Hello,

I noticed that in Winbox you can set an uptime limit in hotspot so the user is disconnected after a period of time.

The issue is that it doesn’t seem to be writing them to Radius. It keeps them locally.
I do know that Radius is working becuase when I add a user using Radius Manager (3rd party web interface for freeradius) it works, it even disconnects them once they have downloaded their limit.

In the AAA tab for winbox/hotspot I have checked the “use Radius” and “accounting” boxes, I also added a 1 min update, but still no go.

Can anyone tell me why when I enter the users in winbox they are not talking to Radius ?

Thx !

I assume you set up your freeradius server to authenticate your users from MySQL or PostgreSQL.
Did you set up you sql.conf enabling accounting with INSERT and UPDATE queries and did you enable accounting in your radiusd.conf file?
Also check if you do not block/firewall out port 1813/udp on your radius server which allows it to gather accounting info from your NAS server.

Hi Yazzy

That’s correct it uses mysql.

Here is the sql.conf

======================

Configuration for the SQL module, when using MySQL.

The database schema is available at:

src/radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql

If you are using PostgreSQL, please use ‘postgresql.conf’, instead.

If you are using Oracle, please use ‘oracle.conf’, instead.

If you are using MS-SQL, please use ‘mssql.conf’, instead.

$Id: sql.conf,v 1.41.2.1 2004/06/10 00:45:01 phampson Exp $

sql {

Database type

Current supported are: rlm_sql_mysql, rlm_sql_postgresql,

rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds

driver = “rlm_sql_mysql”

Connect info

server = “localhost”
login = “xxxxx”
password = “xxxxx”

Database table configuration

radius_db = “xxxxx”

If you want both stop and start records logged to the

same SQL table, leave this as is. If you want them in

different tables, put the start table in acct_table1

and stop table in acct_table2

acct_table1 = “radacct”
acct_table2 = “radacct”

Allow for storing data after authentication

postauth_table = “radpostauth”

authcheck_table = “radcheck”
authreply_table = “radreply”

groupcheck_table = “radgroupcheck”
groupreply_table = “radgroupreply”

usergroup_table = “usergroup”

Remove stale session if checkrad does not see a double login

deletestalesessions = yes

Print all SQL statements when in debug mode (-x)

sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql

number of sql connections to make to server

num_sql_socks = 5

number of seconds to dely retrying on a failed database

connection (per_socket)

connect_failure_retry_delay = 60

Safe characters list for sql queries. Everything else is replaced

with their mime-encoded equivalents.

The default list should be ok

#safe-characters = “@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /”

#######################################################################

Query config: Username

#######################################################################

This is the username that will get substituted, escaped, and added

as attribute ‘SQL-User-Name’. ‘%{SQL-User-Name}’ should be used below

everywhere a username substitution is needed so you you can be sure

the username passed from the client is escaped properly.

Uncomment the next line, if you want the sql_user_name to mean:

Use Stripped-User-Name, if it’s there.

Else use User-Name, if it’s there,

Else use hard-coded string “DEFAULT” as the user name.

#sql_user_name = “%{Stripped-User-Name:-%{User-Name:-DEFAULT}}”

sql_user_name = “%{User-Name}”

#######################################################################

Default profile

#######################################################################

This is the default profile. It is found in SQL by group membership.

That means that this profile must be a member of at least one group

which will contain the corresponding check and reply items.

This profile will be queried in the authorize section for every user.

The point is to assign all users a default profile without having to

manually add each one to a group that will contain the profile.

The SQL module will also honor the User-Profile attribute. This

attribute can be set anywhere in the authorize section (ie the users

file). It is found exactly as the default profile is found.

If it is set then it will overwrite the default profile setting.

The idea is to select profiles based on checks on the incoming packets,

not on user group membership. For example:

– users file –

DEFAULT Service-Type == Outbound-User, User-Profile := “outbound”

DEFAULT Service-Type == Framed-User, User-Profile := “framed”

By default the default_user_profile is not set

#default_user_profile = “DEFAULT”

Determines if we will query the default_user_profile or the User-Profile

if the user is not found. If the profile is found then we consider the user

found. By default this is set to ‘no’.

#query_on_not_found = no


#######################################################################

Authorization Queries

#######################################################################

These queries compare the check items for the user

in ${authcheck_table} and setup the reply items in

${authreply_table}. You can use any query/tables

you want, but the return data for each row MUST

be in the following order:

0. Row ID (currently unused)

1. UserName/GroupName

2. Item Attr Name

3. Item Attr Value

4. Item Attr Operation

#######################################################################

Use these for case sensitive usernames. WARNING: Slower queries!

authorize_check_query = “SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE STRCMP(Username, ‘%{SQL-User-Name}’) = 0 ORDER BY id”

authorize_reply_query = “SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE STRCMP(Username, ‘%{SQL-User-Name}’) = 0 ORDER BY id”

authorize_check_query = “SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = ‘%{SQL-User-Name}’ ORDER BY id”
authorize_reply_query = “SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = ‘%{SQL-User-Name}’ ORDER BY id”

Use these for case sensitive usernames. WANRING: Slower queries!

authorize_group_check_query = “SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE STRCMP(${usergroup_table}.Username, ‘%{SQL-User-Name}’) = 0 AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id”

authorize_group_reply_query = “SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE STRCMP(${usergroup_table}.Username, ‘%{SQL-User-Name}’) = 0 AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id”

authorize_group_check_query = “SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = ‘%{SQL-User-Name}’ AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id”
authorize_group_reply_query = “SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = ‘%{SQL-User-Name}’ AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id”


#######################################################################

Accounting Queries

#######################################################################

accounting_onoff_query - query for Accounting On/Off packets

accounting_update_query - query for Accounting update packets

accounting_update_query_alt - query for Accounting update packets

(alternate in case first query fails)

accounting_start_query - query for Accounting start packets

accounting_start_query_alt - query for Accounting start packets

(alternate in case first query fails)

accounting_stop_query - query for Accounting stop packets

accounting_stop_query_alt - query for Accounting start packets

(alternate in case first query doesn’t

affect any existing rows in the table)

#######################################################################
accounting_onoff_query = “UPDATE ${acct_table1} SET AcctStopTime=‘%S’, AcctSessionTime=unix_timestamp(‘%S’) - unix_timestamp(AcctStartTime), AcctTerminateCause=‘%{Acct-Terminate-Cause}’, AcctStopDelay = ‘%{Acct-Delay-Time}’ WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= ‘%{NAS-IP-Address}’ AND AcctStartTime <= ‘%S’”

accounting_update_query = “UPDATE ${acct_table1}
SET FramedIPAddress = ‘%{Framed-IP-Address}’,
AcctSessionTime = ‘%{Acct-Session-Time}’,
AcctInputOctets = ‘%{Acct-Input-Octets}’,
AcctOutputOctets = ‘%{Acct-Output-Octets}’
WHERE AcctSessionId = ‘%{Acct-Session-Id}’
AND UserName = ‘%{SQL-User-Name}’
AND NASIPAddress= ‘%{NAS-IP-Address}’”

accounting_update_query_alt = “INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values(‘%{Acct-Session-Id}’, ‘%{Acct-Unique-Session-Id}’, ‘%{SQL-User-Name}’, ‘%{Realm}’, ‘%{NAS-IP-Address}’, ‘%{NAS-Port}’, ‘%{NAS-Port-Type}’, DATE_SUB(‘%S’,INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), ‘%{Acct-Session-Time}’, ‘%{Acct-Authentic}’, ‘’, ‘%{Acct-Input-Octets}’, ‘%{Acct-Output-Octets}’, ‘%{Called-Station-Id}’, ‘%{Calling-Station-Id}’, ‘%{Service-Type}’, ‘%{Framed-Protocol}’, ‘%{Framed-IP-Address}’, ‘0’)”

accounting_start_query = “INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values(‘%{Acct-Session-Id}’, ‘%{Acct-Unique-Session-Id}’, ‘%{SQL-User-Name}’, ‘%{Realm}’, ‘%{NAS-IP-Address}’, ‘%{NAS-Port}’, ‘%{NAS-Port-Type}’, ‘%S’, ‘0’, ‘0’, ‘%{Acct-Authentic}’, ‘%{Connect-Info}’, ‘’, ‘0’, ‘0’, ‘%{Called-Station-Id}’, ‘%{Calling-Station-Id}’, ‘’, ‘%{Service-Type}’, ‘%{Framed-Protocol}’, ‘%{Framed-IP-Address}’, ‘%{Acct-Delay-Time}’, ‘0’)”

accounting_start_query_alt = “UPDATE ${acct_table1} SET AcctStartTime = ‘%S’, AcctStartDelay = ‘%{Acct-Delay-Time}’, ConnectInfo_start = ‘%{Connect-Info}’ WHERE AcctSessionId = ‘%{Acct-Session-Id}’ AND UserName = ‘%{SQL-User-Name}’ AND NASIPAddress = ‘%{NAS-IP-Address}’”

accounting_stop_query = “UPDATE ${acct_table2} SET AcctStopTime = ‘%S’, AcctSessionTime = ‘%{Acct-Session-Time}’, AcctInputOctets = ‘%{Acct-Input-Octets}’, AcctOutputOctets = ‘%{Acct-Output-Octets}’, AcctTerminateCause = ‘%{Acct-Terminate-Cause}’, AcctStopDelay = ‘%{Acct-Delay-Time}’, ConnectInfo_stop = ‘%{Connect-Info}’ WHERE AcctSessionId = ‘%{Acct-Session-Id}’ AND UserName = ‘%{SQL-User-Name}’ AND NASIPAddress = ‘%{NAS-IP-Address}’”

accounting_stop_query_alt = “INSERT into ${acct_table2} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values(‘%{Acct-Session-Id}’, ‘%{Acct-Unique-Session-Id}’, ‘%{SQL-User-Name}’, ‘%{Realm}’, ‘%{NAS-IP-Address}’, ‘%{NAS-Port}’, ‘%{NAS-Port-Type}’, DATE_SUB(‘%S’, INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), ‘%S’, ‘%{Acct-Session-Time}’, ‘%{Acct-Authentic}’, ‘’, ‘%{Connect-Info}’, ‘%{Acct-Input-Octets}’, ‘%{Acct-Output-Octets}’, ‘%{Called-Station-Id}’, ‘%{Calling-Station-Id}’, ‘%{Acct-Terminate-Cause}’, ‘%{Service-Type}’, ‘%{Framed-Protocol}’, ‘%{Framed-IP-Address}’, ‘0’, ‘%{Acct-Delay-Time}’)”

#######################################################################

Simultaneous Use Checking Queries

#######################################################################

simul_count_query - query for the number of current connections

- If this is not defined, no simultaneouls use checking

- will be performed by this module instance

simul_verify_query - query to return details of current connections for verification

- Leave blank or commented out to disable verification step

- Note that the returned field order should not be changed.

#######################################################################

Uncomment simul_count_query to enable simultaneous use checking

simul_count_query = “SELECT COUNT(*) FROM ${acct_table1} WHERE UserName=‘%{SQL-User-Name}’ AND AcctStopTime = 0”

simul_verify_query = “SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName=‘%{SQL-User-Name}’ AND AcctStopTime = 0”

#######################################################################

Group Membership Queries

#######################################################################

group_membership_query - Check user group membership

#######################################################################

group_membership_query = “SELECT GroupName FROM ${usergroup_table} WHERE UserName=‘%{SQL-User-Name}’”

#######################################################################

Authentication Logging Queries

#######################################################################

postauth_query - Insert some info after authentication

#######################################################################

postauth_query = “INSERT into ${postauth_table} (id, user, pass, reply, date) values (‘’, ‘%{User-Name}’, ‘%{User-Password:-Chap-Password}’, ‘%{reply:Packet-Type}’, NOW())”

Set to ‘yes’ to read radius clients from the database (‘nas’ table)

#readclients = yes
}

====================

I think I have, whereabouts is it set ?

and in the radiusd.conf

I enabled SQL in the 2 sections, accounting authorisation as stated in the freeradius doco.

Your sql.conf seems fine.
Did you try to run your radius server in debugging mode and see what happens when you run radtest against it?

Try to run that on your radius server:
radtest user@example.tdl user_password 127.0.0.1 1812 radius_password 127.0.0.1
And fire up radius with -xxyzsf -l stdout flags for debugging.

You can also login to your MySQL database and check the status of the accounting table:

mysql -u username -p radius_database

Enter password:
select * from radacct where UserName=‘user@example.tdl’ ORDER BY AcctStartTime;

user@example.tdl can be just user depending on how you store your usernames.

rosst@dude:~$ radtest xxx xxx 127.0.0.1 1812 xxxxx 127.0.0.1
Sending Access-Request of id 25 to 127.0.0.1:1812
User-Name = “xxxx”
User-Password = “xxxx”
NAS-IP-Address = dude
NAS-Port = 1812
Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=25, length=62
Reply-Message = “\r\nAccess denied (external check failed).”

\

mysql> select * from radacct where UserName=‘test’ ORDER BY AcctStartTime;
±----------±--------------±-----------------±---------±------±------------
–±-----------±------------±--------------------±--------------------±-----
-----------±--------------±------------------±-----------------±------------
----±-----------------±------------------±------------------±---------------
----±------------±---------------±----------------±---------------±--------
------+
| RadAcctId | AcctSessionId | AcctUniqueId | UserName | Realm | NASIPAddress
| NASPortId | NASPortType | AcctStartTime | AcctStopTime | AcctS
essionTime | AcctAuthentic | ConnectInfo_start | ConnectInfo_stop | AcctInputOct
ets | AcctOutputOctets | CalledStationId | CallingStationId | AcctTerminateCa
use | ServiceType | FramedProtocol | FramedIPAddress | AcctStartDelay | AcctStop
Delay |
±----------±--------------±-----------------±---------±------±------------
–±-----------±------------±--------------------±--------------------±-----
-----------±--------------±------------------±-----------------±------------
----±-----------------±------------------±------------------±---------------
----±------------±---------------±----------------±---------------±--------
------+
| 1 | 8030000c | 18e79c58fe99b572 | test | | 202.0.155.17
3 | 2147483647 | Ethernet | 2005-01-17 11:54:27 | 2005-01-17 11:56:00 |
84 | | | | 116
171 | 2166736 | 00:0C:42:03:2A:42 | 00:0F:1F:DE:80:B5 | NAS-Request
| | | 192.168.20.199 | 0 |
0 |
| 2 | 80300014 | 224e357025b282fb | test | | 202.0.155.17
3 | 2147483647 | Ethernet | 2005-01-17 11:57:13 | 2005-01-17 11:57:13 |
0 | | | |
0 | 0 | 00:0C:42:03:2A:42 | 00:0F:1F:DE:80:B5 |
| | | 192.168.20.199 | 0 |
0 |
±----------±--------------±-----------------±---------±------±------------
–±-----------±------------±--------------------±--------------------±-----
-----------±--------------±------------------±-----------------±------------
----±-----------------±------------------±------------------±---------------
----±------------±---------------±----------------±---------------±--------
------+
2 rows in set (0.00 sec)


not sure what that all means
…

btw that test user was made using radius manager.

First of all, allow 127.0.0.1 in clients.conf or the IP of your local interface and use it to connect to the radius server with radtest.
radtest xxx xxx 202.0.155.17 1812 xxxxx 202.0.155.17
could work.
Then check if you get an answer back from your radius server.
Then login and logout with a ppp client and check the sql table and see if your accounting info got updated.

I suggest you to read the docs as you obviously still have a long way to go…
Also browse the Freeradius mailinglist for the answer.
The FrerRadius mailinglist is a more proper place to ask questions about stuff like that.
And for the future, please don’t paste in all that irrelevant info here as it makes it difficult or even cumbersome to read…

And remember to firewall out your radius server and allow it only from certain IPs.

thx for the tips.

seems to be Exec-Program-Wait issue. If you’re using one check whether the script you are running during authorization process is returning valid values.

Edgars

You’ll need to setup radius to handle the uptime limit by calculating remaining time and sending a session timeout to mikrotik.

With the local user database you won’t get any data sent to radius!

Which radius server?

freeradius

What are you trying to achieve? Users with a fixed total login time? (As in prepaid cards?)

basically simple hotspot functionality.
kinda like prepaid cards yes.


User connects to network
gets IP address
opens browser and gets redirected to a webpage
either log in or pay by CC (only in timelimits, not data)

The reason for the original question was that I noticed when using winbox that you can add a hotspot user with a timelimit.
What I didn’t understand is why the user added by Winbox was not showing up in Radius and vice versa.
I am 100% sure that the Radius server is working 100%, becuase I can add a user via Radius Manager, and that user can login using the mikrotik hotspot page and they get disconnected once they use their MB’s up.

So basically want to automate it all, for a hotel.

but wait - if you added the user with winbox, right?, then this has nothing to do with radius … the user is in the router’s local database. local database and radius database are two different things, they are not being syncronised.

this is what I see now yes, but when adding a user by winbox it gives me the option of specifying a time, I don’t know how to do this with Radius (radius manager has no option either), I was hoping they would syncronise somehow.

you CAN do it in the hotspot manager: http://moon.mt.lv/radius/

when adding the user you can set total uptime there

but how will payments work ?
How would our webpage put in a user automatically inot to the Hotspot manager ?

Will the MT’s use that Radius server instead ?

confusing

http://www.mikrotik.com/hotspot.html

Just reading thru that documentation, it looks like exactly what we need.
WIll it be made available so we can host it sometime soon ?

In the documentation it doesn’t say anything about automating it though.

it is already online and working. make an account and create your users and hosts.

webpage with all info is on your router, that you can customize to what you want.

automating is a different topic, we don’t provide billing with this system, only manual adding and managing of users.