Freeradius Mikrotik Mysql

I want to control the access to my Mikrotik APs. I’m using freeradius to do that. The clients are configured with only SSID and static IP address (no hotspot). I’ve put the mac of every client into the radcheck table

id UserName Attribute op Value ClientName
1 xx:xx:xx:xx:xx:xx Auth-Type = Accept xxx

and the authentication is ok. But when I put Reject as a Value the client remains connected. I have to disconnect it manually so it cannot connect again (delete from the Registration Table of the AP).

How can I manage to have this done automatically? Do I have to configure the database differently?

thanks in advance
Adi

Maybe I don’t understand your setup. What service is using the radius server for authentication? If you could show me “/radius print” from that box, maybe I could help.

[admin@pn-hq] > radius print
Flags: X - disabled

SERVICE CALLED-ID DOMAIN ADDRESS SECRET

0 wireless radius ip xxxx

Have you used radtest on your radius server to see what it is returning?
radtest user password 127.0.0.1 0 radiussecret
Substitute the mac address for the user.
If it returns
rad_recv: Access-accept packet from host 127.0.0.1:1812, id=xxx, length=yyy
from the radius server, it will probably allow a connection.

Sending Access-Request of id 217 to 127.0.0.1 port 1812
User-Name = "xx:xx:xx:xx:xx:xx"
User-Password = "password"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=217, length=20

That response will allow a connection. Something is not set correctly in the RADIUS server. If you remove the mac address from the RADIUS database, does it respond with Access-Reject?

Well, everything works ok when I put accept, but when I put reject the client doesn’t disconnect. I have to delete it manually.

If the RADIUS server returns Access-Accept, the client will be able to connect. You need to work on your RADIUS server until it returns Access-Reject for that mac address.

I don’t use the Auth-Type attribute, but I think it should go in the radreply table maybe??? Just a guess tho…

I don’t mind changing my configuration. All I want to do is wireless authentication, so if you could help me with another configuration I would be glad to try.

You have the hard part down already. :smiley: It is returning Access-Accept for the mac addresses entered in the RADIUS database, and Access-Reject for those not in the database, correct? All you need to figure out is how to get your RADIUS server to return Access-Reject for those in the database that haven’t paid their bill. I will presume that is why you want this working.

Have you tried the Auth-Type attribute in the radreply table yet?

So you’re telling me to put the username=mac, attribute=Auth-Type and Value=reject at the radreply table. What should I put at the radcheck table?

I am not certain about the table, but you have confirmed it does not work in radcheck, correct? If it returns Access-Accept, it is not working. You need to play with your RADIUS tables until radtest returns Access-Reject for that mac address.

ADD: I would try leaving the mac address in radcheck. That way you don’t have to remember it and re-enter it later. I do about the same here, but with the hotspot and a date/time expiration. :smiley:

ADD2: You might want to consider changing the password on the accounts you want to reject. Set the password to “baduser” or something like that. Guaranteed to generate that Access-Reject!

I normally don’t double-post, but I wanted you to see this. The radcheck table is the correct table for the Auth-Type. I just checked it on mine.

I used this in MySQL radius database shell:
insert into radcheck (UserName,Attribute,op,Value) values ('SurferTim','Auth-Type',':=','Reject');

and it rejected me until I removed it. Note the op is a colon and equal sign :=

In mine I’ve put only the equal sign = in the op. I’m going to try it now.

Also check to see that it is the only Auth-Type assigned to that UserName. It uses the first one it comes to…

I tried that but the user remained connected. I had to delete it from the registration table at mikrotik to force him to do another authentication and be rejected.

I think that once the user has been connected it doesn’t request authentication anymore. So the radius has to tell the mikrotik to disconnect that user or it will remain connected. What configuration should be done in mikrotik and in radius to do that?

This command disconnects the user successfully:
echo "User-Name=xx:xx:xx:xx:xx:xx" | radclient -x NasIP:Nasport disconnect secret


Any way to turn this into a script that asks only for the username and sends the same PoD to different NAS?

For example:

send: echo "User-Name=xx:xx:xx:xx:xx:xx" | radclient -x NAS-1:port disconnect secret
if reply: Error-Cause = Session-Context-Not-Found

send: echo "User-Name=xx:xx:xx:xx:xx:xx" | radclient -x NAS-2:port disconnect secret
if reply: rad_recv: Disconnect-ACK packet from host NAS-2:port, id=24, length=36
NAS-Identifier = "MikroTik"
NAS-IP-Address = NAS-2
stop
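The pseudocode above, written out as a working POSIX shell script. This is an added example, not code posted by anyone in the thread. It combines the two pieces the thread arrives at: the radcheck row Auth-Type := Reject (with the op fixed to `:=` and any earlier Auth-Type row removed, since only the first one is honoured), and a Disconnect-Request sent to each NAS in turn until one answers Disconnect-ACK. It assumes `radclient` and the `mysql` client are installed; the NAS addresses, port 3799 (the usual Disconnect/CoA port), the shared secret and the database name are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread): mark a MAC-authenticated client as rejected
# in the FreeRADIUS radcheck table, then send a Disconnect-Request (PoD) to each
# MikroTik NAS until one returns Disconnect-ACK.

NAS_LIST="${NAS_LIST:-192.0.2.1:3799 192.0.2.2:3799}"   # placeholder host:port list
SECRET="${SECRET:-changeme}"                           # placeholder RADIUS secret
DB="${DB:-radius}"                                     # placeholder MySQL database name

# valid_mac MAC: accept only aa:bb:cc:dd:ee:ff, so the value is safe to embed in SQL.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# reject_sql MAC: print the SQL that removes any existing Auth-Type row for the user
# (FreeRADIUS uses the first one it finds) and inserts Auth-Type := Reject.
reject_sql() {
    valid_mac "$1" || return 1
    printf "DELETE FROM radcheck WHERE UserName='%s' AND Attribute='Auth-Type';\n" "$1"
    printf "INSERT INTO radcheck (UserName,Attribute,op,Value) VALUES ('%s','Auth-Type',':=','Reject');\n" "$1"
}

# classify_reply: read radclient output on stdin and print one word:
#   ack      Disconnect-ACK, the NAS dropped the session
#   notfound Disconnect-NAK with Error-Cause Session-Context-Not-Found (user not on this NAS)
#   nak      any other Disconnect-NAK
#   noreply  no answer at all (wrong secret, port blocked, NAS not accepting incoming requests)
classify_reply() {
    reply=$(cat)
    case "$reply" in
        *Disconnect-ACK*)            echo ack ;;
        *Session-Context-Not-Found*) echo notfound ;;
        *Disconnect-NAK*)            echo nak ;;
        *)                           echo noreply ;;
    esac
}

# send_disconnect MAC HOST:PORT: send one PoD and print the classification of the reply.
send_disconnect() {
    user=$1; nas=$2
    # -x prints the reply packet; -r 1 -t 3 means one attempt with a 3 second timeout
    printf 'User-Name = "%s"\n' "$user" \
        | radclient -x -r 1 -t 3 "$nas" disconnect "$SECRET" 2>&1 \
        | classify_reply
}

# disconnect_everywhere MAC: try each NAS in NAS_LIST, stop at the first ACK.
# Returns 0 if some NAS acknowledged, 1 if none did.
disconnect_everywhere() {
    user=$1
    for nas in $NAS_LIST; do
        result=$(send_disconnect "$user" "$nas")
        echo "$nas: $result"
        [ "$result" = ack ] && return 0
    done
    return 1
}

# Usage: ./reject-and-kick.sh xx:xx:xx:xx:xx:xx
if [ -n "$1" ]; then
    if ! valid_mac "$1"; then
        echo "not a MAC address: $1" >&2
        exit 2
    fi
    reject_sql "$1" | mysql "$DB"
    disconnect_everywhere "$1"
fi
```

The database update comes first so that the client is refused if it tries to re-associate after the disconnect. A `noreply` result from every NAS usually means the router is not accepting incoming RADIUS requests at all (on RouterOS that is the `/radius incoming` setting) or the secret does not match, rather than a problem with the user.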

After a little research, I was going to suggest trying
/interface wireless security-profiles
set default radius-mac-authentication=yes

…and if that doesn’t work by itself, try setting
/interface wireless
set wlan1 default-authentication=no

I’ve set that before. It’s a must to make wireless authentications