Radius server offline - enable ppp secrets!

n21roadie · March 11, 2014, 11:42am

Using radius server with pppoe and have set the clients with ppp secret disabled but if radius server goes offline clients cannot authenticate, so I would like to use netwatch to monitor the IP address of radius server and if unreachable to run script to enable ppp client secrets , any advice is most welcome

rextended · March 11, 2014, 10:38pm

Simply: use two radius with redundancy!!!

n21roadie · March 12, 2014, 12:19am

Any examples of this?

aacable · March 12, 2014, 4:11am

You can create a for i loop and add it in netwatch.
Example: (copy paste version)

/tool netwatch
add comment="Netwatch script to detect Radius status and act accordingly" disabled=no down-script=":log error \"RADIUS not responding, enabling local users in SECRET section of PPP/zaib\"\r\
    \n/ppp secret\r\
    \n:foreach i in=[find] do={\r\
    \n/ppp secret enable \$i\r\
    \n}\r\
    \n:log warning \"All PPP acounts are now enabled.\"" host=192.168.1.2 interval=1m timeout=2s up-script=":log warning\"RADIUS is now ONLINE. DISABLING local users in SECRET section of PPP/zaib\"\r\
    \n/ppp secret\r\
    \n:foreach i in=[find] do={\r\
    \n/ppp secret disable \$i\r\
    \n}\r\
    \n:log warning \"All local PPP accounts are now DISABLED.\""

host=192.168.1.2 [change this ip to match your local ip address]
You can adjust the timings and timeout values as per your requirements.

But do remember this is just an workaround with some manual overhead management of keeping all users accounts replica to local mikrotik. As rextended mentioned, If resources allows, you should consider in having a cluster base radius , so in case of any single server failure, its replica or other clsuter node should reply to mirkotik seamless. Also Virtualization is very best for clustering like ESXI base High Availability or something like this.

rextended · March 12, 2014, 8:48am

Fast way to enable:
/ppp secret enable [find]Fast way to disable:
/ppp secret disable [find]But… it check only if the radius are ping-able or not.
The machine can be responsive at the ping, but have radius not working.

Better way are to use 2 radius and insert 2 radius on /radius menu, each are failover of another.
For sync, every x hour master radius can export config in slave radius and slave radius can load maste config for sync.

Set 2 Radius NOT find user in both, but the system excahnge radius on full fail, not on user not found.

n21roadie · March 12, 2014, 10:01am

Many thanks to both rextended and aacable for your replies, I have given Karma for the helpful solutions