 
owsugde
newbie
Topic Author
Posts: 40
Joined: Thu Oct 06, 2016 5:01 pm

Ways to change NAS-Identifier in RADIUS requests?

Tue Feb 06, 2024 8:28 pm

Hello,

is there any way to change the NAS-Identifier field that is sent through RADIUS hotspot requests? At first glance it appears to be hardcoded to be the router identity, according to the ROS Wiki.

I need to be able to control this somehow in order to run multiple different hotspots on the same machine. My commercial hotspot backend uses NAS-Identifier as the main distinction between different locations, and that also appears to be hardcoded. It'd be a real hassle to add several small routers (hEX or something) to the setup with different identities just to get this separation working. Also the firewalls would be much less streamlined.

There'd be more than enough optional fields like WISPr-Location-Name to submit a custom string, but sadly the server won't understand that.

Any hints are very much appreciated!
 
savage
Forum Guru
Posts: 1265
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Ways to change NAS-Identifier in RADIUS requests?

Wed Feb 07, 2024 9:27 am

Plenty other attributes that can be used, such as NAS-IP-Address ?
 
blingblouw2
just joined
Posts: 17
Joined: Thu May 18, 2023 4:35 pm

Re: Ways to change NAS-Identifier in RADIUS requests?

Wed Feb 07, 2024 10:10 am

Nas identifier is system identity.
 
owsugde
newbie
Topic Author
Posts: 40
Joined: Thu Oct 06, 2016 5:01 pm

Re: Ways to change NAS-Identifier in RADIUS requests?

Wed Feb 07, 2024 12:19 pm

> Plenty other attributes that can be used, such as NAS-IP-Address ?

Definitely, however the external service uses only Nas-Identifier and they likely won't change that just for me. I did ask, though.

So it's an unfortunate case of "hardcoded on both ends". Honestly it wouldn't be very hard for MikroTik to get this parametrizable in the software. Some arcane CLI option would suffice. Sadly the RADIUS client, as is, is super simple.
 
vingjfg
Member
Posts: 411
Joined: Fri Oct 20, 2023 1:45 pm

Re: Ways to change NAS-Identifier in RADIUS requests?

Wed Feb 07, 2024 1:16 pm

Would changing the Radius server be possible?
 
savage
Forum Guru
Posts: 1265
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Ways to change NAS-Identifier in RADIUS requests?

Wed Feb 07, 2024 4:59 pm

> > Plenty other attributes that can be used, such as NAS-IP-Address ?
> Definitely, however the external service uses only Nas-Identifier and they likely won't change that just for me. I did ask, though

Then it's a lack of functionality on the external service, unfortunately.

Install a AAA proxy in the middle (freeradius comes to mind), and re-write the attribute to the value of your choosing. NAS-Identifier is the hostname of the router; this is not only on MikroTik, but on most network devices.
 
savage
Forum Guru
Posts: 1265
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Ways to change NAS-Identifier in RADIUS requests?

Wed Feb 07, 2024 5:08 pm

https://www.rfc-editor.org/rfc/rfc2138#page-48
5.32. NAS-Identifier

Description

This Attribute contains a string identifying the NAS originating
the Access-Request. It is only used in Access-Request packets.
Either NAS-IP-Address or NAS-Identifier SHOULD be present in an
Access-Request packet.


A summary of the NAS-Identifier Attribute format is shown below. The
fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

32 for NAS-Identifier.

Length

>= 3

String

The String field is one or more octets, and should be unique to
the NAS within the scope of the RADIUS server. For example, a
fully qualified domain name would be suitable as a NAS-Identifier.

The actual format of the information is site or application
specific, and a robust implementation SHOULD support the field as
undistinguished octets.

The codification of the range of allowed usage of this field is
outside the scope of this specification.
 
owsugde
newbie
Topic Author
Posts: 40
Joined: Thu Oct 06, 2016 5:01 pm

Re: Ways to change NAS-Identifier in RADIUS requests?

Wed Feb 07, 2024 8:18 pm

> Install a AAA proxy in the middle (freeradius comes to mind)

That seems like a good idea. Just looked up the proxy function in FreeRADIUS which I wasn't aware of. It should be doable using some combination of realms, domains and custom fields on the ROS side, and some Unlang conversion scripting on the proxy side.

I might actually try that at some point. However even if I make it work, I'll probably run into problems with MAC cookies (this is about hotspots). That's another feature that seems to be more or less bound to the one router. According to the Wiki, apparently a MAC cannot appear twice in the cookies. Will have to look into login by "MAC", not "MAC cookie".
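
As an added example (not part of any post in this thread, and not FreeRADIUS or RouterOS code), the Python below shows the attribute rewrite an AAA proxy performs: it parses the Type/Length/String attributes described in the RFC excerpt, replaces NAS-Identifier (type 32), and recomputes Message-Authenticator, which would otherwise no longer verify on the edited packet. Assumptions: the hotspots are told apart by Called-Station-Id, the names in `site_map` and the sample packet are constructed, and both legs share one secret so User-Password needs no re-encryption.

```python
import hashlib
import hmac
import struct
NAS_IDENTIFIER, CALLED_STATION_ID, MESSAGE_AUTHENTICATOR = 32, 30, 80

def parse(packet):
    """Return (code, id, authenticator, [(type, value), ...]) for a RADIUS packet."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("bad RADIUS length")
    code, ident, length = packet[0], packet[1], len(packet)
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or not 2 <= packet[pos + 1] <= length - pos:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]  # Type and Length octets
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def build(code, ident, auth, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def sign(code, ident, auth, attrs, secret):
    """HMAC-MD5 over the whole packet with Message-Authenticator zeroed."""
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build(code, ident, auth, zeroed), hashlib.md5).digest()

def rewrite_nas_identifier(packet, site_map, secret):
    code, ident, auth, attrs = parse(packet)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if macs and not hmac.compare_digest(macs[0], sign(code, ident, auth, attrs, secret)):
        raise ValueError("Message-Authenticator mismatch")
    called = next((v for t, v in attrs if t == CALLED_STATION_ID), None)
    new_id = site_map.get(called)
    if new_id is None:
        return packet  # unknown hotspot: forward unchanged
    attrs = [(NAS_IDENTIFIER, new_id)] + [a for a in attrs if a[0] != NAS_IDENTIFIER]
    if macs:  # the original HMAC no longer matches the edited packet
        mac = sign(code, ident, auth, attrs, secret)
        attrs = [(t, mac if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return build(code, ident, auth, attrs)

def sample_request(secret):
    """Constructed Access-Request; names and values are made up for this example."""
    attrs = [(1, b"guest"), (NAS_IDENTIFIER, b"router1"),
             (CALLED_STATION_ID, b"hotspot-lobby"), (MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, sign(1, 7, bytes(range(16)), attrs, secret))
    return build(1, 7, bytes(range(16)), attrs)
```

A request whose Message-Authenticator does not verify is rejected before any rewrite, so the proxy never re-signs content it could not authenticate.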
 
bpwl
Forum Guru
Posts: 3123
Joined: Mon Apr 08, 2019 1:16 am

Re: Ways to change NAS-Identifier in RADIUS requests?

Fri Feb 09, 2024 11:19 am

Would this be a work-around? Add the SSID to the called format.

WLAN driver: "radius-called-format (mac | mac:ssid | ssid; Default: mac:ssid)"
Wifi driver: "called-format (format-string) Format for the value of the Called-Station-Id RADIUS attribute, in AP's messages to RADIUS servers. Default: II-II-II-II-II-II:S"


Oh yes, I do use wifi authentication (EAP), not hotspot.
