
problem with disconnect radius user from radclient

Posted: Tue Jun 30, 2009 8:10 am
by amigota
Hi guys
I'm now using MT OS 2.9.27 with a freeradius server box. I point MT to my radius server.

MT OS ----------------Freeradius 192.168.2.2
192.168.2.1
|
|
|
Clients

Everything is working well, but I just want to disconnect an online user from the command line (my NAS is 192.168.2.1)
echo user-name=test | radclient -x 192.168.2.1:1700 disconnect mysecret
The result:
Sending Disconnect-Request of id 37 to 192.168.2.1 port 1700
        User-Name = "test"
rad_recv: Disconnect-NAK packet from host 192.168.2.1:1700, id=37, length=42
        Error-Cause = Unsupported-Extension
        NAS-Identifier = "MikroTik"
        NAS-IP-Address = 192.168.2.1
Why can't I disconnect the user??
I read on some forum that MT OS 2.9.. supports the radius disconnect message. Why is there 'Unsupported-Extension', while I use /Radius --> Incoming --> Accept??
How can I do it?

Re: problem with disconnect radius user from radclient

Posted: Tue Jun 30, 2009 3:24 pm
by userman
Are you using HotSpot? Because only HotSpot supports Radius incoming (CoA and Disconnect requests) at the time. PPP does not.

Re: problem with disconnect radius user from radclient

Posted: Thu Jul 02, 2009 6:10 am
by amigota
Yes, I'm using HotSpot. I've tried to use port 1700 or 3799, but there is the same problem.
When I request to disconnect user 'test' once, the Status of Radius Incoming is:
Requests     : 1
Bad Requests : 0
Acks         : 0
Naks         : 1

Re: problem with disconnect radius user from radclient

Posted: Fri Jul 03, 2009 9:17 am
by userman
Can you "dump" (print the details of) the request which is sent from Free Radius to User Manager? Because a NAK is also sent when there is at least one attribute in the request which is not supported by HotSpot. Such behavior is defined in RFC5176 (http://www.ietf.org/rfc/rfc5176.txt).

Re: problem with disconnect radius user from radclient

Posted: Sat Jul 04, 2009 5:26 pm
by amigota
In my radius server, I typed:
echo user-name=test | radclient -x 192.168.2.1:1700 disconnect mysecret
Sending Disconnect-Request of id 37 to 192.168.2.1 port 1700
        User-Name = "test"
rad_recv: Disconnect-NAK packet from host 192.168.2.1:1700, id=37, length=42
        Error-Cause = Unsupported-Extension
        NAS-Identifier = "MikroTik"
        NAS-IP-Address = 192.168.2.1

Re: problem with disconnect radius user from radclient

Posted: Mon Jul 06, 2009 1:30 pm
by userman
Disconnect request works for a specific session, not for all the sessions of specified user.

You send only User-Name as session identification attribute. But it is not enough. To identify session correctly, these attributes must be included in Disconnect-Request:
*) IP address
*) NAS Port Type
*) NAS Port
*) Calling Station ID
*) Called Station ID
*) ACCT Session ID
*) NAS Port ID, if it is not empty

Required values for these attributes should be stored in the Radius Server database. For example, User Manager stores these values for every session to be able to send a Disconnect Request for it. In your case these values should be stored in the FreeRadius database.

Re: problem with disconnect radius user from radclient

Posted: Fri Jul 10, 2009 5:11 am
by amigota
Yes, it works. Thank you for your help. :D

Re: problem with disconnect radius user from radclient

Posted: Sat Jul 11, 2009 8:29 pm
by anrichp
Hey amigota, can you please post the script that you send to the mikrotik to disconnect a user, or rather the packet.txt file?

Re: problem with disconnect radius user from radclient

Posted: Mon Jul 13, 2009 8:05 am
by amigota
The command is:
echo User-Name=test,Framed-IP=192.168.2.199 | radclient -x 192.168.2.1:1700 disconnect mysecret

Re: problem with disconnect radius user from radclient

Posted: Fri Sep 04, 2009 5:09 am
by m4rk0
Hello,

I have FreeRadius + mysql module...

Does anyone have a script to disconnect all online users at once?

Thank You in advance!

Re: problem with disconnect radius user from radclient

Posted: Wed Nov 25, 2009 8:58 am
by shivachitta
Hi,

I too need the solution.
Please tell me if you found any answer...

Re: problem with disconnect radius user from radclient

Posted: Sun Jan 03, 2010 10:30 am
by amigota
Hi all

In my young experience, I used to disconnect radius users from Mikrotik with the command below:
echo User-Name=test,Framed-IP=192.168.2.199 | radclient -x 192.168.2.1:1700 disconnect mysecret
Where:
192.168.2.1 is NAS Address
1700 is your CoA port or disconnect port that you have to enable in Mikrotik

Or you guys can use PHP code, and you have to grant root permission to the www user to run this script.
Note: This is very risky usage.

Example:
	// Function to force-disconnect a single user.
	// escapeshellarg() keeps usernames and other values from being interpreted by the shell.
	function disconnect_user($username, $framed_ip, $nasaddr, $coaport, $sharedsecret) {
		$attrs = escapeshellarg("User-Name=$username,Framed-IP=$framed_ip");
		$target = escapeshellarg("$nasaddr:$coaport");
		$command = "sudo echo $attrs | /usr/local/bin/radclient -x $target disconnect " . escapeshellarg($sharedsecret);
		exec($command);
	}

	// Function to force-disconnect all users that have an open accounting session.
	function disconnect_all_users() {
		global $db; // database handle created elsewhere in the application
		$sharedsecret = "yourradiussecret";
		$coaport = 1700;
		$nasaddr = "192.168.20.1";
		$r_who_online = "SELECT * FROM radacct WHERE (AcctStopTime is NULL) ORDER BY RadAcctId ASC";
		$who_online = $db->Execute($r_who_online);
		foreach ($who_online as $u) {
			// Array keys cannot be interpolated with double quotes inside a string, so pass the values as arguments.
			disconnect_user($u["UserName"], $u["Framed-IP"], $nasaddr, $coaport, $sharedsecret);
		}
	}
Hope this can help you.:)

Re: problem with disconnect radius user from radclient

Posted: Sun May 16, 2010 12:54 am
by sparki
I tried the solutions above and kept getting -

echo "User-Name=username,Framed-IP=192.168.1.101" | radclient -x 192.168.1.2:3799 disconnect secret
Sending Disconnect-Request of id 14 to 192.168.1.1 port 3799
User-Name = "username"
rad_recv: Disconnect-NAK packet from host 192.168.1.2:3799, id=14, length=41
Error-Cause = Unsupported-Extension
NAS-Identifier = "NAS1"
NAS-IP-Address = 192.168.1.2

After some searching I discovered that Framed-IP should read Framed-IP-Address

echo "User-Name=username,Framed-IP-Address=192.168.1.101" | radclient -x 192.168.1.2:3799 disconnect secret

And it works !!!!! Yeeeehhaaaaa
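
Added example, not part of any post in this thread: a POSIX shell helper that builds radclient input with the attribute names the thread arrives at (User-Name, Framed-IP-Address, plus Acct-Session-Id from userman's list) and validates each value before it reaches radclient, since a comma or newline in a stored user name would otherwise be parsed as an extra attribute. The function names and sample values are assumptions made for illustration; `-S` is radclient's option for reading the shared secret from a file.

```shell
#!/bin/sh
# Added example (not from the thread): build radclient input for one
# Disconnect-Request and refuse values that could smuggle in extra attributes.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_disconnect_attrs USER FRAMED_IP [ACCT_SESSION_ID]
# Prints one attribute per line; prints nothing and returns 1 on bad input.
build_disconnect_attrs() {
    user=$1 ip=$2 sid=${3:-}
    nl='
'
    [ -n "$user" ] || return 1
    case "$user$sid" in
        *'"'*|*,*|*'\'*|*"$nl"*) return 1 ;;  # quote, comma, backslash, newline
    esac
    is_ipv4 "$ip" || return 1
    printf 'User-Name = "%s"\n' "$user"
    printf 'Framed-IP-Address = %s\n' "$ip"
    if [ -n "$sid" ]; then printf 'Acct-Session-Id = "%s"\n' "$sid"; fi
}

# send_disconnect NAS:PORT SECRET_FILE USER FRAMED_IP [ACCT_SESSION_ID]
# -S reads the shared secret from a file, keeping it out of the process list.
send_disconnect() {
    attrs=$(build_disconnect_attrs "$3" "$4" "${5:-}") || return 1
    printf '%s\n' "$attrs" | radclient -x -S "$2" "$1" disconnect
}

# Constructed sample input; nothing is sent, the attributes are only printed.
demo() {
    build_disconnect_attrs 'test' '192.168.2.199' '81a00001'
    build_disconnect_attrs 'test,Framed-IP=10.0.0.1' '192.168.2.199' \
        || echo 'rejected: unsafe User-Name'
}
demo
```

Calling `send_disconnect` from a web application with an argument array (rather than a shell string) removes the need for shell quoting altogether.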

Re: problem with disconnect radius user from radclient

Posted: Mon Mar 21, 2016 5:57 am
by agindanoe
Glad to hear that works!

I followed the steps in this thread. I can't connect to NAS 192.168.10.2 with radclient, but IP 192.168.10.1 can receive the remote request, with a NAK result in the MikroTik radius debug.

When the radius server (192.168.10.14) requests a disconnect, I get "unknown address" in the radius debug and the request's IP address changes to
radius debug received remote request from 192.168.10.1:xxxxxx with unknown address, dropping
In the radius debug it shouldn't be 192.168.10.1 but 192.168.10.14 to be accepted by NAS 192.168.10.2

Can anybody help me with this case? Or is something missing in the MikroTik configuration? Thanks

Re: problem with disconnect radius user from radclient

Posted: Wed Aug 02, 2017 3:04 pm
by mukeshsh
I'm using the same code for disconnecting a user but getting the error below

array(16) {
[0]=>
string(60) "radclient: Failed to send packet for ID 168: (unknown error)"
[1]=>
string(60) "radclient: Failed to send packet for ID 168: (unknown error)"
[2]=>
string(60) "radclient: Failed to send packet for ID 168: (unknown error)"
[3]=>
string(54) "radclient: no response from server for ID 168 socket 3"
[4]=>
string(63) "Sending Disconnect-Request of id 168 to 192.168.1.240 port 1700"
[5]=>
string(32) " User-Name = "54:14:73:57:DC:C2""
[6]=>
string(34) " Framed-IP-Address = 192.168.0.244"
[7]=>
string(42) "rad_send() failed: Operation not permitted"
[8]=>
string(63) "Sending Disconnect-Request of id 168 to 192.168.1.240 port 1700"
[9]=>
string(32) " User-Name = "54:14:73:57:DC:C2""
[10]=>
string(34) " Framed-IP-Address = 192.168.0.244"
[11]=>
string(42) "rad_send() failed: Operation not permitted"
[12]=>
string(63) "Sending Disconnect-Request of id 168 to 192.168.1.240 port 1700"
[13]=>
string(32) " User-Name = "54:14:73:57:DC:C2""
[14]=>
string(34) " Framed-IP-Address = 192.168.0.244"
[15]=>
string(42) "rad_send() failed: Operation not permitted"
}