kostil
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Freeradius PoD

Wed Feb 04, 2009 6:48 pm

hi

I've read the forum to find out how I can disconnect a user when it's needed. One method is radclient PoD.
But I have some trouble. savage wrote here that for PoD without errors I need to send to MikroTik not only User-Name

so the question: how can I take these parameters from my FreeRADIUS server and give them to my script?
 
kostil
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: Freeradius PoD

Thu Feb 05, 2009 12:29 pm

any ideas?
 
mandrade
Member Candidate
Posts: 106
Joined: Fri Sep 08, 2006 12:35 pm
Location: Brazil

Re: Freeradius PoD

Thu Feb 05, 2009 4:38 pm

Here, to disconnect a user, I use this shell script I made myself, and it works fine:
#!/bin/bash
# Usage: ./disconnect.sh <login>
# Looks the user's live session up in FreeRADIUS' radutmp (radwho -r prints the
# entry as raw comma-separated fields) and sends a Disconnect-Request (PoD) to the NAS.
SESSION=$(mktemp /tmp/tmp-derruba-XXXXXX)
PACKET=$(mktemp /tmp/packet-XXXXXX)
/usr/bin/radwho -r -i -U "$1" > "$SESSION"
LOGIN=$(cut -d, -f1 "$SESSION")      # field 1: User-Name
SESSIONID=$(cut -d, -f2 "$SESSION")  # field 2: Acct-Session-Id
NASADDR=$(cut -d, -f6 "$SESSION")    # field 6: NAS address
rm -f "$SESSION"
echo "Acct-Session-Id=$SESSIONID" > "$PACKET"
echo "User-Name=$LOGIN" >> "$PACKET"
# 1700 is the port the NAS listens on for PoD; "sharesecret" is the RADIUS shared secret
radclient -q "$NASADDR:1700" disconnect sharesecret < "$PACKET"
rm -f "$PACKET"
The only parameter passed to the script is the login name....
BR

Mauricio
Last edited by mandrade on Mon Feb 09, 2009 1:22 pm, edited 1 time in total.
 
kostil
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: Freeradius PoD

Fri Feb 06, 2009 6:39 pm

thanks so much!
it works, I've modified it for my own needs.
it disconnects users fine, but I still have an error message from MikroTik
rad_recv: Disconnect-ACK packet from host 10.100.1.31 port 3799, id=17, length=33
rad_verify: Received Disconnect-ACK packet from client 10.100.1.31 port 3799 with invalid signature (err=2)!  (Shared secret is incorrect.)
and then
rad_recv: Disconnect-NAK packet from host 10.100.1.31 port 3799, id=17, length=39
rad_verify: Received Disconnect-NAK packet from client 10.100.1.31 port 3799 with invalid signature (err=2)!  (Shared secret is incorrect.)
here are the parameters for radclient which I used
        User-Name = "test_user"
        Acct-Session-Id = "811030a8"
        NAS-IP-Address = 10.100.1.31
        NAS-Port = 34857
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.16.32.45

how can I fix this error?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Freeradius PoD

Sat Feb 07, 2009 11:20 am

maybe, in
cat /tmp/packet-$LOGIN.txt | radclient -q $NASADDR:1700 disconnect w36rpztp
w36rpztp should be your shared secret? mandrade, change your secret if you did not change it when you copy-pasted your script =)
 
kostil
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: Freeradius PoD

Sat Feb 07, 2009 12:57 pm

if you look carefully at what I'm talking about you'll see this
rad_recv: Disconnect-ACK packet from host 10.100.1.31 port 3799, id=17, length=33
rad_verify: Received Disconnect-ACK packet from client 10.100.1.31 port 3799 with invalid signature (err=2)!  (Shared secret is incorrect.)
and how do you think the NAS could send Disconnect-ACK first if I had tried to use the wrong radius secret?

in my MikroTik debug log I saw this
Feb  6 18:50:22 radius,debug,packet received Disconnect-Request with id 14 from billing:61589
Feb  6 18:50:22 radius,debug,packet     Signature = 0x326061c93a16e745419ee36312d048b8
Feb  6 18:50:22 radius,debug,packet     User-Name = \"test_user\"
Feb  6 18:50:22 radius,debug,packet     Acct-Session-Id = \"811030a8\"
Feb  6 18:50:22 radius,debug,packet     NAS-IP-Address = 10.100.1.31
Feb  6 18:50:22 radius,debug,packet     NAS-Port = 34857
Feb  6 18:50:22 radius,debug,packet     Service-Type = 2
Feb  6 18:50:22 radius,debug,packet     Framed-Protocol = 1
Feb  6 18:50:22 radius,debug,packet     Framed-IP-Address = 172.16.32.45
Feb  6 18:50:22 radius,debug received remote request 101 code=Disconnect-Request from billing:61589
.....
Feb  6 18:50:22 radius,debug sending Disconnect-ACK to remote request 101
Feb  6 18:50:22 radius,debug,packet sending Disconnect-ACK with id 14 to billing:61589
Feb  6 18:50:22 radius,debug,packet     Signature = 0xc11492017056563ffdf4c4b1ac476718
Feb  6 18:50:22 radius,debug,packet     NAS-Identifier = \"NAS18\"
Feb  6 18:50:22 radius,debug,packet     NAS-IP-Address = 10.100.1.31
maybe the trouble is in this signature?
Feb  6 18:50:22 radius,debug,packet     Signature = 0x326061c93a16e745419ee36312d048b8
Feb  6 18:50:22 radius,debug,packet     Signature = 0xc11492017056563ffdf4c4b1ac476718
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Freeradius PoD

Sun Feb 08, 2009 12:07 pm

no, signature is unique for every request
 
mandrade
Member Candidate
Posts: 106
Joined: Fri Sep 08, 2006 12:35 pm
Location: Brazil

Re: Freeradius PoD

Mon Feb 09, 2009 1:23 pm

maybe, in
cat /tmp/packet-$LOGIN.txt | radclient -q $NASADDR:1700 disconnect w36rpztp
w36rpztp should be your shared secret? mandrade, change your secret if you did not change it when you copy-pasted your script =)

I changed my secret when pasting it here, I just didn't explain that.. ;)

BR
 
kostil
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: Freeradius PoD

Mon Feb 09, 2009 6:35 pm

so, any ideas about the mistake?
 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Freeradius PoD

Thu Feb 12, 2009 1:27 pm

framed-protocol = 1 ??? service-type = 2???

Uhm, as far as the RFC goes, these things have pretty set and fixed values... I suggest you see why you are not sending the correct values to your NAS...
 
kostil
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: Freeradius PoD

Thu Feb 12, 2009 5:57 pm

I tried to remove these parameters from the request but without result

User-Name = "test_user"
Acct-Session-Id = "811030a8"
NAS-IP-Address = 10.100.1.31
NAS-Port = 34857
Framed-IP-Address = 172.16.32.45


it's all the same
 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Freeradius PoD

Fri Feb 13, 2009 8:39 am

When the PPP user is online:
1) Send info of /ppp active print where name=...
2) Send the Radius ACCOUNTING data for the ACTIVE ppp session (if you are using mysql, select * from radacct where ... )
3) Send the details of the Disconnect message as you would send it to MT

I suspect you are thumb sucking these values, and not using the correct values like you should
 
kostil
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: Freeradius PoD

Mon Feb 16, 2009 11:46 am

MikroTik NAS output
/ppp active print detail where name=user_test
Flags: R - radius 
 0 R name="user_test" service=pppoe caller-id="00:17:59:E6:BD:9F" address=172.16.32.45 uptime=1m33s encoding="" session-id=0x8140763A limit-bytes-in=0 
     limit-bytes-out=0 
radius server output. My accounting data is in radutmp.
# radwho -RU user_test
User-Name = "user_test"
Acct-Session-Id = "8140763a"
NAS-IP-Address = 10.100.1.31
NAS-Port = 40878
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.32.45
Acct-Session-Time = 25
Calling-Station-Id = "00:17:59:E6:BD:"

# cat pod
User-Name = "user_test"
Acct-Session-Id = "8140763a"
NAS-IP-Address = 10.100.1.31
NAS-Port = 40878
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.32.45

# cat pod | radclient -x 10.100.1.31:3799 disconnect mysecret
Sending Disconnect-Request of id 98 to 10.100.1.31 port 3799
        User-Name = "user_test"
        Acct-Session-Id = "8140763a"
        NAS-IP-Address = 10.100.1.31
        NAS-Port = 40878
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.16.32.45
rad_recv: Disconnect-ACK packet from host 10.100.1.31 port 3799, id=98, length=33
rad_verify: Received Disconnect-ACK packet from client 10.100.1.31 port 3799 with invalid signature (err=2)!  (Shared secret is incorrect.)
Sending Disconnect-Request of id 98 to 10.100.1.31 port 3799
        User-Name = "user_test"
        Acct-Session-Id = "8140763a"
        NAS-IP-Address = 10.100.1.31
        NAS-Port = 40878
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.16.32.45
rad_recv: Disconnect-NAK packet from host 10.100.1.31 port 3799, id=98, length=39
rad_verify: Received Disconnect-NAK packet from client 10.100.1.31 port 3799 with invalid signature (err=2)!  (Shared secret is incorrect.)
Sending Disconnect-Request of id 98 to 10.100.1.31 port 3799
        User-Name = "user_test"
        Acct-Session-Id = "8140763a"
        NAS-IP-Address = 10.100.1.31
        NAS-Port = 40878
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.16.32.45
rad_recv: Disconnect-NAK packet from host 10.100.1.31 port 3799, id=98, length=39
rad_verify: Received Disconnect-NAK packet from client 10.100.1.31 port 3799 with invalid signature (err=2)!  (Shared secret is incorrect.)
Sending Disconnect-Request of id 98 to 10.100.1.31 port 3799
        User-Name = "user_test"
        Acct-Session-Id = "8140763a"
        NAS-IP-Address = 10.100.1.31
        NAS-Port = 40878
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.16.32.45
rad_recv: Disconnect-NAK packet from host 10.100.1.31 port 3799, id=98, length=39
rad_verify: Received Disconnect-NAK packet from client 10.100.1.31 port 3799 with invalid signature (err=2)!  (Shared secret is incorrect.)

counters from mikrotik
/radius incoming monitor once 
requests: 4
bad-requests: 0
acks: 1
naks: 3
and the radius log from nas
Feb 16 12:26:38 radius,debug,packet received Disconnect-Request with id 98 from radius-server:49202
Feb 16 12:26:38 radius,debug,packet     Signature = 0x03e6aab96f7e5d928b0e52cf96b21d33
Feb 16 12:26:38 radius,debug,packet     User-Name = \"user_test\"
Feb 16 12:26:38 radius,debug,packet     Acct-Session-Id = \"8140763a\"
Feb 16 12:26:38 radius,debug,packet     NAS-IP-Address = 10.100.1.31
Feb 16 12:26:38 radius,debug,packet     NAS-Port = 40878
Feb 16 12:26:38 radius,debug,packet     Service-Type = 2
Feb 16 12:26:38 radius,debug,packet     Framed-Protocol = 1
Feb 16 12:26:38 radius,debug,packet     Framed-IP-Address = 172.16.32.45
Feb 16 12:26:38 radius,debug received remote request 1 code=Disconnect-Request from radius-server:49202
....
Feb 16 12:26:38 radius,debug sending Disconnect-ACK to remote request 1
Feb 16 12:26:38 radius,debug,packet sending Disconnect-ACK with id 98 to radius-server:49202
Feb 16 12:26:38 radius,debug,packet     Signature = 0xe29af2318ea8d10fa4dd32bd113630df
Feb 16 12:26:38 radius,debug,packet     NAS-Identifier = \"NAS19\"
Feb 16 12:26:38 radius,debug,packet     NAS-IP-Address = 10.100.1.31
....
Feb 16 12:26:41 radius,debug,packet received Disconnect-Request with id 98 from radius-server:49202
Feb 16 12:26:41 radius,debug,packet     Signature = 0x03e6aab96f7e5d928b0e52cf96b21d33
Feb 16 12:26:41 radius,debug,packet     User-Name = \"user_test\"
Feb 16 12:26:41 radius,debug,packet     Acct-Session-Id = \"8140763a\"
Feb 16 12:26:41 radius,debug,packet     NAS-IP-Address = 10.100.1.31
Feb 16 12:26:41 radius,debug,packet     NAS-Port = 40878
Feb 16 12:26:41 radius,debug,packet     Service-Type = 2
Feb 16 12:26:41 radius,debug,packet     Framed-Protocol = 1
Feb 16 12:26:41 radius,debug,packet     Framed-IP-Address = 172.16.32.45
Feb 16 12:26:41 radius,debug received remote request 2 code=Disconnect-Request from radius-server:49202
Feb 16 12:26:41 radius,debug sending Disconnect-NAK to remote request 2
Feb 16 12:26:41 radius,debug,packet sending Disconnect-NAK with id 98 to radius-server:49202
Feb 16 12:26:41 radius,debug,packet     Signature = 0x8357807fedd43d4c116526446fa95f44
Feb 16 12:26:41 radius,debug,packet     Error-Cause = 503
Feb 16 12:26:41 radius,debug,packet     NAS-Identifier = \"NAS19\"
Feb 16 12:26:41 radius,debug,packet     NAS-IP-Address = 10.100.1.31
 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Freeradius PoD

Mon Feb 16, 2009 2:49 pm

Hi,

There are a few things here that don't add up to me and that don't make sense...

- Your radclient, when you send the disconnect request, reports an invalid signature (incorrect shared secret), yet your MT accepts the request? I don't get this. When the shared secret is incorrect, your NAS will not understand the request at all.
- Looking at the MT logs, it still doesn't make sense to me that MT would see Service-Type = 2 and Framed-Protocol = 1. Granted, this looks to me like an issue in MT (Normis?)
- In terms of the error returned by MT (see point 2 above), Error-Cause 503 = Session Context Not Found as per draft-chiba-radius-dynauthor-ext-01 for RFC3576.

I am suspecting that MT does not see the disconnect message as valid because it cannot identify the session you are trying to terminate. I am willing to bet some very personal body parts on the fact that this is because of the Service-Type = 2 and Framed-Protocol = 1... There's no reason IMHO why MT should see the attributes as your logs indicate
 
kostil
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: Freeradius PoD

Mon Feb 16, 2009 3:07 pm

my radclient shared secret is right, and one fact confirms it. if you look carefully you can see that the first disconnect message's reply is Disconnect-ACK and the user was successfully kicked from the NAS, but in the answer there is still an error message, and the radclient retry requests get Disconnect-NAK with error 503 starting from the second retry, because the user was already kicked by the first request.
why can the first reply be an error for radclient, but OK for MikroTik? (Normis?)

P.S. I've tried to exclude Service-Type = 2 and Framed-Protocol = 1 but the result was all the same.
 
kostil
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: Freeradius PoD

Tue Feb 17, 2009 4:26 pm

I upgraded my radius from 2.0.5 to 2.1.3 but no result :(
 
kostil
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: Freeradius PoD

Thu Feb 19, 2009 1:46 pm

could anyone tell me which versions of the radius server and MikroTik NAS handle this without errors?
 
shivachitta
just joined
Posts: 20
Joined: Thu Nov 19, 2009 9:07 am

Re: Freeradius PoD

Tue Nov 24, 2009 3:39 pm

could anyone tell me which versions of the radius server and MikroTik NAS handle this without errors?

Hi kostil....

thanks for your help in advance....

I'm also struggling with the same problem.
I'm getting "Disconnect-ACK", the user is not able to use the service, and I'm
getting the same problem:
radclient retrying and getting the Disconnect-NAK and error 503 starting from the second retry because the user was already kicked by the first request.

Can you suggest me a solution please, ASAP....

What have you done to solve that problem...
 
kostil
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: Freeradius PoD

Tue Nov 24, 2009 3:49 pm

could anyone tell me which versions of the radius server and MikroTik NAS handle this without errors?

Hi kostil....

thanks for your help in advance....

I'm also struggling with the same problem.
I'm getting "Disconnect-ACK", the user is not able to use the service, and I'm
getting the same problem:
radclient retrying and getting the Disconnect-NAK and error 503 starting from the second retry because the user was already kicked by the first request.

Can you suggest me a solution please, ASAP....

What have you done to solve that problem...
I'm using ssh and the MikroTik console command :)
 
shivachitta
just joined
Posts: 20
Joined: Thu Nov 19, 2009 9:07 am

Re: Freeradius PoD

Wed Nov 25, 2009 6:30 am

could anyone tell me which versions of the radius server and MikroTik NAS handle this without errors?
I'm using ssh and the MikroTik console command :)

there is another way, as follows, where we can solve that (give the retry count as "-r 1")

see the example:

echo "User-Name=test_user,NAS-IP-Address=192.x.x.x,NAS-Port-Id=x,Framed-IP-Address=192.x.x.x,Acct-Session-Id=8010000c" | radclient -r 1 -x 192.x.x.x:3799 disconnect test
Sending Disconnect-Request of id 119 to 192.168.100.245 port 3799
 
shivachitta
just joined
Posts: 20
Joined: Thu Nov 19, 2009 9:07 am

Re: Freeradius PoD

Wed Nov 25, 2009 6:58 am


I'm using ssh and the MikroTik console command :)

can you tell me with some example using ssh and MikroTik.. (if possible)
So, each time do we need to do the same to disconnect?
or did you find any more ways?

and how to get session details (meaning how much upload and download he has done, and so on) from the MikroTik NAS.... Is there any way?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Freeradius PoD

Wed Nov 25, 2009 7:00 am

When I played with CoA I found that the 1.x train of FreeRADIUS does not throw this error. Of course 1.x is no longer maintained. I don't remember what code change in 2.x causes this behavior.
 
shivachitta
just joined
Posts: 20
Joined: Thu Nov 19, 2009 9:07 am

Re: Freeradius PoD

Wed Nov 25, 2009 8:13 am

When I played with CoA I found that the 1.x train of FreeRADIUS does not throw this error. Of course 1.x is no longer maintained. I don't remember what code change in 2.x causes this behavior.

Hi...
Is there any way to get all details for a specific session from the MikroTik NAS.. (like download usage, time used, status etc..)
any request packet format (an example if possible)

thanks in advance......
 
kostil
Frequent Visitor
Topic Author
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: Freeradius PoD

Wed Nov 25, 2009 9:00 am

When I played with CoA I found that the 1.x train of FreeRADIUS does not throw this error. Of course 1.x is no longer maintained. I don't remember what code change in 2.x causes this behavior.

Hi...
Is there any way to get all details for a specific session from the MikroTik NAS.. (like download usage, time used, status etc..)
any request packet format (an example if possible)

thanks in advance......
try to use RADIUS accounting on your MikroTik.
 
shivachitta
just joined
Posts: 20
Joined: Thu Nov 19, 2009 9:07 am

Re: Freeradius PoD

Wed Nov 25, 2009 9:46 am

When I played with CoA I found that the 1.x train of FreeRADIUS does not throw this error. Of course 1.x is no longer maintained. I don't remember what code change in 2.x causes this behavior.

Hi...
Is there any way to get all details for a specific session from the MikroTik NAS.. (like download usage, time used, status etc..)
any request packet format (an example if possible)

thanks in advance......
try to use RADIUS accounting on your MikroTik.
please can you be a bit clearer..

I want all details for a particular session as a response to any request (like access request or CoA or disconnect)
If you look at CISCO it is possible with the command "Account-Info" SSG_ACCOUNT_PING.
I need the same with MikroTik..

is this possible by any means...
 
shivachitta
just joined
Posts: 20
Joined: Thu Nov 19, 2009 9:07 am

Re: Freeradius PoD

Thu Nov 26, 2009 7:12 am

When I played with CoA I found that the 1.x train of FreeRADIUS does not throw this error. Of course 1.x is no longer maintained. I don't remember what code change in 2.x causes this behavior.

Hi...
Is there any way to get all details for a specific session from the MikroTik NAS.. (like download usage, time used, status etc..)
any request packet format (an example if possible)

thanks in advance......
try to use RADIUS accounting on your MikroTik.

any idea.... ?
 
legrang
just joined
Posts: 23
Joined: Wed Nov 03, 2010 4:05 pm
Location: South Africa

Re: Freeradius PoD

Wed Nov 03, 2010 4:19 pm

my radclient shared secret is right, and one fact confirms it. if you look carefully you can see that the first disconnect message's reply is Disconnect-ACK and the user was successfully kicked from the NAS, but in the answer there is still an error message, and the radclient retry requests get Disconnect-NAK with error 503 starting from the second retry, because the user was already kicked by the first request.
why can the first reply be an error for radclient, but OK for MikroTik? (Normis?)
Because there is an incompatibility between RouterOS, radclient and RFC 3576.

When the user has been disconnected and RouterOS sends the Disconnect-ACK response, it includes two attributes in the response (NAS-Identifier and NAS-IP-Address) which are not suggested by the RFC. If my understanding of radclient's source code is correct, it does not expect any attributes in a Disconnect-ACK response. The RFC does not seem to be clear on exactly what is allowed.

So to summarize, the RFC is unclear, RouterOS sends frivolous, unnecessary attributes in the response, and radclient isn't exactly robust.
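The authenticator arithmetic behind the "invalid signature" messages in kostil's radclient output, and behind the Error-Cause 503 that savage decoded earlier in the thread, as an added example that is not part of this thread and is not RouterOS, FreeRADIUS or radclient code. It builds the Disconnect-Request from the attributes kostil sent, builds the Disconnect-ACK and Disconnect-NAK with the attributes RouterOS logged (NAS-Identifier and NAS-IP-Address, plus Error-Cause in the NAK), computes the RFC 3576 authenticators, and verifies the responses the way a client has to. The shared secret "mysecret", the NAS address and the session values are constructed sample data that mirror the thread. Two things it shows: the ACK comes out at 33 bytes and the NAK at 39 bytes, the same lengths radclient reported, and a verifier that hashes the response's own attributes accepts the ACK as RouterOS sends it; the check fails only when the secret differs.

```python
import hashlib
import ipaddress
import struct

# Packet codes from RFC 3576 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42

# Attribute type numbers for the attributes seen in this thread
# (RFC 2865, RFC 2866, RFC 3576); names follow the FreeRADIUS dictionary.
ATTR = {
    "User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Service-Type": 6,
    "Framed-Protocol": 7, "Framed-IP-Address": 8, "NAS-Identifier": 32,
    "Acct-Session-Id": 44, "Error-Cause": 101,
}
ATTR_NAME = {v: k for k, v in ATTR.items()}
# Enumerated integers behind the numbers RouterOS prints in its debug log
ENUM = {
    "Service-Type": {2: "Framed-User"},
    "Framed-Protocol": {1: "PPP"},
    "Error-Cause": {503: "Session Context Not Found"},
}
INTEGER_ATTRS = ("NAS-Port", "Service-Type", "Framed-Protocol", "Error-Cause")
IP_ATTRS = ("NAS-IP-Address", "Framed-IP-Address")


def avp(name, value):
    """Encode one attribute as Type | Length | Value (RFC 2865 section 5)."""
    if isinstance(value, str):
        data = value.encode()
    elif isinstance(value, int):
        data = struct.pack("!I", value)
    else:  # ipaddress.IPv4Address
        data = value.packed
    return bytes([ATTR[name], 2 + len(data)]) + data


def build(code, ident, attrs, secret, request_auth=None):
    """Assemble a packet and fill in its Authenticator (RFC 3576 section 3).

    Request:  MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    Response: MD5(Code + ID + Length + RequestAuth    + Attributes + Secret)
    Either way the hash covers the packet's own attributes.
    """
    body = b"".join(avp(n, v) for n, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    seed = bytes(16) if request_auth is None else request_auth
    auth = hashlib.md5(header + seed + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """Client-side check of an ACK/NAK: recompute the Response Authenticator
    over the response, attributes included, seeded with the request's one."""
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def parse_attrs(packet):
    """Decode the attributes after the 20-byte header into (name, value)."""
    out, i = [], 20
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2:
            break  # malformed attribute; stop rather than loop forever
        raw = packet[i + 2:i + length]
        name = ATTR_NAME.get(t, str(t))
        if name in IP_ATTRS:
            value = str(ipaddress.IPv4Address(raw))
        elif name in INTEGER_ATTRS:
            value = struct.unpack("!I", raw)[0]
            value = ENUM.get(name, {}).get(value, value)
        else:
            value = raw.decode()
        out.append((name, value))
        i += length
    return out


def demo(secret=b"mysecret"):
    """Replay the exchange from the thread with constructed packets."""
    nas = ipaddress.IPv4Address("10.100.1.31")  # constructed, as in the thread
    req = build(DISCONNECT_REQUEST, 98, [
        ("User-Name", "user_test"), ("Acct-Session-Id", "8140763a"),
        ("NAS-IP-Address", nas), ("NAS-Port", 40878), ("Service-Type", 2),
        ("Framed-Protocol", 1),
        ("Framed-IP-Address", ipaddress.IPv4Address("172.16.32.45")),
    ], secret)
    req_auth = req[4:20]
    # The ACK carries NAS-Identifier and NAS-IP-Address, as RouterOS logged it
    ack = build(DISCONNECT_ACK, 98, [("NAS-Identifier", "NAS19"),
                                     ("NAS-IP-Address", nas)], secret, req_auth)
    # The NAK for the retries adds Error-Cause once the session is gone
    nak = build(DISCONNECT_NAK, 98, [("Error-Cause", 503), ("NAS-Identifier", "NAS19"),
                                     ("NAS-IP-Address", nas)], secret, req_auth)
    return {
        "ack_length": len(ack),  # 33, matching "length=33" in radclient's output
        "nak_length": len(nak),  # 39, matching "length=39"
        "ack_verifies": verify_response(ack, req, secret),
        "ack_verifies_wrong_secret": verify_response(ack, req, b"wrong-secret"),
        "request_attrs": parse_attrs(req),
        "nak_attrs": parse_attrs(nak),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Running it prints the decoded request with Service-Type as Framed-User and Framed-Protocol as PPP, which are the dictionary names for the integers 2 and 1 that the RouterOS debug log shows, and the NAK's Error-Cause as Session Context Not Found.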
