Mikrotik does not receive incoming messages from radius

I have a freeradius server and my mikrotik device as a hotspot. Authentication and accounting work fine, but when I want to use radclient, it does not work.

How can I troubleshoot this? I tested a few other port numbers as well as 3779, but it did not work.



# echo 'User-Name=test1' | radclient -x x.x.x.x:31340 status somesecret
Sending Status-Server of id 162 to x.x.x.x port 31340
        User-Name = "test1"
Sending Status-Server of id 162 to x.x.x.x port 31340
        User-Name = "test1"
Sending Status-Server of id 162 to x.x.x.x port 31340
        User-Name = "test1"
radclient: no response from server for ID 162 socket 3



[admin@HOTSPOT] > radius incoming print
  accept: yes
    port: 31340

I don’t use radclient, but I can maybe help you get started troubleshooting this. Have you enabled radius logging in the router? This enables logging.
/system logging
add topic=radius action=memory

Try radclient again and see what the log in the router says about it.
Nothing in the firewall filter rules that would block this, is there?

Yes, logging is enabled, and the only logs I see are for accounting request and response:

17:33:32 radius,debug,packet sending Accounting-Request with id 9 to x.x.x.x:1813
...
17:33:32 radius,debug,packet received Accounting-Response with id 9 from x.x.x.x:1813
17:33:32 radius,debug,packet     Signature = 0x154cff257cc9b8009cd6815ed7a56f04
17:33:32 radius,debug received reply for 3f:30
17:33:32 radius,debug request 3f:30 processed

I noticed in the radclient docs that it is a radius client program designed to communicate with a radius server. The router is a radius client. Could that be the problem?
http://wiki.freeradius.org/Radclient

I don’t think the Mikrotik RADIUS client supports status messages. It only implements Disconnect-Messages and CoA.

Last time I tried I couldn’t make CoA work with the FreeRADIUS radclient from the 2.x tree, only 1.x would work.

Yes, it seems you are right. I found this in another thread:

Only HotSpot supports Radius incoming (CoA and Disconnect requests) at the time. PPP does not.

http://forum.mikrotik.com/t/problem-with-disconnect-radius-user-from-radclient/29612/1

Now I am trying to send a disconnect command to Mikrotik. This time Mikrotik says:

 18:30:56 radius,debug received remote request 46 code=Disconnect-Request from y.y.y.y:54728
 18:30:56 radius,debug sending Disconnect-NAK to remote request 46
 18:30:56 radius,debug,packet sending Disconnect-NAK with id 218 to y.y.y.y:54728
 18:30:56 radius,debug,packet     Signature = 0xa11b6a474ad3ef7a26f6b79e6847a9a4
 18:30:56 radius,debug,packet     Error-Cause = 406
 18:30:56 radius,debug,packet     NAS-Identifier = "Port10"
 18:30:56 radius,debug,packet     NAS-IP-Address = x.x.x.x

And the hotspot error info debug in MT says:

radius disconnect with no ip provided

And radclient says:

 echo 'User-Name=taghi' | radclient -x x.x.x.x:3799 disconnect secret
Sending Disconnect-Request of id 144 to x.x.x.x port 3799
        User-Name = "taghi"
rad_recv: Disconnect-NAK packet from host x.x.x.x port 3799, id=144, length=40
rad_verify: Received Disconnect-NAK packet from client x.x.x.x port 3799 with invalid signature (err=2)!  (Shared secret is incorrect.)
radclient: no response from server for ID 144 socket 3

It appears the shared secret is incorrect. At least radclient thinks so.

FWIW, I use it to disconnect stale sessions on a VPN when they try to reconnect. Works fine. In my case, because the radius server has multiple IPs, I had to add another radius server in the MT with nothing checked (no login, hotspot, anything) with the ip and secret that radclient is coming from.
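
The "invalid signature" check that radclient reports in the thread above, sketched as an added example (not code from any poster, FreeRADIUS or MikroTik): it follows the RFC 5176 authenticator rules and shows that a reply signed with one secret fails verification under another. Both secrets and the NAS address are constructed; the NAK attributes mirror the 40-byte reply in the log.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_NAK = 40, 42             # RFC 5176 packet codes
USER_NAME, NAS_IP, NAS_ID, ERROR_CAUSE = 1, 4, 32, 101  # attribute types

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(ident, secret, attrs):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def build_reply(code, request, secret, attrs):
    """NAS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_reply(reply, request, secret):
    """Client side: recompute the Response Authenticator with the local secret."""
    if len(reply) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def demo():
    """Constructed exchange in which the NAS and the client hold different secrets."""
    nas_secret, client_secret = b"nas-side-secret", b"client-side-secret"
    # This sketch does not model the NAS checking the Request Authenticator.
    request = build_request(144, client_secret, attr(USER_NAME, b"taghi"))
    nak_attrs = (attr(ERROR_CAUSE, struct.pack("!I", 406))
                 + attr(NAS_ID, b"Port10")
                 + attr(NAS_IP, bytes([192, 0, 2, 1])))  # constructed address
    reply = build_reply(DISCONNECT_NAK, request, nas_secret, nak_attrs)
    return (len(reply),
            verify_reply(reply, request, client_secret),  # mismatched secret
            verify_reply(reply, request, nas_secret))     # matching secret

if __name__ == "__main__":
    print(demo())
```
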