User-Manager Radius Timeout problem

Hi all,

I have a setup that was on another router, the router is not 100% and needed replacing. I have since replaced it with another router, and taken the exact same setup to the new router.

I now have a problem with radius authentication, all local radius requests from the router with userman installed get radius timeout response both on hotspot and pppoe connections, but other mikrotik devices are able to authenticate on the exact same router.

I have had this problem once before, where the mikrotik rb600 with v3.30 installed, would not authenticate requests from itself, was able to correct by redoing the setup several times, but it’s not working now.

I have attached an export
exported.rsc (29.6 KB)

Instead of using your ether1 address for internal authentication, use 127.0.0.1. Also set up 127.0.0.1 as a NAS within User Manager.

I have tried this with no success. Still does the same thing!

I have the old router set up so I can match the settings; both are set up exactly the same, yet the new RB600 has radius timeout.

I can get it to work for pppoe, by removing hotspot, and ip addresses associated to the hotspot interfaces, then radius responds again.

What can cause this?

Do you have radius logging enabled?

/system logging
add topics=radius action=memory

You are certain the secret is correct?
In User Manager, the Router section for 127.0.0.1 is entered correctly?
http://wiki.mikrotik.com/wiki/User_Manager/QA/How_to_make_HotSpot_and_User_Manager_on_the_same_router

Yes, and have found the reason for it not working.

It came down to a firewall rule:

/ip/firewall/nat/

1 chain=srcnat action=masquerade

I removed the above rule and added one with src-address, and it worked, but for every network I have to add a separate rule, never had to do this before.

Discovered this by setting up each section bit by bit and checked when the failure occurs, and as soon as I included the masquerade rule without src-address, failure!

Well it’s at least working now :)

I use a masquerade like this:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

This should masquerade only when needed (out the wan interface). If ether1 is not the wan, change that.

Will try that; busy with tests at the moment, as no one is active on my network at this time of the morning, 1am.

It works to access the internet, but when I connect to wireless I can then not access the other routers on the network, only the main one.

Whereas with individual routes I can access them, and with the old way src-nat masquerade rule, when it was working like on the older routerboard, I can access all routers on the network.

Thanks.
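
A check for the rule shape discussed in this thread, added here as an example and not posted by anyone in it: it scans a RouterOS export for enabled srcnat masquerade rules that have neither an out-interface nor a src-address matcher. The sample export, the function names and the choice of which matchers count as scoping are assumptions of this example.

```python
import shlex

# Matchers this example treats as limiting a srcnat rule's scope
# (the two fixes from the thread, plus their list forms). Assumption of the example.
SCOPING = {"out-interface", "out-interface-list", "src-address", "src-address-list"}

def logical_lines(text):
    """Yield export lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def unscoped_masquerade(export_text):
    """Return enabled srcnat masquerade rules that carry no scoping matcher."""
    findings, menu = [], ""
    for line in logical_lines(export_text):
        if line.startswith("/"):
            menu = " ".join(line.split())  # current menu, e.g. "/ip firewall nat"
            continue
        if menu != "/ip firewall nat" or not line.startswith("add "):
            continue
        # shlex keeps quoted values such as comment="hotspot net" in one token
        props = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
        if (props.get("chain") == "srcnat"
                and props.get("action") == "masquerade"
                and props.get("disabled") != "yes"
                and not SCOPING & props.keys()):
            findings.append(line)
    return findings

# Constructed sample export (not the poster's exported.rsc).
SAMPLE = """\
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="hotspot net" \\
    src-address=10.5.50.0/24
add action=masquerade chain=srcnat disabled=yes
/ip firewall filter
add action=accept chain=input
"""

if __name__ == "__main__":
    for rule in unscoped_masquerade(SAMPLE):
        print("unscoped masquerade:", rule)
```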