API Hotspot Login with multiple RADIUS

Hi, I’m having trouble logging in users to the hotspot which has 3 RADIUS servers, two remote and one local.

With my application, I create users in the local RADIUS and then try to authenticate (via ip hotspot active login) them in the hotspot. The command always returns the Code 100 error (not found in RADIUS server). It seems that the login requests do not reach the correct RADIUS, as the status does not reflect any request, neither accepted nor rejected.

I have also tried to use the domain approach (creating users with username@domain in the local RADIUS, activating the Split user domain in the hotspot configuration and defining the domain in the local RADIUS configuration) but it didn’t work anyway.

Can someone help me?

Thanks in advance.

If you have more than one RADIUS server defined in the configuration, LACs will always try to authenticate to the first in the list. Only if the RADIUS request times out will it attempt the next server. So, you need to make sure that the server you are querying is the one you need to test against.

Do you have any more information as to the process you are trying and wanting?

Thanks for your reply. I add some configuration details:

RouterOS version: 6.38.1

Hotspot Server Profile

name="hsprof1" hotspot-address=10.5.50.1 dns-name="info.wifi" html-directory=hotspot html-directory-override="" rate-limit="" http-proxy=0.0.0.0:0 
     smtp-server=0.0.0.0 login-by=mac,http-chap,https,http-pap,mac-cookie mac-auth-mode=mac-as-username mac-auth-password="" ssl-certificate=none 
     split-user-domain=yes use-radius=yes radius-accounting=yes radius-interim-update=received nas-port-type=wireless-802.11 radius-default-domain="default" 
     radius-location-id="" radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX

Radius configured in the router

 #   SERVICE   CALLED-ID   DOMAIN     ADDRESS
 0   hotspot               default    aaa.bbb.ccc.ddd    <- remote radius 1
 1   hotspot               default    eee.fff.111.222    <- remote radius 2
 2   hotspot               mydomain   127.0.0.1          <- local radius

The users I create in the local radius look like this:

customer=admin actual-profile="unlimited 30d" username="USERCP58VUZ" password="58adb62045d1a" shared-users=1 wireless-psk="" wireless-enc-key="" 
       wireless-enc-algo=none last-seen=never

Finally, I use this code to login the user in the hotspot through an API command:

$usr = "USERCP58VUZ@mydomain";
$pwd = "58adb62045d1a";
$arp_ip = 'CLIENT_IP'; // placeholder: the IP this user's MAC address has been assigned in the ARP table
$login_rq = new RouterOSRequest('/ip/hotspot/active/login');
$login_rq->setArgument('ip', $arp_ip);
$login_rq->setArgument('user', $usr);
$login_rq->setArgument('password', $pwd);

$res = $mikrotik->sendSync($login_rq);

The response to the previous API call is an error code 100, and the number of requests (accepted, rejected or timed out) in the local radius does not change.

In another router with a similar configuration introducing USERCP58VUZ@mydomain as username and 58adb62045d1a as password results in a successful login, i.e. in the correct radius server, so maybe the API call is not correctly formatted, maybe the domain must be in another argument but I have found no documentation supporting this theory.

Thanks for the help!

I’ve never even attempted to use the “login” command with a RADIUS server in the mix, but I see that there is a separate argument called “domain”. Maybe try to specify the domain there?

So either

$usr = "USERCP58VUZ";
$domain = "mydomain";
$pwd = "58adb62045d1a";
$arp_ip = 'CLIENT_IP'; // placeholder: the IP this user's MAC address has been assigned in the ARP table
$login_rq = new RouterOSRequest('/ip/hotspot/active/login');
$login_rq->setArgument('ip', $arp_ip);
$login_rq->setArgument('user', $usr);
$login_rq->setArgument('domain', $domain);
$login_rq->setArgument('password', $pwd);

or perhaps

$usr = "USERCP58VUZ@mydomain";
$domain = "mydomain";
$pwd = "58adb62045d1a";
$arp_ip = 'CLIENT_IP'; // placeholder: the IP this user's MAC address has been assigned in the ARP table
$login_rq = new RouterOSRequest('/ip/hotspot/active/login');
$login_rq->setArgument('ip', $arp_ip);
$login_rq->setArgument('user', $usr);
$login_rq->setArgument('domain', $domain);
$login_rq->setArgument('password', $pwd);
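
The two variants suggested above, written out as the raw API words a client library would send. This is an added example and not part of the original posts or of any client library; the helper names and the client IP 10.5.50.20 are assumptions made for illustration, and the `domain` argument is the one named in the reply above.

```php
<?php
// Added example (not from the thread): raw RouterOS API sentence for
// /ip/hotspot/active/login with the domain sent as its own argument.

// RouterOS API words carry a 1- to 5-byte length prefix.
function encodeLength(int $len): string
{
    if ($len < 0x80)       return chr($len);
    if ($len < 0x4000)     return pack('n', $len | 0x8000);
    if ($len < 0x200000)   return substr(pack('N', $len | 0xC00000), 1);
    if ($len < 0x10000000) return pack('N', $len | 0xE0000000);
    return chr(0xF0) . pack('N', $len);
}

function encodeSentence(array $words): string
{
    $out = '';
    foreach ($words as $word) {
        $out .= encodeLength(strlen($word)) . $word;
    }
    return $out . "\0"; // a zero-length word terminates the sentence
}

// $keepDomainInUser = false -> first variant in the thread (user without @domain)
// $keepDomainInUser = true  -> second variant (user keeps @domain)
function hotspotLoginWords(string $login, string $password, string $ip,
                           bool $keepDomainInUser = false): array
{
    $at = strrpos($login, '@');
    if ($at === false || $at === 0 || $at === strlen($login) - 1) {
        throw new InvalidArgumentException('expected user@domain');
    }
    return [
        '/ip/hotspot/active/login',
        '=ip=' . $ip,
        '=user=' . ($keepDomainInUser ? $login : substr($login, 0, $at)),
        '=domain=' . substr($login, $at + 1),
        '=password=' . $password,
    ];
}

// Constructed client IP; username and password are the ones quoted in the thread.
$words = hotspotLoginWords('USERCP58VUZ@mydomain', '58adb62045d1a', '10.5.50.20');
foreach ($words as $word) {
    // Mask the secret when logging the request.
    echo preg_replace('/^(=password=).*/s', '$1***', $word), "\n";
}
echo strlen(encodeSentence($words)), " bytes on the wire\n";
```

The password travels as a plain attribute word inside the sentence, so the connection carrying it should be the TLS API service (api-ssl) rather than the unencrypted one.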

Thanks, that seemed to work; it now authenticates to the right radius server. Thanks.

For future reference’s sake… Which one of the two?