Wireless AP RADIUS problem

Hi,
I am using a RB951Ui-2HnD as a wireless AP using FreeRADIUS with SQL backend for authentication and accounting.
RouterOS is version 6.17, but I’ve been having the same problem with previous versions.

Authentication works OK but the problem is with accounting. The AP fails to provide the Calling-Station-Id (wifi station’s MAC address) property to the radius server in the Accounting-Request packet. So the session record in the accounting table contains an empty field for Calling-Station-Id. I need this field to do stale session cleanup, but I can’t figure out how to make the AP provide it with the Accounting-Request to the radius server.

As a matter of fact, the AP does provide Calling-Station-Id in the Access-Request packet, here’s the relevant freeradius debug log excerpt:

rad_recv: Access-Request packet from host 192.168.13.4 port 41720, id=192, length=219
  Service-Type = Framed-User
  Framed-MTU = 1400
  User-Name = "cleaver"
  NAS-Port-Id = "wlan1"
  NAS-Port-Type = Wireless-802.11
  Acct-Session-Id = "82000027"
  Acct-Multi-Session-Id = "D4-CA-6D-F6-55-C1-CC-FA-00-C6-4A-A6-82-00-00-00-00-00-00-1F"
--->>> Calling-Station-Id = "CC-FA-00-C6-4A-A6" //emphasis mine
  Called-Station-Id = "D4-CA-6D-F6-55-C1:datamax"
  EAP-Message = 0x0200000c01636c6561766572
  Message-Authenticator = 0x434e50ee2a38b4327019b1f023d7006e
  NAS-Identifier = "MikroTik"
  NAS-IP-Address = 192.168.13.4

The above shows a description of the Access-Request packet and as you can see, it does contain the Calling-Station-Id attribute. This is fine.

But here’s the debug output for the Accounting-Request sent to the radius server, where this attribute disappears:

rad_recv: Accounting-Request packet from host 192.168.13.4 port 51157, id=205, length=153
  Service-Type = Framed-User
  NAS-Port-Id = "wlan1"
  NAS-Port-Type = Wireless-802.11
  User-Name = "cleaver"
  Acct-Session-Id = "82000027"
  Acct-Multi-Session-Id = "D4-CA-6D-F6-55-C1-CC-FA-00-C6-4A-A6-82-00-00-00-00-00-00-1F"
  Acct-Authentic = RADIUS
  Acct-Status-Type = Start
  NAS-Identifier = "MikroTik"
  Acct-Delay-Time = 0
  NAS-IP-Address = 192.168.13.4

The Calling-Station-Id attribute is missing here, and that’s why it doesn’t get recorded in the accounting table where I need it to be.

This behavior is rather strange because the RouterOS documentation about radius says that:

The accounting request carries the same attributes as Access Request, plus these ones:

So the AP is expected to provide the Calling-Station-Id attribute in Accounting-Request too, but it does not. It only provides it in Access-Accept.

Is there a way to configure my routerboard so that it provides the Calling-Station-Id attribute in the Accounting-Request packet to the radius server? I really need this attribute for accounting, and according to the documentation, it should be there.

Any suggestions?

Thanks!

Hi cleaver
In the wireless authentication you are working in layer 2 of the OSI model http://en.wikipedia.org/wiki/OSI_model. In this layer, there is no IP address, but it is supposed that there is a MAC address.
And the accounting request has to represent which MAC produced the successful authentication.

I am with you, the 802.1x auth does not have the correct ‘accounting request’.

Santiago

Cleaver, I sent an email to support@mikrotik.com.
We await their response. :)

Thank you, I hope they’ll do something about this issue.

Support Mikrotik said:

Called-station-id and calling-station-id are used only in access-request attributes.

This is not really true because in MT hotspot service, the accounting works fine.
Called-station-id and calling-station-id attributes are normally stored in the database using Accounting Request. RADIUS server stores all the details of the account which is just to authenticate. It is the only way to store the MAC address of customer and NAS.

I await his reply.

Hi,
I repeatedly tested the authentication of my tablet, and the MAC address of my tablet does not appear in my FreeRADIUS DB.
In the previous post, we attached one Accounting packet for the wireless accounting.
I think it is necessary to debug the accounting request that the MT device sends to the RADIUS server. It works fine for the hotspot service.
I asked support@mikrotik.com, without a satisfactory answer.

Sincerely,
Santiago
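
An added example, not written by any poster in this thread and not MikroTik or FreeRADIUS code: a Python sketch that recovers the station MAC for each Accounting-Request in FreeRADIUS debug output by matching its Acct-Session-Id against the earlier Access-Request from the same NAS. The fallback that reads octets 7-12 of Acct-Multi-Session-Id is an assumption drawn only from the two packets quoted above, and the function names and the sample log are constructed for illustration.

```python
import re
# Constructed sample: trimmed and unwrapped from the two debug excerpts in this thread.
SAMPLE_LOG = '''\
rad_recv: Access-Request packet from host 192.168.13.4 port 41720, id=192, length=219
  Acct-Session-Id = "82000027"
  Acct-Multi-Session-Id = "D4-CA-6D-F6-55-C1-CC-FA-00-C6-4A-A6-82-00-00-00-00-00-00-1F"
  Calling-Station-Id = "CC-FA-00-C6-4A-A6"

rad_recv: Accounting-Request packet from host 192.168.13.4 port 51157, id=205, length=153
  Acct-Session-Id = "82000027"
  Acct-Multi-Session-Id = "D4-CA-6D-F6-55-C1-CC-FA-00-C6-4A-A6-82-00-00-00-00-00-00-1F"
'''

HEADER = re.compile(r"rad_recv: (\S+) packet from host (\S+)")
ATTR = re.compile(r'\s+([\w-]+) = "?([^"]*)"?\s*$')

def parse_packets(log):
    """Split FreeRADIUS debug output into one dict per rad_recv block."""
    packets = []
    for line in log.splitlines():
        header = HEADER.match(line)
        if header:
            packets.append({"Packet-Type": header.group(1), "NAS": header.group(2)})
        elif packets and (attr := ATTR.match(line)):
            packets[-1][attr.group(1)] = attr.group(2)
    return packets

def station_mac(pkt, seen):
    """Return (mac, source) for an accounting packet; (None, 'unknown') if unrecoverable."""
    if pkt.get("Calling-Station-Id"):
        return pkt["Calling-Station-Id"], "packet"
    key = (pkt["NAS"], pkt.get("Acct-Session-Id"))
    if key in seen:
        return seen[key], "access-request"
    # Assumption drawn only from this thread's logs: octets 7-12 are the station MAC.
    octets = pkt.get("Acct-Multi-Session-Id", "").split("-")
    if len(octets) >= 12:
        return "-".join(octets[6:12]), "multi-session-id"
    return None, "unknown"

def enrich_accounting(log):
    """List (Acct-Session-Id, station MAC, source) for each Accounting-Request."""
    seen, rows = {}, []
    for pkt in parse_packets(log):
        if pkt["Packet-Type"] == "Access-Request" and pkt.get("Calling-Station-Id"):
            seen[(pkt["NAS"], pkt.get("Acct-Session-Id"))] = pkt["Calling-Station-Id"]
        elif pkt["Packet-Type"] == "Accounting-Request":
            rows.append((pkt.get("Acct-Session-Id"), *station_mac(pkt, seen)))
    return rows
```

The `source` field records how each MAC was obtained, so rows recovered through the Acct-Multi-Session-Id fallback can be treated as lower confidence during stale session cleanup.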