hotspot login with multiple radius

Hi there,

We have about 30 clients spread hundreds of km from our home town and connected with broadband VSAT.
Most of the clients are installed with hotspot enabled and the radius connected to the localhost (127.0.0.1) usermanager.
Up to this point, everything was working fine.

Today we added a second radius on all of the client routers. Here is the config:
/radius> pr de
Flags: X - disabled
0 service=hotspot called-id="" domain="" address=127.0.0.1 secret="SECRET" authentication-port=1812 accounting-port=1813 timeout=300ms accounting-backup=no realm=""

1 service=login,hotspot called-id="" domain="" address=192.168.180.2 secret="SECRET" authentication-port=1812 accounting-port=1813 timeout=1s accounting-backup=no realm=""

We can log in to all routers via winbox using the username & password on the 192.168.180.2 userman,
BUT we cannot log in from the hotspot portal.

Is there any other config needed to allow us to log in via the hotspot portal using the username & password from the 192.168.180.2 userman?

Paul

Paul, set timeout to 300ms for second RADIUS server too.

Hi sergejs,

The first radius timeout is set to 300 ms.
The second radius timeout is set to 1000 ms because the VSAT latency is min 650 ms and the second radius is in our town.

Run /radius monitor for second radius and find out the average reply timeout.

Hi Sergejs,

This is just my opinion, that it does not have any relation to the reply timeout. The main problem is that the auth process never switches to the second radius.

I just tried to put a realm on the first radius…
realm="test" src-address=192.168.180.2
With this setting I can use my username and password on the 2nd radius server, but all usernames and passwords on the first radius cannot be used.

Paul

realm is used for,

realm (string; Default: ) Explicitly stated realm (user domain), so the users do not have to provide proper ISP domain name in user name

  1. You haven’t told me the timeout you see in radius monitor (a 1 second timeout is usually not too good; it could mess up a few things).

I see your order,

0 service=hotspot called-id="" domain="" address=127.0.0.1 secret="SECRET" authentication-port=1812 accounting-port=1813 timeout=300ms accounting-backup=no realm=""

1 service=login,hotspot called-id="" domain="" address=192.168.180.2 secret="SECRET" authentication-port=1812 accounting-port=1813 timeout=1s accounting-backup=no realm=""

Radius 0 is the first RADIUS server.
HotSpot users are authenticated only via 0; only when server 0 does not respond will server 1 be contacted.

Login should work without realm.

Hi Sergejs,

So, if the username could not be found on the first radius (localhost), it will not look at the second radius,
unless the first radius times out.

Is that correct?

If so, there is no point in me using my username & password from my town (192.168.180.2) at any of the client sites.

Paul

Hi sergejs,

I cannot answer your question about the reply timeout as I am currently not at the client side.

As for realm (my understanding is that it is for user roaming)…
Is there any way for me to use myusername@myradiusintown as the username?
I tried many times but it always fails.

Paul

You can use a domain with the username.

/ip hotspot profile
set X split-user-domain=yes
set X radius-default-domain=myradiushere

Then set one radius server to one domain, and the other to the other domain.

/radius
set X domain=myradiusintown
set Y domain=myradiushere

Then you can use user@myradiusintown. If you don’t use a domain, the radius-default-domain setting will be used. Only the user is sent to each radius server. The domain is not.
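
The server selection discussed in this thread, as a small Python model (an added example, not part of the original posts and not RouterOS code). It assumes exact matching on the domain string and uses constructed accounts; `RadiusServer`, `hotspot_login` and `sample_servers` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass
class RadiusServer:
    address: str
    services: set
    domain: str             # "" = no domain configured, as in the original config
    users: dict             # constructed sample accounts: name -> password
    reachable: bool = True  # False models a request that times out

    def access_request(self, user, password):
        """Return "accept" or "reject"; None stands for no reply before timeout."""
        if not self.reachable:
            return None
        return "accept" if self.users.get(user) == password else "reject"

def hotspot_login(servers, login, password, split_user_domain=False, default_domain=""):
    """Simplified, assumed model of how the hotspot picks a RADIUS server."""
    user, domain = login, ""
    if split_user_domain:
        user, _, domain = login.partition("@")
        domain = domain or default_domain      # radius-default-domain
    for srv in servers:                        # list order = /radius order
        if "hotspot" not in srv.services or srv.domain != domain:
            continue
        reply = srv.access_request(user, password)  # only the user part is sent
        if reply is not None:
            return srv.address, reply          # a reject is final: no fallthrough
    return None, "timeout"

def sample_servers(local_domain="", town_domain=""):
    """Constructed stand-ins for the two servers in the thread."""
    return [
        RadiusServer("127.0.0.1", {"hotspot"}, local_domain, {"guest": "g1"}),
        RadiusServer("192.168.180.2", {"login", "hotspot"}, town_domain, {"paul": "p1"}),
    ]

if __name__ == "__main__":
    # Original config: server 0 answers with a reject, so server 1 is never asked.
    print(hotspot_login(sample_servers(), "paul", "p1"))
    # Domain-based config: each login goes to the server whose domain matches.
    split = sample_servers("myradiushere", "myradiusintown")
    print(hotspot_login(split, "paul@myradiusintown", "p1", True, "myradiushere"))
    print(hotspot_login(split, "guest", "g1", True, "myradiushere"))
```
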

Thx SurferTim,

It works as expected.

With this condition, I can send my staff to client sites without worries about username & password for net access.

Paul

I created a radius server and hotspot but I cannot log in to the hotspot with the userman voucher, please help.