
Radius Incoming

Posted: Thu Nov 30, 2006 11:42 am
by jscoulter
Hi all.
Can someone point me in the right direction on what to send to port 1700 for the radius incoming so I can disconnect a user?
I can't find a lot of information on the MikroTik website.

Thanks, Jeremy

Posted: Tue Dec 05, 2006 8:26 am
by mneumark
You can use Winbox: go to the interfaces, click on the client, click delete on the keyboard, and that will send a termination request to the MikroTik to disconnect that client.

Is this what you were talking about?

Posted: Tue Dec 05, 2006 10:30 am
by jscoulter
Not even close sorry :-)
Under the Radius section there is an incoming option that listens on port 1700 or 1770... can't remember offhand now.

The way now is to use Telnet via our application, which, to be honest, works well enough, but it's a problem if MikroTik decide to change something like the location of users or something; then I need to update my code, whereas using the other method, it's a standard Radius call... well, standardish anyway.

jeremy

Posted: Tue Dec 05, 2006 11:28 am
by GWISA
/radius incoming

Posted: Tue Dec 05, 2006 11:37 am
by jscoulter
Right... yes, that's the location, but it doesn't really help in any other way.

Anyway, I have found that what I need to send is similar to the accounting stop/start data, so I am going to look at that. I have written my own radius server so I can just use the code I have already written and modify it a bit and go from there.

Posted: Tue Dec 05, 2006 11:54 am
by GWISA
oops - sorry... didn't read the question!

Sorry I don't have more info for you...

Posted: Wed Dec 06, 2006 6:30 pm
by chris-oct
Here is a code snip of what I did in PHP

$cmd = "echo NAS-IP-Address=$nas_ip_address,User-Name=$mac,Framed-IP-Address=$framed_ip_address,Acct-Session-Id=$acct_session_id | radclient $nas_ip_address:1700 disconnect password123";

The only way I could get these values is by enabling Radius Accounting, and grabbing these values out of the database.

Posted: Wed Dec 06, 2006 8:17 pm
by jscoulter
OK, so what do you do with this line of code?
Do you send it to the port directly (once PHP has added values to the tags)?
Or are you sending this line of code to another application which sends the data to the port?

Thanks, Jeremy

Posted: Wed Dec 06, 2006 10:10 pm
by chris-oct
This code uses the "radclient" application on *nix. Here, let me remove PHP from the equation. Now it's just *nix. Maybe it will make more sense.

echo "NAS-IP-Address=<nas_ip_address>,User-Name=<mac>,Framed-IP-Address=<framed_ip_address>,Acct-Session-Id=<acct_session_id>" | radclient <nas_ip_address>:1700 disconnect <password>

Everything that has <brackets> needs to be replaced.

Posted: Wed Dec 06, 2006 10:46 pm
by jscoulter
Yes, that was as I expected. I could not remember the name of the app the website I saw mentioned, but this was it.

Unless it's available for Win32 I will just have to implement my own code... sigh... oh well.

Jeremy
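
What the radclient disconnect command above puts on the wire, as an added example that is not part of the original thread: a Disconnect-Request carrying the same four attributes, plus verification of the NAS reply. Packet codes and authenticator rules follow RFC 5176, attribute numbers follow RFC 2865/2866; the secret, addresses and session id are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Packet codes (RFC 5176) and attribute types (RFC 2865/2866)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 8, 44

def attr(attr_type, value):
    """Encode one attribute as type, length, value (length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect(ident, secret, nas_ip, user, framed_ip, session_id):
    """Build a Disconnect-Request; ident should be unpredictable per request in real use."""
    attrs = (attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(USER_NAME, user.encode())
             + attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
             + attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator, computed as for an Accounting-Request:
    # MD5(code + id + length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def check_reply(reply, request, secret):
    """Return the reply code if its Response Authenticator verifies, else None."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply) or ident != request[1]:
        return None
    # MD5(code + id + length + Request Authenticator + reply attributes + secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None

def send_disconnect(nas_ip, secret, packet, port=1700, timeout=3.0):
    """Send to the NAS incoming port; returns 41 (ACK), 42 (NAK) or None if unverified."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (nas_ip, port))
        reply, _ = s.recvfrom(4096)
    return check_reply(reply, packet, secret)

if __name__ == "__main__":
    # Constructed sample values (documentation address range), not taken from the thread
    pkt = build_disconnect(7, b"testing123", "192.0.2.1",
                           "00:11:22:33:44:55", "192.0.2.50", "81a00005")
    print(pkt.hex())
```

A reply that fails check_reply() should be treated as if no answer arrived, since anyone on the path can forge an unauthenticated ACK.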

Posted: Sun Feb 04, 2007 1:02 pm
by eugenevdm
chris-oct,

Why are you using Acct-Session-Id?

Without Acct-Session-Id user is disconnected but there are errors in the log.

WITHOUT Framed-IP-Address it works, but gives this error:
"Radius disconnect with no ip provided"
The RFC states Framed-IP-Address should be present so this error is obvious.

WITH Framed-IP-Address it works but still reports an error in the log:
Radius disconnect request for unknown IP 192.168.0.50

The IP, 192.168.0.50, it is the IP of the client who is connected to the high site, so I don't understand why it says unknown IP. It's definitely the client's IP address.

Re: Radius Incoming

Posted: Wed Sep 10, 2008 2:19 am
by altere
alright, rather than creating a new topic I'll just try and get my answer here...
Here's what I have in my php script; from the command line with the correct values it works just fine. Before the code below I am also echoing the variables and they are all coming back correct from the database, so I know it's pulling the correct information...
$cmd = "echo NAS-IP-Address=$nasip,User-Name=$macaddr,Framed-IP-Address=$framedip,Acct-Session-Id=$sessid | /usr/local/bin/radclient $nasip:1700 disconnect somesecret";
exec($cmd);
After this is run, it echoes out the correct information (from my echoes for debugging, not included above), pauses and returns: radclient: no response from server for ID 3

Again, this command works just fine from the command prompt but I can't get the php script to open radclient and pass the information like it should... probably a parse error or something, the way I have some "'s in the wrong place...

Any help would be appreciated...

Re: Radius Incoming

Posted: Wed Sep 10, 2008 2:49 am
by altere
Not sure what I did but it works now.. Here's the finished code if anyone else wants to use it.. This runs by itself but we run it from a wrapper because of the way Platypus passes information to the daemon, if anyone else wants the wrapper let me know.. This is a basic script, there's no error checking and has not been tested 100%.. This will probably eventually be expanded on and used to collect other information but for now, this is it... You can use it at your own risk.

killradius - Disconnect Radius Script
#!/usr/local/bin/php -q
<?php

if ($argc != 2 || in_array($argv[1], array('--help', '-help', '-h', '-?'))) {

?>

This will search the radacct table for a mac address and disconnect the user from the appropriate NAS.

   example: <?php print $_SERVER['PHP_SELF']; ?> 00:00:00:00:00:00

<?php
} else {
        $macaddr = $argv[1];

        // Let's try and connect up to the database....
        // (mysqli is used because the old mysql_* functions were removed in PHP 7.0)
        $link = mysqli_connect("localhost", "dbusername", "dbpassword", "database");
        if (!$link) {
                die('Could not connect: ' . mysqli_connect_error());
        }

        // The MAC address is bound as a parameter so it cannot change the SQL statement
        $stmt = mysqli_prepare($link, "SELECT * FROM `radacct` WHERE `UserName` LIKE ? ORDER BY `RadAcctId` DESC LIMIT 0,1");
        if (!$stmt) {
                die(mysqli_error($link));
        }
        mysqli_stmt_bind_param($stmt, "s", $macaddr);
        mysqli_stmt_execute($stmt);
        // mysqli_stmt_get_result() needs the mysqlnd driver
        $rows = mysqli_fetch_all(mysqli_stmt_get_result($stmt), MYSQLI_ASSOC);
        //Close out mysql connection!
        mysqli_close($link);

        foreach ($rows as $row) {
                // Every radacct column is available in $row; these four are the ones we send.
                $AcctSessionId   = $row["AcctSessionId"];
                $UserName        = $row["UserName"];
                $NASIPAddress    = $row["NASIPAddress"];
                $FramedIPAddress = $row["FramedIPAddress"];

                // The 4 lines below are commented out as they were for debugging.
                //  echo "Username: $UserName\n";
                //  echo "Client IP: $FramedIPAddress\n";
                //  echo "NAS IP Address: $NASIPAddress\n";
                //  echo "AcctSessionId: $AcctSessionId\n";

                // This is the command we will pass on for php to execute.
                // escapeshellarg() keeps values read from the database from being interpreted by the shell.
                $attrs = "NAS-IP-Address=$NASIPAddress,User-Name=$UserName,Framed-IP-Address=$FramedIPAddress,Acct-Session-Id=$AcctSessionId";
                $cmd = "echo " . escapeshellarg($attrs) . " | /usr/local/bin/radclient " . escapeshellarg("$NASIPAddress:1700") . " disconnect SomeSecret";
                // Let's actually execute the command now
                exec($cmd);
        }
}
?>

Re: Radius Incoming

Posted: Sun Jan 15, 2012 9:40 am
by chimaster
Hi. I read this with interest...

Does anyone know if Freeradius can send a disconnect to NAS-IP-Address rather than Framed-IP-Address? I have an issue with multiple NAS behind NAT but I do have routeable access to the NAS IP Address used in src-address within Mikrotik. However, due to network design, NAT is translating even though the RADIUS is routable.

I will probably end up using VPN and internal IP only for radius and removing NAT from the equation for RADIUS traffic, but I thought short term I could use NAS-IP instead of Framed...

Is this possible?

Re: Radius Incoming

Posted: Tue Jan 17, 2012 12:52 am
by alphahawk
Chimaster,

It depends on what you are trying to disconnect. I do know with the hotspot radius it checks every few moments to make sure the client should still be allowed access. I believe there is an option in freeradius at that point to disconnect them on next checkup.

Re: Radius Incoming

Posted: Sun Oct 30, 2016 2:29 pm
by mehdisadighian
pppoe coa:
echo User-Name=mehdi,Mikrotik-Rate-Limit=\"512k/512k\" | radclient -d /usr/local/share/freeradius/ -x -F x.x.x.x:3799 coa secret

hotspot coa:
echo User-Name=mehdi,Framed-IP-Address="192.168.20.254",Mikrotik-Rate-Limit=\"512k/512k\" | radclient -d /usr/local/share/freeradius/ -x -F x.x.x.x:3799 coa secret


mehdi.sadighian@hotmail.com