Problem Transferring Users to a Radius Server

Mikrotik Forum Gurus,

I’m having a problem transferring hotspot users from my RB1200 to our radius server, which is Radius Manager from DMASoftlab and is based on FreeRADIUS. I have been manually adding users to Radius Manager for a month with no problems. Last night, I performed (via DMASoftlab support) an import of over 300 users into Radius Manager using a CSV file that I created from an export of hotspot users in my Mikrotik. The formatting of the CSV file was fine and the import was successful. Once the users were successfully imported into Radius Manager, I deleted all of the hotspot users in the Mikrotik that had just been imported so they will be forced to authenticate with Radius Manager. The problem is that, from what I could tell, none of the users that were imported were able to authenticate to the radius server and instead were directed to our hotspot splash page. In response to this problem, I re-imported all of the users back into the Hotspot–>Users section of the Mikrotik so their service would be restored. But I need to get them all migrated back to Radius Manager so all of our subscribers are authenticating in the same way.

Since I am currently managing several hundred other users successfully in Radius Manager, I know that there is not a communication problem between my Mikrotik and Radius Manager. My sense is that there was something else I should have done to “clean up” the Mikrotik when the users were imported into Radius Manager so they will authenticate there instead of directly with the Mikrotik. Areas I can think of off the top of my head are:

Hotspot–>Active
Hotspot–>Hosts
IP–>ARP
IP–>DHCP Server–>Leases

Due to the problem I experienced yesterday, I don’t want to make any changes without additional information. Any help you can provide would be greatly appreciated.

Thanks in advance.

Check what your log says. Enable debug logging.

Thanks. I’ll check it out. In the meantime, are there any entries that I should remove from the Mikrotik as a matter of process when I transfer a user from the Hotspot–>Users section to my external radius server to help ensure that the subscriber will experience little or no service interruption?

Well, to tell you exactly, you have to post the config of the radius server and MT, and your CSV.

Based on your response, it sounds like there isn’t a general rule of thumb when transferring people from the Mikrotik to a radius server, such as clearing their ARP entry or deleting their DHCP lease. That’s primarily what I’m looking for. Thank you for your input.

Well, you just have to read the radius server documentation. What parameters you will need also depends on what the radius server should do. There is a minimum of parameters you will have to use to get it to work, and there are some parameters you can have to make something happen, not required, but maybe needed in your config/setup. A minimum is username/password +++++ and some parameters to the servers that tell the radius client what to do when connecting to the radius server. Logging in to a device using radius needs a bit fewer parameters than a PPPoE client. A hotspot user that is supposed to be billed, shaped, get an IP, etc. needs more information.

When it’s ARP specific, it’s common to have the client send the ARP address to the server, together with username and password. Then it’s possible to bind the IP (dynamic or static) to the client’s MAC address.

As I mentioned, I have been manually adding users to the radius server for over a month with no problems. When the group of users was transferred to the radius server, each was assigned all of the required parameters (as well as some that weren’t required). I followed the same format as the users that I have added manually over the last month. In fact, a support rep at DMA Softlab performed the import himself as bulk imports aren’t supported through the administrator control panel. I spoke with him off and on over a few days after the import and he insists that there was nothing wrong with the users that were imported. I’m inclined to believe him, which is why I started looking at my Mikrotik instead.

I believe that if I had left the imported users alone (leave active in the radius server and deleted from the Hotspot–>Users section of the Mikrotik), all of the users would eventually be able to authenticate, given that DHCP leases, ARP tables, etc. refresh over time. But I don’t think it’s appropriate to leave paying subscribers without access while leases timeout and tables refresh. The purpose of my post was to see if anyone was aware of a rule of thumb when converting a user (using MAC address authentication and having likely already been issued an IP address by the Mikrotik) from a hotspot user in the Mikrotik to a user in an external radius server (meaning, a radius server that isn’t User Manager).

As with most things of this nature, it appears there is no simple answer. I think I need to take your initial advice and pay close attention to my log to determine exactly where the transfer is failing so that I can determine what setting I need to forcibly refresh when transferring active subscribers from one authentication method to another.

It seems to me that there must be a set of procedures that one would follow if they had outgrown User Manager, for example, and needed to migrate all of their active users from the Mikrotik to an external radius server. I would prefer to use User Manager so as to not need another service, but my understanding is that User Manager becomes unreliable after about 500 users, and I need something that can handle many more than that.

I have a freeradius and about 6500 users in the pgsql database. Working like a charm.

If you use any kind of database, try to look at which parameters the rows use, and import from CSV to the correct table with new rows. It should not be that big a hassle.

Still, it’s like my post: you need to know which parameters you need, and what is required for your setup and use. Then you need to have the data correct in the radius database. To figure this out, you should look in the log (and in debug mode).

That’ll be my next step. Thanks again. Your input is very much appreciated.

Did you ever get it working?

We use the DMA RM solution and Mikrotik too.
Have you checked the following:

  1. Radius setup correctly using correct ports, IP Address, and Secret, and you have it setup for the Hotspot service? Does it work for the accounts you added manually?
  2. Hotspot server setup, and a server profile is setup to use Radius and login by whatever method you are using? If you are using username/password, it should be HTTP Chap and maybe Cookie.
  3. RadiusManager has a service setup which is available to the user accounts, and available to the NAS?

That’s the basics.

I was able to get this working, but not the way I had hoped. The confusion came when I performed a mass import of users into RM from a user export in the Mikrotik. All of the users I created manually worked, but none of the users that were part of this import seemed to work. Since I was still able to add users manually and those users were working properly, I went back to DMA for help and they told me that the import was fine and that I should check the logs. I did that and didn’t see any problems. I know that everything is set up properly in my Mikrotik because I was already managing 500 or so other users in RM with no problems. I just needed these 350 MAC addresses to be transferred from the Mikrotik to RM.

Ultimately, since I wasn’t able to find a solution to my problem and I had to get moving, I ended up deleting all of the users from RM that were part of the import and I created them one by one manually. It took a while to finish, but they’re all working now. One of the things I could have done, but wasn’t sure at the time is that I could have removed all of those users from the Active and Hosts tabs in the Mikrotik Hotspot. I probably should have also killed their DHCP leases so they would have to reauthenticate completely and get a new IP address. That would have been helpful, but I didn’t know for sure whether that’s what I was supposed to do, and I certainly didn’t want to guess. But I really should have migrated one or two over to test the process and then done the rest.

I still don’t know why the import failed, but I got all of the users moved over and I have other projects I have to get to, so I don’t think I’m going to be able to do much more research on this particular event. I have another import of the same kind coming up in the next month or two, so I think the best way to handle this will be to perform the import, remove the corresponding entries on the Active and Hosts tabs in the Mikrotik and kill their DHCP leases and see if that works. I will, of course, test this on a few users before doing the rest. When I’m done with the migration, I’ll check back in and describe how everything went, for the benefit of anyone else who needs to go through this process.
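
The cleanup sequence planned in the post above (remove the migrated users' Hotspot Active and Hosts entries and their DHCP leases, with RADIUS debug logging enabled as suggested earlier in the thread), written out as an added RouterOS script that is not part of the original thread. The MAC addresses are constructed placeholders, and the thread does not confirm that this sequence resolves the failed logins.

```routeros
# Added example, not from the thread. Run as a script (System > Scripts) or
# paste the whole block into a terminal. Test with one or two subscribers first.

# Log RADIUS exchanges in detail so a rejected login can be inspected afterwards.
# Add this rule once; remove it again when the migration is finished.
/system logging add topics=radius,debug action=memory

{
    # Constructed placeholder MACs: replace with the users already imported
    # into the RADIUS server and deleted from Hotspot > Users.
    :local macs {"00:00:5E:00:53:01";"00:00:5E:00:53:02"}

    :foreach m in=$macs do={
        # End the current hotspot session so the next request must re-authenticate
        /ip hotspot active remove [find mac-address=$m]

        # Drop the host entry the hotspot keeps for this client
        /ip hotspot host remove [find mac-address=$m]

        # Release the lease so the client has to request an address again.
        # Note: this also removes a static lease for the MAC if one exists.
        /ip dhcp-server lease remove [find mac-address=$m]

        # Count what is left. A client that is still connected may reappear
        # under Hosts right away, so a non-zero value here is not an error.
        :local left ([:len [/ip hotspot active find mac-address=$m]] + \
                     [:len [/ip hotspot host find mac-address=$m]] + \
                     [:len [/ip dhcp-server lease find mac-address=$m]])
        :log info ("radius-migration: " . $m . " cleared, entries left: " . $left)
    }
}

# After the test client reconnects, review what was sent to and received
# from the RADIUS server for that login attempt.
/log print where topics~"radius"
```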

It’s always recommended to have a test environment set up, to do the research and testing in, and figure out problems before going to the step of changing anything in production.

I know. I’m working on that.