problem with disconnect radius user from radclient

Hi guys
I’m now using MT OS 2.9.27 with a freeradius server box. I point MT to my radius server.

MT OS ----------------Freeradius 192.168.2.2
192.168.2.1
|
|
|
Clients

Everything is working well, but I just want to disconnect an online user from the command line (my NAS is 192.168.2.1):

echo user-name=test | radclient -x 192.168.2.1:1700 disconnect mysecret

The result:

Sending Disconnect-Request of id 37 to 192.168.2.1 port 1700
        User-Name = "test"
rad_recv: Disconnect-NAK packet from host 192.168.2.1:1700, id=37, length=42
        Error-Cause = Unsupported-Extension
        NAS-Identifier = "MikroTik"
        NAS-IP-Address = 192.168.2.1

Why can’t I disconnect the user?
I read on some forum that MT OS 2.9.. supports the radius disconnect message. Why is there ‘Unsupported-Extension’ while I use /Radius → Incoming → Accept?
How can I do it?

Are you using HotSpot? Because only HotSpot supports Radius incoming (CoA and Disconnect requests) at the time. PPP does not.

Yes, I’m using HotSpot. I’ve tried to use port 1700 or 3799, but there is the same problem.
When I request to disconnect user ‘test’ once, the Status of Radius Incoming is:

Requests     : 1
Bad Requests : 0
Acks         : 0
Naks         : 1

Can you “dump” (print the details of) the request which is sent from Free Radius to User Manager? Because a NAK is also sent when there is at least one attribute in the request which is not supported by HotSpot. Such behavior is defined in RFC5176 (http://www.ietf.org/rfc/rfc5176.txt).

In my radius server, I typed:

echo user-name=test | radclient -x 192.168.2.1:1700 disconnect mysecret
Sending Disconnect-Request of id 37 to 192.168.2.1 port 1700
        User-Name = "test"
rad_recv: Disconnect-NAK packet from host 192.168.2.1:1700, id=37, length=42
        Error-Cause = Unsupported-Extension
        NAS-Identifier = "MikroTik"
        NAS-IP-Address = 192.168.2.1

Disconnect request works for a specific session, not for all the sessions of specified user.

You send only User-Name as session identification attribute. But it is not enough. To identify session correctly, these attributes must be included in Disconnect-Request:
*) IP address
*) NAS Port Type
*) NAS Port
*) Calling Station ID
*) Called Station ID
*) ACCT Session ID
*) NAS Port ID, if it is not empty

Required values for these attributes should be stored in the Radius Server data base. For example, User Manager stores these values for every session to be able to send Disconnect Request for it. In your case these values should be stored in FreeRadius data base.
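The Disconnect-Request / Disconnect-NAK exchange from this thread at the packet level, as an added Python example (not code from any poster, FreeRADIUS or MikroTik): it builds the request authenticator, verifies the reply authenticator with the shared secret and decodes Error-Cause. The NAK is constructed here from the attributes radclient printed above; all function names are this example's own.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 2865 and RFC 5176.
DISCONNECT_REQUEST, DISCONNECT_NAK = 40, 42
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER, ERROR_CAUSE = 1, 4, 32, 101
ERROR_CAUSES = {401: "Unsupported-Attribute", 402: "Missing-Attribute",
                406: "Unsupported-Extension", 503: "Session-Context-Not-Found"}

def attr(atype, value):  # one attribute: type, length, value
    return struct.pack("!BB", atype, len(value) + 2) + value

def sign(code, ident, attrs, secret, request_auth=b"\x00" * 16):
    """Return a packet with authenticator MD5(header + auth + attrs + secret).
    Requests hash 16 zero bytes; replies hash the request's authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def parse_reply(packet, request, secret):
    """Verify a reply against its request; return (code, {type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != request[1]:
        raise ValueError("length or identifier mismatch")
    body = packet[20:]
    expected = sign(code, ident, body, secret, request[4:20])
    if not hmac.compare_digest(expected, packet):
        raise ValueError("bad authenticator (wrong shared secret?)")
    attrs = {}
    while body:
        if len(body) < 2 or not 2 <= body[1] <= len(body):
            raise ValueError("malformed attribute")
        attrs[body[0]] = body[2:body[1]]
        body = body[body[1]:]
    return code, attrs

def demo(secret=b"mysecret"):
    """Replay the thread's exchange (id 37) with a NAK constructed here."""
    request = sign(DISCONNECT_REQUEST, 37, attr(USER_NAME, b"test"), secret)
    nak_attrs = (attr(ERROR_CAUSE, struct.pack("!I", 406))
                 + attr(NAS_IDENTIFIER, b"MikroTik")
                 + attr(NAS_IP_ADDRESS, bytes([192, 168, 2, 1])))
    nak = sign(DISCONNECT_NAK, 37, nak_attrs, secret, request[4:20])
    code, attrs = parse_reply(nak, request, secret)
    return code, ERROR_CAUSES[struct.unpack("!I", attrs[ERROR_CAUSE])[0]], len(nak)

if __name__ == "__main__":
    print(demo())
```

The constructed NAK comes out at 42 bytes, the same length radclient reported for the reply from 192.168.2.1.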

Yes, it works. Thank you for your help. :smiley:

hey amigota can you please post your script that you send to the mikrotik to disconnect a user, or rather the packet.txt file

The command is:

echo User-Name=test,Framed-IP=192.168.2.199 | radclient -x 192.168.2.1:1700 disconnect mysecret

Hello,

I have FreeRadius + mysql module…

Does anyone have script to disconnect all online users at once?

Thank You in advance!

hi,

I too need the solution.
Please tell me if you found any answer…

Hi all

As my young experience, I used to disconnect radius users from Mikrotik by this command below:

echo User-Name=test,Framed-IP=192.168.2.199 | radclient -x 192.168.2.1:1700 disconnect mysecret

Where:
192.168.2.1 is NAS Address
1700 is your CoA port or disconnect port that you have to enable in Mikrotik

Or you guys can use PHP code, and you have to grant root permission to the www user to run this script.
Note: This is very risky usage.

Example:

	// Force disconnect a single user.
	// Every value is shell-escaped because it is interpolated into a shell command line.
	function disconnect_user($username, $framed_ip, $nasaddr, $coaport, $sharedsecret) {
		$attrs = escapeshellarg("User-Name=$username,Framed-IP=$framed_ip");
		$target = escapeshellarg("$nasaddr:$coaport");
		$secret = escapeshellarg($sharedsecret);
		$command = "sudo echo $attrs|/usr/local/bin/radclient -x $target disconnect $secret";
		exec($command);
	}

	// Force disconnect all users that still have an open accounting session.
	function disconnect_all_users(){
		global $db; // database handle with an Execute() method, created elsewhere
		$sharedsecret = "yourradiussecret";
		$coaport = 1700;
		$nasaddr = "192.168.20.1";
		$r_who_online = "SELECT * FROM radacct WHERE (AcctStopTime is NULL) ORDER BY RadAcctId ASC";
		$who_online = $db->Execute($r_who_online);
		foreach($who_online as $u) {
			// Reuse the escaped single-user call instead of building the command string again.
			disconnect_user($u["UserName"], $u["Framed-IP"], $nasaddr, $coaport, $sharedsecret);
		}
	}

Hope this can help you.:slight_smile:
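A hardened take on the disconnect-all script above, as an added Python example rather than the poster's code: radclient is started from an argument list (no shell, no sudo), the attributes go in on stdin, the shared secret is read by radclient from a file with -S, and stored values are validated before they reach the request. Assumptions: the stock FreeRADIUS radacct column names (username, framedipaddress), the user-name character policy, and all function names; the rows are constructed sample data and the attribute is spelled Framed-IP-Address as in the FreeRADIUS dictionary.

```python
import ipaddress
import re
import subprocess

RADCLIENT = "/usr/local/bin/radclient"  # path used in the PHP post above
SAFE_USER = re.compile(r"[A-Za-z0-9._@:-]{1,64}")  # assumed user-name policy

# Constructed radacct rows for open sessions; the second one is hostile.
SAMPLE_ROWS = [
    {"username": "test", "framedipaddress": "192.168.2.199"},
    {"username": 'x",Framed-IP-Address=10.0.0.1;id #', "framedipaddress": "192.168.2.200"},
]

def request_text(username, framed_ip):
    """Return radclient input for one session, or raise ValueError.
    Refusing quotes, commas and newlines keeps a stored user name from
    adding attributes to the request."""
    if not SAFE_USER.fullmatch(username):
        raise ValueError(f"unsafe User-Name: {username!r}")
    ip = ipaddress.IPv4Address(framed_ip)  # ValueError on anything but IPv4
    return f'User-Name = "{username}"\nFramed-IP-Address = {ip}\n'

def disconnect(username, framed_ip, nas, port, secret_file, run=subprocess.run):
    """Send one Disconnect-Request. argv list, so no shell and no sudo;
    attributes go in on stdin; radclient reads the secret from a file (-S)."""
    argv = [RADCLIENT, "-x", "-r", "2", "-t", "3", "-S", secret_file,
            f"{nas}:{port}", "disconnect"]
    result = run(argv, input=request_text(username, framed_ip),
                 capture_output=True, text=True, timeout=15)
    return "Disconnect-ACK" in result.stdout + result.stderr

def disconnect_all(rows, nas, port, secret_file, run=subprocess.run):
    """Disconnect every row; return user names that were refused or not ACKed."""
    failed = []
    for row in rows:
        try:
            ok = disconnect(row["username"], row["framedipaddress"],
                            nas, port, secret_file, run)
        except ValueError:
            ok = False
        if not ok:
            failed.append(row["username"])
    return failed

if __name__ == "__main__":
    print(request_text("test", "192.168.2.199"), end="")
```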

I tried the solutions above and kept getting -

echo "User-Name=username,Framed-IP=192.168.1.101" | radclient -x 192.168.1.2:3799 disconnect secret
Sending Disconnect-Request of id 14 to 192.168.1.1 port 3799
        User-Name = "username"
rad_recv: Disconnect-NAK packet from host 192.168.1.2:3799, id=14, length=41
        Error-Cause = Unsupported-Extension
        NAS-Identifier = "NAS1"
        NAS-IP-Address = 192.168.1.2

After some searching I discovered that Framed-IP should read Framed-IP-Address

echo "User-Name=username,Framed-IP-Address=192.168.1.101" | radclient -x 192.168.1.2:3799 disconnect secret

And it works !!! Yeeeehhaaaaa

glad to hear that works !

I followed the steps in this thread. I can’t connect to NAS 192.168.10.2 with radclient, but IP 192.168.10.1 can receive the remote request, with a NAK result in the MikroTik radius debug.

When the radius server (192.168.10.14) requests a disconnect, I get “unknown address” in the radius debug and the IP address of the request changes to:

radius debug received remote request from 192.168.10.1:xxxxxx with unknown address, dropping

In the radius debug it shouldn’t be 192.168.10.1 but 192.168.10.14, to be accepted by NAS 192.168.10.2.

Can anybody help me with this case? Or is something missing in the MikroTik configuration? Thanks

I’m using the same code for disconnecting a user but getting the error below:

array(16) {
[0]=>
string(60) "radclient: Failed to send packet for ID 168: (unknown error)"
[1]=>
string(60) "radclient: Failed to send packet for ID 168: (unknown error)"
[2]=>
string(60) "radclient: Failed to send packet for ID 168: (unknown error)"
[3]=>
string(54) "radclient: no response from server for ID 168 socket 3"
[4]=>
string(63) "Sending Disconnect-Request of id 168 to 192.168.1.240 port 1700"
[5]=>
string(32) " User-Name = "54:14:73:57:DC:C2""
[6]=>
string(34) " Framed-IP-Address = 192.168.0.244"
[7]=>
string(42) "rad_send() failed: Operation not permitted"
[8]=>
string(63) "Sending Disconnect-Request of id 168 to 192.168.1.240 port 1700"
[9]=>
string(32) " User-Name = "54:14:73:57:DC:C2""
[10]=>
string(34) " Framed-IP-Address = 192.168.0.244"
[11]=>
string(42) "rad_send() failed: Operation not permitted"
[12]=>
string(63) "Sending Disconnect-Request of id 168 to 192.168.1.240 port 1700"
[13]=>
string(32) " User-Name = "54:14:73:57:DC:C2""
[14]=>
string(34) " Framed-IP-Address = 192.168.0.244"
[15]=>
string(42) "rad_send() failed: Operation not permitted"
}