Hotspot Problems with Mac Authentication

I have a few hotspot problems and unfortunately it’s forcing me to not use Hotspot until I can get it fixed. Here are the two problems. One of them I’ve sent in to Mikrotik but they unfortunately ignored my support request. I’ll be more than happy to send it in again if they happen to see this thread.

Problem One :

I use mac authentication against a Freeradius server for my clients. My clients are mostly fixed wireless (we use the hotspot for easy bandwidth management and account access) and connect using Wireless Bridges to the Mikrotik or via a third party AP/Client which connect via Ethernet. Initial authorization works just fine, as it should, creates queues, etc. However if they idle time-out, there are cases where they are unable to login again via mac authentication and they are given the login page.

The logs vary in what they say the problem is (not helpful, I know). They usually say that the Radius server rejects their login, but sometimes it just says that it couldn’t contact the radius server.

These are occurring on current accounts, and all I ever need to do is remove them from the host list and they will immediately authenticate correctly, without fail. Always. So I know that the router IS able to communicate with the Radius server, and that the radius server is giving them correct data. This only happens with Mac authenticated clients. The other login methods appear to work just fine.

Problem Two :

In hotspot, where the hosts show up, I am starting to get a few selected clients who are showing up with an IP that is their private/local IP on their network behind their router. I do not use NAT or Masquerading and all my clients have Public IPs. This causes problems with authentication and passing traffic because often in Hotspot, it will authenticate their Private IP address to their correct MAC and they can’t surf.

I’ve tried setting the shared users to a higher number (such as 5); however that only fixes the multiple authentications issue, and clients often still do not pass traffic. This only occurs with clients who use routers.

I understand that this may be an isolated problem with their routers (since they shouldn’t be passing their local traffic onto my network with a router) but most of these clients aren’t willing to buy a MT or higher quality router.

Perhaps I should use a firewall rule to plot common router IP subnets off, preventing them from appearing as the host on my hotspot?

MT, I have done a supout on an affected router so I’d be ecstatic if I could get you to look at it for me.

Thx

I am also seeing the same problem. I have yet to identify why some of the clients become de-authorized, but then do not re-send authentication because they are already in the Hosts list on the Mikrotik.

Is there a way to have people automatically kicked from the hosts lists every few minutes if they’re not authorized, in order for them to send a complete authorization request to the radius server?

Thanks
-Keith-

Seccour

  1. Please provide the complete log errors when users are unable to authenticate in HotSpot+RADIUS.

  2. The problem lies with the routers used; however, HotSpot should translate them to the correct address when Universal Client is enabled.
    Could you check the HotSpot logs when they are unable to send any data?

reliableComputer
Since you are using MAC-address authentication, the user is not participating in HotSpot authorization directly; HotSpot checks for the MAC address and, if it matches, authorizes the user by itself.

Seccour

  1. Please provide the complete log errors when users are unable to authenticate in HotSpot+RADIUS.

I’ve since disabled the hotspot (clients were getting way too mad at me). I’ll dig up the info and paste it here. I also have a supout I should be able to send. I’ve not tried the hotspot since 2.9.40 was released, but I made enough clients mad at me. I’ll try and duplicate the problem in the lab so I can give you as much info as possible. I’d love to have hotspot working for me again in this manner.


  2. The problem lies with the routers used; however, HotSpot should translate them to the correct address when Universal Client is enabled.
    Could you check the HotSpot logs when they are unable to send any data?

I do not use universal client as we had some gamers and VPN users who broke when we used it.

The logs didn’t show any additional information other than the original authentication (either the one that should work, or the other that authenticated via the bad IP/MAC).

I’ll try and get my lab to give me the same results I was experiencing.

Thanks for the reply on this!

#1) You probably are missing the Auth-Type := Check attribute for your radius user with login value of . Because MT doesn’t send in a password, you need to tell radius to authorize them. I suggest doing this at a group level, so it’s easy to de-authorize them if they don’t pay.

#2) This is probably due to the router. Some seem to “leak” out the internal IP address. My suggestion would be to DHCP them addresses, and simply take the MAC address of their router or outermost device and use the IP Binding feature of the hotspot under the hosts menu. You can then force the MAC to get the correct address, rather than relying on what comes from them.

-Keith-
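As an added example, not code from this thread or from MikroTik: a small Python audit that applies the suggestion above (pin each MAC to its leased address) together with the earlier idea of treating common router LAN subnets as suspect. It runs over a constructed hotspot host list and DHCP lease table, flags hosts whose address is an RFC1918 leak or disagrees with their lease, and emits the RouterOS commands that would drop the stale host entry and add an IP binding. The sample MACs/addresses and the exact command syntax are assumptions to check against your RouterOS version.

```python
import ipaddress

# RFC1918 ranges, the "common router IP subnets" a leaked LAN address would fall in.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of what a hotspot host list might contain (mac, ip).
# 203.0.113.0/24 is a documentation range standing in for the WISP's public block.
HOTSPOT_HOSTS = [
    ("00:11:22:33:44:55", "203.0.113.10"),  # healthy: matches its lease
    ("00:11:22:33:44:66", "192.168.1.1"),   # customer router's LAN side leaked onto the link
    ("00:11:22:33:44:77", "203.0.113.30"),  # address differs from the lease for this MAC
    ("00:11:22:33:44:88", "203.0.113.40"),  # no lease at all for this MAC
]

# Constructed DHCP lease table: mac -> assigned address.
DHCP_LEASES = {
    "00:11:22:33:44:55": "203.0.113.10",
    "00:11:22:33:44:66": "203.0.113.20",
    "00:11:22:33:44:77": "203.0.113.31",
}


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_hosts(hosts, leases):
    """Return (mac, host_ip, lease_ip, reason) for every host entry that looks wrong."""
    findings = []
    for mac, ip in hosts:
        lease = leases.get(mac)
        if is_rfc1918(ip):
            reason = "private address leaked from customer LAN"
        elif lease is None:
            reason = "no DHCP lease for this MAC"
        elif lease != ip:
            reason = "host address differs from its lease"
        else:
            continue
        findings.append((mac, ip, lease, reason))
    return findings


def binding_commands(findings):
    """RouterOS commands (assumed syntax) to clear the bad host and pin the MAC to its lease."""
    cmds = []
    for mac, ip, lease, reason in findings:
        cmds.append(f"/ip hotspot host remove [find mac-address={mac}]  # {reason}: {ip}")
        if lease:  # only bind when we actually know the correct address
            cmds.append(f"/ip hotspot ip-binding add mac-address={mac} address={lease} type=regular")
    return cmds
```

Run `print("\n".join(binding_commands(audit_hosts(HOTSPOT_HOSTS, DHCP_LEASES))))` to see the three flagged hosts and their five commands; a MAC with no lease only gets the removal, never a guessed binding.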

Nope, I’m not missing that.

#1) Users authenticate just fine, if you read my first message again you will see that they authenticate the first time fine, but if they Idle out then some of them aren’t able to reauthenticate without removing them from the host list in the hotspot on the MT.

#2) We are using DHCP already. The problem is occurring when it appears that their internal IP (which shows up on their correct external MAC) shows up and it will authenticate correctly, because of mac authentication. When this happens the MT starts to not want to see the real IP and, like the first, sometimes if we just remove them from the host list then the MT will suddenly show the correct IP/mac combo and they work okay. I’m trying to avoid any static configs on these to reduce how much maintenance and little things need to be attended to. I’ve yet to try the new version 2.9.40 as I had to drop hotspot because I was making too many clients upset. I already know that ultimately it’s their router that is leaking their local traffic onto my network, but good luck convincing linksys to fix their routers :wink:

Do you think setting my ARP to reply-only would work, though it kills the whole dynamic of the system as those rare clients who can’t do DHCP for whatever reason then need to be statically added into the ARP table?

@Seccour, did you find a solution for your problem of mac authentication? I have the same problem, with rb2011uias all updated (firmware and packages).

I too am having this exact issue. I use all static IP addresses. Same setup, free radius and MT cloud core router as hotspot. Has worked perfectly for 7 years and is suddenly doing the same thing. There are like 12 customers out of 200 that keep doing it. Same issue you described - leaking internal IP addresses show up and the customer gets the hotspot logon screen. I can find no common denominator in the customers. Most are using UBNT CPE, but different models and firmware. I’ve got neighbors with identical equipment. It happens to one and not the other?

Anyone find the cause?