I have a Radius configuration that is timing out 1 out of 10 times. It appears I am not able to always see the “Authenticated” reply from the Radius server; however, I know the Radius is replying.
I really suspect something in the firewall.
I followed the Hotspot setup and the NAT/Filter settings are straightforward. I suspect that I need to add some rule which allows all traffic from my RADIUS server to go directly to the Hotspot. What would this rule look like?
Try bumping up the “timeout”..
Depending on the path to the raduis server or just the speed of the boxes in question, it could be timing out before the reply is recieved.. With the bog recieving a reply “most of the time” or even “some of the time” mu bet would be a time out issue..
It may also be caused by a load issue on the net / radius server or client…
Craig
Thank you. We have tried the timeout, and we feel comfortable that is not the problem, as the radius server is receiving the messages within one second, and responding. Our Radius time out is set to 60 seconds.
What we have found out today is the authentication is successful when the request is sent on port 1028 or above.
It is not successful on port numbers below that.
Is there a way to force the radius request to use a particular port or port range?
Yes.
Same place, set the request and acctng ports there..
Just make sure the radius server expects them at the same port.
I need to send to port 1812 and 1813. I would like to send from port 1028.
Is this possible?
If it is possible, please point me to the documentation I need. At this point, I dont’ know if it is at all possible. If it is possible, is it through the use of NAT, filtering, or something else?
Thank you!
You could use a Mangle rule..
IE any traffic destoned for the RADIUS box, mangle the source port.
Two questions with regards to the mangle rule idea:
Mangle only marks the packet locally to be handled by other functions in RouterOS. How would Mangle solve this if all it does is mark?
I would then need to use srcnat to redirect the packet to leave the correct port.
I assume you mean to mangle (or mark) the connection and not mangle the port. Correct?
Correct Mangle only marks the connection/packet, but its what you can do after you’ve marked it.. You can apply src/dst nat rules to mangled traffic to nat to say port 1028 to 1812.. or however you see fit..
You can only mangle connections and packets, but you can identify those conns/packets by their port number and other criteria. Which I assume is what csickles meant. 
Why not just use the same port on both ends and simplify your life!
OK, I understand now the relationship of Magle and NAT.
Now my question has more to do with NAT.
I want my outgoing UDP packets to only go out on port 1028 when the connection is marked “radius-con” by a Mangle rule.
To do this, I understand that I need to use something like this:
chain=srcnat connection-mark=radius-con
action=sec-nat to-addresses=0.0.0.0 to-ports=1028
Is that correct? The only part I don’t really understand is chain=srcnat