
Can't get UserManager to authenticate...(FIXED!)

Posted: Mon Jun 07, 2010 6:29 am
by someuser
Hi,
I've set up Hotspot on RB750G and cannot get UserManager to authenticate. I can log in with any of the users in the Hotspot database but can't get any of the users created in UserManager to log in.
I keep getting "radius server not responding".
I've enabled Subscriber, Customer, credits, etc...
I can create a user via the new user signup page and get to PayPal, make the purchase and get returned to my URL.
But can't get a user created in UserManager to be authenticated on the login page.
I've configured the static public IP in routers in UserManager, tried the local Hotspot IP, tried everything. Put anything and everything in Walled Garden, don't know what else to do.
Possibly a firewall/NAT issue?
I have the static Public IP on ether1-gateway.
And the Hotspot running on ether2-local-master. 192.168.88.0/24
I have a Wireless Access Point1 attached to MT router's ether2 via ethernet.
AP1-----wirelessPtP------Station1-------ethernet----------WirelessAP2----Wireless----clients.
Here's a pic of the user page.
So, do I need to make the deal complete through PayPal to activate the radius server UserManager?
As it shows in the pic, it's "awaiting login".
But, if I try to log in with that user's name and password in the Hotspot/Captive portal page, I still get the "radius server not responding"?

Please help.
Here's a pic and print.
awaiting login.JPG

[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 98.173.**.17 1
1 ADC 98.173.**.0/24 98.173.**.28 ether1-gateway 0
2 ADC 192.168.88.0/24 192.168.88.1 ether2-local-ma... 0

==================================================================

[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 ;;; default configuration
192.168.88.1/24 192.168.88.0 192.168.88.255 ether2-local-master
1 98.173.**.28/24 98.173.40.0 98.173.**.255 ether1-gateway

=========================================================================

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 ;;; Rocket AP
chain=dstnat action=dst-nat to-addresses=192.168.88.98 to-ports=80 protocol=tcp
dst-address=98.173.**.28 dst-port=8098

2 ;;; NSM5 (Mast)
chain=dstnat action=dst-nat to-addresses=192.168.88.97 to-ports=80 protocol=tcp
dst-address=98.173.**.28 dst-port=8097

3 ;;; Bullet 2.4 Hotspot wireless
chain=dstnat action=dst-nat to-addresses=192.168.88.99 to-ports=80 protocol=tcp
dst-address=98.173.**.28 dst-port=8099

4 ;;; Added by webbox
chain=srcnat action=masquerade out-interface=ether1-gateway

======================================================================

[admin@MikroTik] /ip dhcp-server> print
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 default ether2-local-master default-dhcp 2d

=======================================================================

[admin@MikroTik] /ip dhcp-server network> print
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 ;;; default configuration
192.168.88.0/24 192.168.88.1 192.168.88.1

=======================================================================

Flags: X - disabled, R - radius, D - dynamic, B - blocked
# ADDRESS MAC-ADDRESS HOST-NAME SERVER RATE-LIMIT STATUS
0 D 192.168.88.253 00:26:9E:47:3C:F8 XxyYL default bound
1 D 192.168.88.10 C4:17:FE:00:0A:59 XxyYL default bound
2 D 192.168.88.12 60:FB:42:E1:3E:B6 fvg-b default bound
3 D 192.168.88.13 00:1C:B3:B3:33:9A Macintosh-6 default bound

==================================================================
[admin@MikroTik] /tool user-manager user> print
Flags: X - disabled, A - active, I - incomplete
0 subscriber=ocean name="Tim" password="*****" last-seen=never credit-count=0 credit-left=0s
credit-duration=0s credit-price=0 credit-time-added=0s

1 subscriber=ocean name="Tim1" password="*****" last-seen=never credit-count=0 credit-left=0s
credit-duration=0s credit-price=0 credit-time-added=0s

2 subscriber=ocean name="oceankym4r" password="*****" last-seen=never credit-count=1 credit-left=1d
credit-duration=1d credit-price=595 credit-time-added=1d
===============================================================
[admin@MikroTik] /tool user-manager router> print
Flags: X - disabled
0 subscriber=ocean name="ocean" ip-address=192.168.88.1 shared-secret="*****"
log=auth-ok,auth-fail,acct-fail
==================================================================
[admin@MikroTik] /tool user-manager customer> print
Flags: X - disabled
0 subscriber=ocean login="ocean" password="****" date-format="%b/%d/%Y" currency="USD"
user-prefix="ocean" public-id="ocean" public-host="ocean.*****.com" time-zone=-08:00
permissions=owner parent=ocean signup-allowed=yes signup-email-subject="Account info"
signup-email-body="Your authorization data:\r\nlogin: %login%\r\npassword: %password%\r\n\r\nTo
check your status and buy extended time go to address %link%\r\n"
paypal-business-id="tim@*****.com" paypal-allowed=yes paypal-secure-response=yes
paypal-accept-pending=yes

1 subscriber=ocean login="customer" password="****" company="****" city="*****" country="USA"
date-format="%b/%d/%Y" email="tim@*****i.com" currency="USD" user-prefix="ocean" time-zone=-08:00
permissions=full parent=ocean signup-allowed=yes signup-email-subject="Account info"
signup-email-body="Your authorization data:\r\nlogin: %login%\r\npassword: %password%\r\n\r\nTo
check your status and buy extended time go to address %link%\r\n"
paypal-allowed=no paypal-secure-response=no paypal-accept-pending=no

Thanks

Re: Can't get UserManager to authenticate

Posted: Mon Jun 07, 2010 11:00 am
by sergejs
Use 127.0.0.1 for /tool user-manager router and /radius client configuration.
What do you have at /radius configuration?

Re: Can't get UserManager to authenticate

Posted: Mon Jun 07, 2010 5:12 pm
by someuser
Use 127.0.0.1 for /tool user-manager router and /radius client configuration.
What do you have at /radius configuration?
Here's the configs for User-manager router and radius client config.
I've tried 127.0.0.1 on the radius client but not on user-manager router.
As you can see I'm using the static public IP.
---------------------------------------------
[admin@MikroTik] /radius> print
Flags: X - disabled
# SERVICE CALLED-ID DOMAIN ADDRESS SECRET
0 login ocean ocean.******.com 98.173.**.28 654321
hotspot

---------------------------------------------
[admin@MikroTik] /tool user-manager> router print
Flags: X - disabled
0 subscriber=ocean name="ocean" ip-address=98.173.**.28 shared-secret="654321"
log=auth-ok,auth-fail,acct-fail

Re: Can't get UserManager to authenticate

Posted: Mon Jun 07, 2010 6:06 pm
by someuser
Hey Sergejs
I GOT IT!!!
YYYYYYEEEEEEEEEEEEEESSSSSSSSSSSSSSSSS!!!!!!!

I had been using the first part of my domain name in the Location ID and Location name spot.
I thought for whatever reason, something needed to be in there.
I took them out and bam... It works. Wow.. what a relief.
So, what is that used for? Mac address?
I thought it might be for the customer location?
location ID and Location Name.JPG
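
The settings the thread has arrived at by this point, collected as an added example (not posted by any participant): sergejs's suggestion to use 127.0.0.1 on both the RADIUS client and the User Manager router entry, plus the empty location fields that resolved the login failure. The item numbers, the `[find]` selector and the placeholder secret are assumptions; substitute your own.

```routeros
# Added example with constructed values; menu paths and property names are the
# ones printed or quoted in this thread (RouterOS 4.x, old User Manager).
# "set 0" refers to the item number shown by the preceding "print" at the console.

# 1. RADIUS client: send Hotspot requests to the User Manager on this same router.
/radius print
/radius set 0 address=127.0.0.1 secret="REPLACE-WITH-LONG-RANDOM-SECRET"

# 2. User Manager: accept requests from that client address, with the same secret.
/tool user-manager router print
/tool user-manager router set 0 ip-address=127.0.0.1 shared-secret="REPLACE-WITH-LONG-RANDOM-SECRET"

# 3. Hotspot profile: use RADIUS, and leave the location attributes empty
#    unless the RADIUS server is actually set up to use them.
/ip hotspot profile set [find] use-radius=yes radius-location-id="" radius-location-name=""

# 4. Re-check that both sides now show the same address and secret.
/radius print
/tool user-manager router print
```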

Re: Can't get UserManager to authenticate

Posted: Tue Jun 08, 2010 8:44 am
by sergejs
radius-location-id (text) - Radius-Location-Id attribute value to be sent to the RADIUS server
radius-location-name (text) - Radius-Location-Name attribute value to be sent to the RADIUS server

Specific attributes to be used by RADIUS server.

Re: Can't get UserManager to authenticate

Posted: Tue Jun 08, 2010 10:54 pm
by someuser
radius-location-id (text) - Radius-Location-Id attribute value to be sent to the RADIUS server
radius-location-name (text) - Radius-Location-Name attribute value to be sent to the RADIUS server

Specific attributes to be used by RADIUS server.
So why would one need to send the location ID to the RADIUS server?
Is this needed?
I will be using one central authentication RADIUS server with different hotspots located throughout the city.
Nothing to do with customer prefix if enabled in signup page to know from which hotspot any particular user is signing on to?

Re: Can't get UserManager to authenticate

Posted: Wed Jun 09, 2010 9:26 am
by sergejs
The ID is not needed when you are not using it.
For the old User Manager, the customer prefix is explained here:
http://wiki.mikrotik.com/wiki/User_Manager/User_sign_up

Re: Can't get UserManager to authenticate

Posted: Wed Jun 09, 2010 5:48 pm
by SurferTim
(snip) I will be using one central authentication RADIUS server with different hotspots located throughout the city.
Nothing to do with customer prefix if enabled in signup page to know from which hotspot any particular user is signing on to?
I use FreeRADIUS, but there should be some way to get to this data in User Manager. I set the hotspot name to unique values, usually the location name. In FreeRADIUS MySQL database radacct table (accounting), that hotspot name shows under CalledStationId.

/ip hotspot
set 0 name=ThisLocationName

The radius-location-name in the "/ip hotspot profile" on the router allows you to restrict a user's login location in conjunction with WISPr-Location-Name in the RADIUS database radcheck table. If there is an entry for WISPr-Location-Name in radcheck for that user, the radius-location-name must match or login fails as if the wrong password was entered.

Like I said, I don't use User manager, but if you can't find where this data is stored, maybe someone familiar with User Manager will know.

Re: Can't get UserManager to authenticate

Posted: Wed Jun 09, 2010 8:40 pm
by someuser
Thanks guys,
Really appreciate the info/help.
This is really a great hardware/software package, RB750G with UBNT radios, haven't tried any MT radios.
I'm now about 95% finished (need SSL cert.) getting the User Manager/PayPal working well with the HotSpot package.
It really is a bit of a learning curve putting it all together, but once you get it, in retrospect (at least to a WiFi/RF guy) it seems like paint by numbers. One step at a time.
:)

Re: Can't get UserManager to authenticate

Posted: Wed Jun 09, 2010 8:49 pm
by someuser
The ID is not needed when you are not using it.
For the old User Manager, the customer prefix is explained here:
http://wiki.mikrotik.com/wiki/User_Manager/User_sign_up
So, I'm using 4.10 package. You consider 4.10 to be the old user manager, correct?
I was under the impression anything newer as far as User manager was not stable.
You recommend using the "test package" or anything newer in a production environment?
I'd like to use the Webfig and whatever else comes with the newer stuff, which I thought was all Beta.

Re: Can't get UserManager to authenticate

Posted: Thu Jun 10, 2010 11:11 am
by sergejs
The 4.10 "test" package contains the same functionality as the 4.10 regular package.
There could be a few issues, but generally the test package should be very stable.

Re: Can't get UserManager to authenticate

Posted: Mon Jan 31, 2011 9:21 am
by ojeysky
(snip) I will be using one central authentication RADIUS server with different hotspots located throughout the city.
Nothing to do with customer prefix if enabled in signup page to know from which hotspot any particular user is signing on to?
I use FreeRADIUS, but there should be some way to get to this data in User Manager. I set the hotspot name to unique values, usually the location name. In FreeRADIUS MySQL database radacct table (accounting), that hotspot name shows under CalledStationId.
Hello, I am interested in how you got FreeRADIUS to work with the MikroTik hotspot. Could you provide a layman's procedure? Do you also, by any chance, integrate your FreeRADIUS with LDAP?