Hello,
I use Mikrotik with RouterOS 6.34.3 and some 951Ui-2HnD routers for testing.
My setup includes a freeradius server with the MySQL extension enabled. The radius server should manage all client sessions on my Mikrotik devices.
Already working
Well, my Mikrotik router uses the hotspot already and the radius is enabled as well as the walled garden IPs. Now if a new client connects to the hotspot, he will be redirected to an external website that asks the user to agree to some terms and conditions. When the user has successfully agreed, the website script enables the user in the radius database.
For compatibility reasons I need to use MAC authentication as username. The MAC auth. password is set in the router admin backend.
My problem
My Mikrotik routers check the radius database only when the client sends the first packet. If the client already exists as a valid user in the radius database, he is immediately able to use the internet access without any problem.
But if he has to agree to the terms first, the Mikrotik router is checking the radius after he has received the first packet. Now the user is not valid because he has to agree to the terms first, so the radius rejects the login request – so far this is perfectly fine.
Let's go a step further: the user has meanwhile accepted the terms and conditions and owns a valid radius db entry. But Mikrotik is not going to check the radius again as long as the user is listed as a host in the RouterOS backend.
Same problem the other way round. If I delete a user in the radius database, Mikrotik keeps the user active as long as he did not disconnect himself for the idle time.
Can you tell me what I did wrong here? How can I force the Mikrotik device to check the radius server continuously if a user got activated or deleted, and also get correct session counting on the radius?
Meanwhile I did a workaround by activating PAP authentication together with MAC authentication and calling the login script on the router with the MAC as username and the previously set MAC auth. password. That will force the router to immediately check the radius again if the user is valid. This helps to get a login in time but it's still a dirty solution, because I need to share the password with the client and it only works at login time. Logout (disabled users) still causes headaches.
Maybe you can help me with this problem. To cut my long story short: I just need help getting Mikrotik to continuously check the radius for new or deleted users, not only after the first packets.
Thank you