Using DHCP-Server with Radius we can make it so only authenticated MAC addresses can get a DHCP lease. All non-authenticated MAC addresses cannot get an IP.
Is there a way to make it so authenticated users grab a lease from “pool1”, and non-authenticated users grab from “pool2”?
This way we can have a sign-up screen or some other notification for non-authenticated users.
Non-authenticated users will not get any IP. There is no way to change that.
But instead of sending Access-Reject, Radius server can send Access-Accept with Framed-Pool = “pool2”.
Set DHCP Server to use pool-2. Lease Timeout something short like 240.
Set Radius to send DEFAULT Access-Accept on failure. Send no other default responses.
On Radius success, have Radius send Framed-Pool=pool-1, Session-Timeout = 1200 (or something longer).
This will send to pool-1 on success, pool-2 on failure. The only issue now with this configuration is that the client likes to keep the same IP number. So if the client was on pool-2, then you authenticate them, they don't like to grab the new number from pool-1. Usually a restart or something like that will clear it up and make them grab from pool-1.
I am now experimenting with a single pool pool-1, but using Queues to block access. Set a default Queue that can pass (almost) no traffic 100bits/100bits. On success, have Radius send a Rate-Limit of 5M/5M that overrides the default queue. This looks promising.
Another problem with DHCP-Radius as opposed to Hotspot-Radius is that with DHCP-Radius we cannot get the user’s MAC address programmatically into the signup pages. With hotspot, we have the MAC variable on the HTML pages. With DHCP-Radius, the Radius server knows the MAC, but the web page does not.
It would be nice if we could go to the IP address of the MikroTik and have it show the current MAC address to the user. Such as: