Introduction

The introduction of the container feature in RouterOS made it possible to run all kinds of servers for all sorts of tasks inside the router. This is especially relevant for people who want to reduce the number of devices in their network. Instead of running a server on a separate device/machine, why not run it inside the router?

RADIUS is short for Remote Authentication Dial-In User Service. RouterOS has a RADIUS client that can authenticate HotSpot, PPP, PPPoE, PPTP, L2TP, and ISDN connections. This feature lets you connect RouterOS to a RADIUS server and then use the user database from the server for client authentication.

In our example, we will showcase the installation of the freeradius/freeradius-server image.

Summary

Sub-menu: /container

Note: the container package is required.

Make sure to study our container guide before proceeding with the configuration. Make sure to check the disclaimer and requirements sections to understand all the risks and necessary steps you might be required to do.

At the time this guide was published, the image was available for the linux/amd64 OS/architecture only. This means you cannot run this scenario on our ARM 32-bit and ARM 64-bit architecture RouterOS devices.

You can only run it on Cloud Hosted Router (CHR).

To help you set up a CHR in VirtualBox, please check our YouTube tutorial.

Configuration

Container mode

Enable container mode:

/system/device-mode/update container=yes

You will need to confirm the device-mode change with a cold reboot if using the container on x86.

Networking

Add a veth interface for the container:

/interface/veth/add name=veth3 address=172.17.0.2/24 gateway=172.17.0.1

Create a bridge for the container, assign an IP network to it, and add the veth interface to the bridge:

/interface/bridge/add name=dockerfreeradius
/ip/address/add address=172.17.0.1/24 interface=dockerfreeradius
/interface/bridge/port add bridge=dockerfreeradius interface=veth3

Set up NAT for outgoing traffic if required:

/ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/24

Getting image

To simplify the configuration, we will get the image from an external library, but you can also import it via a .tar file.

Make sure that you have the "Registry URL" set accordingly, limit RAM usage (if necessary), and set up a directory for the image:

/container/config/set registry-url=https://registry-1.docker.io tmpdir=pull

Pull the image:

/container/add remote-image=freeradius/freeradius-server:latest interface=veth3 root-dir=freeradius

After running the command, RouterOS should start "extracting" the package. Check "File System" for newly created folders and monitor container status with the command /container/print.

Starting the container

After you confirm with /container/print that the container has been added and its status has changed to status=stopped, you can start it:

/container/start 0

Altering the server's configuration files

To access the server's configuration files, we will need to use the SFTP (file transfer over SSH) protocol, so make sure that the SSH service is enabled.

Open your command terminal ("CMD", as Administrator, for Windows users, or "Linux Shell or Command Terminal" for Linux users) and navigate to the directory where you want to download the configuration file. For example, to the "radius" folder on your "Desktop":

C:\WINDOWS\system32>cd C:\Users\Administrator\Desktop\radius
 
C:\Users\Administrator\Desktop\radius>

Initiate SFTP to the device's IP address:

C:\Users\DenissPC\Desktop\radius>sftp admin@10.55.8.53
admin@10.55.8.53's password:
Connected to 10.55.8.53.
sftp>

Go to the server's configuration file folder (use the dir or ls command to see the content of the folder you are in, and the cd command to go to the folder of your choice).

clients.conf

The first file, "clients.conf", allows you to define RADIUS clients. Per the "freeradius" documentation, it should be under the "/etc/freeradius" directory, so navigate there and use the get command to download it:

sftp> dir
freeradius          pub                     pull                    skins                   
tb
sftp> cd freeradius/etc/freeradius
sftp> dir
README.rst          certs               clients.conf        dictionary          experimental.conf   hints               
huntgroups          mods-available      mods-config         mods-enabled        panic.gdb           policy.d            
proxy.conf          radiusd.conf        sites-available     sites-enabled       templates.conf      trigger.conf        
users
sftp> get clients.conf
Fetching /freeradius/etc/freeradius/clients.conf to clients.conf
/freeradius/etc/freeradius/clients.conf                                               100% 8323     1.2MB/s   00:00

Open "clients.conf" in your preferred text editor (Notepad or any other) and overwrite it with the lines shown below (or create a new/fresh file, name it "clients.conf", and add the lines there with any text editor; the result is the same):

client localhost {
	#  Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for
	#  a client.
	#
	#  ipaddr will accept IPv4 or IPv6 addresses with optional CIDR
	#  notation '/<mask>' to specify ranges.
	#
	#  ipaddr will accept domain names e.g. example.org resolving
	#  them via DNS.
	#
	#  If both A and AAAA records are found, A records will be
	#  used in preference to AAAA.
	ipaddr = 127.0.0.1
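
A sanity check to run on an edited clients.conf before uploading it back over SFTP, added here as an example (it is not part of the original guide or of FreeRADIUS). It applies the rule from the file's own comments that only one of ipaddr, ipv4addr, ipv6addr may be set per client, and also flags unclosed blocks, a /0 range, and a missing or stock secret. Assumptions: the `secret` key, its `testing123` sample value and the `limit` sub-section come from the stock FreeRADIUS file rather than from the excerpt above, and the function names and sample input are constructed.

```python
import re

# Constructed sample: a sound client, an over-broad one, and a block that
# stops after ipaddr (no secret, no closing brace).
SAMPLE = """\
client router {
	ipaddr = 172.17.0.1
	secret = constructed-example-secret
	limit {
		max_connections = 16
	}
}
client everyone {
	ipaddr = 0.0.0.0/0   # CIDR notation
	secret = testing123
}
client localhost {
	#  Only *one* of ipaddr, ipv4addr, ipv6addr may be specified
	ipaddr = 127.0.0.1
"""

def check(name, items, closed):
    """Return (client, problem) pairs for one parsed client block."""
    out = [] if closed else [(name, "block not closed")]
    addrs = [k for k in ("ipaddr", "ipv4addr", "ipv6addr") if k in items]
    if len(addrs) > 1:
        out.append((name, "more than one address key"))
    elif addrs and items[addrs[0]].endswith("/0"):
        out.append((name, "matches any source address"))
    if not items.get("secret"):
        out.append((name, "no secret"))
    elif items["secret"] == "testing123":
        out.append((name, "stock sample secret"))
    return out

def audit_clients(text):
    """Parse client { } blocks and collect the problems found in each."""
    findings, name, items, depth = [], None, {}, 0
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # assumes no '#' in values
        start = re.match(r"client\s+(\S+)\s*\{$", line)
        if depth == 0 and start:
            name, items, depth = start.group(1), {}, 1
        elif depth and line.endswith("{"):
            depth += 1                    # nested section such as limit { }
        elif depth and line == "}":
            depth -= 1
            findings += [] if depth else check(name, items, True)
        elif depth == 1 and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            items[key] = value.strip('"')
    return findings + (check(name, items, False) if depth else [])
```

Call audit_clients() on the text of the downloaded file; an empty list means none of these checks fired.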
