yuna0x0

Login to MikroTik device via Synology RADIUS (with LDAP and group mapping)


Recently, I have been working on setting up our university lab's new network architecture and MikroTik network equipment.

One requirement is that our network admins can log in to MikroTik management interfaces (e.g. WinBox) using their LDAP credentials.


Our lab currently uses Synology’s LDAP and RADIUS servers. (However, I am also experimenting with FreeIPA, FreeRADIUS, and Kanidm, as we might need to migrate to a more scalable and robust solution.)

Therefore, this article focuses on Synology RADIUS. Still, some of the configuration here may also be applicable to FreeRADIUS, as Synology RADIUS is a FreeRADIUS server with custom configuration.

1. Modify Synology RADIUS server configuration files

Enable SSH on your Synology system and log in using an admin account.

Make sure to disable SSH after finishing the configuration: the Synology system allows SSH password login by default, which adds risk if you leave it on.

Switch to the root user with sudo, authenticating with the password of your admin account:

sudo -i

The original FreeRADIUS LDAP configuration provided by Synology is missing membership_attribute in the group section, which prevents the server from evaluating LDAP group membership properly.

Fix this by adding the membership_attribute line to Synology RADIUS' FreeRADIUS LDAP configuration file, located at /var/packages/RadiusServer/target/etc/raddb/mods-enabled/ldap:

ldap
ldap {
    ...
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    ...
}

Then, create a file at /usr/local/synoradius/mikrotik_admin with the configuration that maps the LDAP group to the MikroTik group:

mikrotik_admin
if (Ldap-Group == "YOUR_LDAP_GROUP_NAME") {
    update reply {
        Mikrotik-Group := "YOUR_MIKROTIK_GROUP_NAME"
    }
}

The definition of these RADIUS attributes:

Ldap-Group is the check attribute provided by FreeRADIUS' ldap module; comparing it against a group name makes the module look up whether the authenticating user is a member of that LDAP group, using the group section configured above.

Mikrotik-Group is a MikroTik vendor-specific reply attribute (defined in FreeRADIUS' MikroTik dictionary) that tells RouterOS which local user group to place the RADIUS-authenticated user in.

Finally, depending on the setting of "Source for user authentication" in Synology RADIUS, modify the corresponding file located in /usr/local/synoradius/:

Configuration file          Source for user authentication
rad_site_def_ldap           Only LDAP users
rad_site_def_local_ldap     Both local users and LDAP users
rad_site_def_local          Only local users
rad_site_def_ad             Only domain users
rad_site_def_local_ad       Both local users and domain users

This article focuses on authentication with LDAP users only, though you can still tinker with the configuration that fits your requirements.

Modify the file /usr/local/synoradius/rad_site_def_ldap to include the previously created mikrotik_admin file in the post-auth section:

rad_site_def_ldap
...
post-auth {
    # ldap
    exec
    $INCLUDE /usr/local/synoradius/mikrotik_admin
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
...

Stop and start the Synology RADIUS server in Package Center, and the Synology RADIUS side of the setup is finished.

2. Set up MikroTik device for RADIUS login

Connect to your MikroTik device’s console.

Add the RADIUS server and enable it for the login service on your MikroTik device:

/radius add service=login address=YOUR_RADIUS_SERVER_IP secret=YOUR_SHARED_SECRET

Enable RADIUS login on your MikroTik device:

/user aaa set default-group=DEFAULT_GROUP_FOR_RADIUS_USER use-radius=yes

I also strongly recommend setting the default-group option to the MikroTik user group you want for every RADIUS-authenticated user that is not mapped by your RADIUS configuration above.

The default value of default-group is read, which means that, by default, every unmapped user can log in to your MikroTik device with the read group's permissions. That might not be the setup you wanted.
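Both the mapping file from step 1 and the default-group concern above can be handled on the RADIUS side as well. The following is an added example of a fuller mikrotik_admin file (my own, not the article's file or Synology's): it maps two placeholder LDAP groups to the built-in RouterOS groups full and read, and turns the Access-Accept into an Access-Reject for any LDAP user who is in neither group, so such users never fall through to the device's default-group. The LDAP group names are placeholders, and the reject assumes Synology's bundled FreeRADIUS is 3.x, where a reject returned from the post-auth section makes the server send Access-Reject (and run Post-Auth-Type REJECT).

```unlang
# mikrotik_admin: added example, not the original article's file.
# Included from the post-auth section via $INCLUDE, exactly like the
# single-group version in step 1. Group names are placeholders.

# Full administrators: members of the (placeholder) LDAP group mikrotik-admins.
if (Ldap-Group == "mikrotik-admins") {
    update reply {
        Mikrotik-Group := "full"
    }
}
# Read-only operators: members of the (placeholder) LDAP group mikrotik-operators.
elsif (Ldap-Group == "mikrotik-operators") {
    update reply {
        Mikrotik-Group := "read"
    }
}
# Any other LDAP user authenticated successfully but is in no mapped group.
# Reject explicitly instead of relying on the device's default-group.
else {
    update reply {
        Reply-Message := "Not authorized for MikroTik login"
    }
    reject
}
```

Each Ldap-Group comparison triggers a group lookup against the LDAP server, which is why the branches are chained with elsif rather than written as independent if blocks. If the same Synology RADIUS server also authenticates other clients (for example Wi-Fi access points), the else branch would reject those users too; in that case scope the whole block to the MikroTik client entry, for example by testing FreeRADIUS' %{client:shortname} expansion against that client's name, or keep a separate include per client type.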

And that's it, you have finished the setup. Try logging in to your MikroTik device using your LDAP credentials \(^▽^)/

Further Reading

Setting up FreeRADIUS to work with MSCHAPv2 with FreeIPA

See also

FreeIPA and Red Hat IdM Password Auditing

Blast-RADIUS (CVE-2024-3596)
