DHCP accounting and RADIUS packets

skylaer · Sun May 06, 2012 5:00 pm

Hi all!
We try to use Mikrotik as router and DHCP server.
Switches send DHCP packets to Mtik, Mtik make req to Radius server and receive
dhcp pool name, speed limits...
All work good, but small problem.. No accounting

And i don't know IP address of user (from pool), traffic.
And don't know when user stops use address

Maybe it's possible:

1. Send Accounting-Start packet with IP address, when lease and queue created and up?
2. Send Accounting-Stop packet with traffic from queue (if created), when lease dropped?

Many people try to use Opt82 instead PPPxx, it's may be a good solution.

pospanko · Mon May 07, 2012 12:13 pm

Hi all!
We try to use Mikrotik as router and DHCP server.
Switches send DHCP packets to Mtik, Mtik make req to Radius server and receive
dhcp pool name, speed limits...
All work good, but small problem.. No accounting
And i don't know IP address of user (from pool), traffic.
And don't know when user stops use address

Maybe it's possible:

1. Send Accounting-Start packet with IP address, when lease and queue created and up?
2. Send Accounting-Stop packet with traffic from queue (if created), when lease dropped?

Many people try to use Opt82 instead PPPxx, it's may be a good solution.

+1

wildbill442 · Mon May 07, 2012 9:03 pm

+1 and Option 82 support.

skylaer · Tue May 08, 2012 12:23 am

It's really simple to develop - 1 packets send when created and 1 then dropped.
But better way - start, stop and keepalive together

Chupaka · Thu May 10, 2012 3:50 pm

and Option 82 support.

it's supported for many years already

skylaer · Thu May 10, 2012 9:57 pm

He talks about native support for DHCP OPT82 without radius.

Chupaka · Tue May 15, 2012 3:27 pm

He talks about native support for DHCP OPT82 without radius.

but this topic IS about RADIUS

I think he should open a new topic (or better a support ticket?) about option82-based (not MAC-based, like now) leases

skylaer · Wed May 16, 2012 5:05 pm

Yes, you right.

After investigation we found a packet from Mikrotik "Accounting = On".
Router send this packet sometimes, but packet not contains any interesting

pospanko · Wed Jun 06, 2012 1:48 pm

Normis, is there a chance to add radius accounting message in DHCP? thx

lambert · Fri Jun 22, 2012 11:38 pm

I just setup DHCP with RADIUS auth yesterday and thought I had done something wrong when I didn't see accounting start packets. I was expecting a start packet on initial assignment and a stop packet when the lease expires. Perhaps an accounting update packet when the lease is renewed.

Also, I thought I would see an auth request every time the lease was renewed, but I haven't seen any auth requests after the initial request unless I delete the dynamic lease on the mikrotik before the lease is renewed.

We need the accounting packets in an ISP setting to tell us who was using a particular IP 3 months ago without trawling through syslog server archives.

Chupaka · Sat Jun 23, 2012 2:45 pm

Also, I thought I would see an auth request every time the lease was renewed, but I haven't seen any auth requests after the initial request unless I delete the dynamic lease on the mikrotik before the lease is renewed.

it's how it works: if you don't set lease timeout in RADIUS Access-Accept, then the value from DHCP server settings is used, and no RADIUS Request is made for lease renewals; if you return timeout from RADIUS, then any renews of that lease will require RADIUS authorization - that's what you're looking for

lambert · Mon Jun 25, 2012 5:08 am

Also, I thought I would see an auth request every time the lease was renewed, but I haven't seen any auth requests after the initial request unless I delete the dynamic lease on the mikrotik before the lease is renewed.
it's how it works: if you don't set lease timeout in RADIUS Access-Accept, then the value from DHCP server settings is used, and no RADIUS Request is made for lease renewals; if you return timeout from RADIUS, then any renews of that lease will require RADIUS authorization - that's what you're looking for

Thank you, that is very helpful to know.

dilnix · Fri Jun 14, 2013 2:38 pm

it's how it works: if you don't set lease timeout in RADIUS Access-Accept, then the value from DHCP server settings is used, and no RADIUS Request is made for lease renewals; if you return timeout from RADIUS, then any renews of that lease will require RADIUS authorization - that's what you're looking for

dear Chupaka, can you give me some example of how to configure RB DHCP Server to resend option82 data of DHCP request (received from some port L2 commutator) to freeRadius server connected directly to RB????
I'm trying to implement MAC-independent PORT-binded connection to every customer.
I mean, for example, any device with any MAC connected to port 1 of commutator will take from DHCP Server (RB) only one IP-address (192.168.0.1 for example), and no another. If the same device (or any) will connect to another port (for ex. 2) so it will take another IP (192.168.0.2 for ex.).
PLZ

Chupaka · Fri Jun 14, 2013 6:13 pm

can you give me some example of how to configure RB DHCP Server to resend option82 data of DHCP request (received from some port L2 commutator) to freeRadius server connected directly to RB????

as far as I can see, you just cannot disable it. if Option82 info exists in DHCP request, it will be sent to RADIUS

so just set 'use-radius=yes' on your dhcp server and then create radius for service=dhcp

Begetan · Fri Jun 14, 2013 8:38 pm

Turn on system->logging->topic dhcp and you will see in og file all information from DHCP request sending to radius. Mikrotik sends probably all information from dhcp request packets, but the correct way to dump and check.

skylaer · Sat Jun 15, 2013 3:43 pm

We know (c)

But the best way is DHCP-Radius packets for start, renew and expire lease.
It;s easy for development and i don't know, why Mikrotik can't do it.

dilnix · Mon Jun 17, 2013 1:11 pm

as far as I can see, you just cannot disable it. if Option82 info exists in DHCP request, it will be sent to RADIUS
so just set 'use-radius=yes' on your dhcp server and then create radius for service=dhcp

Thanks, but what about freeRadius configuration? Do you have/know any examples?? or may be you know who can help me?

But the best way is DHCP-Radius packets for start, renew and expire lease.
It;s easy for development and i don't know, why Mikrotik can't do it.

Yes, why Mikrotik can't do it still???

lambert · Mon Jun 17, 2013 10:24 pm

Has anyone come up with a way to get the radius accounting information without making users change how their equipment is setup by using mac-auth in the hotspot functionality?

It looks to me like it should be possible to enable hotspot on the customer facing interface and deal with their already DHCP assigned IP address without any login popups. I just don't have any experience with hotspot at all and haven't had time to experiment yet.

alexcherry · Mon Aug 18, 2014 8:46 pm

Any news about support of accounting for Radius DHCP ? We are using API for gathering information about DHCP radius sessions, but with Radius accounting it should be simpler and standartized.

santa · Tue Oct 14, 2014 4:29 pm

Yes, I believe there are many people interested in this topic. Any response would be pleased. "We plan to implement" or "We don't plan to implement" would be sufficient

.

janmohammadi · Sat Apr 15, 2017 5:41 pm

Yes, I believe there are many people interested in this topic. Any response would be pleased. "We plan to implement" or "We don't plan to implement" would be sufficient .

+1
Is Mikrotik have any plan to support Accounting requests for DHCP?
Is it possible at all?

pospanko · Tue Aug 29, 2017 4:40 pm

machack · Tue Oct 31, 2017 6:05 pm

rico29 · Wed Oct 24, 2018 4:23 pm

This post is from 2012, and still have no response for mikrotik team.
Sad...

tishri · Sun Feb 17, 2019 1:42 am

What happened to mikrotik? They are selling products without any improvements on features. They are stucked or very slow. Until now they dont have working DHCP accounting. We cannot track the bandwith usage per user based on DHCP leases. It doesn't send to radius server. Useless!

We are now migrating to cisco.

rdelacruz · Wed Mar 06, 2019 3:07 pm

What's the best way to get the accounting data ( Acct-Input-Octets and Acct-Output-Octets) when using DHCP auth without relying on Mikrotik?

rdelacruz · Thu Mar 07, 2019 5:16 pm

It would be best if Mikrotik can send these accounting data to the RADIUS every time the device disconnected or through interim updates.

saskuu · Sat Mar 16, 2019 8:42 am

through interim updates

+1

saskuu · Wed Apr 17, 2019 9:35 pm

It would be best if Mikrotik can send these accounting data to the RADIUS every time the device disconnected or through interim updates.

+1

Kamaz · Mon Apr 22, 2019 2:14 pm

Yes, I believe there are many people interested in this topic. Any response would be pleased. "We plan to implement" or "We don't plan to implement" would be sufficient .

+1

rdelacruz · Wed May 08, 2019 3:38 pm

Yes, I believe there are many people interested in this topic. Any response would be pleased. "We plan to implement" or "We don't plan to implement" would be sufficient .

+1

goabroad · Thu May 09, 2019 10:55 pm

Yes, I believe there are many people interested in this topic. Any response would be pleased. "We plan to implement" or "We don't plan to implement" would be sufficient .

+1

rdelacruz · Fri May 10, 2019 8:35 pm

What's new in 6.45beta42 (2019-May-08 12:44):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) capsman - fixed interface-list usage in access list;
*) cloud - added "replace" parameter for backup "upload-file" command;
*) crs3xx - correctly handle switch reset (introduced in v6.45beta31);
*) defconf - added "custom-script" field that prints custom configuration installed by Netinstall;
*) defconf - automatically set "installation" parameter for outdoor devices;
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcpv4-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters (CLI only);
*) discovery - correctly create neighbors from VLAN tagged discovery messages;
*) discovery - show neighbors on actual mesh ports;
*) ethernet - increased loop warning threshold to 5 packets per second;
*) gps - make sure "direction" parameter is upper case;
*) gps - strip unnecessary trailing characters from "longtitude" and "latitude" values;
*) hotspot - moved "title" HTML tag after "meta" tags;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods (CLI only);
*) rb921 - improved system stability ("/system routerboard upgrade" required);
*) ssh - accept remote forwarding requests with empty hostnames;
*) ssh - improved remote forwarding handling (introduced in v6.44.3);
*) tr069-client - improved error reporting with incorrect firware upgrade XML file;
*) w60g - do not show unused "dmg" parameter;
*) w60g - show running frequency under "monitor" command;
*) winbox - show "LCD" menu only on boards that have LCD screen;
*) wireless - fixed frequency duplication in the frequency selection menu;
*) wireless - improved 160MHz channel width stability on rb4011;
*) wireless - improved installation mode selection for wireless outdoor equipment;
*) wireless - set default SSID and supplicant-identity the same as router's identity;
*) wireless - updated "china" regulatory domain information;

I've noticed it and tested, but it's not working yet. Have you successfully tested this one?

rdelacruz · Wed Jun 19, 2019 1:56 am

rdelacruz - Please note that accounting will work only for those users which has a queue. Data for accounting is taken from queue statistics
Yes, I'm aware of it. Are you referring to this queue?

If yes, can you please confirm that this added feature will work if we use RADIUS for accounting and lease? Thanks

Have you successfully tested this one?

rdelacruz · Wed Jul 17, 2019 12:53 am

rdelacruz - Please note that accounting will work only for those users which has a queue. Data for accounting is taken from queue statistics
Yes, I'm aware of it. Are you referring to this queue?

If yes, can you please confirm that this added feature will work if we use RADIUS for accounting and lease? Thanks
Have you successfully tested this one?

Has anyone tested this feature?

pavelkolchanov · Thu Aug 08, 2019 3:45 pm

Has anyone tested this feature?

I'm trying it on 6.45.3 in combination with radius server from BGBilling. Packets counting working properly, but traffic statistics looks very strange:

08-08/15:35:14  INFO [rdsLstnr-p-7-t-16] InetRadiusProcessor - REQUEST_AFTER_PREPROCESS:
Packet type: Accounting-Request
Identifier: 25
Authenticator: {83 CF 00 41 9C 08 EC 4D E9 BF D9 C3 BE DE FA 1A}
Attributes:
  NAS-Identifier=Core router
  User-Name=00:AD:24:F9:BF:52
  NAS-IP-Address=192.168.16.1
  NAS-Port=-2095054647
  Framed-IP-Address=172.16.58.9
  Acct-Status-Type=3
  Acct-Delay-Time=0
  Acct-Input-Octets=938520311
  Acct-Output-Octets=938520311
  Acct-Session-Id=c9002083
  Acct-Authentic=2
  Acct-Session-Time=259
  Acct-Input-Packets=670430
  Acct-Output-Packets=108219
  Acct-Input-Gigawords=0
  Acct-Output-Gigawords=0
  Event-Timestamp=1565267714
  NAS-Port-Type=15
  Called-Station-Id=client-58
  Calling-Station-Id=1:0:ad:24:f9:bf:52

Снимок экрана_2019-08-08_15-35-41.png

psychoed · Thu Dec 05, 2019 12:17 pm

Some radius servers can't accept Accounting-Request without Сlass attribute. It used to bind Access-request and Accounting-Request. In case with MT hotspot+radius and MT ppp+radius, it works correctly, MT is returning Class attribute in Accounting-Request to radius server, but in case with DHCP+radius does not.
Still not working correctly on v6.45.7..

rizkcharbel · Fri Feb 19, 2021 11:16 am

I have been trying to make accounting work with DHCP but no luck, I think it is useless to enable radius accounting on DHCP level if you don't have the interim-update option, I believe that Mikrotik should solve this problem or just remove radius accounting from DHCP because it's just confusing.

rdelacruz · Sat Aug 14, 2021 2:19 am

The accounting only works during interim updates; not during accounting start and stop. It also requires a simple queue, as data will be coming from simple queue statistics.

Who is online