Show Radius Reply/Errors on hotspot login page

Currently we are using Hotspot to Auth users against a Radius server (Emerald 5) via MAC address and a common password. The problem I am having is when a customer gets the splash page (meaning they are not authenticated) I want the splash page to show what the radius reply was (i.e. the reason they are not getting authenticated, Expired, data usage reached, etc, etc). Is there a script for that that I can put in the login.html of the page?

RouterOS 3.30 on RB433AH

Here are a couple of snippets of what a radius reply was from some tests I did and is what I would want displayed on the web page for that user.

16:39:29 hotspot,info,debug 00:12:17:95:6E:B6 (XXX.XXX.XXX.XXX): login failed: Your Account '00:12:17:95:6E:B6' is Inactive



10:41:54 hotspot,info,debug 00:15:6D:D4:4A:43 (XXX.XXX.XXX.XXX): login failed: Your Account '00:15:6D:D4:4A:43' is over it's credit limit.

Any help is appreciated.
Thanks,

http://www.mikrotik.com/testdocs/ros/2.9/ip/hotspot_content.php#7.41.15

That lists all the variables, including how to print attributes returned by RADIUS.

I’ve looked at the page and after messing around with it for a while I am beginning to wonder if I got the syntax right. This is what I am using:

$(radius<Reply-Message>)

As I am looking to display what the “Reply-Message” is, sent from the radius server.

Anyone steer me in the right direction?

Thanks,

Found this http://forum.mikrotik.com/t/problem-with-radius-id/21740/1 post and mikrotik staff replied and said they had identified the problem and would be fixed in version 4.4 and I think this post was written before version 3.30 was released. Was this problem also fixed in version 3.30?

Thanks,

According to an example by sergejs, it should be $(radius18)
Example: http://forum.mikrotik.com/t/radius-attributes-on-alogin-html/35879/1
The newer versions should be working ok.

Gave $(radius18) a try and no go… Here is what I did to test.

On the default login.html page I changed:

This original line:

$(if error)<br /><div style="color: #FF8080; font-size: 9px">$(error)</div>$(endif)

To this line to test:

$(if radius18)<br /><div style="color: #FF8080; font-size: 9px">$(radius18)</div>$(endif)

Killed the host I am testing from in the hotspot menu and reconnected. I get splash page but no message as to why I was not authenticated… It should have shown “Your Account ‘00:12:17:95:6E:B6’ is Inactive” as that is what it showed in the log of the box.

Also tried the following, as my vendor ID in my radius server is “0” for standard radius attributes:

radius18u

radius18-0

radius18-0u

I just ran a test with Reply-Message using cookies. It is about the same login procedure as using the mac address. If there is an error (I used a bad password in the cookie as a test), my login page displays the Reply-Message (“My message”) I entered in the SQL radreply table for that user. And that was without any html modifications at all. RB433AH V3.30

Here is my log entry:
12:36:29 hotspot,info,debug tim (192.168.0.249): login failed: My message
and that is what it put just above the user and password form inputs.

ADD: The $error variable is set to the Reply-Message on fail.

If “$error” is set to display “Reply-Message” then I should have to do no other configuration other than cosmetic to my page. That is not the case, a default login.html does not show “Reply-Message” from the radius server when I open up a browser for a non-authenticated user. I know that a “Reply-Message” is coming back from radius server as it shows it in the log. So is it broken for radius?

I can’t say it is broken. It works fine here. But like I said, I am using the cookie login rather than the mac auth. There may be some subtle differences, but not according to everything I have read in the docs. You might consider doing a supout file and email it to support (at) mikrotik.com with a short explanation of the problem.

Here is a snippet of my log.

jan/02/1970 00:00:29 wireless,info 00:12:17:95:6E:B6@wlan1: connected 
jan/02/1970 00:00:31 dhcp,info dhcp2 deassigned 10.11.12.254 from 00:12:17:95:6E:B6 
jan/02/1970 00:00:31 dhcp,info dhcp2 assigned 10.11.12.254 to 00:12:17:95:6E:B6 
jan/02/1970 00:00:38 hotspot,info,debug 00:12:17:95:6E:B6 (10.11.12.254): trying to log in by mac 
jan/02/1970 00:00:38 radius,debug new request 3f:22 code=Access-Request service=hotspot called-id=hotspot1 
jan/02/1970 00:00:38 radius,debug sending 3f:22 to 66.xx.xx.xx:1812 
jan/02/1970 00:00:38 radius,debug,packet sending Access-Request with id 4 to 66.xx.xx.xx:1812 
jan/02/1970 00:00:38 radius,debug,packet     Signature = 0x867f64519ce6f03fd34ef47444a3b29f 
jan/02/1970 00:00:38 radius,debug,packet     NAS-Port-Type = 19 
jan/02/1970 00:00:38 radius,debug,packet     Calling-Station-Id = "00:12:17:95:6E:B6" 
jan/02/1970 00:00:38 radius,debug,packet     Called-Station-Id = "hotspot1" 
jan/02/1970 00:00:38 radius,debug,packet     NAS-Port-Id = "wlan1" 
jan/02/1970 00:00:38 radius,debug,packet     User-Name = "00:12:17:95:6E:B6" 
jan/02/1970 00:00:38 radius,debug,packet     NAS-Port = 2157969408 
jan/02/1970 00:00:38 radius,debug,packet     Acct-Session-Id = "80a00000" 
jan/02/1970 00:00:38 radius,debug,packet     Framed-IP-Address = 10.11.12.254 
jan/02/1970 00:00:38 radius,debug,packet     MT-Host-IP = 10.11.12.254 
jan/02/1970 00:00:38 radius,debug,packet     CHAP-Challenge = 0xbb0a79438611d2b704e0ca3465a6b5cd 
jan/02/1970 00:00:38 radius,debug,packet     CHAP-Password = 0x64a1f268eee6924df2ccae0c212ad885 
jan/02/1970 00:00:38 radius,debug,packet       bd 
jan/02/1970 00:00:38 radius,debug,packet     Service-Type = 1 
jan/02/1970 00:00:38 radius,debug,packet     WISPr-Logoff-URL = "http://10.11.12.1/logout" 
jan/02/1970 00:00:38 radius,debug,packet     NAS-Identifier = "MikroTik" 
jan/02/1970 00:00:38 radius,debug,packet     NAS-IP-Address = 172.17.0.55 
jan/02/1970 00:00:38 radius,debug,packet received Access-Reject with id 4 from 66.xx.xx.xx:1812 
jan/02/1970 00:00:38 radius,debug,packet     Signature = 0xcbe411677dba740f233e95556bbfc03b 
jan/02/1970 00:00:38 radius,debug,packet     Reply-Message = "Your Account '00:12:17:95:6E:B6' is Inactive" 
jan/02/1970 00:00:38 radius,debug received reply for 3f:22 
jan/02/1970 00:00:38 hotspot,info,debug 00:12:17:95:6E:B6 (10.11.12.254): login failed: Your Account '00:12:17:95:6E:B6' is Inactive 
jan/02/1970 00:00:41 radius,debug sending 05:00 to 66.xx.xx.xx:1813 
jan/02/1970 00:00:41 radius,debug,packet sending Accounting-Request with id 5 to 66.xx.xx.xx:1813 
jan/02/1970 00:00:41 radius,debug,packet     Signature = 0x1e07a3928be46100c561762bd56aac98 
jan/02/1970 00:00:41 radius,debug,packet     Acct-Status-Type = 7 
jan/02/1970 00:00:41 radius,debug,packet     NAS-Identifier = "MikroTik" 
jan/02/1970 00:00:41 radius,debug,packet     NAS-IP-Address = 172.17.0.55 
jan/02/1970 00:00:41 radius,debug,packet     Acct-Delay-Time = 0 
jan/02/1970 00:00:41 radius,debug,packet received Accounting-Response with id 5 from 66.xx.xx.xx:1813 
jan/02/1970 00:00:41 radius,debug,packet     Signature = 0xe4e2c80933f4d3a877e5b8cbb2dc10db 
jan/02/1970 00:00:41 radius,debug received reply for 05:00

Now look at the Reply-Message from radius server and then a couple lines down in the hotspot, info, debug also says it for hotspot.. problem is… it’s not making it into the page for the $error variable

The radius server end does not seem to be the challenge. Even your log shows that. The Reply-Message is being sent back. It is apparent the problem is in the router. It works here with the cookie login. I would create a supout.rif file and email it to support (at) mikrotik.com.

Also tried it on version 4.6 and 3.18 to no avail.

Official response from support is.

“Currently it is not possible to display error on the login page, why MAC-address authentication is failed.”

So my question is: Is it possible to write a script that pulls the error out of the log of the box and display it to the user?

Example: Write a script that greps the log for that particular user’s MAC address and prints the line to the web page that grep matches.
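
One way to do what the last post asks, as an added example that is not part of the thread and is not MikroTik code. It assumes the router's hotspot log is forwarded to a separate host (for example by remote syslog) where an external portal page can read it; the function names and the `login-error` class are hypothetical. The message is HTML-escaped because the Reply-Message and the user name quoted in it originate outside the page.

```python
import html
import re

# Matches RouterOS hotspot failure lines in the form shown in the thread's log:
#   <time> hotspot,info,debug <user> (<ip>): login failed: <message>
FAILED = re.compile(
    r"hotspot,info,debug\s+(?P<user>\S+)\s+\((?P<ip>[^)]*)\):"
    r"\s+login failed:\s*(?P<msg>.*?)\s*$"
)
MAC = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$")


def last_failure(log_lines, mac):
    """Return the most recent 'login failed' message for this MAC, or None."""
    mac = mac.strip().upper()
    if not MAC.match(mac):
        # Refuse anything that is not a MAC before using it as a lookup key.
        raise ValueError("not a MAC address")
    found = None
    for line in log_lines:
        m = FAILED.search(line)
        if m and m.group("user").upper() == mac:
            found = m.group("msg")  # keep overwriting so the last match wins
    return found


def render(message):
    """HTML fragment for the splash page; the message is treated as untrusted text."""
    if message is None:
        return ""
    return '<div class="login-error">' + html.escape(message) + "</div>"


# Constructed sample input, modelled on the log lines quoted in the thread.
SAMPLE_LOG = [
    "jan/02/1970 00:00:38 hotspot,info,debug 00:12:17:95:6E:B6 (10.11.12.254): trying to log in by mac",
    "jan/02/1970 00:00:38 radius,debug,packet     Reply-Message = \"Your Account '00:12:17:95:6E:B6' is Inactive\"",
    "jan/02/1970 00:00:38 hotspot,info,debug 00:12:17:95:6E:B6 (10.11.12.254): login failed: Your Account '00:12:17:95:6E:B6' is Inactive ",
    "10:41:54 hotspot,info,debug 00:15:6D:D4:4A:43 (10.11.12.7): login failed: <b>over limit</b>",
]

if __name__ == "__main__":
    for mac in ("00:12:17:95:6e:b6", "00:15:6D:D4:4A:43"):
        print(mac, "->", render(last_failure(SAMPLE_LOG, mac)))
```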