DHCP+Radius fun

We set up a Radius server that responds to the Mikrotik DHCP server. If the mac is not in the “allowed” list on the Radius server, it responds with a different ip pool. The allowed mac addresses get a bandwidth limit for dynamic queueing and the “unauthorized” devices get redirected to a web page to contact support. This portion seems to work flawlessly.

There are 2 main issues:

The DHCP server is not respecting the shorter lease time of the unauthorized leases. I am sending radius attribute 27 (Session-Timeout) with a value of 60. I expect this would change the lease time to 60 seconds.

The DHCP server doesn’t seem to be sending Radius requests on the leases renewing. When an unauthorized device requests to renew the ip, it gets the same ip, even if it is now in the “allowed” list, and the Radius counters in the mikrotik do not change. Is there a way to force the Mikrotik DHCP server to send Radius requests even if the leases are renewing?

Any ideas?

I’m battling essentially this same situation. I have verified that if I release the IP and then renew, the IP pool changes based on whether or not the account is enabled. But if the DHCP lease is not released and the account is changed to disabled, DHCP renewals don’t change pools. I’m running on v6.42.6.

In case anyone has this problem, my solution was to send the Session-Timeout as a uint32 instead of a string. This also seems to have solved the problem of lease renewals re-authenticating.
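
The difference between the two encodings mentioned in the last post, shown at the byte level as an added example that is not part of the original thread: RFC 2865 defines attribute 27 (Session-Timeout) as a 4-byte integer in network byte order, so a value sent as the text "60" has the wrong length. The function names are hypothetical, and `check_session_timeout` is a strict check written for illustration, not a description of how RouterOS parses the reply.

```python
import struct

SESSION_TIMEOUT = 27  # RFC 2865 section 5.27, value type "integer"

def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def session_timeout_uint32(seconds):
    """Form the thread reports as working: 4-byte unsigned integer, big-endian."""
    return encode_attr(SESSION_TIMEOUT, struct.pack("!I", seconds))

def session_timeout_string(seconds):
    """Form the thread reports as failing: the ASCII digits of the number."""
    return encode_attr(SESSION_TIMEOUT, str(seconds).encode("ascii"))

def parse_attrs(blob):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs

def check_session_timeout(blob):
    """Return the timeout in seconds, None if absent, or raise if malformed."""
    for attr_type, value in parse_attrs(blob):
        if attr_type == SESSION_TIMEOUT:
            if len(value) != 4:
                raise ValueError(
                    f"Session-Timeout is {len(value)} bytes, expected 4: {value!r}")
            return struct.unpack("!I", value)[0]
    return None

if __name__ == "__main__":
    # Constructed sample values: a 60-second timeout in both encodings.
    print("uint32:", session_timeout_uint32(60).hex())
    print("string:", session_timeout_string(60).hex())
    print("parsed:", check_session_timeout(session_timeout_uint32(60)))
```

Comparing these bytes against the Session-Timeout attribute in a packet capture of the Access-Accept shows which form the RADIUS server is actually sending.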