Howto Recover Mikrotik ADMIN account Forgotten Password

Recovering a Mikrotik password.

Syed Jahanzaib Personal Blog to Share Knowledge !

Last Updated: 18th April, 2014, 22:04 gmt+5

According to the information on the Mikrotik WIKI and forums, it is not possible to recover the passwords without resetting the whole Mikrotik box (which also results in the loss of all configuration). However, the following are a few methods to recover the password.

0# Recover password from BACKUP file using a website https://www.mikrotikpasswordrecovery.net/

If you require it on an urgent basis, you can email me your config and I will recover it for you, in case you don't have Linux or it is urgent.

1# Recover password from a BACKUP file using an Ubuntu or Linux LIVE CD [updated April 2014]

2# Recover password by mounting the Mikrotik hard disk in a Linux LIVE CD and doing the recovery [not updated since last year; it was tested with version 5]

 

1# Recover password from a BACKUP file using Linux [working as of April 2014]

Login to your Ubuntu / Linux Box,
Download mikrotik…


Install Nagios on a Synology DiskStation DS415+ (Plex Support Also Added)

Install Nagios on a Synology

Charles Hooper's Oracle Notes

December 24, 2014 (Modified December 29, 2014 – Added Plex Support Section, January 11, 2015 – Added Nagios Web Status and Fixed Status Logging)

(Back to the Previous Post in the Series)

This article describes how to compile and run Nagios 4.0.8 (with 2.0.3 plugins) on a Synology DiskStation DS415+ (64 bit), which utilizes an Intel Atom Avoton processor (cat /proc/cpuinfo indicates that the unit is using a 2.40GHz Atom C2538) and the DSM 5.1-5021 operating system (the latest version as of December 24, 2014). Nagios is a very useful network monitoring (and even Oracle Database monitoring, with plugins) utility that uses email or other communication means to report device or service outages. Not all Synology DiskStation NAS devices use Intel based CPUs – some of the less expensive DiskStations use ARM type processors (see this link to determine the type of CPU installed in a specific DiskStation). It may…


Fixing and Reverse Engineering Cheap Temperature Controlled Soldering Iron

Taking apart the soldering iron

Oakkar7, another Blog

Last year, I bought a temperature controlled soldering iron from a local supplier. I bought a hot air rework station soon after, and I seldom used this iron because the new rework station also has a temperature controlled iron. I like the idea of this iron because of its design. It is not like other temp-controlled soldering stations. See the photo.

Here is close up. You can see inside circuitry.

It is just an iron, and the temp-control circuit is inside its handle. There is no dedicated control station like the famous Weller gun. There is a knob on the handle to adjust the temperature from 100~400 C. Yes, it is made in China. The price is very cheap, about $5 (believe it or not). But the quality and performance are quite good.

One day, I used this iron and it was not working. So, I opened it and fixed it. Fixing is quite simple and I checked…


Removing an image from Google search results

First delete the image that you do not want to be found in Google search. If it is a profile picture, delete it first and only then change the profile picture, because if you change it first the old thumbnail will not go away, since Google finds that the data is still there.

Blocking Client ROUTER Access

Syed Jahanzaib Personal Blog to Share Knowledge !

ttl

As requested by a virtual friend who has a small network in a rural area with a small amount of bandwidth: he wanted to block access for clients who use a WIFI / client ROUTER and share the connection with other members. Because of this the operator is losing 'POTENTIAL' customers. The following trick worked like a charm to block client router access.

At your main router, add the following rule:

The above rule will decrement the TTL by a value of 1. This way, when the packet moves towards the client router, it will not go beyond that point to the client. BUT if the client uses a normal PC, he will be able to access the internet.

1- block client router

DISCLAIMER:
Remember one point: the above method is not 100%. There is always a workaround for just about anything. No security is 100% foolproof.
If the client uses a Mikrotik router, he can create…

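The rule itself is in a screenshot that is not reproduced here. The following is an added example of the standard RouterOS TTL rule for this purpose, not code from the original post. It assumes the interface towards the customers is named lan; rename it to match your router.

```routeros
# Added example, not the original post's screenshot.
# Assumes the customer-facing interface is named "lan".
/ip firewall mangle
add chain=postrouting out-interface=lan action=change-ttl new-ttl=set:1 passthrough=yes comment="TTL 1 towards customers: a PC accepts it, a router behind the customer port cannot forward it"
```

Setting the TTL to 1 (new-ttl=set:1) rather than decrementing it makes the result independent of the TTL the packet arrived with: the customer's PC accepts a packet with TTL 1 because it is the destination, whereas a router behind the customer's port has to decrement it to 0 and discards it. As the disclaimer says, a customer who controls a router (a Mikrotik, or a Linux box with iptables) can raise the TTL again on its own LAN side, so treat this as a tripwire against casual sharing, not as an access control.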

Mikrotik 4 WAN Load Balancing using PCC method. Complete Script ! by zaiB

Syed Jahanzaib Personal Blog to Share Knowledge !

Updated 4th December, 2013

Following is a complete script for Mikrotik to load balance 4 WAN links or DSL links. The script idea is taken from
http://wiki.mikrotik.com/wiki/Manual:PCC#Example

In this example I have used a Mikrotik RB750 5-port router. 4 ports were connected to four DSL routers, and the 5th port was connected to the user LAN. In this particular screenshot example, all DSL lines have unequal speed. Also don't forget to rename the interface names accordingly.

In my personal experience, if user requests are directly hitting a Mikrotik configured with PCC, then you will get good load balancing. Use src-address as the classifier; this way you will get rid of problems like https/broken links, streaming issues etc. Load balancing using this PCC technique (src-address) will be an effective and balanced approach as more and more connections (from clients) occur.

I also recommend using a SQUID proxy server along…


Load Balancing Failover with Proxy and DNS


1. Defining DNS, router and address list on the firewall
This assumes that you set up the network according to the interface arrangement in the previous article. So as not to confuse you, the interface names and the IP addresses are in the first script below.
/interface
# rename the ports by their index; the item to set must be given, RouterOS rejects a bare "set name="
set 0 name=wan1
set 1 name=wan2
set 2 name=proxy
set 3 name=lan1
set 4 name=not-used
 
/ip address
add address=172.16.1.2/24 interface=wan1
add address=172.16.2.2/24 interface=wan2
add address=172.160.1.1/24 interface=proxy
add address=192.168.1.1/24 interface=lan1
 
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=172.16.1.1,8.8.8.8,8.8.4.4
 
/ip firewall address-list
add address=192.168.1.0/24 comment="" disabled=no list=LocalNET
add address=172.160.1.0/24 comment="" disabled=no list=ProxyNET
Actually Mikrotik has a built-in DNS cache; we only need to specify the upstream (parent) DNS servers. I have set up a local DNS server on the wan1 side with the same IP as the wan1 gateway, 172.16.1.1. It does not matter on which side of your network you install a local DNS server, and even if you do not have one you can rely on the Google DNS servers. Be aware that allow-remote-requests=yes makes the router answer DNS queries from anyone whose packets reach its input chain, so the firewall filter must limit UDP and TCP port 53 to the LAN and proxy networks; otherwise the router is an open resolver that can be abused for DNS amplification from the WAN side.

Next we create the named address lists in the firewall that will be used when redirecting connections from the local area network (LAN) to the proxy server. Note that 172.160.1.0/24 (ProxyNET) is not private address space: the RFC 1918 block is 172.16.0.0/12, that is 172.16.0.0 to 172.31.255.255, and 172.160.0.0/16 is someone else's public range, so pick a private range for the proxy segment in your own setup.

 
2. Masquerade Dual Wan Connection and Redirect Web Proxy
/ip firewall nat
add chain=srcnat out-interface=wan1 action=masquerade
add chain=srcnat out-interface=wan2 action=masquerade
 
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address-list=!ProxyNET dst-port=80,8080 in-interface=lan1 protocol=tcp to-addresses=172.160.1.2 to-ports=3128 comment="TRANSPARENT PROXY"

There are two rules masquerading the two WAN internet connections; they rewrite the source address of every outgoing packet. If a packet leaves via wan1 it is NATed to the wan1 address 172.16.1.2, if via wan2 to 172.16.2.2.
 
For redirecting connections from the LAN to the proxy we use chain=dstnat. This is a transparent web proxy, so in squid.conf on the proxy server the listening port must be set to http_port 3128 transparent (Squid 3.1 and later spell it http_port 3128 intercept). Without that the redirected requests will not work. The rule only catches plain HTTP on TCP 80 and 8080; HTTPS (443) is not redirected and goes out directly through the load balancing.
 
3. Proxy Hit and Accepting All Traffic to Connected Networks
 
/ip firewall mangle
add chain=postrouting action=mark-packet new-packet-mark=cache-hits passthrough=no dscp=48 comment="PROXY HIT"
 
/ip firewall mangle
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=172.16.1.0/24
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=172.16.2.0/24
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=172.160.1.0/24
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=192.168.1.0/24
add action=accept chain=prerouting src-address=172.160.1.0/24 dst-address=172.16.1.0/24
add action=accept chain=prerouting src-address=172.160.1.0/24 dst-address=172.16.2.0/24
add action=accept chain=prerouting src-address=172.160.1.0/24 dst-address=172.160.1.0/24
This is what I have done: mark the proxy-hit packets in chain=postrouting by matching DSCP 48, which corresponds to the TOS value that Squid sets on cache hits (zph_tos_local in Squid 2.7, qos_flows local-hit in 3.1 and later), so that hit traffic from the proxy to the network can bypass the bandwidth limits. Check the value carefully: RouterOS dscp= matches the 6-bit DSCP field, not the whole TOS byte, so if Squid is configured with a TOS byte of 48 (0x30) the matching rule is dscp=12, and dscp=48 corresponds to a TOS byte of 192 (0xC0). For the local DNS server plan I also add the next rules to accept all traffic between the connected networks: action=accept in mangle stops further mangle processing, so traffic between local networks never receives a routing mark and is routed normally instead of being pushed through a WAN by the load balancing rules.
 
4. Mangle for The Rule Ecmp Dual Wan Load Balancing
 
/ip firewall mangle
add action=mark-connection chain=input in-interface=wan1 connection-mark=no-mark new-connection-mark=wan1_conn comment="Mark Connection that are Initiated from Outside"
add action=mark-connection chain=input in-interface=wan2 connection-mark=no-mark new-connection-mark=wan2_conn
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=wan1_traf comment="Mark Routing for Router's Replies"    
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=wan2_traf
These rules are not about the clients: the two input rules mark connections that the outside world opens to the router itself (one mark per WAN), and the two chain=output rules give the router's own replies on those connections a routing mark, so that a connection that came in through wan1 is answered through wan1 and one that came in through wan2 through wan2. Make sure the fourth rule matches connection-mark=wan2_conn, not wan1_conn: if both output rules match wan1_conn, replies to connections from wan2 get no routing mark, follow the ECMP default route of the next section and may leave through wan1, where the source address no longer matches the one the client is talking to, so the reply is discarded. The forwarded LAN traffic is not marked here; it is balanced by the routes in the next section.
 
5. Route List of ecmp dual wan load balancing with automatic failover
 
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.1,172.16.2.1 check-gateway=ping
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.1 routing-mark=wan1_traf
add dst-address=0.0.0.0/0 gateway=172.16.2.1 routing-mark=wan2_traf
The routing-marks in the last two routes are the ones set by the mangle rules above (wan1_traf and wan2_traf). The first route balances unmarked traffic, that is the forwarded LAN traffic, over both gateways with ECMP; check-gateway=ping removes a gateway whose next hop stops answering. If you trust both WAN connections to be stable you do not need to extend these routes any further. But a ping to the DSL modem only proves that the modem is up, not that the ISP link behind it works, so if in doubt continue with the following automatic failover routes!
/ip route
add dst-address=128.199.248.105 gateway=172.16.1.1 scope=10
add dst-address=111.67.16.202 gateway=172.16.2.1 scope=10
 
/ip route
add distance=1 gateway=128.199.248.105 routing-mark=wan1_traf check-gateway=ping
add distance=1 gateway=111.67.16.202 routing-mark=wan2_traf check-gateway=ping
 
/ip route
add distance=2 gateway=111.67.16.202 routing-mark=wan1_traf check-gateway=ping
add distance=2 gateway=128.199.248.105 routing-mark=wan2_traf check-gateway=ping
 
/ip route
add dst-address=10.129.30.1 gateway=128.199.248.105 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.129.31.1 gateway=111.67.16.202 scope=10 target-scope=10 check-gateway=ping
 
/ip route
add distance=1 gateway=10.129.30.1 routing-mark=wan1_traf
add distance=2 gateway=10.129.31.1 routing-mark=wan2_traf
 
/ip route
add distance=1 gateway=10.129.30.1
add distance=2 gateway=10.129.31.1
To complete the load balancing system with failover: the IPs 128.199.248.105 and 111.67.16.202 are DNS servers of the OpenNIC project. They can be replaced with any other hosts you trust to be always up, so that the only time they become unreachable is when the ISP link is down; that makes them an indicator of the state of each ISP connection. They are used as the gateway in groups 2 and 3 of the routes above.
 
This may look like a mathematical trick and is not obvious at first sight, but it is the recursive routing technique and it really works. A route whose gateway is not on a connected network is resolved through another route; here the /32 host routes with scope=10, which the default target-scope of 10 can use. check-gateway=ping on such a route pings that remote address rather than the DSL modem. The last three groups use virtual gateways, 10.129.30.1 and 10.129.31.1, addresses that do not exist anywhere on our network (you are free to choose them, as long as no real host ever uses them). When the ping to a check host fails, the host route to its virtual gateway becomes inactive and every route that recurses through that virtual address goes inactive with it, so traffic moves to the distance-2 route. Note that the last two unmarked routes (distance 1 and 2) use wan1 as primary and wan2 only as backup; they have the same destination and distance as the ECMP route at the start of this section, so keep only one of the two (an ECMP route through both virtual gateways keeps the balancing and gets the failover as well). You can verify the result with /ip route print.
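To see the technique as one consistent set of routes, here is an added example written for this article's addressing; it is not the article's own script. The check hosts and virtual gateways are the ones used above, the gateways are wan1's 172.16.1.1 and wan2's 172.16.2.1. It goes one step beyond the text by making the unmarked default route ECMP over both virtual gateways, which keeps the load balancing while inheriting the failover.

```routeros
# Added example: recursive-gateway failover for the dual WAN setup above.
# The virtual addresses 10.129.30.1 and 10.129.31.1 are arbitrary and
# must not exist anywhere on the network.
/ip route
# 1. Pin each check host to one WAN, so the ping really tests that link.
add dst-address=128.199.248.105/32 gateway=172.16.1.1 scope=10 comment="check host via wan1"
add dst-address=111.67.16.202/32 gateway=172.16.2.1 scope=10 comment="check host via wan2"
# 2. Virtual gateways, resolved through the check hosts. check-gateway=ping
#    pings the check host; when it stops answering this route goes inactive
#    and everything that recurses through the virtual address goes with it.
add dst-address=10.129.30.1/32 gateway=128.199.248.105 scope=10 target-scope=10 check-gateway=ping comment="virtual gw wan1"
add dst-address=10.129.31.1/32 gateway=111.67.16.202 scope=10 target-scope=10 check-gateway=ping comment="virtual gw wan2"
# 3. Router replies to connections that arrived on a WAN leave on that WAN,
#    with the other WAN as distance-2 fallback.
add dst-address=0.0.0.0/0 gateway=10.129.30.1 routing-mark=wan1_traf distance=1
add dst-address=0.0.0.0/0 gateway=10.129.31.1 routing-mark=wan1_traf distance=2
add dst-address=0.0.0.0/0 gateway=10.129.31.1 routing-mark=wan2_traf distance=1
add dst-address=0.0.0.0/0 gateway=10.129.30.1 routing-mark=wan2_traf distance=2
# 4. Unmarked (forwarded LAN) traffic: ECMP over both virtual gateways keeps
#    the balancing of section 5 and drops a dead WAN automatically.
add dst-address=0.0.0.0/0 gateway=10.129.30.1,10.129.31.1 distance=1
```

This set replaces all the /ip route rules of section 5, so remove those first. The router itself reaches the two check hosts only through their pinned WAN, so do not list them as resolvers under /ip dns if DNS must survive the loss of one link. A check host that is merely slow to answer ping will also trigger failover, so choose hosts with stable, low-latency ICMP responses.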
 
 
6. Simple QOS Implementation of Ecmp Dual Wan Load Balancing    
 
/ip firewall mangle
add action=mark-connection chain=forward in-interface=proxy out-interface=lan1 new-connection-mark=proxy-conn dscp=!48 passthrough=yes comment="DOWNLOAD VIA PROXY"
add action=mark-packet chain=forward connection-mark=proxy-conn new-packet-mark=proxy-pkt passthrough=yes
  
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=dconn in-interface=wan1 passthrough=yes comment="PUBLIC DOWNSTEAM"
add action=mark-connection chain=forward new-connection-mark=dconn in-interface=wan2 passthrough=yes comment=""
add action=mark-packet chain=forward connection-mark=dconn new-packet-mark=dpkt passthrough=yes
  
/ip firewall mangle
add action=mark-connection chain=forward out-interface=wan1 new-connection-mark=uconn passthrough=yes comment="PUBLIC UPSTEAM"
add action=mark-connection chain=forward out-interface=wan2 new-connection-mark=uconn passthrough=yes comment=""
add action=mark-packet chain=forward connection-mark=uconn new-packet-mark=upkt passthrough=yes
For this ECMP dual WAN load balancing with failover we only use chain=forward to mark the upload and download packets in this QoS (Quality of Service) implementation.

OK. The first rule is download via proxy. If you cannot capture the proxy's cache-hit traffic separately, HIT and MISS packets are still joined here. Some call this "proxy hit", but I think we cannot call it HIT or MISS proxy as long as we cannot separate them. The main problem I have found is how to separate HIT and MISS proxy explicitly. A proxy MISS is a packet requested by a client (LAN) from the proxy that the proxy does not have in its cache, so it requests it from the internet server directly. The dscp=!48 match on the first rule is what keeps the hits that section 3 already marks as cache-hits out of the proxy-conn connection mark.

For the second and third rules I already provided the comments in the script: the download and upload connections are the ones that actually come from or go to the internet servers through wan1 or wan2. So this is the simple QoS implementation of dual WAN load balancing. After the connections have been marked, set the queue tree and queue type rules to manage the bandwidth as in the script below!

/queue type
add name=pcq_game kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_browsing kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_hardsteam kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_p2ptorrent kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_residual kind=pcq pcq-rate=0 pcq-classifier=dst-address
# queue types referenced by the queue tree below; adding the tree fails if they do not exist.
# pcq-rate=0 means no per-client limit, set one to match your links
add name=sfq_proxy_hit kind=sfq
add name=pcq_downsteam kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_proxysteam kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_upsteam kind=pcq pcq-rate=0 pcq-classifier=src-address
 
/queue tree
add name=HIT_PROXY parent=global-out packet-mark=cache-hits queue=sfq_proxy_hit priority=1
add name=UPSTEAM parent=global-out queue=pcq_upsteam packet-mark=upkt priority=8
add name=DOWNSTEAM parent=global-out queue=pcq_downsteam packet-mark=dpkt priority=8
add name=PROXYSTEAM parent=global-out queue=pcq_proxysteam packet-mark=proxy-pkt priority=8
Especially for UPSTEAM, the upload packet queue, the parent should be global-out, according to the mangle rules that define the connection marks (the packets are marked in chain=forward, so they pass global-out on their way to the WAN). On RouterOS v6 the global-in, global-out and global-total parents were merged into the single parent global. For a dual WAN load balancing setup whose bandwidth is not too big this is a quite simple QoS that manages the bandwidth effectively; you can check the counters with /queue tree print stats.

 
  
7. Security Access for The System Load Balancing
 
/ip firewall address-list
add address=192.168.1.8 disabled=no list=internet-allowed
add address=192.168.1.11 disabled=no list=internet-allowed
add address=192.168.1.12 disabled=no list=internet-allowed
add address=192.168.1.14 disabled=no list=internet-allowed
add address=192.168.1.15 disabled=no list=internet-allowed
add address=192.168.1.16 disabled=no list=internet-allowed
add address=192.168.1.17 disabled=no list=internet-allowed
add address=192.168.1.20 disabled=no list=internet-allowed
add address=192.168.1.21 disabled=no list=internet-allowed
add address=192.168.1.22 disabled=no list=internet-allowed
add address=172.160.1.2 disabled=no list=internet-allowed
 
/ip firewall filter
add action=accept chain=input comment="Accept Input Established" connection-state=established disabled=no
add action=accept chain=input comment="Accept Input Related" connection-state=related disabled=no
add action=drop chain=input comment="Drop Input Invalid" connection-state=invalid disabled=no
add action=accept chain=input comment="Accept Input Limited ICMP" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop Input Exceed ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="Accept Input Winbox" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accept Input Webfig" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input comment="Accept Input Telnet" disabled=no dst-port=23 protocol=tcp
add action=accept chain=input comment="Accept Input SSH" disabled=no dst-port=22 protocol=tcp
add action=accept chain=input comment="Accept Input DNS" disabled=no dst-port=53 protocol=udp
add action=accept chain=input comment="Accept Input Winbox Discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="Drop Input Anything Else" disabled=no
add action=accept chain=forward comment="Accept Forward Established" connection-state=established disabled=no
add action=accept chain=forward comment="Accept Forward Related" connection-state=related disabled=no
add action=drop chain=forward comment="Drop Forward Invalid" connection-state=invalid disabled=no
add action=jump chain=forward comment="Accept User Internet and Jump to Port-Filter" disabled=no jump-target=port-filter src-address-list=internet-allowed
add action=accept chain=port-filter comment="Accept Port-Filter HTTP" disabled=no port=80 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter HTTPS AND SNEWS" disabled=no port=443,563 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter rsync" disabled=no port=873 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter gopher" disabled=no port=70 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter wais" disabled=no port=210 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter unregistered ports" disabled=no port=1025-65535 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter PROXY" disabled=no port=8000,8080,3128 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter http-mgmt" disabled=no port=280 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter gss-http" disabled=no port=488 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter filemaker" disabled=no port=591 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter multiling http" disabled=no port=777 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter cups" disabled=no port=631 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter SWAT" disabled=no port=901 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter Email Ports" disabled=no port=25,587,465,110,143,993,995 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter YM" disabled=no port=5050 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter VPN BCA" disabled=no port=500,10000 protocol=udp
add action=accept chain=port-filter comment="Accept Port-Filter DNS" disabled=no port=53,8053,35053 protocol=udp
add action=accept chain=port-filter comment="Accept Port-Filter NTP" disabled=no port=123 protocol=udp
add action=accept chain=port-filter comment="Accept Port-Filter ICMP" disabled=no protocol=icmp
add action=drop chain=port-filter comment="Drop Port-Filter Anything Else" disabled=no
add action=drop chain=forward comment="Drop Forward Anything Else" disabled=no
This is just a complement to the ECMP dual WAN load balancing system with failover, proxy and DNS server, which would otherwise be very exposed to all kinds of things we do not want. Therefore I think we need to add the security in the firewall filter so that the load balancing network can work properly. A few things to check in the rules above before using them: the input rules accept Winbox, Webfig, Telnet, SSH, DNS and Winbox discovery from every interface, including wan1 and wan2, so management is reachable from the internet and, together with allow-remote-requests=yes, the router is an open DNS resolver; restrict those rules to the inside networks (src-address-list=LocalNET or in-interface=lan1), prefer SSH and Winbox over Telnet and plain-HTTP Webfig, which send the admin password in clear, and disable the unused services under /ip service. In the port-filter chain, the rule for TCP 1025-65535 accepts every TCP connection to a port above 1024, so the later rules for 8000, 8080, 3128 and 5050 are never reached; remove it if the chain is meant to be a whitelist. If this QoS is still not enough to manage the bandwidth as you desire, I will continue with a specific QoS implementation on the load balancing.
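As an added example, my own hardening of the input chain above rather than the article's rules: it keeps the same state and ICMP handling but exposes management and DNS only to the inside networks. The names wan1, LocalNET and ProxyNET come from the article; the mgmt address list with 192.168.1.8 is an assumption, substitute your own admin hosts.

```routeros
# Added example: hardened input chain for the load balancing router.
# Assumption: "mgmt" lists the workstations allowed to administer the router.
/ip firewall address-list
add list=mgmt address=192.168.1.8 comment="admin workstation (assumption)"

/ip firewall filter
# state handling first, as in the original rules
add chain=input action=accept connection-state=established comment="Accept Input Established"
add chain=input action=accept connection-state=related comment="Accept Input Related"
add chain=input action=drop connection-state=invalid comment="Drop Input Invalid"
add chain=input action=accept protocol=icmp limit=50/5s,2 comment="Accept Input Limited ICMP"
add chain=input action=drop protocol=icmp comment="Drop Input Exceed ICMP"
# management only from admin hosts: no Telnet, no Webfig, nothing from wan1/wan2
add chain=input action=accept protocol=tcp dst-port=8291,22 src-address-list=mgmt comment="Winbox/SSH from admins"
# the router resolves names for its own networks only, so it is not an open resolver
add chain=input action=accept protocol=udp dst-port=53 src-address-list=LocalNET comment="DNS for LAN"
add chain=input action=accept protocol=tcp dst-port=53 src-address-list=LocalNET comment="DNS TCP for LAN"
add chain=input action=accept protocol=udp dst-port=53 src-address-list=ProxyNET comment="DNS for proxy"
# everything else, including anything arriving on wan1/wan2, is dropped here
add chain=input action=drop comment="Drop Input Anything Else"

/ip service
# services the setup does not need are switched off entirely
disable telnet,www,ftp,api
# and the remaining ones are bound to the LAN as a second line of defence
set ssh address=192.168.1.0/24
set winbox address=192.168.1.0/24
```

Rules are processed top down, so these replace the input rules of the original list; the forward and port-filter chains stay as they are. Winbox discovery (UDP 5678) is dropped by the last rule; re-add it from LocalNET only if you actually use neighbor discovery. The /ip service binding is independent of the firewall, so a mistake in the filter rules does not by itself re-expose SSH or Winbox to the WAN.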

Pejman Moghadam ( پژمان مقدم ): Slackware: Slackware 14.0 – PPPOE Server / FreeRADIUS 2.1.12 / MySQL


Phase 1 – configure PPPOE Server for standalone authentication



Backup

mv /etc/ppp/options{,.bak}
mv /etc/ppp/pppoe-server-options{,.bak}

/etc/ppp/options

lock

/etc/ppp/pppoe-server-options

name pppoes
require-chap
noipdefault
mru 1492
mtu 1492
lcp-max-configure 60
lcp-restart 2
lcp-echo-interval 30
lcp-echo-failure 4
idle 0
noipx
proxyarp
ms-dns 8.8.8.8
#debug dump logfd 2 nodetach

/etc/ppp/chap-secrets

pejman pppoes 123456 *

/etc/ppp/pppoe.conf

LINUX_PLUGIN=/usr/lib/pppd/2.4.5/rp-pppoe.so

pppd incompatibility

cd /etc/ppp/plugins/
[ ! -e rp-pppoe.so-2.4.4 ] && cp rp-pppoe.so rp-pppoe.so-2.4.4
cp /usr/lib/pppd/2.4.5/rp-pppoe.so /etc/ppp/plugins/

/etc/rc.d/rc.pppoe-server

#!/bin/bash
#
# /etc/rc.d/rc.pppoe-server
#

# Configuration
SRVNAME="Linux-PPPOE-Server"
MAXCON=250
LOCALIP=10.0.0.1
STARTIP=10.0.0.10
USRIF=eth1
HOSTNAME=$(hostname)

start ()
{
  modprobe pppoe
  ifconfig $USRIF up
  /usr/sbin/pppoe-server -k -I $USRIF -N $MAXCON -C $HOSTNAME -S $SRVNAME -L $LOCALIP -R $STARTIP
}

case "$1" in
  'start')
    echo 'Starting pppoe-server ...'
    PID=$(pgrep '^pppoe-server$')
    if [ "$PID" == "" ] ; then
      start
    else
      echo 'pppoe-server is already running !!!'
    fi
    ;;
  'stop')
    echo 'Stoping pppoe-server ...'
    killall pppoe-server
    ;;
  'restart')
    echo 'Restarting pppoe-server ...'
    killall pppoe-server
    sleep 2
    start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    ;;
esac

Launch

chmod +x /etc/rc.d/rc.pppoe-server
/etc/rc.d/rc.pppoe-server start
  • Test With Client Connection

Phase 2 – configure radius server for in-file authentication



FreeRADIUS

cd /usr/src
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
tar zxf freeradius-server-2.1.12.tar.gz
cd freeradius-server-2.1.12
./configure --prefix=/usr/local/freeradius && make && make install
cp /usr/local/freeradius/etc/raddb/users{,.bak-$(date +%F)}

/usr/local/freeradius/etc/raddb/users

pejman Cleartext-Password := "123456"
      Service-Type = Framed-User,
      Framed-Protocol = PPP,
      Framed-Compression = Van-Jacobson-TCP-IP

(FreeRADIUS 2.x ignores a User-Password check item and logs a warning telling you to put the known-good password in Cleartext-Password; CHAP, which the PPPoE server requires, can only be verified against a cleartext password. The same applies to the radcheck table later on.)

Launch

/usr/local/freeradius/sbin/radiusd -X

/etc/rc.d/rc.radiusd

#!/bin/sh
#
# /etc/rc.d/rc.radiusd
#

case "$1" in
  'start')
    echo 'Starting radiusd ...'
    PID=$(pgrep '^radiusd$')
    if [ "$PID" == "" ] ; then
      /usr/local/freeradius/sbin/radiusd
    else
      echo "radiusd is already running (PID: $PID) !!!"
    fi
    ;;
  'stop')
    echo 'Stoping radiusd ...'
    killall radiusd
    ;;
  'restart')
    echo 'Restarting radiusd ...'
    killall radiusd
    sleep 2
    /usr/local/freeradius/sbin/radiusd
    ;;
  *)
    echo "Usage: $0 [start|stop|restart]"
    ;;
esac

Launch

chmod +x /etc/rc.d/rc.radiusd
/etc/rc.d/rc.radiusd start

Test

expand  /usr/local/freeradius/etc/raddb/clients.conf | sed -e 's,#.*,,' -e '/^ *$/d'
echo User-Name = "pejman", User-Password = "123456" | /usr/local/freeradius/bin/radclient 127.0.0.1 auth testing123
/usr/local/freeradius/bin/radtest pejman  123456 127.0.0.1 10 testing123

Phase 3 – Change PPPOE server to use radius authentication



/etc/ppp/pppoe-server-options

.
.
plugin radius.so
plugin radattr.so
.
.

/etc/radiusclient/servers

127.0.0.1       testing123

(testing123 is the shared secret that ships in clients.conf for the localhost client, and it is known to everyone; change it in clients.conf and here before the server goes into production, and keep both files readable only by root and the radiusd user.)

/etc/radiusclient/dictionary

.
.
ATTRIBUTE       CHAP-Challenge          60      string
INCLUDE /etc/radiusclient/dictionary.microsoft

/etc/ppp/chap-secrets

#pejman pppoes 123456 *

Restart

/etc/rc.d/rc.pppoe-server restart

Phase 4 – Config database server



Mysql Secure Installarion Wizard

/storage/mysql-5.5.22/bin/mysql_secure_installation

/etc/rc.d/rc.mysqld

#SKIP="--skip-networking"

Restart

/etc/rc.d/rc.mysqld restart
nmap 127.0.0.1
netstat -tunapo | grep mysql

Commenting SKIP out makes mysqld listen on TCP 3306. Since FreeRADIUS on the same host reaches MySQL through the local socket (server = "localhost" in sql.conf), you can also leave --skip-networking in place and skip this step, which keeps the database off the network entirely; the nmap and netstat commands show what is listening either way.

radius database

create database radius;
use radius;
source /usr/local/freeradius/etc/raddb/sql/mysql/schema.sql;
show tables;

new group

use radius;
INSERT INTO radgroupreply (GroupName, Attribute, Value) VALUES ('normalusers', 'Framed-Compression','Van-Jacobson-TCP-IP' );
INSERT INTO radgroupreply (GroupName, Attribute, Value) VALUES ('normalusers', 'Framed-Protocol', 'PPP' );
INSERT INTO radgroupreply (GroupName, Attribute, Value) VALUES ('normalusers', 'Service-Type', 'Framed-User' );

new user

use radius;
INSERT INTO radusergroup (UserName, GroupName, priority) VALUES ('pejman', 'normalusers', 1);
INSERT INTO radcheck     (UserName, Attribute, op, Value) VALUES ('pejman', 'Cleartext-Password', ':=', '123456');
INSERT INTO radreply     (UserName, Attribute, Value)    VALUES ('pejman', 'Framed-IP-Address', '172.16.3.33');

(Use Cleartext-Password with the := operator; FreeRADIUS 2.x ignores the old Password check item, and the schema's default op == is not right for a password. The server's require-chap means the password must be stored in clear or as NT-Password (NT-Password works for MS-CHAP only), so restrict read access on radcheck to the database account radiusd uses.)

Check tables;

use radius;
select * from radgroupreply;
select * from radusergroup;
select * from radcheck;
select * from radreply;

Phase 5 – Configure radius server to use mysql as backend



/usr/local/freeradius/etc/raddb/users

# pejman Cleartext-Password := "123456"
#      Service-Type = Framed-User,
#      Framed-Protocol = PPP,
#      Framed-Compression = Van-Jacobson-TCP-IP

/usr/local/freeradius/etc/raddb/radiusd.conf

.
.
$INCLUDE sql.conf
.
.

/usr/local/freeradius/etc/raddb/sql.conf

.
.
  sql {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    #port = 3306
    login = "root"
    password = "123456"
    radius_db = "radius"
.
.

Do not run the server as the MySQL root account: create a dedicated account (for example radius@localhost) with SELECT on the radius database plus INSERT and UPDATE on the accounting tables it writes (radacct, radpostauth), and use that login and a non-trivial password here. sql.conf holds this password in clear, so it must be readable only by root and the user radiusd runs as.

Backup

cp /usr/local/freeradius/etc/raddb/sites-available/default{,.bak}

check config file

expand /usr/local/freeradius/etc/raddb/sites-available/default | egrep -v '^#|^ *$|^ *#'
expand /usr/local/freeradius/etc/raddb/sites-available/default | sed -e 's,#.*,,' -e '/^ *$/d'

/usr/local/freeradius/etc/raddb/sites-available/default

authorize {
    preprocess
    chap
    mschap
    suffix
    sql
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
            pap
    }
    Auth-Type CHAP {
            chap
    }
    Auth-Type MS-CHAP {
            mschap
    }
}
preacct {
    preprocess
    acct_unique
    suffix
}
accounting {
    detail
    unix
    radutmp
    sql
    attr_filter.accounting_response
}
session {
    radutmp
    sql
}
post-auth {
    sql
    exec
    Post-Auth-Type REJECT {
            attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}

Restart

/etc/rc.d/rc.radiusd restart

/etc/rc.d/rc.local

# Start FreeRADIUS server:
if [ -x /etc/rc.d/rc.radiusd ]; then
  /etc/rc.d/rc.radiusd start
fi

# Start PPPOE server:
if [ -x /etc/rc.d/rc.pppoe-server ]; then
  /etc/rc.d/rc.pppoe-server start
fi

/etc/rc.d/rc.local_shutdown

#!/bin/bash

# Stop PPPOE server:
if [ -x /etc/rc.d/rc.pppoe-server ]; then
  /etc/rc.d/rc.pppoe-server stop
fi

# Stop FreeRADIUS server:
if [ -x /etc/rc.d/rc.radiusd ]; then
  /etc/rc.d/rc.radiusd stop
fi

Commands

chmod +x /etc/rc.d/rc.local_shutdown