I am trying to implement:

http://wiki.mikrotik.com/wiki/Payment_Reminders

However, the WIKI entry provides no details about the interworking of the RouterOS PPPoE server and the Radius server.

Before I do a lab set-up, I am pinging the forum for words of advice.

My expectation would be that RouterOS would deny adding entries to the address list 'Mikrotik-Address-List' based on a username/password combination that is tagged as 'payment overdue' in my Radius authentication database.

This way...

... Rather than to place entries in a address-list that is to be HTTP intercepted to a reminder web page ...

... I would set-up the firewall rules as described in the Payment_Reminder WIKI entry such as to only allow through without interception, the IP addresses that show up in the list and send all traffic that does not show up in the 'Mikrotik-Address-List' to the payment reminder web page.

Do I have this right?

Regards,

F.

The wiki page shows how to redirect all traffic from IP addresses that are on an address list to a payment reminder website.

You can manually populate the address list with IPs if you want, or your RADIUS server can do so for you by sending the Mikrotik-Address-List attribute. How exactly it does that depends on both the RADIUS server used and its exact configuration, which is why the wiki doesn't mention that part - there's no way to cover all the different products and ways to set them up.

Viktor from DMA Softlab is saying this in support emails to me:

-----
As of V 3.8, unfortunately the current version of Radius Manager has no such feature. Please note we are continously improving the system and adding new useful
features in all new releases. There is no direct support for Mikrotik-Address-List attribute, but You can add this in radreply or radgroupreply table manually before we release the new version.
-----

OK, so I'm now getting an idea that RouterOS would actually be listening to a Radreply message from the Radius Server containing a 'Mikrotik-Address-List' attribute.

So say that I am about to test this, and I do send such messages from the Radius server 'containing a Mikrotik-Address-List inside a RadReply message' - what I would be able to witness is WHICH address list grow in size containing the IP addresses to redirect to the payment reminder ?

What specifies which address list is to be fed with Radreply messages ?

I'm missing a portion of the message sequence chart... that's all.

F.

The radreply and radgroupreply tables contain attributes to send back to the client.

The Mikrotik-Address-List attribute is for the Mikrotik vendor (14998), with an id of 19 and a type of string. You may need to add that to the RADIUS server's dictionary, contact them to find out how (though going by table names they are just piggybacking on FreeRADIUS). You then add to the reply tables a new attribute for the users that need a reminder, the attribute name is Mikrotik-Address-List and its value will be the string name of an address list. How you add the attribute to the table you should also check with their support just to make sure you get it right.
Once the attribute is sent back to the server you will be able to watch the IP firewall address list section on the CLI or in Winbox and see new items pop up when clients log in that the attribute is sent for - the entries will show the string you sent back as the name of the address list, and the IP of the client. The entries are removed again when the clients log out.

The fact that the reply is in the form of an 'address list' string intrigues me ...

Under the scenario that a single username/password has a single address which needs to be added to the address list table in the firewall entries, the the reply would contain a single address.

a) mus the reply contain ALL of the addresses at which point in time it is being replied back to RouterOS ?

b) RouterOS stores incremental additions of single addresses in WHICH table on RouterOS ?

c) Is the fact that the Radreply is in the format of an 'address list' meant to capture the scenario where a single username/password has multiple concurrent logons thus multiple addresses ?

F.

No, you've got it the wrong way around.

RADIUS sends back a reply when a user logs in. That reply already contains all kinds of data other than just ACCESS-ACCEPT. You just add an extra line to the reply that says, "add this user to the address list named 'whatever'".

The router sees the RADIUS reply it was waiting for when the user tried to log into the router and the router checked with RADIUS. It proceeds to log the user in, and it knows the user's IP address - let's say it's 1.1.1.1 - already. At the end of the login process the router runs the fictional command "/ip firewall address-list add list=whatever address=1.1.1.1"

That is all there's to it. You just specify a name, the router pieces the rest of the information together for you. If you want a second user on that same list you just send back the same list name in the RADIUS ACCESS-ACCEPT message on merit of there being an entry in the radreply table. If you want a third user on a different list you just send back a different list name.

You cannot dynamically add the same user to multiple lists at this time. RADIUS does allow you to send back the same attribute multiple times in one reply and the router could choose to evaluate that to add the user to several lists, but it currently does not. It's a feature that has been requested, though.

Hope that makes more sense.

Where is the 'whatever' name defined ?

a) on the Radius Server
b) on Router OS ?
c) on Both ?

F.

On the RADIUS server. It is the string that is send back as the value for the Mikrotik-Address-List attribute. Just as if you were manually adding an address list RouterOS will see if that address list already exists. If it does, it adds an entry for the client's IP address to it. If it doesn't, it creates the list and the client's IP address becomes the first entry.

If that still doesn't make sense check with your RADIUS vendor on how exactly to add the attribute, make yourself a username and add the attribute with a value of 'whatever' and log in. Once you play with it it'll make sense very quickly.

I'm getting somekind of a Doh! moment here...

Does this mean that the parameter being shipped over the RadReply message is not that of an IP address, but rather that of a 'LIST NAME', as a single ASCII string ?

Then RouterOS simply uses the trigger of the the list name being conveyed in the STRING under the reply option "Mikrotik vendor (14998), with an id of 19 and a type of string" and starts adding IP addresses to the STRING name ?

i.e. there is no 'LIST OF IP ADDRESSES' as '192.168.0.1, 192.168.0.2, ...' being replied.

The reply is much more of a FLAG with a parameter which is a STRING

And then RouterOS runs the equivalent of the /ip firewall command stated above with the STRING name as the address list ...

Then I just do whatever I want to do in the mangle tables on the firewall table with that STRING name....
.
Eureka?!

F.

That is exactly it.

Address lists are a really nice way to not have to worry about details. You write rules that describe general behavior for a group of clients, regardless of their IP addressing, and then just populate address lists with the details - or let the router or RADIUS populate the lists for you.

Hi guys, Did anyone add new attribute "Mikrotik-Address-List" to FreeRadius? I have added new attribute into file Also configured value "Mikrotik-Address-List:=PaymentReminder1". But freeradius shows error "invalid user". I have try to find answer on freeradius forums, but no success.

I am trying to implement:
http://wiki.mikrotik.com/wiki/Payment_Reminders
..........
........
F.

Just to share my way of implementing 'payment reminder' for PPPoE clients. You can setup your own solution similar to this or any other more enhanced version.

I wanted that if the user account have been expired or we want his account blocked and let him know the reason by redirecting his traffic to a local web page showing his account have been expired/blocked, rather then the odd Username/password error.


(In this example I am talking about Mikrotik with Radius Server (In my case its RADIUS MANAGER from DMASOFTLAB, but any radius can be used for this purpose, or it can also be done without the use of Radius)

RADIUS MANAGER CONFIGURATION

The key point is when you create new service plan , there is a option name NEXT MASTER SERVICE, using this option, you can define When the user account service expires, his service plan automatically changes to NEXT MASTER SEVRICE “EXPIRED USERS SERVICE” with expired ip-pool [lets assume 172.16.5.1/24) ,

So when the use account expires , he will still be able to login via dialer but his requests will be redirected by MT firewall rule to MT WEBPROXY which will re-direct request to any local web server page informing "YOUR ACCOUNT HAVE BEEN EXPIRED, PLEASE RENEW AT BLAH BLAH BLAH" and he can only open the self care portal by explicitly allowing them.

MIKROTIK ROS CONFIGURATION

/ip proxy set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0

/ip proxy access add action=deny disabled=no dst-address=!192.168.2.3 redirect-to=192.168.2.3/policy/deny.htm src-address=172.16.5.0/24
[192.168.2.3 is my local web server, you can change it according to your setup]

/ip firewall nat add action=redirect chain=dstnat disabled=yes dst-address=!192.168.2.3 dst-port=80 protocol=tcp src-address=172.16.5.0/24 to-ports=8080

/ip firewall filter add action=reject chain=forward disabled=yes reject-with=icmp-admin-prohibited src-address=172.16.5.0/24

Please read http://wiki.mikrotik.com/wiki/Payment_Reminders for further enhancements and general ideas.

As we all love Screenshots , the result of 'Payment reminder' at client end can be seen here. All internet traffic will be blocked for the expired users, only port 80 traffic is allowed which will be redirected to MT webproxy, and afterwards all http traffic will be denied by webproxy and redirect it to my local webpage
A little tiny tony guide on how I achieved this, can be viewed here.
http://aacable.wordpress.com/2011/07/22 ... ler-users/