[Mikrotik] Radius MAC Authentication with both DHCP and static IPs

Butch Evans butche at butchevans.com
Tue Mar 15 15:01:40 CDT 2011

On 03/14/2011 04:38 PM, Jim Rice wrote:
> Sorry, I should have been more specific ...
> We are doing MAC authentication from a MySQL database, not local.
> The DHCP request triggers the Radius Access-Request, and receives the Access-Accept reply.  For Static IPs, there is nothing to trigger the Radius request.  So for those, I have to default to Accept them.
> (Unacceptable.)
> I do not know if this is version dependent or not.
> But devices configured with static IPs do not generate a Radius request when connecting.
> I want to configure Radius to provide the DHCP Group and Rate-Limit attributes, perhaps others as well, based on Username (MAC).
You can trigger the radius request from wireless auth, hotspot or DHCP.  
Depending on what services you want to provide, there are both pros and 
cons to each approach.  You can, if you like, use radius auth for all 3 
at the same time.  Assuming you don't want (or need) hotspot, I'd do this:

1. Configure dynamic clients in radius to get a radius reply that 
includes the "ip-pool" attribute
2. Configure clients with static IP addresses to get the 
"framed-ip-address" attribute (I think that's the right one)
3. Configure a default "unknown" client pool to get the ip-pool 
attribute pointing to a pool of IPs that is NOT your "normal access" range

All 3 of the above can include a rate-limit attribute of whatever is 
appropriate for the customer.  You would have to configure the "static" 
clients to get an IP from the DHCP server, but you will always be 
providing them with the SAME IP (static lease) via the framed-ip-address 
attribute.  Once you have done this, you would configure the DHCP server 
to "add arp for leases" and configure the interface for 
"arp=reply-only".  You would redirect traffic from the group 3 above so 
that those clients can only see a web page that says "If you can see 
this, call us for service..." (or whatever).  By setting the arp options 
mentioned above, you will prevent anyone from setting up a manual static 
IP to bypass your authentication mechanism.

* Butch Evans                   * Professional Network Consultation*
* http://www.butchevans.com/    * Network Engineering              *
* http://store.wispgear.net/    * Wired or Wireless Networks       *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *
*                NOTE THE NEW PHONE NUMBER: 702-537-0979           *

More information about the Mikrotik mailing list