makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Mikrotik radius client behind nat

Fri Nov 19, 2010 9:21 pm

Hi,

I am facing a problem where I have a radius server and many mikrotik radius clients for hotspot.
The problem is that these MT radius clients are behind a NAT translation so when they authenticate the radius server catches the local ip (nas-ip-address).
Is there any way of solving this? For example by using the /radius set src-address=public ip?

The result is that even if a user has 30min limited online time he can stay online forever since that information obviously isn't included in the authentication process so that the MT can disconnect the client.

Any help would be appreciated!

Marcus
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Mikrotik radius client behind nat

Fri Nov 19, 2010 9:32 pm

Are you using NTP to keep the date/time accurate in all routers?
Check "/system ntp client" and "/system clock".
 
xxiii
Member Candidate
Posts: 234
Joined: Wed May 31, 2006 12:55 am

Re: Mikrotik radius client behind nat

Fri Nov 19, 2010 10:27 pm

Somewhat confused. Radius reply packets can include a session time limit, and this would be part of the authentication process. This would usually be based on the username used to authenticate with. It's then up to the radius client to disconnect the session when the time arrives. Radius authentication requests also contain the IP address of the radius client (independent of any NATting that may have happened to it, unless (possibly) the NATting is happening on the same device).

I guess I'm not clear on what problem you are having. Are you trying to assign a session limit based on the IP address the request is coming from?
 
makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: Mikrotik radius client behind nat

Fri Nov 19, 2010 11:51 pm

Well, I'm not sure what I am doing wrong, but I have set online time per say to 30sec but I can still browse for 2-3min or more.
I were also Roos that the client will receive the time limit and disconnect the user.


About the IP, the radius server receives 192.168.1.1 (MT local IP) and I also think that's the IP it will use when sending death messages etc.

What I want to do is that users should be able to login with username and password, and after that they can use the internet for say 3 hours. After that they should be disconnected and counters should be reset every 24 hours.
And the problem is that in the "auth-string" to the radius server, the client is sending its local IP so the server can't contact it since they are communicating over the Internet.

Sorry for being so unclear in the description of my problem.
 
makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: Mikrotik radius client behind nat

Sat Mar 19, 2011 2:07 am

By using my imagination and some awesome tricks, this was finally solved. NAS is now running fully functional behind NATed router.
 
halim
just joined
Posts: 1
Joined: Sun Mar 07, 2010 7:14 am

Re: Mikrotik radius client behind nat

Sat Mar 19, 2011 6:35 am

Hello master, I am new, I have a problem with my wifi network, :( when I use my vpn can not access other network root. But when I turn off my vpn buffer connected to the network root. Please enlightenment. Thanks.... :)
 
makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: Mikrotik radius client behind nat

Tue Mar 22, 2011 6:30 pm

I think you should start a new thread, but anyway, first describe your network and then try to express your problem further.
 
desertadmin
Member Candidate
Posts: 232
Joined: Tue Jul 26, 2005 6:09 pm
Location: Las Vegas, New Mexico

Re: Mikrotik radius client behind nat

Mon Apr 11, 2011 9:35 am

How did you resolve your problem?

You are able to get Radius Auth to work through a double nat'd environment? If so please post your solution. Thanks.

As far as I know you can only do this via a VPN tunnel. If so once again post your solution for the community to see. Thanks.

-Sincerely,
DesertAdmin
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Mikrotik radius client behind nat

Mon Apr 11, 2011 2:12 pm

If you mean RADIUS authentication and accounting, that should be no problem. That is what I use. No VPN.

If you want to send a disconnect message from the radius server to the NAS behind a NAT, that won't work without a dst-nat or VPN.

I use the public ip that the NAS is translated to as the radius client (router) in the radius server (User Manager) setup.
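An added example, not part of any post in this thread: a Python sketch of what the RADIUS server sees when a NAS behind NAT authenticates, parsing NAS-IP-Address (attribute 4) out of an Access-Request and comparing it with the UDP source address the packet arrived from. The function names, the user name and the public address 203.0.113.10 are constructed for illustration, and 3799 is the RFC 5176 default port for Disconnect-Request, assumed here rather than taken from the thread.

```python
import ipaddress
import struct

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 1, 4
COA_PORT = 3799  # RFC 5176 default for Disconnect/CoA (assumed; the NAS may use another)


def build_access_request(user: str, nas_ip: str, ident: int = 1) -> bytes:
    """Build a minimal constructed Access-Request (no password attribute)."""
    attrs = b""
    for a_type, value in ((ATTR_USER_NAME, user.encode()),
                          (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)):
        attrs += struct.pack("!BB", a_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + bytes(16) + attrs  # zeroed Request Authenticator, sample only


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value}, rejecting inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("truncated or malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs


def disconnect_target(packet: bytes, udp_source_ip: str) -> dict:
    """Compare NAS-IP-Address with the UDP source address and report where a
    Disconnect-Request has to be sent to have any chance of reaching the NAS."""
    raw = parse_attributes(packet).get(ATTR_NAS_IP_ADDRESS)
    nas_ip = str(ipaddress.IPv4Address(raw)) if raw and len(raw) == 4 else None
    natted = nas_ip is not None and nas_ip != udp_source_ip
    return {"nas_ip_address": nas_ip, "udp_source": udp_source_ip,
            "behind_nat": natted, "needs_dst_nat_or_vpn": natted,
            "send_disconnect_to": (udp_source_ip, COA_PORT)}


# Constructed sample: the NAS reports its LAN address, as described in the thread.
SAMPLE = build_access_request("user1", "192.168.1.1")
if __name__ == "__main__":
    print(disconnect_target(SAMPLE, "203.0.113.10"))
```

When `behind_nat` is true, the address in NAS-IP-Address is not routable from the server, so a server-initiated disconnect only arrives if the NAT router forwards that UDP port to the NAS or the two ends share a VPN.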
