Remote radius server authenticates, client shows not responding

Hi,

Having a small problem with remote radius operation.

I have hotspots at 3 different locations (school terrain). The main hotspot functions perfectly, using the Mikrotik Hotspot setup and usermanager.

The two remote hotspots have their radius server set to the main hotspot radius server, and the log at the main server shows that authentication and login failures are being processed and logged, but the client devices at the remote hotspots are getting “RADIUS server is not responding” error messages, even though the main radius server logs them as having successfully authenticated.

What am I missing?

Cheers
Brian

Post the logs and exports. Make sure the other routers’ radius traffic isn’t being tampered with by the main hotspot.

I wonder, why not simply connect the other APs in L2 to the bridge where you’re running the main hotspot? Simpler, and easier to manage and troubleshoot…

Ok, the main hotspot code is:

/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
add dns-name=hotspot.hillcrest.com hotspot-address=192.168.11.254 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=hsprof1 nas-port-type=wireless-802.11 radius-accounting=yes radius-default-domain="" \
    radius-interim-update=received radius-location-id="" radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX rate-limit="" smtp-server=5.189.162.245 split-user-domain=no use-radius=yes
/ip hotspot
add address-pool=dhcp_pool1 addresses-per-mac=2 disabled=no idle-timeout=5m interface=HotSpot keepalive-timeout=none name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip hotspot ip-binding
add address=192.168.11.253 disabled=no mac-address=68:72:51:66:22:DF to-address=192.168.11.253 type=bypassed
add address=192.168.11.3 disabled=no mac-address=68:72:51:66:24:16 to-address=192.168.11.3 type=bypassed
add address=192.168.11.2 disabled=no mac-address=68:72:51:66:24:7B to-address=192.168.11.2 type=bypassed
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add comment="counters and limits for trial users" disabled=no name=default-trial password=""
add disabled=no name=admin password=********** profile=default

Radius Code

/radius
add accounting-backup=no accounting-port=1813 address=10.10.0.1 authentication-port=1812 called-id="" disabled=no domain="" realm="" secret=******** service=hotspot timeout=300ms
/radius incoming
set accept=no port=3799

The Hotspot Code at the remote Site is:

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
add dns-name=hotspot.hillcrest.com hotspot-address=192.168.11.9 html-directory=flash/hotspot name=hsprof1 smtp-server=5.189.161.232 use-radius=yes
/ip hotspot
add address-pool=dhcp_pool5 disabled=no interface=HotSpot name=hotspot1 profile=hsprof1
/ip hotspot ip-binding
add address=192.168.11.253 mac-address=68:72:51:66:22:DF to-address=192.168.11.253 type=bypassed
add address=192.168.11.4 mac-address=68:72:51:66:22:A6 to-address=192.168.11.4 type=bypassed
add address=192.168.11.5 mac-address=68:72:51:66:24:7B to-address=192.168.11.5 type=bypassed
add address=192.168.11.6 mac-address=68:72:51:66:24:CC to-address=192.168.11.6 type=bypassed

Remote Radius code is:

/radius
add address=10.10.0.1 secret=******** service=hotspot
/radius incoming
set accept=yes

The remote log shows this error:
jun/28 17:59:17 hotspot,info,debug hillcrestprepschool (192.168.11.26): trying to log in by http-chap
jun/28 17:59:19 hotspot,info,debug hillcrestprepschool (192.168.11.26): login failed: RADIUS server is not responding

Whilst the log page on the userman at the main hotspot shows that the user has been authenticated.

The two hotspots are at different physical locations and cannot connect wirelessly. I am routing between the two hotspot devices (RB 750s) with a PPTP tunnel over a fibre link.

I hope this makes sense.

Can you post:

  • user-manager routers entries
  • /radius monitor 0 on remote hotspots

At the remote hotspot we have

 /radius monitor 0
           pending: 0
          requests: 13
           accepts: 0
           rejects: 0
           resends: 6
          timeouts: 13
       bad-replies: 0
  last-request-rtt: 0ms

Which is odd, because the userman log at the main radius server is showing that these “time-outs” are in fact being authenticated, just the message is never getting back to clients.

At the main radius server, we have

/tool user-manager router> print
Flags: X - disabled 
 0   customer=admin name="Local router" ip-address=10.10.0.1 shared-secret="snoopdog76" log=auth-ok,auth-fail use-coa=no coa-port=1700 
 1   customer=admin name="Prep1" ip-address=192.168.16.2 shared-secret="snoopdog76" log=auth-ok,auth-fail use-coa=no coa-port=1700 
 2   customer=admin name="Prep2" ip-address=10.127.0.2 shared-secret="snoopdog76" log=auth-ok,auth-fail use-coa=no coa-port=1700

And at the Prep 1 hotspot (remote) we have (Prep1 and Prep 2 are the same hotspot, the two different IPs are the gateway interface IP and the VPN IP linking back to the main radius router)

 /tool user-manager router> print
Flags: X - disabled 
 0   customer=admin name="Local router" ip-address=10.10.0.1 shared-secret="snoopdog76" log=auth-fail use-coa=no coa-port=1700

Regards
Brian
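An added illustration, not from this thread or from RouterOS itself: the RFC 2865 reply check a NAS performs, written in Python, showing why a reply signed with a different shared secret is counted as a bad reply while a reply that never reaches the NAS is counted as a timeout, which is the pattern in the monitor output above (13 requests, 13 timeouts, 0 bad-replies). The secret and request authenticator used here are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def build_packet(code, ident, authenticator, attrs):
    """Header (Code, Identifier, Length) + 16-byte Authenticator + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def nas_access_request(ident, request_auth, username):
    """NAS side: an Access-Request carrying only a User-Name attribute (type 1)."""
    name = username.encode()
    attrs = bytes([1, 2 + len(name)]) + name
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def server_reply(request, secret, accept):
    """Server side: Access-Accept/Reject whose authenticator is keyed on the secret."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    auth = response_authenticator(code, ident, b"", request[4:20], secret)
    return build_packet(code, ident, auth, b"")

def classify_reply(request, reply, secret):
    """NAS side: which /radius monitor counter a reply (or its absence) lands in."""
    if reply is None:
        return "timeout"          # nothing came back in time: a path problem, not a secret problem
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return "bad-reply"        # not a reply to our request, or truncated
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-reply"        # authenticator check fails: the shared secrets differ
    return "accept" if code == ACCESS_ACCEPT else "reject"

# Constructed values, not taken from the thread: a fixed authenticator for
# repeatability (real NASes use 16 fresh random bytes per request) and a
# placeholder secret.
REQUEST_AUTH = bytes(range(16))
SECRET = b"example-secret"
REQUEST = nas_access_request(7, REQUEST_AUTH, "hillcrestprepschool")
```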