MikroTik

Hi,

I'm looking for a complete listing of attributes a user (i.e. in file users or DB) can have.
Some, like Cleartext-Password are listed in users, but there are many more. Does anyone
can point me to such a list.

Even more in detail, what I'm looking for is the attribute to set the max online time and traffic
volume.

Any pointers are welcome, search didn't bring up any helpful results.

Thanx, Matthias

Are you talking about RADIUS attributes to send back?

http://www.mikrotik.com/testdocs/ros/2. ... radius.php

Are you talking about RADIUS attributes to send back?

http://www.mikrotik.com/testdocs/ros/2. ... radius.php

Thanx. That is a good portion of it, but in the users file I still find options that arn't in that list, i.e. "Reply-Message", "Callback-Number" and others. Where to find those?

I'm not sure I understand the question, but the list I posted is the definitive list of RADIUS attributes supported by RouterOS. Anything else sent between the RADIUS server and RouterOS will be ignored. RADIUS is used for lots of things, and not all attributes that exist in the total of dictionaries available apply to all situations.

I'm not sure I understand the question, but the list I posted is the definitive list of RADIUS attributes supported by RouterOS. Anything else sent between the RADIUS server and RouterOS will be ignored. RADIUS is used for lots of things, and not all attributes that exist in the total of dictionaries available apply to all situations.

Maybe I'm wrong, but lets take the following two cases:

1. Similar as in the users file, what attribute does it need in the radreply table to send a text back, similar to the example in the users file
lameuser Auth-Type := Reject
Reply-Message = "Your account has been disabled."

2. What to reply to the request to dictate "max. uptime 1h"? The "WISPr-Session-Terminate-Time" expects a fixed timestamp.

Thanx for any advise or pointer,
Matthias

You need to do that on radius side, mikrotik has nothing to do with that. Look at freeradius documentation, search for counter module.

You need to do that on radius side, mikrotik has nothing to do with that. Look at freeradius documentation, search for counter module.

I guess you want to point out that this isn't a freeradius forum, am I right?

Of course isn't it, but I expected that many users here use freeradius too. Seems that I'm partly wrong (if I count the answers).

br Matthias

What are you talking about? If you've read my post carefuly you would see that i told you what exact feature to search for in radius setup. But, i guess it is lot easier to feal sorry for your self and try to gain some simpaty that way? Or do you expect me to search for it? Ok, here it is:

# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type we add the
# value of the attribute. If it is anything else we increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check-name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check-name before the files
# module reads the users file.
#
# If check-name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
# If the count attribute is Acct-Session-Time then on each login
# we send back the remaining online time as a Session-Timeout attribute
#
# The counter-name can also be used instead of using the check-name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed-servicetype attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check-name' attribute.
#
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}

#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining seperate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
# The 'sqlmod_inst' parameter holds the instance of the sql
# module to use when querying the SQL database. Normally it
# is just "sql". If you define more and one SQL module
# instance (usually for failover situations), you can
# specify which module has access to the Accounting Data
# (radacct table).
#
# The 'reset' parameter defines when the counters are all
# reset to zero. It can be hourly, daily, weekly, monthly or
# never. It can also be user defined. It should be of the
# form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
# The 'key' parameter specifies the unique identifier for the
# counter records (usually 'User-Name').
#
# The 'query' parameter specifies the SQL query used to get
# the current Counter value from the database. There are 3
# parameters that can be used in the query:
# %k 'key' parameter
# %b unix time value of beginning of reset period
# %e unix time value of end of reset period
#
# The 'check-name' parameter is the name of the 'check'
# attribute to use to access the counter in the 'users' file
# or SQL radcheck or radcheckgroup tables.
#
# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#

Should i also read it for you?

What are you talking about? If you've read my post carefuly you would see that i told you what exact feature to search for in radius setup. But, i guess it is lot easier to feal sorry for your self and try to gain some simpaty that way? Or do you expect me to search for it?

I know the counter section of the freeradius section, but you may (or may not) accept, that there is sometimes a little gap between an abstract description and a practical and working solution.

Ok, here it is:

[...]

Should i also read it for you?

Even when I cannot avoid to say thank you (I learned it at school), I will not continue on the same level.

Thanx for helping, cool man.

nr Matthias

This is why i hate this kind of conversation. Maybe you didn't mean to sound like you sounded to me. But, i felt like i was occused of being rude and telling you "go away". Maybe you didn't mean that, maybe you did. I don't know. You should have been more precise in what you want. I am sorry if this was a missunderstanding, but, i sure did wanted to help. Sorry for my bad grammar, english is not my native language.

You can find examples here: http://wiki.freeradius.org/Rlm_sqlcounter

It's not important if you are using Mikrotik as you NAS or Cisco or Juniper etc. This is why i told you that you have to do it on freeradius side. Because feature is not tied to any particular NAS. Freeradius will use counter to remember how many seconds user was online during one day. For every connection radius will send Session-Timeout attribute to, in your case, Mikrotik. After receving Session-Timeout attribute Mikrotik will start counting backwards from Session-Timeout value to zero. When counter reaches zero Mikrotik will disconnect user. In case user disconnect himself before counter reaches zero freeradius will remember how many seconds user has left. Next time user connects radius will use that value as starting point.
Again, sorry for my bad english. It would be preatier to read otherwise and maybe more understandable.

... but, i sure did wanted to help.

What you def. did and do. Thanx.

It's not important if you are using Mikrotik as you NAS or Cisco or Juniper etc. This is why i told you that you have to do it on freeradius side. Because feature is not tied to any particular NAS. Freeradius will use counter to remember how many seconds user was online during one day. For every connection radius will send Session-Timeout attribute to, in your case, Mikrotik. After receving Session-Timeout attribute Mikrotik will start counting backwards from Session-Timeout value to zero.

Thanx for that detailed explanation. You hit the point I still couldn't figure out until now: The parameter to be set in radreply to set the users session-timeout. With your pointers I found that Session-Timeout is the parameter I looked for.

The only thing left is:

Actually I did set a fixed value in radcheck "insert into radreply (username,attribute,op,value) VALUES ("matt","Session-Timeout","=","600");
Could you give me a hint how to I replace the 600 with the query result of these sql_counters? I still miss how to get the link.

Again, sorry for my bad english. It would be preatier to read otherwise and maybe more understandable.

Yea, yea, now YOU excuse for something that doesn't need any excuse.

Huh, you got it wrong again, but at least your question was precise this time

counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}

at the end of authorize, accounting and instaantiate sections add

authorize {
...
...
...
daily
}

instantiate {
...
...
...
daily
}

accounting {
...
...
...
daily
}

in your database, in radcheck table insert this:

INSERT into radcheck VALUES ('','username','Max-Daily-Session','10800',':=');

Restart freeradius and of you go...
Now look at the bolded text, do you see the pattern?

your "daily" module will count Acct-Session-Time values and check those values against Max-Daily-Session. Counter will use "username" as key for counting, so he can only have one value for each user. Value is reset every day. Max-Daily-Sesion value is something module should check so it resides in radcheck table (obviously, table name is radcheck). We've inserted username and Max-Daily-Session, key and check value. Counters will be saved in db.daily file. Counter will also pay attention to type of service, in this case Framed-User. So, in case you have some other data in your database, or for example you are billing telnet sessions also, telnet session will not be affected by the counter, because of different type of service.

Your user will be allowed to be connected 10800 seconds per day in total, no matter how many times connected.
Freeradius will take care of session timeout value, not you, otherwise it wouldn't make any sense.

Huh, you got it wrong again, but at least your question was precise this time

So you see, also a 42 year young guy can develope...

Now look at the bolded text, do you see the pattern?

I do. The missing part was, that the link between the result of SQL-query and the radcheck table is the check-name of the counter.

As I need to care that the user doesn't use more than the ordered time, I guess I have to use reset=never, but that's it. Will give it a try.

Thanx, for your help.

Br, Matthias

You need to limit user monthly? Or you are selling internet time and user has no time limit to spend it?
Maybe you don't need this, it depends on what you exactly want to accomplish...

You need to limit user monthly? Or you are selling internet time and user has no time limit to spend it?
Maybe you don't need this, it depends on what you exactly want to accomplish...

All options are possible. Of course is it more realistic to restrict the time the voucher is valid, not that it runs endless. In most cases I will run it with "month".

Your user will be allowed to be connected 10800 seconds per day in total, no matter how many times connected.

As I understood your example, the user is able to connect the next day again. That is not what is wanted in the actual concept. After an account ran out, it would not be used anymore, that is what I think I achieve with reset = never.

What I also wonder with the sample conf you gave, is that it looks very much as it would be made for not using a database, but I will find that out.

Thanx, Matthias

Results:

The following is in radcheck:

"id","username","attribute","op","value"
3,"matthias","Cleartext-Password",":=","pwd"
7,"matthias","Max-Daily-Session",":=","3600"

When I try to login with this user the radius gives the following debug:
When I remove 7,"matthias","Max-Daily-Session",":=","3600" without any password change, login works again.

In every section (authorize,instantiate,accounting) daily counter is at the end? It looks like you have daily counter before chap, pap etc. modules?

In every section (authorize,instantiate,accounting) daily counter is at the end? It looks like you have daily counter before chap, pap etc. modules?

Did it again from scratch...

In instantiate in needs to be only if is isn't loaded anywhere else, so I removed it there, in accounting it isn't accepted with an error message that sql_counters do not support this. So it is available in authorize.

Finally I have:
That looks fantastic so far. Further down the debug it shows:
and WinBox shows an active radius user with the correct time.

So I have no idea what I did different this time, but it works. Thank you very much (lets look for the next question...)

br Matthias

Good, i am glad you got it working Good luck with your service

br