AAA with Mikrotik + Microsoft IAS (Internet Authentication Service) & Active Directory

Posted by Admin Tuesday, March 22, 2011 0 comments

Topology

Step by step :

1) Point the router's RADIUS client at the Active Directory server; in this case IAS on that server acts as the RADIUS server.

[admin@MikroTik] /radius> add service=login,hotspot address=[ip address AD server] secret=123456 authentication-port=1812 accounting-port=1813

2) Create two user groups, admin and viewer.

Admin :
[admin@MikroTik] /user group> add name=admin policy=ftp,password,read,sensitive,ssh,test,winbox,local,policy,reboot,sniff,telnet,web,write

Viewer :
[admin@MikroTik] /user group> add name=viewer policy=read,telnet,winbox

3) Enable RADIUS authentication for router logins.

[admin@MikroTik] /user aaa> set use-radius=yes

4) Windows configuration: set up Active Directory together with a local DNS, then add IAS via Control Panel => Add or Remove Programs => Add/Remove Windows Components => choose Networking Services => click Details => choose Internet Authentication Service. (note: do the same for DNS)


5) After IAS is installed, the next step is to configure IAS as the RADIUS server linked to the Mikrotik. (note: register IAS in Active Directory first).

i) Setting RADIUS Clients:
a. Create a new RADIUS client.
b. Enter the values below; the IP address is that of the Mikrotik router interface directly connected to IAS. (note: the shared secret must be identical on IAS and on the Mikrotik)

ii) Setting Connection Request Policies
a. Create a new connection request policy, click Next and choose custom policy.

b. In policy conditions, click Add and choose the Client-IP-Address option. Enter the IP address of the Mikrotik router. Connection request policies are used for the authentication process between the Mikrotik and Microsoft IAS.

c. Click Edit, choose Advanced and remove the attribute in the Advanced tab.

iii) Setting Remote Access Logging
a. Go to Remote Access Logging, then click Local File. Set the values as below or use your own configuration.

iv) Set remote access policies. This configuration covers the user authentication process and user authorization.

a. First we create authentication and authorization for the admin user. Create a new remote access policy. Choose custom policy, then give it a custom name. Then click Add, choose the Windows-Groups attribute, and after that choose the group from the domain groups we created in Active Directory. The group scope must be Global.

b. Step two is to set the profile of the access policy. Choose Edit Profile and uncheck MS-CHAPv2, MS-CHAP and CHAP. Check only PAP and SPAP. In the Encryption tab, uncheck No encryption.

c. Step three is the authorization process. Go to the Advanced tab and, in the attribute list, choose Vendor-Specific. Click Add and enter vendor code 14988 in Enter Vendor Code, with "Yes. It conforms." selected. Click Configure Attribute, enter vendor-assigned attribute number 3, and enter admin as the attribute value (note: the attribute value must be the same as the group name on the Mikrotik created in the earlier step).

d. We now have AAA on the Mikrotik with Active Directory + Microsoft IAS configured.
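As an added illustration of what step 5.iv.c configures (example code, not part of the original post or of RouterOS/IAS): a small Python script that encodes the Mikrotik-Group attribute the way IAS sends it (Vendor-Specific type 26, vendor code 14988, vendor-assigned number 3, value admin) and, on the router's side of the exchange, verifies the Access-Accept's Response Authenticator against the shared secret before trusting the group name. Packet identifier and request authenticator are constructed sample values; the secret 123456 is the one from step 1.

```python
import hashlib
import hmac
import struct

MIKROTIK_VENDOR_ID = 14988   # vendor code entered in the IAS Vendor-Specific dialog
MIKROTIK_GROUP_ATTR = 3      # vendor-assigned attribute number for Mikrotik-Group
VSA_TYPE = 26                # RFC 2865 Vendor-Specific attribute type
ACCESS_ACCEPT = 2            # RADIUS packet code

def mikrotik_group_vsa(group):
    """Encode Vendor-Specific(26) carrying Mikrotik-Group (vendor 14988, sub-attr 3)."""
    value = group.encode()
    sub = struct.pack("!BB", MIKROTIK_GROUP_ATTR, 2 + len(value)) + value
    vendor = struct.pack("!I", MIKROTIK_VENDOR_ID) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(vendor)) + vendor

def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept as the RADIUS server does (RFC 2865 section 3):
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_access_accept(packet, request_auth, secret):
    """Router-side check: verify the Response Authenticator with the shared secret,
    then return the Mikrotik-Group value. None means unauthentic reply or no group."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    resp_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return None  # wrong shared secret, or a forged/altered reply
    pos = 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None  # malformed attribute length
        data = body[pos + 2:pos + alen]
        if atype == VSA_TYPE and len(data) >= 6:
            vendor_id = struct.unpack("!I", data[:4])[0]
            sub_type, sub_len = data[4], data[5]
            if vendor_id == MIKROTIK_VENDOR_ID and sub_type == MIKROTIK_GROUP_ATTR:
                return data[6:4 + sub_len].decode(errors="replace")
        pos += alen
    return None
```

A reply built with a different secret, or altered in transit, fails the authenticator check and yields None, so no group is applied from it; a mismatched secret on either side shows up the same way when the router's RADIUS login stops working.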

(sky16 / fm)
