[RADIATOR] Radiator+Mikrotik

Nathan Anderson nathana at fsr.com
Mon Dec 8 07:30:26 CST 2014 

On Monday, December 08, 2014 12:16 AM, Mahmoud Abdelsalam wrote:

> Hello all,
> 
> As Mikrotik doesn't support COA for PPPoE, so I used Disconnect-Request,
> the hook script will send Disconnect-Request to Mikrotik once the session
> exceeds the quota, here is how i send Disconnect-Request:  

[snip]

> This works fine but the problem is that user can't re-authenticate again
> because it reaches Maxsessions although I have this in my config file: 

[snip]

> The user would successfully authenticate again when I manually remove the
> session from RADONLINE by executing the DeleteQuery. 

It has been a while since I have had to look at/think about this, but as I recall, this is how it works:

DeleteQuery doesn't get executed unless the Radiator server receives Accounting-Stop from the MikroTik.

PoD/Disconnect-Request may or may not cause Accounting-Stop to be issued by MikroTik RouterOS; I can't remember and I will have to simulate this later and run a packet capture to see what happens.  (Maybe if you are running an older version of RouterOS, try upgrading?  It could be a bug that got fixed later, and they have definitely had their share of RADIUS client bugs in the past.)

In any case, you can work around a problem where Radiator does not receive Accounting-Stop by having Radiator verify that any active sessions for the user that are recorded in the RADONLINE table are valid at the moment that the user tries to authenticate again.  Radiator does this by executing an SNMP query to the NAS that is on record for each session to see if the Session-ID for that row in the table is still valid.  If the NAS does not return anything for the OID, then Radiator assumes the session is dead and purges that entry from RADONLINE, reducing MaxSessions count by 1.

To enable this functionality, you need to make sure that SNMP is enabled and configured on each MikroTik NAS, you need to make sure that Net-SNMP is installed and configured on the Radiator server, and you need to add these options to your Client clause in your Radiator config file:

<Client DEFAULT>
        [...]
        # MikroTik supports this MIB
        NasType CiscoSessionMIB
        SNMPCommunity public
</Client>

Replace 'public' with the SNMP community string that you have configured on the MikroTik.

We also made a slight change to the Radiator code, because by default, if Radiator does not get a response back from its SNMP "get" to the MikroTik, it gives the benefit of the doubt to RADONLINE.  We have found that more often than not, it is better to give the benefit of the doubt to the user.  That way, a user is not unfairly punished by problems with our NAS or problems on our network that might make it impossible for Radiator to communicate with our NAS.  Here is the patch to make that change in behavior:

diff -r -d -u -N Radius/Nas/CiscoSessionMIB.pm Radius-patched/Nas/CiscoSessionMIB.pm
--- Radius/Nas/CiscoSessionMIB.pm	2009-10-26 15:23:55.000000000 -0700
+++ Radius-patched/Nas/CiscoSessionMIB.pm	2014-12-08 05:20:02.000000000 -0800
@@ -39,7 +39,7 @@
 	 $client->{SNMPCommunity},
 	 "$Radius::Nas::CiscoMIB.9.150.1.1.3.1.2.$session_id");
     
-    return 1 if (!$result || $result =~ /no response/i); # Could not SNMP. Assume still there
+    return 0 if (!$result || $result =~ /no response/i); # Could not SNMP. Give benefit of doubt to user.
     return 0 if $result =~ /no such variable/i;  # Not in the MIB means no such session
     return uc($1) eq uc($name)
 	if ($result =~ /^.*\"([^"]+)".*$/);

Hope this helps,

-- 
Nathan Anderson
First Step Internet, LLC
nathana at fsr.com

More information about the radiator mailing list