jscoulter
newbie
Topic Author
Posts: 39
Joined: Fri Sep 15, 2006 1:32 am

Radius Incoming

Thu Nov 30, 2006 11:42 am

Hi all.
Can someone point me in the right direction on what to send to port 1700 for the radius incoming so I can disconnect a user?
I can't find a lot of information on the MikroTik website.

Thanks, Jeremy
 
mneumark
Member
Posts: 370
Joined: Thu Jun 08, 2006 7:20 am
Location: Escalon, CA
Contact:

Tue Dec 05, 2006 8:26 am

You can use the winbox, go to the interfaces, and click on the client, click delete on the keyboard and that will send a termination request to the MikroTik to disconnect that client.

Is this what you were talking about?
 
jscoulter
newbie
Topic Author
Posts: 39
Joined: Fri Sep 15, 2006 1:32 am

Tue Dec 05, 2006 10:30 am

Not even close sorry :-)
Under the Radius section there is an incoming option that listens on port 1700 or 1770...can't remember offhand now.

The way now is to use Telnet via our application, which, to be honest, works well enough, but it's a problem if MikroTik decide to change something like the location of users or something, then I need to update my code, whereas using the other method, it's a standard Radius call...well standardish anyway

jeremy
 
GWISA
Member
Posts: 389
Joined: Tue Jan 31, 2006 2:37 pm
Location: Johannesburg, South Africa

Tue Dec 05, 2006 11:28 am

/radius incoming
 
jscoulter
newbie
Topic Author
Posts: 39
Joined: Fri Sep 15, 2006 1:32 am

Tue Dec 05, 2006 11:37 am

Right....yes that's the location, but doesn't really help in any other way.

Anyway, I have found that what I need to send is similar to the accounting stop/start data, so I am going to look at that. I have written my own radius server so I can just use the code I have already written and modify it a bit and go from there.
 
GWISA
Member
Posts: 389
Joined: Tue Jan 31, 2006 2:37 pm
Location: Johannesburg, South Africa

Tue Dec 05, 2006 11:54 am

oops - sorry... didn't read the question!

Sorry I don't have more info for you...
 
chris-oct
Frequent Visitor
Posts: 56
Joined: Tue Mar 21, 2006 6:58 pm

Wed Dec 06, 2006 6:30 pm

Here is a code snip of what I did in PHP

$cmd = "echo " . escapeshellarg("NAS-IP-Address=$nas_ip_address,User-Name=$mac,Framed-IP-Address=$framed_ip_address,Acct-Session-Id=$acct_session_id") . " | radclient " . escapeshellarg("$nas_ip_address:1700") . " disconnect password123";

The only way I could get these values is by enabling Radius Accounting, and grabbing these values out of the database.
 
jscoulter
newbie
Topic Author
Posts: 39
Joined: Fri Sep 15, 2006 1:32 am

Wed Dec 06, 2006 8:17 pm

Ok, so what do you do with this line of code?
Do you send it to the port directly (once PHP has added values to the tags)?
Or are you sending this line of code to another application which sends the data to the port?

Thanks, Jeremy
 
chris-oct
Frequent Visitor
Posts: 56
Joined: Tue Mar 21, 2006 6:58 pm

Wed Dec 06, 2006 10:10 pm

This code uses the "radclient" application on *nix. Here, let me remove PHP from the equation. Now it's just *nix. Maybe it will make more sense.

echo "NAS-IP-Address=<nas_ip_address>,User-Name=<mac>,Framed-IP-Address=<framed_ip_address>,Acct-Session-Id=<acct_session_id>" | radclient <nas_ip_address>:1700 disconnect <password>

Everything that has <brackets> needs to be replaced.
 
jscoulter
newbie
Topic Author
Posts: 39
Joined: Fri Sep 15, 2006 1:32 am

Wed Dec 06, 2006 10:46 pm

Yes, that was as I expected. I could not remember the name of the app the website I saw mentioned, but this was it.

Unless it's available for Win32 I will just have to implement my own code...sigh...oh well.

Jeremy
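
For anyone writing their own sender instead of calling radclient, this is the packet the disconnect command above puts on the wire, as an added example that is not part of the original posts: a Disconnect-Request (code 40, RFC 5176) whose authenticator is computed the same way as for an accounting packet, plus a check that the reply from the NAS is authentic. The function names, sample addresses, session id and secret are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Packet codes (RFC 5176) and attribute types (RFC 2865/2866)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 8, 44


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_disconnect(ident: int, secret: bytes, nas_ip: str, user: str,
                     framed_ip: str, session_id: str) -> bytes:
    """Build a Disconnect-Request with the four attributes used in the thread."""
    attrs = (attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + attr(USER_NAME, user.encode())
             + attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
             + attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator, computed as for Accounting-Request:
    # MD5(Code + Identifier + Length + 16 zero bytes + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def check_reply(reply: bytes, request: bytes, secret: bytes) -> str:
    """Return 'ACK' or 'NAK' for an authentic reply; raise ValueError otherwise."""
    if len(reply) < 20:
        raise ValueError("reply shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        raise ValueError("length or identifier mismatch")
    # Response Authenticator:
    # MD5(Code + Identifier + Length + Request Authenticator + attributes + secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or spoofed reply)")
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        raise ValueError(f"unexpected code {code}")
    return "ACK" if code == DISCONNECT_ACK else "NAK"


if __name__ == "__main__":
    # Constructed sample values; the bytes go to UDP port 1700 on the NAS.
    pkt = build_disconnect(3, b"SomeSecret", "192.0.2.1", "00:00:00:00:00:00",
                           "192.168.0.50", "81a00001")
    print(len(pkt), pkt.hex())
```

A reply that fails `check_reply` should be treated as no answer at all, since anyone who can reach the sender's UDP port can forge a packet with code 41.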
 
eugenevdm
Member Candidate
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa
Contact:

Sun Feb 04, 2007 1:02 pm

chris-oct,

Why are you using Acct-Session-Id?

Without Acct-Session-Id user is disconnected but there are errors in the log.

WITHOUT Framed-IP-Address it works, but gives this error:
"Radius disconnect with no ip provided"
The RFC states Framed-IP-Address should be present so this error is obvious.

WITH Framed-IP-Address it works but still reports an error in the log:
Radius disconnect request for unknown IP 192.168.0.50

The IP, 192.168.0.50, is the IP of the client who is connected to the high site, so I don't understand why it says unknown IP. It's definitely the client's IP address.
 
altere
just joined
Posts: 19
Joined: Tue Apr 03, 2007 7:13 pm

Re: Radius Incoming

Wed Sep 10, 2008 2:19 am

alright, rather than creating a new topic I'll just try and get my answer here...
Here's what I have in my php script, from command line with the correct values it works just fine. Before the code below I am also echoing the variables and they are all coming back correct from the database so I know it's pulling the correct information...
$cmd = "echo NAS-IP-Address=$nasip,User-Name=$macaddr,Framed-IP-Address=$framedip,Acct-Session-Id=$sessid | /usr/local/bin/radclient $nasip:1700 disconnect somesecret";
exec($cmd);
After this is run, it echoes out the correct information (from my echoes for debugging, not included above), pauses and returns: radclient: no response from server for ID 3

Again, this command works just fine from the command prompt but I can't get the php script to open radclient and pass the information like it should.. probably a parse error or something the way I have some "'s in the wrong place...

Any help would be appreciated...
 
altere
just joined
Posts: 19
Joined: Tue Apr 03, 2007 7:13 pm

Re: Radius Incoming

Wed Sep 10, 2008 2:49 am

Not sure what I did but it works now.. Here's the finished code if anyone else wants to use it.. This runs by itself but we run it from a wrapper because of the way Platypus passes information to the daemon, if anyone else wants the wrapper let me know.. This is a basic script, there's no error checking and has not been tested 100%.. This will probably eventually be expanded on and used to collect other information but for now, this is it... You can use it at your own risk.

killradius - Disconnect Radius Script
#!/usr/local/bin/php -q
<?php

if ($argc != 2 || in_array($argv[1], array('--help', '-help', '-h', '-?'))) {

?>

This will search the radacct table for a mac address and disconnect the user from the appropriate NAS.

   example: <?php print $_SERVER['PHP_SELF']; ?> 00:00:00:00:00:00

<?php
} else {
        $macaddr = $argv[1];

        // Let's try and connect up to the database....
        // (mysqli replaces the mysql_* functions, which were removed in PHP 7)
        $link = mysqli_connect("localhost", "dbusername", "dbpassword", "database");
        if (!$link) {
                die('Could not connect: ' . mysqli_connect_error());
        }

        // Bind the MAC address as a parameter instead of pasting it into the SQL text
        $stmt = mysqli_prepare($link, "SELECT * FROM `radacct` WHERE `UserName` LIKE ? ORDER BY `RadAcctId` DESC LIMIT 0,1");
        mysqli_stmt_bind_param($stmt, "s", $macaddr);
        mysqli_stmt_execute($stmt);
        $result = mysqli_stmt_get_result($stmt);

        while ($row = mysqli_fetch_assoc($result)) {
                // The four radacct columns the disconnect request needs
                $AcctSessionId = $row["AcctSessionId"];
                $UserName = $row["UserName"];
                $NASIPAddress = $row["NASIPAddress"];
                $FramedIPAddress = $row["FramedIPAddress"];

                // The 4 lines below are commented out as they were for debugging.
                //  echo "Username: $UserName\n";
                //  echo "Client IP: $FramedIPAddress\n";
                //  echo "NAS IP Address: $NASIPAddress\n";
                //  echo "AcctSessionId: $AcctSessionId\n";

                // This is the command we will pass on for php to execute.
                // escapeshellarg() keeps values read from the database from being interpreted by the shell.
                $attrs = "NAS-IP-Address=$NASIPAddress,User-Name=$UserName,Framed-IP-Address=$FramedIPAddress,Acct-Session-Id=$AcctSessionId";
                $cmd = "echo " . escapeshellarg($attrs) . " | /usr/local/bin/radclient " . escapeshellarg("$NASIPAddress:1700") . " disconnect SomeSecret";
                // Let's actually execute the command now
                exec($cmd);
        }

        //Close out mysql connection!
        mysqli_close($link);
}
?>
 
chimaster
Member Candidate
Posts: 133
Joined: Tue Feb 07, 2006 8:54 am
Location: Queenstown
Contact:

Re: Radius Incoming

Sun Jan 15, 2012 9:40 am

Hi. I read this with interest...

Does anyone know if Freeradius can send a disconnect to NAS-IP-Address rather than Framed-IP-Address? I have an issue with multiple NAS behind NAT but I do have routable access to the NAS IP address used in src-address within MikroTik. However, due to network design, NAT is translating even though the RADIUS is routable.

I will probably end up using VPN and internal IP only for radius and removing NAT from the equation for RADIUS traffic, but I thought short term I could use NAS-IP instead of Framed...

Is this possible?
 
alphahawk
Member Candidate
Posts: 101
Joined: Fri Mar 28, 2008 6:40 pm

Re: Radius Incoming

Tue Jan 17, 2012 12:52 am

Chimaster,

It depends on what you are trying to disconnect. I do know with the hotspot radius it checks every few moments to make sure the client should still be allowed access. I believe there is an option in freeradius at that point to disconnect them on next checkup.
 
mehdisadighian
just joined
Posts: 8
Joined: Sun Oct 30, 2016 12:28 pm

Re: Radius Incoming

Sun Oct 30, 2016 2:29 pm

pppoe coa:
echo User-Name=mehdi,Mikrotik-Rate-Limit=\"512k/512k\" | radclient -d /usr/local/share/freeradius/ -x -F x.x.x.x:3799 coa secret

hotspot coa:
echo User-Name=mehdi,Framed-IP-Address="192.168.20.254",Mikrotik-Rate-Limit=\"512k/512k\" | radclient -d /usr/local/share/freeradius/ -x -F x.x.x.x:3799 coa secret


mehdi.sadighian@hotmail.com
