

[Mikrotik] Accounting using freeradius authenticated by MAC address

Andy Rabagliati Sun, 28 Mar 2010 07:33:18 -0700
Folks,
I have inherited a setup that uses three Mikrotik boxes to
service an office building here in South Africa.
Software versions are 2.9.40, 3.20, and 2.9.44.
I installed an Ubuntu box running Radius and a dhcp server.
I bridged ether1 / wlan1 on the Mikrotik NAS's.
The setup successfully authenticates by MAC addresses
stored in mysql on the ubuntu box. IP addresses are then
fetched from the dhcp server.
I did this with "radcheck" containing items like

| id | username          | attribute          | op | value |
|----|-------------------|--------------------|----|-------|
| 3  | 00:1B:11:0A:8B:C1 | Cleartext-Password | := |       |
and "radgroupcheck" containing

| id | groupname | attribute | op | value |
|----|-----------|-----------|----|-------|
| 1  | wireless  | Auth-Type | := | Local |
| 2  | wireless  | Password  | == |       |

but I am having no success with accounting. From the 3.20 box I once got this:

Wed Mar 24 11:20:11 2010
Acct-Status-Type = Accounting-On
NAS-Identifier = "TokaiSuites1"
NAS-IP-Address = 172.16.1.1
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "6fbfb93f3bceb43e"
Timestamp = 1269422411
Request-Authenticator = Verified
but I have never seen an honest accounting packet yet.
I have trawled mailing lists, I have googled, I have read rfc2866.
What am I doing wrong, and can I fix it ?
Selected config attached below.
Cheers,

Andy!

radiusd.conf :-

# radiusd.conf as quoted in the post (FreeRADIUS 2.x layout: modules/, sql.conf,
# sites-enabled/). A few "key = value" settings below were split over two lines by
# the extraction ("regular_expressions" / "= yes"); each is one line in the real file.
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Two listeners on all addresses. port = 0 takes the daemon default for each type
# (1812 for auth, 1813 for acct unless /etc/services says otherwise), which matches
# authentication-port=1812 / accounting-port=1813 in the RouterOS "/ radius" entry.
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions
= yes
extended_expressions
= yes
# auth = no: individual Access-Request outcomes are not written to radius.log.
# Setting auth = yes is the cheapest way to see whether each NAS packet arrives and
# how it is answered; auth_badpass/auth_goodpass stay off so no credentials are logged.
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
# status_server = yes answers Status-Server probes from clients; reject_delay = 1
# delays every Access-Reject by one second.
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
# Proxying is enabled, but the NAS export sends realm="", so requests presumably stay
# local. clients.conf (the NAS shared secrets) is quoted separately in the post.
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# sql.conf and the MySQL counter module are loaded here, yet what happens to an
# Accounting-Request is decided by the "accounting { ... }" section of the virtual
# server in sites-enabled/, which the post does not show -- that file is the first
# place to check when no radacct rows appear.
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
}
# Only these four modules are instantiated explicitly; modules named in sites-enabled/
# are presumably loaded automatically when the virtual server is parsed.
instantiate {
exec
expr
expiration
logintime

}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
######################################################################
#################3333
# NOTE(review): the extraction fused the "clients.conf" heading with the
# "client localhost {" opener on the next line; in the real file the opener stands
# on its own line, otherwise the "ipaddr = 127.0.0.1 ... }" stanza has no header.
# clients.conf :client localhost {
ipaddr = 127.0.0.1
# The localhost secret was pasted into a public mailing list; treat it as disclosed
# and rotate it. require_message_authenticator = no lets this client send
# Access-Requests without a Message-Authenticator attribute.
secret
= whiteroad
require_message_authenticator = no
}
# The three RouterOS NAS boxes. "$$ecret" is the poster's placeholder for the shared
# secret and must be the same string as secret="$$ecret" in each box's "/ radius" entry;
# an accounting packet signed with a different secret fails Request-Authenticator
# checking. The Accounting-On packet shown in the post carries
# "Request-Authenticator = Verified", so the 172.16.1.1 secret at least matches.
client 172.16.1.1 {
secret = $$ecret
shortname = tokaisuites1
nastype = other
}
client 172.16.1.2 {
secret = $$ecret
shortname = tokaisuites2
nastype = other
}
client 172.16.1.3 {
secret = $$ecret
shortname = tokaisuites3
nastype = other
}
######################################################################
#################3333
# RouterOS 2.9.44 export of one of the three NAS boxes (172.16.1.2, "tokaisuites2").
# Long commands wrap with a trailing "\"; the extraction also split several of them
# across extra lines (and inserted blank lines around "security-profile=default"),
# so read each "set"/"add" up to the next "/ ..." menu line as one command.
# mar/28/2010 16:06:21 by RouterOS 2.9.44
# software id = IGPI-3TT
/ interface ethernet
set ether1 name="ether1" mtu=1500 mac-address=00:0C:42:15:80:18
arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
# AP in ap-bridge mode. default-authentication=no means a station is admitted only
# when the security profile ("default", below) authorises it; default-forwarding=no
# presumably disables client-to-client forwarding through the AP.
/ interface wireless
set wlan1 name="wlan1" mtu=1500 mac-address=00:0B:6B:4F:30:1D
arp=enabled
disable-running-check=no radio-name="tokaisuites2" mode=ap-bridge \
ssid="TokaiSuites2" area="" frequency-mode=manual-txpower
country="south
africa" antenna-gain=0 frequency=2437 band=2.4ghz-b/g scanlist=default \
rate-set=configured supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-ratesa/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=26 tx-power-mode=all-rates-fixed \
noise-floor-threshold=default periodic-calibration=default
periodic-calibration-interval=60 burst-time=disabled dfs-mode=none
antenna-mode=ant-a \
wds-mode=disabled wds-default-bridge=none wds-default-cost=100
wds-cost-range=50-150 wds-ignore-ssid=no update-statsinterval=disabled \
default-authentication=no default-forwarding=no default-ap-txlimit=0
default-client-tx-limit=0 proprietary-extensions=post-2.9.25 hidessid=no \

security-profile=default disconnect-timeout=3s on-fail-retrytime=100ms


preamble-mode=both compression=no allow-sharedkey=no comment=""
disabled=no
/ interface wireless nstreme
set wlan1 enable-nstreme=no enable-polling=yes framer-policy=none
framer-limit=3200
/ interface wireless manual-tx-power-table
set wlan1
manual-txpowers=1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9Mbps:17,12Mbps
:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17
# Security profile used by wlan1: mode=none, so there is no WPA/WEP and the air link
# is unencrypted; admission rests solely on radius-mac-authentication=yes, i.e. the
# AP asks 172.16.1.254 whether the station's MAC is in the "radcheck" table. A MAC
# address is not a secret, so this is device identification for the office network,
# not user authentication.
# NOTE(review): no radius-mac-accounting setting appears in this export. On later
# RouterOS releases the security profile needs radius-mac-accounting=yes before
# per-station Start/Stop accounting is sent; worth checking whether 2.9.44 offers it,
# since only an Accounting-On packet has been observed so far.
/ interface wireless security-profiles
set default name="default" mode=none authentication-types="" unicastciphers=""
group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" \
tls-mode=no-certificates tls-certificate=none static-algo-0=none
static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none
static-key-2="" \
static-algo-3=none static-key-3="" static-transmit-key=key-0
static-sta-private-algo=none static-sta-private-key=""
radius-mac-authentication=yes \
group-key-update=5m
/ interface wireless align
set frame-size=300 active-mode=yes receive-all=no
audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 ssidall=no
frames-per-second=25 \
audio-min=-100 audio-max=-20
/ interface wireless snooper
set multiple-channels=yes channel-time=200ms receive-errors=no
/ interface wireless sniffer
set multiple-channels=no channel-time=200ms only-headers=no receiveerrors=no
memory-limit=10 file-name="" file-limit=10 streaming-enabled=no \
streaming-server=0.0.0.0 streaming-max-rate=0
# wlan1 and ether1 are bridged (stp=no), so stations reach the wired segment -- and,
# per the post, the Ubuntu DHCP server -- at layer 2.
/ interface bridge
add name="bridge1" mtu=1500 arp=enabled stp=no priority=32768 ageingtime=5m
forward-delay=15s garbage-collection-interval=4s hello-time=2s \
max-message-age=20s comment="" disabled=no
/ interface bridge port
add interface=wlan1 bridge=bridge1 priority=128 path-cost=10
comment=""
disabled=no
add interface=ether1 bridge=bridge1 priority=128 path-cost=10
comment=""
disabled=no
# RADIUS client for service=wireless only: auth to 172.16.1.254:1812, accounting to
# :1813. "$$ecret" is the poster's placeholder and must equal the clients.conf entry
# for 172.16.1.2. timeout=300ms is tight for an SQL-backed server; a lookup slower
# than that is treated as no reply.
/ radius
add service=wireless called-id="" domain="" address=172.16.1.254
secret="$$ecret" authentication-port=1812 accounting-port=1813
timeout=300ms \
accounting-backup=no realm="" comment="" disabled=no
# accept=yes opens UDP 1700 for unsolicited Disconnect/CoA requests; a valid request
# drops the named session, so the shared secret is what protects this path. Keep it
# at accept=no unless the RADIUS side actually sends such requests.
/ radius incoming
set accept=yes port=1700
# Built-in per-IP traffic accounting. This is a separate RouterOS feature and is not
# the RADIUS accounting the post is asking about; enabling it produces no
# Accounting-Request packets.
/ ip accounting
set enabled=yes account-local-traffic=no threshold=256
# accessible-via-web=yes with address=0.0.0.0/0 publishes the accounting snapshot
# through the router's web service to any source address; restrict address= to the
# collector host if this stays enabled.
/ ip accounting web-access
set accessible-via-web=yes address=0.0.0.0/0
/ ip route

add dst-address=0.0.0.0/0 gateway=172.16.1.254 scope=255 targetscope=10


comment="" disabled=no
# 172.16.1.2/24 on ether1 -- the address clients.conf knows as "tokaisuites2".
/ ip address
add address=172.16.1.2/24 network=172.16.1.0 broadcast=172.16.1.255
interface=ether1 comment="" disabled=no
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik

RouterOS DHCP + Freeradius - Queues



manson

newbie

Posts: 29
Joined: Thu Feb 14, 2013 10:41 am

RouterOS DHCP + Freeradius - Queues


by manson Tue Sep 16, 2014 11:45 am
Hello,
I have a DHCP Server on ROS getting leases and rate limits from the freeradius
database; it's working like it should, but there is a problem with changing
rate limits for connected users. After the lease expires the client gets a new lease,
but rate limits changed in the database are not applied.
Any idea how to make it work?
Kadaf
just joined

Posts: 21
Joined: Tue Jan 18, 2011 6:52 pm

Re: RouterOS DHCP + Freeradius - Queues


by Kadafi Tue Sep 16, 2014 1:48 pm
manson wrote:Hello,
I have DHCP Server on ROS getting leases and rate limits from freeradius
database, it's working like it should but there is a problem with changing
rate limits to connected users. After lease expire client is getting new lease
but changed in database rate limits are not changed.
Any idea how to make it work?

The only way for now is to create static address lists and write a script in the scheduler
that makes dynamic leases static and updates them on new dynamic
entries.
DLNoah

Frequent Visitor

Posts: 80
Joined: Fri Nov 12, 2010 6:33 pm

Re: RouterOS DHCP + Freeradius - Queues


by DLNoah Tue Sep 16, 2014 3:11 pm
manson wrote:Hello,
I have DHCP Server on ROS getting leases and rate limits from freeradius
database, it's working like it should but there is a problem with changing
rate limits to connected users. After lease expire client is getting new lease
but changed in database rate limits are not changed.
Any idea how to make it work?

On a regular renewal (which DHCP clients will typically do at the halfway
point of their current lease), the MT will not re-request information from
RADIUS, as the lease entry still exists in the MikroTik. Similarly, the MT will
always check its own leases first (e.g. static leases), and will not query
RADIUS if a static lease exists.
In order to force the MT to re-check RADIUS for updated shaping
information, you need to delete the lease from the MT DHCP Server >
Leases tab (either manually or via a script triggered by your FreeRADIUS
backend when the rate limit changes).
lambert
Member

Posts: 344
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues


by lambert Wed Sep 17, 2014 1:21 am

Are you specifying the Session-Timeout in your FreeRADIUS reply packet?


We had issues without Session-Timeout where users were only authenticated
once. As long as they kept their lease renewed before it expired, they never
had to authenticate again.
With Session-Timeout set to 3600 seconds, the mikrotik re-authenticates
them every hour and they get their new MikroTik-Access-List value to
change to their new plan speed within an hour of the plan being changed in
the database. They can force a renewal before their current lease expires if
they are in a hurry.
manson
newbie

Posts: 29
Joined: Thu Feb 14, 2013 10:41 am

Re: RouterOS DHCP + Freeradius - Queues


by manson Thu Sep 18, 2014 12:01 pm
And how about same issue but with using User Manager?
Begetan
Frequent Visitor

Posts: 71
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues


by Begetan Sat Nov 01, 2014 10:15 pm
I am trying to do shaping via DHCP and got the same issue.
I think there is an issue in DHCP processing on the Mikrotik side.
If a station sends a request for the first time, Mikrotik has no lease and correctly sends
a request to RADIUS.
If the station disconnects and resends the DHCP request, or renews its lease,
Mikrotik tries to check its databases for static leases. If it can find any kind of
lease it will not process the RADIUS request again. It should do this only for RADIUS
leases.
What are the workarounds?
1. Send Session-Timeout. Does Mikrotik consider it unlimited by default?
2. Regular clean-up of the whole lease database.
3. A script for manual clean-up of a particular lease, triggered by the lease script.
4. Ask Mikrotik to fix a bug?

Begetan
Frequent Visitor

Posts: 71
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues


by Begetan Sat Nov 01, 2014 10:46 pm
lambert wrote:With Session-Timeout set to 3600 seconds, the mikrotik re-authenticates them every hour and they get their new MikroTik-Access-List
value to change to their new plan speed within an hour of the plan being
changed in the database. They can force a renewal before their current
lease expires if they are in a hurry.

Are you sure that a DHCP RADIUS Access-Accept message can carry the MikroTik-Access-List attribute?
lambert
Member

Posts: 344
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues


by lambert Tue Nov 04, 2014 11:48 pm

Begetan wrote:I am trying to do shaping via DHCP and got the same issue.
I think there is an issue in DHCP processing on the Mikrotik side.
If a station sends a request for the first time, Mikrotik has no lease and correctly sends
a request to RADIUS.
If the station disconnects and resends the DHCP request, or renews its lease,
Mikrotik tries to check its databases for static leases. If it can find any kind of
lease it will not process the RADIUS request again. It should do this only for RADIUS
leases.
What are the workarounds?
1. Send Session-Timeout. Does Mikrotik consider it unlimited by default?
2. Regular clean-up of the whole lease database.
3. A script for manual clean-up of a particular lease, triggered by the lease script.
4. Ask Mikrotik to fix a bug?

Number 1 works for my 2000 customers.... I would say 2 and 3 are not
necessary if you do 1. 4 is not necessary because it is working as designed.
Authentication is separate from Authorization.
If RADIUS doesn't specify a session timeout, the DHCP server uses MAC
authentication to authenticate the device. If no limits were in the RADIUS
authorization response, the user/device is unlimited. The DHCP server has
its own concept of Lease Time which is not related to authorization. So,
when a client authorized without limits requests to renew its lease, the
DHCP server looks at its table of limits and says "00:11:22:33:44:55" is not
beyond its authorized time limit, renew the lease.
If RADIUS returns a Session-Timeout, the DHCP server knows this MAC
address is authenticated and is also authorized for the next ${Session-Timeout} seconds. If the device requests to renew its lease, the DHCP
server looks at its table and sees "this MAC address already authenticated
and is authorized until ${time}." If the new Lease Time would give the
device access beyond ${time}, DHCP needs to ask the RADIUS server about
the device's authorization again.
With PPP, if you don't specify a Session-Timeout or other limit, the user can
stay connected forever and never has to re-authenticate. There is no
difference here. It is just the DHCP concept of a default lease-time which is
confusing people.
lambert

Member

Posts: 344
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues


by lambert Tue Nov 04, 2014 11:56 pm
Begetan wrote:
lambert wrote:With Session-Timeout set to 3600 seconds, the mikrotik re-authenticates them every hour and they get their new MikroTik-Access-List
value to change to their new plan speed within an hour of the plan being
changed in the database. They can force a renewal before their current
lease expires if they are in a hurry.

Are you sure that a DHCP RADIUS Access-Accept message can carry the MikroTik-Access-List attribute?

Yes. Absolutely. That is what we do for our customers.

DHCP uses MAC authentication to send a RADIUS request to the RADIUS
server. The RADIUS reply packet contains the Session-Timeout and MikroTik-Access-List and Framed-Pool or Framed-Address. If our Session-Timeout is
3600, the customer can be put in a different Access-List with a different IP
pool or static IP address.
You may have to make sure your RADIUS server knows about the MikroTik-Access-List attribute.
http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client/vendor_dictionary
Begetan
Frequent Visitor

Posts: 71
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues


by Begetan Thu Nov 06, 2014 12:25 am
lambert
Thank you for the details. We've implemented Session-Timeout and it's
working exactly as we want!
We will try to use Mikrotik-Address-List; we did it for PPP servers, so it's quite
easy.
I am confused because in the official documentation this parameter is
missing:
http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server
Begetan
Frequent Visitor

Posts: 71
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues


by Begetan Thu Nov 13, 2014 11:37 pm
Radius attribute Mikrotik-Address-List is working with DHCP, but has an
issue. Once it got some value from radius it will stay forever and not expire
while the lease is being renewed. Only disconnected and fully expired leases can clean up the
address-list.
Looks like the behaviour of standard DHCP without the Session-Timeout attribute.
lambert
Member

Posts: 344
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues


by lambert Fri Nov 14, 2014 12:42 am
What reply attributes are you returning? It works for us all day every day.
Below are the attributes we use for everyone. Customers with static IP
addresses also get a Framed-IP attribute from the radreply table.
mysql> select * from radgroupreply where groupname = "1MbCustomers";
+-----+--------------+-----------------------+----+--------------+
| id  | groupname    | attribute             | op | value        |
+-----+--------------+-----------------------+----+--------------+
|  67 | 1MbCustomers | Mikrotik-Address-List | =  | 1MbCustomers |
|  66 | 1MbCustomers | Framed-Pool           | =  | CustPub      |
| 107 | 1MbCustomers | Session-Timeout       | =  | 7200         |
+-----+--------------+-----------------------+----+--------------+

If a customer switched to another plan, we put them in another group and
the associated address list is returned the next time they renew the lease.
Once they get the new lease, any new connections are matched by the
address-list in the mangle rules. The new connections are then shaped by
the queue tree rules. Existing, long running connections are not affected,
unless the IP changes and, therefore, breaks the connection.
Do you check that the customer's dynamic address-list entry is in /ip firewall
address-list and whether it has changed?
lambert
Member

Posts: 344
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues


by lambert Fri Nov 14, 2014 12:56 am

Maybe this is a bug after 6.18? http://forum.mikrotik.com/viewtopic.php?f=1&t=91204#p456196
Begetan
Frequent Visitor

Posts: 71
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues


by Begetan Fri Nov 14, 2014 3:37 pm
We are using version 6.18 now.
This issue is about the processing of a RADIUS attribute.
If we set an attribute to some value it will stay in this state until we set a new value.
For example
1. We send from Radius
Framed-IP-Address = 172.16.1.1
Mikrotik-Address-List = [b]hotline[/b]
Session-Timeout = 3600

This address stays in the hotline filter


2. Now we removed user from hotline list
Framed-IP-Address = 172.16.1.1
Session-Timeout = 3600

But address-list "hotline" keeps holding IP 172.16.1.1 until you disconnect the
device! Every renewal of the lease keeps it on the list.
The only way to remove the attribute dynamically is to provide a new value:



Framed-IP-Address = 172.16.1.1
Mikrotik-Address-List = [b]allow[/b]
Session-Timeout = 3600

I think this is unclear handling of RADIUS attributes.
If we provide Session-Timeout, we hope that all attributes should expire
automatically, exactly the same as the DHCP lease. But we have to push a new
value to some attribute just to move out the old one.
Mikrotik DHCP + Radius is used by several people in the world, I think. So it's
better to update the knowledge base than to change the software.
I can add notes on the wiki if the Mikrotik team provides access.
lambert
Member

Posts: 344
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues


by lambert Fri Nov 14, 2014 8:29 pm
Okay, that makes sense and explains why we do not have a problem. On our
network, every user is in an address-list.
You might want to make a feature request of MikroTik to use the session-timeout as an address-list timeout. But it would still be there until the timeout
expired even if you force the device to get a new lease.
I would just give everyone a default address-list, even if you don't use that
in your configuration on the router.

DHCP Server With Usermanager (Radius) Mikrotik

DHCP Server With User manager (Radius) Mikrotik


DHCP router configuration
* Set DHCP to use User Manager for DHCP server leases,
/ ip dhcp-server set dhcp1 use-radius=yes
* Add radius client to consult User Manager for DHCP service.
/ radius add service=dhcp address=y.y.y.y secret=123456
secret is equal to User Manager router secret. y.y.y.y is the User Manager router
address.
* Note: the local router database is consulted first, then the User Manager database. The user will
be unable to obtain a DHCP lease if neither the DHCP router nor the User Manager server
contains any information about the user.
User Manager configuration
* First, you need to download and install User Manager package;
* Create User Manager subscriber;
/ tool user-manager customer add login=MikroTik password=qwerty
permissions=owner
* Add DHCP router information to the router list,
/ tool user-manager router add subscriber=MikroTik ip-address=x.x.x.x shared-secret=123456
x.x.x.x is the address of the DHCP router; shared-secret should match on both the User
Manager and DHCP routers.
* Add DHCP user information so that the client with MAC address 00:01:29:27:81:95 will
always receive the 192.168.100.2 address. The user will receive a dynamic address from the
DHCP ip pool if ip-address is not specified.
/ tool user-manager user add subscriber=MikroTik username=00:01:29:27:81:95
ip-address=192.168.100.2
Only a basic configuration example is discussed here; detailed information about the
user menu configuration is documented separately.

* To make sure, that user is receiving lease from User Manager,


/ ip dhcp-server lease> print
Flags: X disabled, R radius, D dynamic, B blocked
# ADDRESS MAC-ADDRESS HOST-NAME SERVER RATE-LIMIT STATUS
0 R 192.168.100.2 00:01:29:27:81:95 dhcp1 bound
R means that lease has been received from User Manager server.
Source:
Mikrotik Wiki
form
Waseem Anjum

Re: [ElastixBrasil] IVR ( URA ) Conectar Banco SQL.


Se seu SGBD for MySQL ou Postgres, o Asterisk já fornece o suporte necessário para
integração.
Se forem apenas queries simples no banco de dados, no próprio dialplan você pode usar
comandos para conectar ao MySQL ou Postgres como no exemplo abaixo:
; Dialplan excerpt (extensions.conf). Priority 1 opens a MySQL connection with
; credentials written into the dialplan; anyone who can read this file has the
; database login.
exten => _X.,1,MYSQL(Connect connid localhost dbuser dbpass dbname)
; Priority 2 builds the SELECT by substituting ${EXTEN} -- the digits the caller
; dialed -- straight into the SQL text. The _X. pattern only fixes the first
; character as a digit, so the value is caller-controlled and unvalidated when it
; reaches the WHERE clause; constrain it before use (e.g. keep only digits with
; FILTER(), or escape it) rather than relying on the pattern match.
; The "$" / "{EXTEN})" split below is an extraction artefact; this is one line.
exten => _X.,2,MYSQL(Query resultid ${connid} SELECT\ cpf\ from\ clientes\ where\ cpf=$
{EXTEN})

2013/5/6 Rafael dos Santos Saraiva <rafae...@gmail.com>


