Hi; I'm using a Routerboard to set up 3 Hotspot servers in 3 wireless interfaces (one physical, two virtual), and the three hotspots using radius to authenticate. I got this pretty solved, they authenticate and everything. I set up 3 realms, one for each hotspot and they all work fine except for one thing; from time to time the Hotspot interface says 'Radius server is not responding'. This is weird because the server does not go offline, actually it doesn't receive traffic from the mikrotik server when the error is shown at the web interface.
The RB is at 10.200.0.2
the Radius server is at 10.2.0.28
There is a firewall between them but it is not rejecting nor dropping traffic between neither of those hosts, I thouthg there might be a crontab job causing this (because the problem is intermitent), but there's not.

The radius configuration is:

[admin@MikroTik] > radius export
# jun/25/2009 07:31:33 by RouterOS 3.10
# software id = W57B-PTT
#
/radius
add accounting-backup=no accounting-port=1813 address=10.2.0.28 \
authentication-port=1812 called-id="" comment="" disabled=no domain=\
professores realm=professores secret=*** service=hotspot timeout=\
10s
add accounting-backup=no accounting-port=1813 address=10.2.0.28 \
authentication-port=1812 called-id="" comment="" disabled=no domain=\
alunos realm=alunos secret=*** service=hotspot timeout=10s
add accounting-backup=no accounting-port=1813 address=10.2.0.28 \
authentication-port=1812 called-id="" comment="" disabled=no domain=elo \
realm="" secret=*** service=hotspot timeout=10s
/radius incoming
set accept=no port=1700

The timeout is set to 10s because I thought high delays in the network could be the cause, but it still happens.

Hotspot configuration is:

[admin@MikroTik] /ip hotspot> export
# jun/25/2009 07:33:28 by RouterOS 3.10
# software id = W57B-PTT
#
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-pap \
name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=no
add dns-name="" hotspot-address=192.168.10.1 html-directory=hotspot \
http-proxy=0.0.0.0:0 login-by=http-pap name=hs_professores nas-port-type=\
cable radius-accounting=yes radius-default-domain=professores \
radius-interim-update=received radius-location-id="" \
radius-location-name="" rate-limit="" smtp-server=0.0.0.0 \
split-user-domain=no use-radius=yes
add dns-name="" hotspot-address=192.168.11.1 html-directory=hotspot \
http-proxy=0.0.0.0:0 login-by=http-pap name=hs_alunos nas-port-type=cable \
radius-accounting=yes radius-default-domain=alunos radius-interim-update=\
received radius-location-id="" radius-location-name="" rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no use-radius=yes
add dns-name="" hotspot-address=192.168.13.1 html-directory=hotspot \
http-proxy=0.0.0.0:0 login-by=http-pap name=hs_elo nas-port-type=ethernet \
radius-accounting=yes radius-default-domain=elo radius-interim-update=\
received radius-location-id="" radius-location-name="" rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no use-radius=yes
/ip hotspot
add address-pool=dhcp_pool_professores disabled=no idle-timeout=none \
interface=wlan_professores keepalive-timeout=none name=professores \
profile=hs_professores
add address-pool=dhcp_pool_alunos disabled=no idle-timeout=none interface=\
wlan_alunos keepalive-timeout=none name=alunos profile=hs_alunos
add address-pool=dhcp_pool_elo disabled=yes idle-timeout=none interface=\
wlan_elo keepalive-timeout=none name=elo profile=hs_elo
/ip hotspot user profile
set default advertise=no idle-timeout=1m keepalive-timeout=1m name=default \
open-status-page=always shared-users=1 status-autorefresh=1m \
transparent-proxy=yes
add advertise=yes advertise-interval=1m advertise-timeout=never \
advertise-url=http://192.168.100.99/aviso.html idle-timeout=none \
keepalive-timeout=2m name=clientes-debito open-status-page=always \
session-timeout=1h shared-users=unlimited status-autorefresh=1m \
transparent-proxy=yes
/ip hotspot service-port
set ftp disabled=no ports=21

I have already tested this configuration, for each hotspot server (though they were all 3 active), and it works for the 3 of them, but after a while it starts saying 'radius server is not responding'

Do you have any ideas?

Thanks in advance

Perhaps I say a stupid thing.. but.. did you tried to put the Radius server in IP walled garden? I don't remember if it's necessary or not. Also it's possible that you could need to put routes to the radius server.

Try it! : D!

Doesn't walled garden apply only to authenticated hosts using the Hotspot? I think if I put my Radius server in the walled garden it could become accessible to the clients and this could have security implications. And about the routes, I can ping and everything, except when the Radius is not responding error appears.
However, it is not in production yet, so i'll give it a try and post here the results.
Thanks again.

I have the same configuration in one customer. Revised 2 minutes ago and it works. The only difference is Realm in /radius label. Why you need to use realm there?


Thanks,

Note:

No routes or IP walled garden needed.

Thanks for the interest,

I use realm because there are 2 kinds of authentication that radius performs. One is against an Active Directory, and the other as proxy to another Radius.
Hotspot alunos and professores authenticate to the Active Directory, and each user has to belong to a specific group, that is what I use the realm for. If a user 'example' authenticates in hotspot alunos, Radius will receive the realm alunos, and will perform the ntlm_auth as example+alunos, indicating the user example belongs to the group alunos; same thing for the professores Realm.

I hope this helps you help me =D

Note:

No routes or IP walled garden needed.

I tried it already and it didn't make any difference. Thanks

I never used realms. Lot of time ago with other OS.. sorry!

I don't think it has any influence, since it only acts as a parameter I retrieve from radius to perform the ntlm authentication; and the problem also appears in the 3rd hotspot which does not use realms

It could be the ROS version..

Try to update it.

I'll try that, thanks.

Have you increased the radius timeout value to see if that helps?
/radius
print detail
set 0 timeout=1s

Hello. Yes, I have it set to 10s now, I think that's already high enough. Do you think I should increase it?

10 seconds should be more than enough. Have you tried a ping test from the router to the radius server to insure it is not a connection problem? Getting any packet losses?

My bad on the timeout. I see you put that in your first post. I just missed it.

No problem, there was (perhaps) too much info on my post.

I did the ping, sent 200 packages, 0% of loss; min time: 0ms, max: 2ms, average: 0ms.

As I see it, there is no problem with this; I'll keep repeating this test to see if anything changes.
Thanks again.

So it works good at first, then starts the timeouts "after a while"? I noticed you are running an ad page for clients updating once a minute. Could your radius timeouts be connected to your client load? Maybe as your client load increases, the ad pages start using up a lot of bandwidth? Just a thought.

Hmm, that makes sense, but the structure i'm configuring is not in production yet, neither teachers nor students are able to log into the hotspots; however, the students hotspot is on an insecure wifi network (no password needed to connect to it), and anyone can be trying passwords and that stuff. I'll try to reproduce this situation and check if setting up a password for the wireless network solves the problem. If it does, then the problem is related to the user load; if so, how can this be limited? i.e. can I set a network to allow connection to only 30 people? Would 30 ip leases in DHCP be enough? (a /27 network)

Thanks again.

I am not following along here. I thought you said it was all working, then would start to malfunction. Why can't the teachers and students log in?

Sorry I was not clear; this is all in the test phase yet, once it works, the configuration will be replicated to another 14 routerboards and distributed in the campus. It's not in production, that's why no one can login, there is only 1 test user for each hotspot, and students/teachers have no access to them yet. However, each hotspot resides in a wireless interface, one open for everyone to connect to (the students), and the other needs a password (the teachers). I'm sorry if I'm not being too clear, english is not my native language =)

No problem, there was (perhaps) too much info on my post.

I did the ping, sent 200 packages, 0% of loss; min time: 0ms, max: 2ms, average: 0ms.

As I see it, there is no problem with this; I'll keep repeating this test to see if anything changes.
Thanks again.

I repeated this regulary for over 2 hours, and i keep getting the same results.

I think that eliminates a connection challenge. So what about these realms? What is your intent? If you want to use two radius servers (like I do) to authenticate multiple hotspots with VAPs (like I do), I recommend using just the domains and skip the radius proxy server, but I am not aware of other setup requirements you may have.

Also check your dhcp server. Insure your ip leases are not expiring prematurely. Some client computers don't seem to know when to renew the lease. I use 2 days on the lease time. I think default is 3 days. Insure you are not running out of ips to lease to your clients.

I see you have already changed the hotspot idle-timeout to "none". I use 10 minutes. I found that to be a real problem, especially if the client must enter a lot of credit card info when purchasing time. The default 5 minutes was not enough.

ADD: No apology necessary for the language difference. I speak English (American, not King's) as a native language, and I am still not very good at it! Let me know if I need to keep it simple.