Mikrotik radius client behind nat

makkan · November 19, 2010, 7:21pm

Hi,

I am facing a problem where I have a radius server and many mikrotik radius clients for hotspot.
The problem is that these MT radius clients are behind a NAT translation so when they authenticate the radius server catches the local ip (nas-ip-address).
Is there any way of solving this? For example by using the /radius set src-address=public ip?

The result is that even if a user has 30min limited online time he can stay online forever since that information obviously isn’t included in the authentication process so that the MT can disconnect the client.

Any help would be appriciated!

Marcus

SurferTim · November 19, 2010, 7:32pm

Are you using NTP to keep the date/time accurate in all routers?
Check “/system ntp client” and “/system clock”.

xxiii · November 19, 2010, 8:27pm

Somewhat confused. radius reply packets can include a session time limit, and this would be part of the authentication process. This would usually be based on the username used to authenticate with. Its then up to the radius client to disconnect the session when the time arrives. Radius authentication requests also contain the IP address of the radius client (independent of any NATting that may have happened to it, unless (possibly) the NATting is happening on the same device).

I guess i’m not clear on what problem you are having. Are you trying to assign a session limit based on the IP address the request is coming from?

makkan · November 19, 2010, 9:51pm

Well, Im not sure what I am doing wrong, but I have set online time per say to 30sec bit i can still browse for 2-3min or more.
I were also Roos that the client will receive the time limit and disconnect the user.

About the ip, the radius server receives 192.168.1.1 (MT local ip) and i also think thats the ip it Will use when sending death messages etc.

what I want to do is that users should be able to login with username and password, and after that they can use the internet for say 3hours. After that they should be disconnected and counters should be reset every 24 hours.
And the problem is that in the “auth-string” to the radius server, the client is sending it’s local IP so the server can’t contact it since they are communicating over the Internet.

Sorry for being so unclear in the description of my problem.

makkan · March 19, 2011, 12:07am

By using my imagination and some awesome tricks, this was finally solved. NAS is now running fully functional behind NATed router.

halim · March 19, 2011, 4:35am

Hello master, I am new,I have a problem with my wifi network, when I use my vpn can not access other network root. but when I turn off my vpn buffer connected to the network root. please enlightenment. thanks…

makkan · March 22, 2011, 4:30pm

I think you should start a new thread, but anyway, first describe your network and then try to express your problem further.

desertadmin · April 11, 2011, 6:35am

How did you resolve your problem?

You are able to get Radius Auth to work through a double nat’d environment? If so please post your solution. Thanks.

As far as I know you can only do this via a VPN tunnel. If so once again post your solution for the community to see. Thanks.

-Sincerely,
DesertAdmin

SurferTim · April 11, 2011, 11:12am

If you mean RADIUS authentication and accounting, that should be no problem. That is what I use. No VPN.

If you want to send a disconnect message from the radius server to the NAS behind a NAT, that won’t work without a dst-nat or VPN.

I use the public ip that the NAS is translated to as the radius client (router) in the radius server (User Manager) setup.