Mikrotik-Rate-Limit attribute

promind · December 7, 2007, 10:59am

Hi all,
I have my own version of freeradius plugin and added mikrotik-rate-limit attribute to it.
How to configure the PPPoE server under mikrotik to bring up dynamic queue?

sergejs · December 7, 2007, 12:08pm

You have to enable RADIUS client for PPP,
http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_radius.php
Then if you have correct RADIUS server configuration, router should set dynamic queue from received attribute.

promind · December 7, 2007, 12:43pm

I’ve done that, but still no luck

sergejs · December 7, 2007, 12:49pm

You have to ensure that local PPP database is not configured (not used).
As firstly local PPP data (ppp secret) is checked and only then RADIUS server is consulted.

promind · December 7, 2007, 12:54pm

using radius server as primary , local database is untouched.
but I cannot figure if user is receiving the Mikrotik-Rate-Limit attribute at all…
when I do radiusd -X I see pair extra add PW_MIKROTIK_RATE_LIMIT → so it should be sent when the user tries to connect to the mikrotik’s PPPoE server.

sergejs · December 7, 2007, 1:28pm

Enable ‘radius,debug’ logs as ‘system logging’.
Post the snip from logs, when user is authorizing.

promind · December 7, 2007, 2:28pm

radius_xlat: ‘’
rlm_nibs (nibs_fill_user): end for user promind' ------------ rlm_nibs (nibs_add_attrs): begin for user promind’ ------------
rlm_nibs (nibs_add_attrs): add PW_PASSWORD
rlm_nibs (nibs_add_attrs): add PW_SESSION_TIMEOUT
rlm_nibs (nibs_add_attrs): add PW_PORT_LIMIT
rlm_nibs (nibs_add_attrs): add all other params
rlm_nibs (nibs_add_attrs): add PW_POOL_NAME
rlm_nibs (nibs_add_attrs): add PW_MIKROTIK_RATE_LIMIT
rlm_nibs (nibs_add_attrs): end for user `promind’ ------------
modcall[authorize]: module “nibs” returns ok for request 60
rlm_mschap: Found MS-CHAP attributes. Setting ‘Auth-Type = mschap’
modcall[authorize]: module “mschap” returns ok for request 60
modcall[authorize]: module “chap” returns noop for request 60
modcall: leaving group authorize (returns ok) for request 60
rad_check_password: Found Auth-Type MS-CHAP
auth: type “MS-CHAP”
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 60
rlm_mschap: Told to do MS-CHAPv2 for promind with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module “mschap” returns ok for request 60
modcall: leaving group MS-CHAP (returns ok) for request 60
Login OK: [promind] (from client test port 15 cli 00:19:DB:D6:20:CE)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 60
modcall[post-auth]: module “main_pool” returns noop for request 60
rlm_ippool: Searching for an entry for nas/port: 212.73.134.253/15
rlm_ippool: Allocating ip to nas/port: 212.73.134.253/15
rlm_ippool: num: 1
rlm_ippool: Allocated ip 87.121.2.200 to client on nas 212.73.134.253,port 15
modcall[post-auth]: module “ospf_pool1” returns ok for request 60

No Mikrotik-Rate-Limit can be seen in radius debug

promind · December 7, 2007, 3:03pm

Fri Dec 7 16:08:44 2007
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 14
NAS-Port-Type = Ethernet
User-Name = “promind”
Calling-Station-Id = “00:19:DB:D6:20:CE”
Called-Station-Id = “elitsat”
NAS-Port-Id = “ether1”
Acct-Session-Id = “81000000”
Framed-IP-Address = 87.121.2.157
Framed-IP-Netmask = 255.255.255.128
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Identifier = “test”
NAS-IP-Address = 212.73.134.253
Acct-Delay-Time = 0
Client-IP-Address = 212.73.134.253
Acct-Unique-Session-Id = “a3d726b6516d46cb”
Timestamp = 1197036524
Fri Dec 7 16:09:44 2007
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 14
NAS-Port-Type = Ethernet
User-Name = “promind”
Calling-Station-Id = “00:19:DB:D6:20:CE”
Called-Station-Id = “elitsat”
NAS-Port-Id = “ether1”
Acct-Session-Id = “81000000”
Framed-IP-Address = 87.121.2.157
Framed-IP-Netmask = 255.255.255.128
Acct-Authentic = RADIUS
Acct-Session-Time = 60
Acct-Input-Octets = 26244
Acct-Input-Gigawords = 0
Acct-Input-Packets = 228
Acct-Output-Octets = 104
Acct-Output-Gigawords = 0
Acct-Output-Packets = 8
Acct-Status-Type = Interim-Update

savage · December 7, 2007, 7:37pm

Firstly, you didn’t post the entire debug output of radiusd -X (Radius will show you the exact contents of the packet sent back to the MT after authentication).

Secondly, don’t bother with accounting stuff… You problem happens before accounting and therefore accounting is irralevent

Thirdly, I have no idea what this custom module of yours is (I presume, rlm_nibs?), but I am 99% confident that the problem lies in your custom plugin rather than in the Radius Server, or the MT Software. MT-Rate-limit does work, thousands of people use it every single day.

promind · December 8, 2007, 8:37pm

rlm_nibs (nibs_add_attrs): add PW_MIKROTIK_RATE_LIMIT
that was my mistake.
I fixed it using PW_TYPE_STRING_PTR