] radius> print
Flags: X - disabled
# SERVICE CALLED-ID DOMAIN ADDRESS SECRET
0 ppp,hotspot 10.0.0.3 ex
[admin@AT-WR4562] radius>
AAA for the respective services should be enabled too:
[admin@AT-WR4562] radius> /ppp aaa set use-radius=yes
[admin@AT-WR4562] radius> /ip hotspot profile set default use-radius=yes
To view some statistics for a client:
[admin@AT-WR4562] radius> monitor 0
pending: 0
requests: 10
accepts: 4
rejects: 1
resends: 15
timeouts: 5
bad-replies: 0
last-request-rtt: 0s
[admin@AT-WR4562] radius>

7.1.3

Connection Terminating from RADIUS

Submenu level: /radius incoming

Description

This facility supports unsolicited messages sent from RADIUS server. Unsolicited messages extend
RADIUS protocol commands that allow terminating a session which has already been connected from
RADIUS server. For this purpose DM (Disconnect-Messages) are used. Disconnect messages cause a user
session to be terminated immediately

Property Description

accept (yes | no; default: no) - Whether to accept the unsolicited messages