Enhancing MikroTik Security with Ubuntu RADIUS Server

For WISPs and network administrators, managing access to MikroTik routers at various high sites can be a significant challenge. Managing individual login credentials on each device is cumbersome, and it becomes a security risk when an employee leaves the organization, because every router they could log in to has to be updated by hand. A practical and efficient solution to this problem is the implementation of a RADIUS server. This centralized approach to managing authentication for network devices streamlines access control and enhances security.

The Role of RADIUS in Network Management

A RADIUS server centralizes the management of user credentials, significantly simplifying the process of updating access permissions.

Setting Up a RADIUS Server on Ubuntu 22.04

This guide will walk you through the process of setting up a RADIUS server on Ubuntu 22.04, using the FreeRADIUS package. We'll then integrate this server with a MikroTik router, treating it as a NAS client for centralized authentication.

Step 1: Install FreeRADIUS on Ubuntu

First, update your package list and install FreeRADIUS:

sudo apt update
sudo apt install freeradius freeradius-utils -y

Step 2: Configure FreeRADIUS

After installation, configure FreeRADIUS to recognize the MikroTik router as a NAS client.

  1. Edit the clients.conf file:
sudo nano /etc/freeradius/3.0/clients.conf
  2. Add your MikroTik router as a NAS client at the end of the file. Replace 10.x.x.x with your MikroTik's private management IP address, and your_shared_secret with a secure password that will be shared between the RADIUS server and the MikroTik router:
client mikrotik_nas {
    # FreeRADIUS 3.0 names the client address ipaddr (ipv4addr/ipv6addr also work)
    ipaddr     = 10.x.x.x
    secret     = your_shared_secret
    nas_type   = mikrotik
    shortname  = MikroTikRouter
}
  3. Save and close the file.

Step 3: Add Users to the RADIUS Server

The next step is to configure FreeRADIUS to authenticate users based on a text file. For the purposes of this guide, we will store the authentication information in /etc/freeradius/3.0/users.

  1. Edit the users file:
sudo nano /etc/freeradius/3.0/users
  2. Add users in the following format:
username Cleartext-Password := "password"

For example:

jeff Cleartext-Password := "this_is_jeffs_password"
  3. Save and close the file.

Step 4: Restart FreeRADIUS

Apply the changes by restarting the FreeRADIUS server:

sudo systemctl restart freeradius

Step 5: Configure MikroTik Router

Finally, configure your MikroTik router to use the RADIUS server for authentication.

  1. Access your MikroTik router via WinBox or SSH.
  2. Navigate to the RADIUS settings and add a new RADIUS client. Use the following settings, replacing 10.x.x.x with your RADIUS server's IP address and your_shared_secret with the secret you specified in the clients.conf file:
/radius add service=login address=10.x.x.x secret=your_shared_secret authentication-port=1812 accounting-port=1813
  3. Enable RADIUS authentication for system login:
/user aaa set use-radius=yes
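
Before putting the server into service, the shared secrets entered in Step 2 can be checked automatically. The script below is an added example, not part of the original guide or of FreeRADIUS: it lints a clients.conf for secrets that are missing, still set to a placeholder or sample value, or shorter than a minimum length. The function names, the 16-character minimum (taken from the preference stated in RFC 2865) and the deny-list are assumptions made for this example.

```sh
# Added example, not from the original guide: lint clients.conf for weak secrets.
# Assumptions: MIN_LEN follows the 16-octet preference in RFC 2865; DENY holds
# this guide's placeholder and the sample secret from the stock clients.conf.
MIN_LEN=16
DENY='your_shared_secret testing123'

# audit_clients_conf FILE: prints "<client>: <reason>" per finding; returns 1 if any.
audit_clients_conf() {
    awk -v min="$MIN_LEN" -v deny="$DENY" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        { sub(/[ \t]*#.*/, "") }                 # strip comments (simplified)
        depth == 0 && $1 == "client" { name = $2; sub(/[{].*/, "", name); secret = "" }
        depth == 1 && /^[ \t]*secret[ \t]*=/ {   # secret at the top level of the block
            secret = $0; sub(/^[^=]*=[ \t]*/, "", secret)
            sub(/[ \t]+$/, "", secret); gsub(/^"|"$/, "", secret)
            next                                 # do not count braces inside a secret
        }
        {
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (name != "" && depth > 0) inblk = 1
            if (inblk && depth == 0) {           # the client block just closed
                reason = ""
                if (secret == "") reason = "no secret set"
                else if (secret in bad) reason = "placeholder or default secret"
                else if (length(secret) < min) reason = "secret under " min " characters"
                if (reason != "") { print name ": " reason; found = 1 }
                name = ""; inblk = 0
            }
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed sample input (only the lines the linter reads); two clients are weak.
write_sample() {
    cat > "$1" <<'EOF'
client localhost {
    secret = testing123
}
client mikrotik_nas {
    secret = your_shared_secret   # placeholder left in place
    limit { max_connections = 16 }
}
client site_b {
    secret = "N7qvR2xkLm9Tz4WpYc8aHd3f"
}
EOF
}
tmp=$(mktemp); write_sample "$tmp"; audit_clients_conf "$tmp" || echo "fix the secrets above"; rm -f "$tmp"
```

On the server, call audit_clients_conf /etc/freeradius/3.0/clients.conf as a user that can read the file. The comment stripping is simplified, so a secret containing # is cut at that character and reported as shorter than it is.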

Conclusion

By setting up a RADIUS server and integrating it with your MikroTik routers, you can streamline the management of network access credentials. While this guide uses a text file for authentication data, there are numerous GUI/Web-based options and more sophisticated back-end databases that can be integrated with FreeRADIUS for even greater flexibility and scalability.
