Hotspot with Radius - ERR_CONNECTION_TIMED_OUT

RouterOS General
1

Dear Forum,

I’m new to RouterOS, tried to setup a Hotspot Server with RADIUS authentication on my Mikrotik Router at my school. I have a server with dhcp, dns, proxy, radius etc services, i placed my Mikrotik Router between the server and the switches, and setup Hotspot Server on it. I use MAC authentiocation for the teachers desktops and laptops. For the students phones with unregistered MAC addresses, they can have internet access after logging in to the Hotspot server.

The problem: Tried to test my the system, i connected to WIFI with my phone, default login page comes up. I enter the correct username, password, the login is succes, but after the login, it looks like it cannot continue, after a while, the following error comes up:

http://connectivitycheck.gstatic.com/generate_204
ERR_CONNECTION_TIMED_OUT

/ip firewall filter

Flags: X - disabled, I - invalid, D - dynamic 
 0  D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!

 1  D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,

 2  D chain=input action=jump jump-target=hs-input hotspot=from-client 

 3  D chain=input action=drop protocol=tcp hotspot=!from-client 
      dst-port=64872-64875 

 4  D chain=hs-input action=jump jump-target=pre-hs-input 

 5  D chain=hs-input action=accept protocol=udp dst-port=64872 

 6  D chain=hs-input action=accept protocol=tcp dst-port=64872-64875 

 7  D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth 

 8  D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp 

 9  D chain=hs-unauth action=reject reject-with=icmp-net-prohibited 

10  D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited

/ip firewall nat

Flags: X - disabled, I - invalid, D - dynamic 
 0  D chain=dstnat action=jump jump-target=hotspot hotspot=from-client 

 1  D chain=hotspot action=jump jump-target=pre-hotspot 

 2  D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53 

 3  D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53 

 4  D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80 

 5  D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=44>

 6  D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth 

 7  D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth 

 8  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80 

 9  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128 

10  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080
2

Hi,

post configuration from hotspot ( server, profiles, etc) and post from logs the address assignment process.

Check this post, maybe you have the same issue:
http://forum.mikrotik.com/t/hotspot-radius-problems-with-user-profile/112246/1

3

Hey!

Sorry for the late reply

# oct/09/2017 08:38:12 by RouterOS 6.35.4
# software id = RZGA-CVCP
#
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot login-by=\
    http-chap,https,http-pap use-radius=yes
add hotspot-address=172.16.7.2 html-directory=flash/hotspot login-by
    name=hsprof1 use-radius=yes
/ip hotspot
add address-pool=pool interface=bridge1 name=hotspot1 profile=hsprof
/ip hotspot ip-binding
add address=172.16.0.0/24 type=bypassed
add address=172.16.1.0/24
add address=172.16.2.0/24 type=bypassed
add address=172.16.3.0/24 type=bypassed
add address=172.16.4.0/24 type=bypassed
add address=172.16.5.0/24 type=bypassed
add address=172.16.6.0/24 type=bypassed
add address=172.16.7.0-172.16.7.4 type=bypassed
add address=172.16.7.5-172.16.7.254
add address=172.16.8.0/24 type=bypassed
/ip hotspot user
add name=test password=test
/ip hotspot walled-garden
add dst-port=67
add dst-port=68

edit:
i have a server with dhcp server service, i configured it to only add IP-s to MAC authenticated users (for devices like teachers desktops, laptops etc). I have a dhcp server on the Mikrotik device too, i tried to configure it to only give addresses for none “registered” devices (IP pool: 172.16.7.5-172.16.7.254). With the Hotspot disabled, connected devices can access the internet, everything seems to work fine. If i enable the Hospot on the Mikrotik device, i got to log in with the login page. The login seems succesfull (from the logs), but i think, the device has no internet connection after logging in, thats why it has this “ERR_CONNECTION_TIMED_OUT”.

08:33:44 dhcp,info dhcp1 assigned 172.16.7.254 to D8:C4:6A:D7:BF:B8 
08:34:08 hotspot,info,debug test (172.16.7.254): trying to log in by http-chap 
08:34:08 hotspot,account,info,debug test (172.16.7.254): logged in