My setup:
Hotspot configured to use an external RADIUS server and external captive portal pages. Users share a DHCP pool and must authenticate via my RADIUS servers to gain internet access.
Config snippets:
Code: Select all
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-proxy=0.0.0.0:0 login-by=http-pap name="my hotspot" nas-port-type=wireless-802.11 radius-accounting=yes \
radius-default-domain="" radius-interim-update=5m radius-location-id="" radius-location-name="" radius-mac-format=XX-XX-XX-XX-XX-XX rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=yes
/ip hotspot
add address-pool=dhcp disabled=no idle-timeout=15m interface=ether2-master-local keepalive-timeout=none name=server1 profile="my hotspot"
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=default !parent-queue !queue-type \
shared-users=1 status-autorefresh=1m transparent-proxy=no
/radius
add accounting-backup=no accounting-port=31813 address=XX.XX.XX.XX authentication-port=1812 called-id=foo disabled=no domain="" realm="" secret=bigsecret service=hotspot timeout=5s
I want to be able to set the 'Called ID' in my RADIUS client config to the MAC address of the RouterBoard (specifically the WAN ethernet port MAC).
If I leave this unset then I receive RADIUS traffic on my RADIUS server (and can authenticate and receive accounting data properly), but the Called-Station-ID is not satisfactory for my solution (it is the name of the hotspot service I configured).
If I try to set this variable via the web interface of or CLI then I receive no RADIUS traffic and instead see the following errors in logs:
Code: Select all
==> user.log <==
Oct 16 13:50:22 172.10.10.173 hotspot,info,debug adam@t.com (192.168.88.254): trying to log in by http-pap
Oct 16 13:50:22 172.10.10.173 hotspot,debug adam@test.com (192.168.88.254): local user not found
Oct 16 13:50:22 172.10.10.173 hotspot,debug adam@test.com (192.168.88.254): sending RADIUS authentication request
==> local0.log <==
Oct 16 12:42:28 172.10.10.173 new request 3f:6c code=Access-Request service=hotspot called-id=server1
Oct 16 12:42:28 172.10.10.173 no radius server found for 3f:6c
Oct 16 12:42:28 172.10.10.173 timeout for 3f:6c
==> user.log <==
Oct 16 13:50:24 172.10.10.173 hotspot,info,debug adam@test.com (192.168.88.254): login failed: RADIUS server is not responding
The bug?
This line of logging caught my attention:
Code: Select all
Oct 16 12:42:28 172.10.10.173 new request 3f:6c code=Access-Request service=hotspot called-id=server1If I add that identical string to my RADIUS config as the 'Called Id' then I see RADIUS traffic on my server. It works.
I assume this means that the software is attempting to find a matching RADIUS server entry using the called-id in the internal request, and if the RADIUS server entries have been configured with something else an error is thrown and no RADIUS packet sent.
Workaround
To configure the Called-Station-Id to the MAC address of the RouterBoard I must set the name of my hotspot to the MAC address and leave the 'Called ID' section blank in my RADIUS client config. Presumably this can also be scripted, which is cool.
I notice forum posts up to few years old that talk about similar problems with RADIUS not sent and 'No radius server found' errors in logs, but could not find a fix.
NOTE: The 'No radius server found" error is also thrown if the 'domain' variable is set in the RADIUS client config.
Hope someone can help.
Cheers,
Adam
---------------------
v6.20 on RouterBoard450