User Manager fails to disconnect session by CoA

  • AP is hAP ac2 and wAP ac, RADIUS client is set, incoming for port 3799 is set.
  • Wireless with WLAN driver. Enterprise security (PEAP) works excellently.
  • RADIUS is User Manager in ROS 7.12

RADIUS for EAP wireless login and accounting to the User Manager on hAP ax3.
Sometimes the connection between radius client and User Manager seems to have been disturbed.
User Manager claims NAS rebooted; from then on, for all sessions that are still there and do send intermediate accounting to User Manager, User Manager in multiple attempts tries to disconnect that wireless connection, but the hAP just refuses to do it.

The workaround found so far is to (re-)enable “EAP accounting” in the security profile, which stops all open associations with the RADIUS server.
I used to disable and then enable “EAP-accounting”, but by mistake had only put the enable in the script, and that also worked.
Nr 2 in the lazy script is the actual PEAP security profile.

Workaround: run this script

:log info "SCRIPT resetting RADIUS accounting"
/interface wireless security-profiles set radius-eap-accounting=no 2
/interface wireless security-profiles set radius-eap-accounting=yes 2

Warning: disconnects all those sessions, and even triggers selecting channel with radar detect (if a DFS channel).

I never set a “Framed-IP-Address”, as after the association, another DHCP server, depending on VLAN and subnet, is leasing an IP address of that subnet.

So is it the Framed-IP-Address missing in the CoA request? https://github.com/lirantal/daloradius/commit/b3e2524220a34e6021a3d106a8c85f8171a354b4

Users associate and roam between 30 APs with the same user name on the one and only RADIUS server. For performance reasons the APs’ distributed SSID/subnets are grouped in 3 separate IP subnets.

Aha, it’s not the Framed-IP-Address. This seems to be there in RADIUS and is correct.
Still, this is only happening, and even frequently this evening, on just hAP14 (one of the 21 hAP ac2 with the same configuration, and in the same campus network).

Getting closer to the root cause? “too strong signal” … never seen before
Eventually leading to something with error-cause=406, only on that spot? I don’t see the relation with the disconnect request, unless the "too strong signal" broke the PEAP sequence.
The request came from UM indeed.

Have been fighting the placement of devices just next to the hAP ac2s this summer. Actually the travel router/hotspot/repeaters are the worst things to have on the same table as the hAP ac2.

http://forum.mikrotik.com/t/wireless-interference-between-devices-in-close-vicinity/178432/1

Well it is not the root-cause of the CoA problem, but at least a potential trigger for it.

Error cause 406 = “unsupported extension”. See: http://forum.mikrotik.com/t/406-error-when-sending-disconnect-request-to-dhcp-radius/141221/1

Not supported … must use “Unsolicited messages” … but then why is MT User Manager not doing that? https://help.mikrotik.com/docs/display/ROS/RADIUS
Where to find these “Disconnect messages” ?

Connection Terminating from RADIUS
Sub-menu: /radius incoming

This facility supports unsolicited messages sent from the RADIUS server. Unsolicited messages extend RADIUS protocol commands, that allow terminating a session that has already been connected from the RADIUS server. For this purpose, DM (Disconnect-Messages) is used. Disconnect messages cause a user session to be terminated immediately.

RouterOS doesn't support POD (Packet of Disconnect), the other RADIUS access request packet that performs a similar function as Disconnect Messages.
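
To read the NAS reply from a packet capture on port 3799 rather than from the log, the Error-Cause attribute (101) of a Disconnect-NAK can be decoded as below. This is an added example, not part of the original post or of MikroTik's code: the function names are hypothetical, the sample packet is constructed, and the Response Authenticator is not verified (that needs the shared secret).

```python
import struct

# RFC 5176 dynamic-authorization packet codes
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
# RFC 5176 Error-Cause values a NAS can return in a NAK (subset)
ERROR_CAUSES = {
    401: "Unsupported Attribute", 402: "Missing Attribute",
    403: "NAS Identification Mismatch", 404: "Invalid Request",
    405: "Unsupported Service", 406: "Unsupported Extension",
    407: "Invalid Attribute Value", 501: "Administratively Prohibited",
    503: "Session Context Not Found", 504: "Session Context Not Removable",
    506: "Resources Unavailable",
}
ERROR_CAUSE_ATTR = 101


def parse_dynauth_reply(packet: bytes) -> dict:
    """Decode code, identifier and Error-Cause from a raw RADIUS UDP payload."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the payload")
    result = {"code": CODES.get(code, f"code {code}"), "id": ident,
              "error_cause": None, "error_text": None}
    pos = 20  # attributes start after code, id, length and 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == ERROR_CAUSE_ATTR and alen == 6:
            (cause,) = struct.unpack("!I", packet[pos + 2:pos + 6])
            result["error_cause"] = cause
            result["error_text"] = ERROR_CAUSES.get(cause, "unknown")
        pos += alen
    if pos != length:
        raise ValueError("trailing bytes after last attribute")
    return result


def build_sample_nak(ident: int, cause: int) -> bytes:
    """Constructed Disconnect-NAK with a zeroed authenticator, for testing only."""
    attr = struct.pack("!BBI", ERROR_CAUSE_ATTR, 6, cause)
    return struct.pack("!BBH", 42, ident, 20 + len(attr)) + bytes(16) + attr


if __name__ == "__main__":
    print(parse_dynauth_reply(build_sample_nak(7, 406)))
```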