
Mikrotik + FreeRadius + MySQL + Hotspot

Posted: Tue Aug 31, 2004 5:43 am
by wjw
Hi all,

I've been googling for a while now and had no luck answering the following:

1. How do I add the mikrotik attributes to my freeradius server? (to limit online time, data download, speed etc) (I have found this and will try it: http://forum.mikrotik.com/phpbb2/viewto ... freeradius)

2. How do I get the Radius server to log, data totals, time online etc????

3. Can all login files be external? i.e. can the servlet, once authed the user, redirect to another machine? I've tried the stuff in the manual for the login pages, but would like to go further.

Thanks,

Bill

Posted: Tue Aug 31, 2004 6:13 am
by wjw
Okay, I've answered 1 and got it working, but when the user logs on it doesn't give them any error messages. The mikrotik log says Traffic limit reached, but I need the user to get this too...

Posted: Wed Sep 01, 2004 12:08 am
by wjw
Now have a new question, have been going through the Radius Attributes and can't find a time limit one, ie I need to limit people to say a total of 2 hours online.... any ideas on the attribute???

thx

Bill

Posted: Wed Sep 01, 2004 2:54 am
by lastguru
That should be done through Session-Timeout. I.e., the RADIUS server will calculate the appropriate value of Session-Timeout knowing the time the user has already spent, and the time he/she can totally spend.

Posted: Wed Sep 01, 2004 10:26 am
by wjw
Cool will give that a go, thanks... ;)

Posted: Wed Sep 01, 2004 11:59 am
by wjw
Ok have given that a go and it doesn't do what I need :(

Let me explain what I'm doing:

1. Customer buys 2 hours of time
2. Staff create account with 2 hours of time
3. When time is used, account is disabled.

Session-timeout doesn't do this unfortunately... any ideas on an attribute that does?

Also I can't seem to get the mikrotik box to send an error to the client when their TxLimit, RXLimit or Session-Limit is reached. The mikrotik logs what happens, but doesn't send that info to the client. As far as the client's concerned all they get is a DNS error in their browser.

TIA,

Bill

Posted: Wed Sep 01, 2004 1:31 pm
by wjw
Ok I've got the Max Time limit working, still need the error pages to work tho :(

Eg normally when a user logs on the radius server sends:

rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=28, length=68
HSpot-Location = 1
HSpot-Plan = 0
Ascend-Data-Rate = 128000
Idle-Timeout = 180
Session-Timeout = 416

But when their time expires, it sends:

rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=42, length=104
Reply-Message = "Your maximum never usage time has been reached"
HSpot-Location = 1
HSpot-Plan = 0
Ascend-Data-Rate = 128000

Now what I can't get to work is the Radius Error message to appear in the users web browser.
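
The Accept/Reject pair in the post above can be modelled as a short sketch (an added example, not code from the thread or from FreeRADIUS): the server sums the user's recorded session time, then either returns the remaining seconds as Session-Timeout or rejects with the Reply-Message. The in-memory SQLite tables, the `Max-All-Session` check attribute, the user names and the function names are assumptions made for illustration.

```python
import sqlite3

# Reply text copied from the Access-Reject shown in the thread.
REJECT_MSG = "Your maximum never usage time has been reached"

def build_db(sessions, limits):
    """In-memory SQLite stand-in for the MySQL radacct/radcheck tables (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (UserName TEXT, AcctSessionTime INTEGER)")
    db.execute("CREATE TABLE radcheck (UserName TEXT, Attribute TEXT, Value TEXT)")
    db.executemany("INSERT INTO radacct VALUES (?, ?)", sessions)
    db.executemany("INSERT INTO radcheck VALUES (?, 'Max-All-Session', ?)", limits)
    return db

def authorize(db, user, base_reply=None):
    """Return (packet type, reply attributes) for one login attempt."""
    # Parameterised queries: the user name comes straight from the login form.
    limit = db.execute(
        "SELECT Value FROM radcheck WHERE UserName = ? AND Attribute = 'Max-All-Session'",
        (user,)).fetchone()
    if limit is None:
        return "Access-Reject", {}  # assumption: no purchased quota means no access
    used = db.execute(
        "SELECT COALESCE(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ?",
        (user,)).fetchone()[0]
    remaining = int(limit[0]) - used
    if remaining <= 0:
        return "Access-Reject", {"Reply-Message": REJECT_MSG}
    reply = dict(base_reply or {})
    # Never lengthen a Session-Timeout that is already in the reply.
    reply["Session-Timeout"] = min(remaining, reply.get("Session-Timeout", remaining))
    return "Access-Accept", reply

if __name__ == "__main__":
    # Constructed accounting rows: guest1 has used 6784 s of a 7200 s (2 hour) purchase.
    db = build_db([("guest1", 3600), ("guest1", 3184), ("guest2", 7200)],
                  [("guest1", "7200"), ("guest2", "7200")])
    print(authorize(db, "guest1", {"Idle-Timeout": 180}))
    print(authorize(db, "guest2"))
```

Only time already written to the accounting table is counted, so a session that is still open does not reduce the remaining quota until its accounting record is updated.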

Posted: Wed Sep 01, 2004 2:52 pm
by cmit
Well, that's not the way it is supposed to work. The Reply-Message attribute is sent to the router (in this case MikroTik) which can do with it whatever it wants to. I'm quite sure MikroTik doesn't take the Reply-Message from RADIUS to display it on a web page (or anywhere at all).

To achieve what you are trying you could for example try the following:
Users having reached the usage limits are given IP addresses from a separate ip pool.
Then create some redirection rule in MikroTik for all requests from this address range to dst port 80 (TCP) to a local web server which is serving the page you want those customers to see (e.g. "your usage limit has been reached"). You would also need to allow DNS traffic from this separate address range, I suppose - otherwise customers won't see your special web page but just get a DNS error.

Sorry, no finished config at hand - you have to fiddle around yourself... :D

Posted: Thu Sep 02, 2004 2:55 am
by wjw
> Well, that's not the way it is supposed to work. The Reply-Message attribute is sent to the router (in this case MikroTik) which can do with it whatever it wants to. I'm quite sure MikroTik doesn't take the Reply-Message from RADIUS to display it on a web page (or anywhere at all).
From what I understand in the manual it should do. I will try what you suggest tho ;)

Posted: Thu Sep 02, 2004 9:50 am
by mag
Would you like to share an example users-file entry? I am in the process of setting up a MikroTik / (free)radius / billing-software environment myself.
tia.
> From what I understand in the manual it should do. I will try what you suggest tho ;)

Posted: Thu Sep 02, 2004 10:02 am
by wjw
First thing to make sure of is that MYSQL and FreeRadius are working properly. Also, to do time limited accounts you'll need to set up sqlcounter, which comes in the /usr/share/freeradius/ folder. There are a few things to do to set it up, but you shouldn't have to recompile, or at least on mine I didn't.

Once I got FreeRadius and MySQL running right with sqlcounter, I added the dictionary.mikrotik by putting a #include in the /etc/raddb/radiusd.conf.

$INCLUDE /usr/share/freeradius/dictionary.mikrotik


Then tested the Ascend-Data-Rate (you can only use Rate-Limit MT attribute if using ppp) and other mt specific stuff I wanted. Once that worked, I added my own custom attributes to the mikrotik.dictionary file for Hotspot location and plan (avoids having two db's).

ATTRIBUTE HSpot-Location 9 integer Mikrotik
ATTRIBUTE HSpot-Plan 10 integer Mikrotik

I found that the only complicated part was getting my head around how radius actually works as I've never used it before.

BTW, I used Mandrake 10 with Freeradius 0.9.3 and Mysql ??? can't remember...

I'm now working on the user management system, which will ultimately be what I use to bill each hotspot location.

If you get stuck try me on icq - 4-746-863

Posted: Thu Sep 02, 2004 1:33 pm
by lastguru
Just curious, what is the point of having additional attributes without support for them on the receiving end?

Posted: Thu Sep 02, 2004 2:17 pm
by wjw
It speeds things up in my user management system because I only have to reference two tables instead of three (ie radreply and radcheck) for creating/editing/deleting users. Also makes my coding easier....

They must be specified as attributes or freeradius stops reading the radreply table when it hits one.

Posted: Fri Sep 03, 2004 3:38 pm
by ofasa
Hi,

If all you need to do is sell prepaid internet access, take a look at quick-r (http://www.qlinux.net/software/quick-r). That's what I'm using with my hotspot setup.

Posted: Fri Sep 03, 2004 4:40 pm
by ofasa

Posted: Sat Sep 04, 2004 6:42 am
by wjw
Thanks for that, it seems to struggle on Mandrake.... hmm RH10 again... I think