Community discussions

MikroTik App
  4. RouterOS
  5. Scripting

Show Radius Reply/Errors on hotspot login page

Post Reply
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

Show Radius Reply/Errors on hotspot login page

Wed Apr 07, 2010 7:59 pm

Currently we are using Hotspot to Auth users against a Radius server (Emerald 5) via MAC address and a common password. The problem I am having is when a customer gets the splash page (meaning they are not authenticated) i want the splash page to show what the radius reply was (ie the reason they are not getting authenticated, Expired, data usage reached, etc, etc). Is there a script for that that I can put in the login.html of the page?

RouterOS 3.30 on RB433AH

Here is a couple snippets of what a radius reply was from some tests I did and is what I would want displayed on the web page for that user.
Code: Select all
16:39:29 hotspot,info,debug 00:12:17:95:6E:B6 (XXX.XXX.XXX.XXX): login failed: Your Account '00:12:17:95:6E:B6' is Inactive
Code: Select all
10:41:54 hotspot,info,debug 00:15:6D:D4:4A:43 (XXX.XXX.XXX.XXX): login failed: Your Account '00:15:6D:D4:4A:43' is over it's credit limit.
Any help is appreciated.
Thanks,
Top
 
fewi
Forum Guru
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Show Radius Reply/Errors on hotspot login page

Wed Apr 07, 2010 8:48 pm

http://www.mikrotik.com/testdocs/ros/2. ... hp#7.41.15

That lists all the variables, including how to print attributes returned by RADIUS.
Top
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

Re: Show Radius Reply/Errors on hotspot login page

Thu Apr 08, 2010 5:25 pm

I've looked at the page and after messing around with it for a while I am beginning to wounder if i got the syntax right. This is what I am using:
Code: Select all
$(radius<Reply-Message>)
As I am looking to display what the "Reply-Message" is, sent from the radius server.

Anyone steer me in the right direction?

Thanks,
Top
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

Re: Show Radius Reply/Errors on hotspot login page

Thu Apr 08, 2010 5:53 pm

Found this http://forum.mikrotik.com/viewtopic.php?f=9&t=24599 post and mikrotik staff replied and said they had identified the problem and would be fixxed in version 4.4 and I think this post was written before version 3.30 was released. Was this problem also fixxed in version 3.30?

Thanks,
Top
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Show Radius Reply/Errors on hotspot login page

Thu Apr 08, 2010 6:05 pm

According to an example by sergejs, it should be $(radius18)
Example: http://forum.mikrotik.com/viewtopic.php?f=9&t=39754
The newer versions should be working ok.
Top
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

Re: Show Radius Reply/Errors on hotspot login page

Thu Apr 08, 2010 6:38 pm

Gave $(radius18) a try and no go... Here is what I did to test.

On the default login.html page i changed:

This origional line:
Code: Select all
$(if error)<br /><div style="color: #FF8080; font-size: 9px">$(error)</div>$(endif)
To this line to test:
Code: Select all
$(if radius18)<br /><div style="color: #FF8080; font-size: 9px">$(radius18)</div>$(endif)
killed the host i am testing from in the hotspot menu and reconnected. I get splash page but no message as to why I was not authenticated... It should have showed "Your Account '00:12:17:95:6E:B6' is Inactive" as that is what it showed in the log of the box.
Top
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

Re: Show Radius Reply/Errors on hotspot login page

Thu Apr 08, 2010 7:59 pm

Gave $(radius18) a try and no go... Here is what I did to test.

On the default login.html page i changed:

This origional line:
Code: Select all
$(if error)<br /><div style="color: #FF8080; font-size: 9px">$(error)</div>$(endif)
To this line to test:
Code: Select all
$(if radius18)<br /><div style="color: #FF8080; font-size: 9px">$(radius18)</div>$(endif)
killed the host i am testing from in the hotspot menu and reconnected. I get splash page but no message as to why I was not authenticated... It should have showed "Your Account '00:12:17:95:6E:B6' is Inactive" as that is what it showed in the log of the box.

also tried <Vnd-id>: As my vendor ID in my radius server is "0" for standard radius attributes
Code: Select all
radius18u
Code: Select all
radius18-0
Code: Select all
radius18-0u
Top
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Show Radius Reply/Errors on hotspot login page

Thu Apr 08, 2010 8:49 pm

I just ran a test with Reply-Message using cookies. It is about the same login procedure as using the mac address. If there is an error (I used a bad password in the cookie as a test), my login page displays the Reply-Message ("My message") I entered in the SQL radreply table for that user. And that was without any html modifications at all. RB433AH V3.30

Here is my log entry:
12:36:29 hotspot,info,debug tim (192.168.0.249): login failed: My message
and that is what it put just above the user and password form inputs.

ADD: The $error variable is set to the Reply-Message on fail.
Top
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

Re: Show Radius Reply/Errors on hotspot login page

Thu Apr 08, 2010 11:24 pm

I just ran a test with Reply-Message using cookies. It is about the same login procedure as using the mac address. If there is an error (I used a bad password in the cookie as a test), my login page displays the Reply-Message ("My message") I entered in the SQL radreply table for that user. And that was without any html modifications at all. RB433AH V3.30

Here is my log entry:
12:36:29 hotspot,info,debug tim (192.168.0.249): login failed: My message
and that is what it put just above the user and password form inputs.

ADD: The $error variable is set to the Reply-Message on fail.

If "$error" is set to display "Reply-Message" then I should have to do no other configuration other than cosmetic to my page. That is not the case, a default login.html does not show "Reply-Message" from the radius server when I open up a browser for a non-authenticated user. I know that a "Reply-Message" is coming back from radius server as is shows it in the log. So is it broken for radius?
Top
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Show Radius Reply/Errors on hotspot login page

Thu Apr 08, 2010 11:31 pm

I can't say it is broken. It works fine here. But like I said, I am using the cookie login rather than the mac auth. There may be some subtle differences, but not according to everything I have read in the docs. You might consider doing a supout file and email it to support (at) mikrotik.com with a short explanation of the problem.
Top
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

Re: Show Radius Reply/Errors on hotspot login page

Fri Apr 09, 2010 1:37 am

Here is a snippet of my log.
Code: Select all
jan/02/1970 00:00:29 wireless,info 00:12:17:95:6E:B6@wlan1: connected 
jan/02/1970 00:00:31 dhcp,info dhcp2 deassigned 10.11.12.254 from 00:12:17:95:6E:B6 
jan/02/1970 00:00:31 dhcp,info dhcp2 assigned 10.11.12.254 to 00:12:17:95:6E:B6 
jan/02/1970 00:00:38 hotspot,info,debug 00:12:17:95:6E:B6 (10.11.12.254): trying to log in by mac 
jan/02/1970 00:00:38 radius,debug new request 3f:22 code=Access-Request service=hotspot called-id=hotspot1 
jan/02/1970 00:00:38 radius,debug sending 3f:22 to 66.xx.xx.xx:1812 
jan/02/1970 00:00:38 radius,debug,packet sending Access-Request with id 4 to 66.xx.xx.xx:1812 
jan/02/1970 00:00:38 radius,debug,packet     Signature = 0x867f64519ce6f03fd34ef47444a3b29f 
jan/02/1970 00:00:38 radius,debug,packet     NAS-Port-Type = 19 
jan/02/1970 00:00:38 radius,debug,packet     Calling-Station-Id = "00:12:17:95:6E:B6" 
jan/02/1970 00:00:38 radius,debug,packet     Called-Station-Id = "hotspot1" 
jan/02/1970 00:00:38 radius,debug,packet     NAS-Port-Id = "wlan1" 
jan/02/1970 00:00:38 radius,debug,packet     User-Name = "00:12:17:95:6E:B6" 
jan/02/1970 00:00:38 radius,debug,packet     NAS-Port = 2157969408 
jan/02/1970 00:00:38 radius,debug,packet     Acct-Session-Id = "80a00000" 
jan/02/1970 00:00:38 radius,debug,packet     Framed-IP-Address = 10.11.12.254 
jan/02/1970 00:00:38 radius,debug,packet     MT-Host-IP = 10.11.12.254 
jan/02/1970 00:00:38 radius,debug,packet     CHAP-Challenge = 0xbb0a79438611d2b704e0ca3465a6b5cd 
jan/02/1970 00:00:38 radius,debug,packet     CHAP-Password = 0x64a1f268eee6924df2ccae0c212ad885 
jan/02/1970 00:00:38 radius,debug,packet       bd 
jan/02/1970 00:00:38 radius,debug,packet     Service-Type = 1 
jan/02/1970 00:00:38 radius,debug,packet     WISPr-Logoff-URL = "http://10.11.12.1/logout" 
jan/02/1970 00:00:38 radius,debug,packet     NAS-Identifier = "MikroTik" 
jan/02/1970 00:00:38 radius,debug,packet     NAS-IP-Address = 172.17.0.55 
jan/02/1970 00:00:38 radius,debug,packet received Access-Reject with id 4 from 66.xx.xx.xx:1812 
jan/02/1970 00:00:38 radius,debug,packet     Signature = 0xcbe411677dba740f233e95556bbfc03b 
jan/02/1970 00:00:38 radius,debug,packet     Reply-Message = "Your Account '00:12:17:95:6E:B6' is Inactive" 
jan/02/1970 00:00:38 radius,debug received reply for 3f:22 
jan/02/1970 00:00:38 hotspot,info,debug 00:12:17:95:6E:B6 (10.11.12.254): login failed: Your Account '00:12:17:95:6E:B6' is Inactive 
jan/02/1970 00:00:41 radius,debug sending 05:00 to 66.xx.xx.xx:1813 
jan/02/1970 00:00:41 radius,debug,packet sending Accounting-Request with id 5 to 66.xx.xx.xx:1813 
jan/02/1970 00:00:41 radius,debug,packet     Signature = 0x1e07a3928be46100c561762bd56aac98 
jan/02/1970 00:00:41 radius,debug,packet     Acct-Status-Type = 7 
jan/02/1970 00:00:41 radius,debug,packet     NAS-Identifier = "MikroTik" 
jan/02/1970 00:00:41 radius,debug,packet     NAS-IP-Address = 172.17.0.55 
jan/02/1970 00:00:41 radius,debug,packet     Acct-Delay-Time = 0 
jan/02/1970 00:00:41 radius,debug,packet received Accounting-Response with id 5 from 66.xx.xx.xx:1813 
jan/02/1970 00:00:41 radius,debug,packet     Signature = 0xe4e2c80933f4d3a877e5b8cbb2dc10db 
jan/02/1970 00:00:41 radius,debug received reply for 05:00
Now look at the Reply-Message from radius server and then a couple lines down in the hotspot, info, debug also says it for hotspot.. problem is... its not making it into the page for the $error variable
Last edited by rebel2234 on Fri Apr 09, 2010 5:27 pm, edited 1 time in total.
Top
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Show Radius Reply/Errors on hotspot login page

Fri Apr 09, 2010 1:47 am

The radius server end does not seem to be the challenge. Even your log shows that. The Reply-Message is being sent back. It is apparent the problem is in the router. It works here with the cookie login. I would create a supout.rif file and email it to support (at) mikrotik.com.
Top
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

Re: Show Radius Reply/Errors on hotspot login page

Thu Apr 15, 2010 12:35 am

Also tried it on version 4.6 and 3.18 to no avail.
Top
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

Re: Show Radius Reply/Errors on hotspot login page

Fri Apr 16, 2010 5:20 pm

Official response from support is.

"Currently it is not possible to display error on the login page, why MAC-address authentication is failed."

So my question is: Is it possible to write a script that pulls the error out of the log of the box and display it to the user?

Example: Write a script that greps the log for that particular users mac address and prints the line to the web page that grep matches.
Top
Post Reply
  4. RouterOS
  5. Scripting