PPPoE Radius LOGIN REJECT REDIRECT

There is a large percentage of Mikrotik customers that are Internet service providers (ISPs). Many of us have customers that forget to make their payments from time to time. When this happens most ISPs will suspend the customer. This is usually done by having the RADIUS server REJECT requests for authentication. Most ISPs provide authentication to a PPPoE session established on the Mikrotik.

When an end user customer is not able to connect, he or she assumes that the problem is with their equipment at home or at their office. It is human nature to start to figure out why their equipment does not connect; in doing this troubleshooting most will dis-configure their correctly configured setup at home. Eventually the end user will decide to call their ISP to ask for help, when they learn the problem is that they owe money. The customer pays and it still does not work, because the end user dis-configured something in their setup.

I bet if Mikrotik asks their customers they will find out this is a big problem. There are two solutions: change to a CISCO router that has a feature that allows it to authenticate a rejected RADIUS request and redirect the customer to a walled garden, where the end user customer gets informed of the payment problem and is allowed to pay via the ISP's web site. The second option is for the community of ISPs that use Mikrotik to request to have this feature added. I would rather have Mikrotik add this functionality in a not too distant future software release.

I believe a basic request would be to have a way to configure a PPPoE server to be allowed to authorize (override) REJECTED RADIUS requests, with a special pool of IP addresses that belong to a walled garden. I am open to suggestions.

thanks

Carlo Marazzi

You can already do what you want today, without direct support in RouterOS of allowing for tunnels to be built when the NAS receives Access Reject from RADIUS.

Just configure your RADIUS server to send Access Accept for every authentication request, even invalid ones. But for the invalid ones, also send back an attribute of Framed-Pool that tells RouterOS what IP Pool to assign an address from, and specify a pool of IPs that you have walled off the way you describe. (RouterOS provides you with plenty of tools for constructing the actual walled-garden, so that part I will leave as an exercise for the reader.)

– Nathan
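An added example, not part of the original posts and not code from any RADIUS server: the reply described above, where every request is answered with Access-Accept and anything other than a paid-up account with valid credentials also receives Framed-Pool (attribute 88, RFC 2869). The pool name, account table and shared secret are constructed assumptions, and password checking is reduced to a plain comparison.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2               # RFC 2865 packet code
FRAMED_POOL = 88                # RFC 2869 attribute type (string)
WALLED_POOL = "walled-garden"   # assumed name; the pool must exist on the NAS

# Constructed sample accounts: username -> (password, paid_up)
ACCOUNTS = {"alice": ("s3cret", True), "bob": ("hunter2", False)}

def choose_pool(username, password):
    """Return None for a normal session, else the walled pool name.

    Unknown users, wrong passwords and suspended accounts all land in the
    walled pool, so that pool must be firewalled to the payment site only.
    """
    stored, paid_up = ACCOUNTS.get(username, ("", False))
    if stored and hmac.compare_digest(stored, password) and paid_up:
        return None
    return WALLED_POOL

def encode_attr(attr_type, value):
    data = value.encode()
    if len(data) > 253:          # attribute length is one octet, incl. header
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(data) + 2) + data

def build_accept(identifier, request_auth, secret, pool):
    """Encode an Access-Accept; pool=None means no Framed-Pool attribute."""
    attrs = encode_attr(FRAMED_POOL, pool) if pool else b""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def parse_pool(packet):
    """Return the Framed-Pool value carried in a reply, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute")
        if attr_type == FRAMED_POOL:
            return packet[pos + 2:pos + attr_len].decode()
        pos += attr_len
    return None
```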

Nathan, thank you for your thoughts. In my case, and probably lots of others out there, modifying the source code of a working RADIUS server would be a heavy task. I would suspect that others might find it impossible as they do not have access to the source code of their RADIUS server. In fact what you propose is what I have been thinking of doing, but then I saw that other equipment providers (CISCO) had come up with solutions for this and, even more interesting, many of the RADIUS solutions out there are taking advantage of the CISCO solution.

Mikrotik has been developing an incredible RouterOS, so versatile it competes toe to toe with the likes of CISCO & Juniper. There are things that can only be done in a Mikrotik due to its very flexible configuration. I have used Mikrotik since v3.14 and I know its great attributes. There has been very little if any development in the RADIUS modules of Mikrotik for many, many years. I think it is time to ask Mikrotik to develop this missing part, and probably many others, like the ability to add/configure Vendor Specific Attributes to scripts or special configurations within the router.

I’m not sure about which RADIUS solution you are using so I don’t know if you have done the research to know that your solution doesn’t allow default rules.

What NathanA suggests is a standard feature on FreeRADIUS (and I am sure many others).

You just add an access accept default rule which when triggered provides that address pool as mentioned.

If you know that your RADIUS server doesn’t support this feature, can you advise the type and version of the software you are using, as another user may know a way to work this out in that software.

Regards
Alexander