The setup is DMA Radius + Mikrotik. The Mikrotik runs a PPPoE server with “Use Radius” enabled.
All runs fine apart from when a PPPoE user goes over their allowed monthly data limit: it does show as Expired on Radius, but the Mikrotik does not change the bandwidth limit on the Queue unless the connection drops and reconnects.
Is there a way to make this automatic? On Radius, I have set Disconnect Method to Remote. Should it be ok NAS?
On the Mikrotik, I can see traffic coming from the radius server every 20 seconds or so. I captured some and it is accounting-response (5), so it is speaking to the Mikrotik.
Could anyone shed some light on this?
You have to configure the MikroTik to listen on port 3799 for incoming RADIUS requests (RADIUS->Incoming), and firewall rules will have to allow your RADIUS server to send packets to the MikroTik on that port.
add action=accept chain=forward comment="Accept Radius" src-address=Ip of Radius
add action=accept chain=input comment="Accept Radius" src-address=Ip of Radius
The reason for the forward chain is that there are other Mikrotiks connected behind this router as well.
All PPPoE authentication works fine, just expired users are not being moved to the next service.
Did you just make that change? Or did you already have it? If you are accepting RADIUS incoming on port 3799 and it is not disconnecting the customer, check the stat counters on the MikroTik; there are four for RADIUS incoming: Requests, Bad Requests, Acks and Nacks. If nothing is going up, the packet is either not making it there or is not being sent by your RADIUS server. The Requests and Acks should be going up. If Bad Requests is going up, something is wrong in the packet, and if Nacks is going up, it might be trying to disconnect a customer that is already disconnected.
I’ve had this set up working for a while. So PPPoE authentication works fine, Queue limit on Mikrotik is based on the set up on Radius. All good.
But the users who go over their data limit were able to carry on at normal speed until the connection drops and PPPoE authentication takes place again; then they get the correct, reduced speed.
In radius status, I can see Requests and Accepts going up nicely. There is 1 Resends. I am not sure what they are.
What would be the best way to diagnose this? I can take a dump using the packet sniff tool if that is what is needed.
The only change is that I’ve enabled API on the radius → NAS configuration, and enabled (on the Mikrotik) the API service in IP - Services.
The firewall rule that accepts all traffic from the radius server should allow all incoming traffic from it.
Resends? I think you are looking at the wrong status. You shouldn’t be looking at the RADIUS client status, but instead at the RADIUS Incoming status, and there is no “Resends” in RADIUS Incoming status. In Winbox go to the RADIUS menu where you see the list of RADIUS servers that your MikroTik is configured to use, at the top there is a button that says Incoming. The Incoming server status is there.
Sorry for the delay in reporting back. The incoming status is all 0. I’ve set up a firewall rule to catch anything that comes into 3899 from the Radius IP: nothing.
Where do I check if the radius is configured to send the disconnect message back?
I have a feeling I am getting closer…
Just checked the radiusmanager.cfg file; it has the Global POD port for Mik as 1700.
Changed the Mikrotik radius incoming port to 1700, and the firewall rule port too. Tested disconnecting a client from DMA Radius Manager:
client not disconnected, firewall rule shows nothing coming in… 0 bytes.
add action=accept chain=input comment="Accept Radius Incoming" dst-port=1700 protocol=udp src-address=IP of Radius server
This problem is probably not on the MikroTik side. It is not receiving the packet. Most likely, DMA radius manager is failing to send it. Contact their support.
Thanks for your help. We don’t have DMA support, so we are on our own in this case. I will probably try to start it in debug mode and see if it is sent in the first place.
Check the documentation as well, to see if there are other disconnect related settings that are available that you have missed. Some NAS devices allow different disconnect methods than others so there may be some kind of setting available for the method/type of disconnection, or whether it is even enabled or not (ex. with FreeRADIUS, the disconnects do not happen out of the box, it has to be configured).
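Added example, not from any poster in this thread and not DMA or MikroTik code: a small Python checker for UDP payloads taken with the packet sniffer. It names the RADIUS code (code 5 is Accounting-Response, a reply to the NAS's own accounting, not a disconnect) and verifies the RFC 5176 Request Authenticator of a Disconnect-Request or CoA-Request against the shared secret. The secret, user name and sample packets are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 2865, RFC 2866 and RFC 5176.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}

def request_authenticator(code, ident, attrs, secret):
    """RFC 5176: MD5(Code + Id + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_disconnect_request(ident, user_name, secret):
    """Build a constructed sample packet for the checker to run on."""
    name = user_name.encode()
    attrs = struct.pack("!BB", 1, 2 + len(name)) + name  # attribute 1 = User-Name
    auth = request_authenticator(40, ident, attrs, secret)
    return struct.pack("!BBH", 40, ident, 20 + len(attrs)) + auth + attrs

def inspect_payload(payload, secret):
    """Classify one captured UDP payload; returns (packet type, verdict)."""
    if len(payload) < 20:
        return ("truncated", "shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    name = CODES.get(code, f"unknown({code})")
    if length < 20 or length > len(payload):
        return (name, "bad length field")
    if code not in (40, 43):
        return (name, "not a disconnect/CoA request")
    expected = request_authenticator(code, ident, payload[20:length], secret)
    if hmac.compare_digest(expected, payload[4:20]):
        return (name, "authenticator ok")
    return (name, "authenticator mismatch")

# Constructed sample data: hypothetical secret, user name and packets.
SECRET = b"constructed-secret"
GOOD = build_disconnect_request(7, "pppoe-user1", SECRET)
ACCT = bytes([5, 9, 0, 20]) + bytes(16)  # bare Accounting-Response header

if __name__ == "__main__":
    for label, pkt, key in (("disconnect", GOOD, SECRET),
                            ("wrong secret", GOOD, b"other-secret"),
                            ("accounting", ACCT, SECRET)):
        print(label, inspect_payload(pkt, key))
```

An "authenticator mismatch" on a captured Disconnect-Request points at a shared secret that differs between the RADIUS server's NAS entry and the router's RADIUS Incoming configuration.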