RADIUS MikroTik-Rate-Limit and Static IP Addressing

ktw-matt · Fri Jan 26, 2007 7:19 pm

Hi all,

We're already using RADIUS and the MikroTik-Rate-Limit attribute for DHCP customers, but I'm curious if you can rig up RouterOS to do this with static IP customers.. something like this:

Packet comes in on wlan1 (for instance) on the forward chain. The MAC address associated with this packet gets sent to the RADIUS server.
Then...

if (radius_reply == ok)
{
  rate_limit = radius_reply[1]; // for example
  if (static_ip is_not_found_in simple_queue_list)
    add simple queue using rate_limit
  elseif (static_ip is_found_in simple_queue_list)
    check and update, if necessary, the simple queue's rate_limit
}
else
{
  add firewall rule(s) to block their IP on the forward chain.
}

I hope that makes sense. If possible, I want the same level of control for static IP customers, that we have with DHCP customers.

All suggestions are welcome.

wildbill442 · Fri Jan 26, 2007 7:51 pm

I thought I had something for you, but after re-reading my post, it wouldn't work.. (delete post)

savage · Fri Jan 26, 2007 10:01 pm

You should be able to get Radius itself to implement this via something like SSH on the MT via rlm_perl or rlm_exec...

Will be a highly customised auth server though. I don't think you can do this with MT / standard radius itself...

conchalnet · Tue Jan 30, 2007 1:14 am

HI ktw-matt,

did you find a solution to this problem? I want the same: limit the customers speed when the client is associated to my ap and the mac is authenticaded via radius but the interface has a fixed IP address.

Regards,

Fabrício F.: Kammer

ktw-matt · Mon Feb 12, 2007 11:01 pm

I've asked about this kind of thing before, and the obvious solution is to use DHCP and give out static leases, but this seems a bit unnatural. However, by doing so, it would simplify IP assignment and configuration... not to mention the ability to automatically Rate-Limit static IP customers.

Currently, a static IP on portions of our network require: a manual ARP entry in the router, a manual simple queue entry, and of course getting their client device configured to use the assigned IP, subnet, and default gateway.

On the up-side, we don't have too many static IP customers, but that still doesn't justify all the manual modifications that need to be made.

One other possibility: When RouterOS 3.0 comes out, we can make use of the RouterOS API from our customer database application. (Or is the API already available in 2.9.x?)

conchalnet · Tue Feb 13, 2007 1:27 pm

Hi ktw-matt,

I use static IP addresses on all my customers, but I want to concentrate all the informations on the same place to give more security and facility do make de backups.

I'm waiting the API for a long time too... It will be great.

Regards

jonmansey · Sun Feb 18, 2007 10:51 pm

what about using PPPOE? using radius to assign static IP and rate-limit to customers as they authenticate, you can sell them encrypted link also

jm

conchalnet · Mon Feb 19, 2007 1:16 pm

jonmansey,

Hi, I can't use pppoe in my customers, first because I'll have to change all customers configurations, what is a lot of work and second because I've a compromisse with my customers of "PowerOn the computer and start to browser the internet".

Today I do the simples queues by hand. I just want to do this automatically, with out open the Winbox and create the simple queues.

Regards

RADIUS MikroTik-Rate-Limit and Static IP Addressing

RADIUS MikroTik-Rate-Limit and Static IP Addressing

Who is online