6d61726b7573
just joined
Topic Author
Posts: 2
Joined: Wed Mar 16, 2016 8:45 am

Mikrotik Hotspot and Freeradius active client updates

Wed Mar 16, 2016 9:18 am

Hello,

I use Mikrotik with Router OS 6.34.3 and some 951Ui-2HnD routers for testing.

My setup includes a freeradius server with the MySQL extension enabled. The radius server should manage all client sessions on my Mikrotik devices.

Already working
Well, my Mikrotik router uses the hotspot already and the radius is enabled as well as the walled garden IPs. Now if a new client connects to the hotspot, he will be redirected to an external website that asks the user to agree to some terms and conditions. When the user has successfully agreed, the website script enables the user in the radius database.
For compatibility reasons I need to use MAC authentication as username. The MAC auth. password is set in the router admin backend.


My problem
My Mikrotik routers check the radius database only when the client sends the first packet. If the client already exists as a valid user in the radius database, he is immediately able to use the internet access without any problem.

But if he has to agree to the terms first, the Mikrotik router checks the radius after it has received the first packet. Now the user is not valid because he has to agree to the terms first, so the radius rejects the login request – so far this is perfectly fine.

Let's go a step further: the user has meanwhile accepted the terms and conditions and owns a valid radius db entry. But Mikrotik is not going to check the radius again as long as the user is listed as a host in the router os backend.
Same problem the other way round. If I delete a user in the radius database, Mikrotik keeps the user active as long as he did not disconnect himself for the idle time.

Can you tell me what I did wrong here? How can I force the Mikrotik device to check the radius server continuously if a user got activated or deleted, and also get correct session counting on the radius?

Meanwhile I did a workaround by activating PAP authentication together with MAC authentication and calling the login script on the router with the MAC as username and the previously set MAC auth. password. That will force the router to immediately check the radius again if the user is valid. That helps to get a login in time but it's still a dirty solution, because I need to share the password with the client and it only works at login time. Logouts (disabled users) still cause headaches.

Maybe you can help me with this problem. To cut my long story short: I just need help getting Mikrotik to continuously check the radius for new or deleted users, not only after the first packets.

Thank you
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Mikrotik Hotspot and Freeradius active client updates

Fri Mar 18, 2016 12:33 pm

I think http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client may be of interest to you, more specifically CoA.
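The CoA mechanism mentioned above includes the RFC 5176 Disconnect-Request, which lets the RADIUS side end a hotspot session once the user has been removed from the database. The following is an added example, not part of the original post: it builds such a request and verifies the router's reply in Python; the choice of User-Name carrying the MAC, and the address, port and secret passed to `disconnect`, are assumptions to match against the router's `/radius incoming` settings.

```python
import hashlib
import hmac
import os
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
USER_NAME, ACCT_SESSION_ID = 1, 44  # RFC 2865 / RFC 2866 attribute types


def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    data = value.encode()
    if len(data) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def build_disconnect(ident, secret, mac, session_id=""):
    """Disconnect-Request; authenticator is MD5 over the packet with 16 zero bytes."""
    attrs = attr(USER_NAME, mac)  # assumption: MAC auth, so User-Name is the MAC
    if session_id:
        attrs += attr(ACCT_SESSION_ID, session_id)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def check_reply(reply, request, secret):
    """Verify the response authenticator before trusting ACK/NAK."""
    if len(reply) < 20:
        raise ValueError("short reply")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        raise ValueError("reply does not match request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad response authenticator")
    return {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(code, "unexpected")


def disconnect(nas_ip, port, secret, mac, timeout=3.0):
    """Send the request to the hotspot's incoming RADIUS port and return ack/nak."""
    request = build_disconnect(os.urandom(1)[0], secret, mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_ip, port))
        reply, _ = sock.recvfrom(4096)
    return check_reply(reply, request, secret)
```

A reply whose authenticator does not verify is rejected rather than reported as an ACK, so a spoofed UDP answer cannot make the portal believe a session was closed.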
 
6d61726b7573
just joined
Topic Author
Posts: 2
Joined: Wed Mar 16, 2016 8:45 am

Re: Mikrotik Hotspot and Freeradius active client updates

Mon Apr 04, 2016 2:34 pm

Hi,

meanwhile I was able to solve all problems but one.

@pukkita thank you for the link, I have now worked through many tutorials and refs. on the web.
It is possible to log out a user if you enable incoming traffic from the radius, but for that the hotspot's IP must be static and not behind a NAT or anything similar, so I dropped that.

I managed to log out users after a given time using Max-All-Session set by the radius and accounting via SQL_Counter.

Well, the only problem left is MAC login.
As I wrote before, when you use MAC authentication the radius gets queried after the first packet of a new client hits the hotspot. Now a not authenticated client gets redirected to a website where he can then log in to the radius (so now a valid radcheck entry gets set). But because the hotspot already sent an auth request which was rejected, you will not get an active state on the hotspot, because the hotspot will not request auth. data from the hotspot again.

Meanwhile I found out that it is possible to set the login time limit in the Hotspot. When the limit gets hit, the not authenticated user gets dropped from the host list and reassigns itself to it with the next packet, including the radius getting checked again – so it would be possible, if I set the limit to 1 second, that a user gets immediately authenticated and active on the hotspot as soon as he has accomplished the login on the website.

However, if the hotspot queried the radius again each second for each host in the list, this would truly be a performance disaster.

All I need is a way to tell the Mikrotik Hotspot to request the radius again with MAC authentication as soon as the user accomplishes the login on the website. Calling the hotspot's /login or /status link does not help. Only if I use cap then, but this is not what I'm looking for.

Any ideas how I can tell the hotspot that the user is now in the radius database and that the hotspot should perform the auth. request again?

Thanks
 
thaman
just joined
Posts: 2
Joined: Thu Oct 15, 2015 9:33 pm

Re: Mikrotik Hotspot and Freeradius active client updates

Tue Apr 05, 2016 4:04 am

Hmm, come on you guys, I have had exactly the same problem for a while now, and I found many other users in the forum but also anywhere on the web searching for the same solution, some for years… I mean, hey Mikrotik crew, why can't you offer a valid method to tell the Hotspot to request the radius again? It also works with passing password and username to login, so why not simply add another parameter like doradiuschek=true for those who need MAC authentication only?

Is there really no solution to tell the Mikrotik hotspot to send a new auth request to the radius server while using MAC auth? :) By HTML servlets, triggered scripts or the API?

It is really weird when you use an external service that sets the correct auth entry in the freeradius db. Now you need to wait until the login timeout is reached or use PAP instead of MAC auth. Isn't there an easy way to say: "Ey Mikrotik, I have now entered valid client credentials in the radius database and I want to go online now, please contact the radius again and use MAC auth. like the previous time …"

Lol
:D :D
