
 
manson
newbie
Topic Author
Posts: 32
Joined: Thu Feb 14, 2013 9:41 am

RouterOS DHCP + Freeradius - Queues

Tue Sep 16, 2014 11:45 am

Hello,

I have a DHCP server on ROS getting leases and rate limits from a FreeRADIUS database. It's working like it should, but there is a problem with changing rate limits for connected users. After the lease expires the client gets a new lease, but the rate limits changed in the database are not changed.
Any idea how to make it work?
 
Kadafi
newbie
Posts: 25
Joined: Tue Jan 18, 2011 5:52 pm

Re: RouterOS DHCP + Freeradius - Queues

Tue Sep 16, 2014 1:48 pm

> Hello,
>
> I have a DHCP server on ROS getting leases and rate limits from a FreeRADIUS database. It's working like it should, but there is a problem with changing rate limits for connected users. After the lease expires the client gets a new lease, but the rate limits changed in the database are not changed.
> Any idea how to make it work?

The only way for now is to create static address lists and write a script in the scheduler that makes dynamic leases static and updates them on new dynamic entries.
 
DLNoah
Member Candidate
Posts: 144
Joined: Fri Nov 12, 2010 5:33 pm

Re: RouterOS DHCP + Freeradius - Queues

Tue Sep 16, 2014 3:11 pm

> Hello,
>
> I have a DHCP server on ROS getting leases and rate limits from a FreeRADIUS database. It's working like it should, but there is a problem with changing rate limits for connected users. After the lease expires the client gets a new lease, but the rate limits changed in the database are not changed.
> Any idea how to make it work?

On a regular renewal (which DHCP clients will typically do at the halfway point of their current lease), the MT will not re-request information from RADIUS, as the lease entry still exists in the MikroTik. Similarly, the MT will always check its own leases first (e.g. static leases), and will not query RADIUS if a static lease exists.

In order to force the MT to re-check RADIUS for updated shaping information, you need to delete the lease from the MT DHCP Server > Leases tab (either manually or via a script triggered by your FreeRADIUS backend when the rate limit changes).
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues

Wed Sep 17, 2014 1:21 am

Are you specifying the Session-Timeout in your FreeRADIUS reply packet?

We had issues without Session-Timeout where users were only authenticated once. As long as they kept their lease renewed before it expired, they never had to authenticate again.

With Session-Timeout set to 3600 seconds, the MikroTik re-authenticates them every hour and they get their new MikroTik-Access-List value to change to their new plan speed within an hour of the plan being changed in the database. They can force a renewal before their current lease expires if they are in a hurry.
 
manson
newbie
Topic Author
Posts: 32
Joined: Thu Feb 14, 2013 9:41 am

Re: RouterOS DHCP + Freeradius - Queues

Thu Sep 18, 2014 12:01 pm

And how about the same issue, but using User Manager?
 
Begetan
Frequent Visitor
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues

Sat Nov 01, 2014 9:15 pm

I am trying to do shaping via DHCP and got the same issue.

I think there is an issue in DHCP processing on the MikroTik side.

If a station sends a request for the first time, MikroTik has no lease and correctly sends requests to RADIUS.
If a station disconnects and resends a DHCP request or renews a lease, MikroTik tries to check its databases for static leases. If it can find any kind of lease it will not process the RADIUS request again. I should do it only for RADIUS leases.

What are the workarounds?

1. Send Session-Timeout. Does MikroTik consider it unlimited by default?
2. Regular clean-up of the whole lease database.
3. Script for manual clean-up of a particular lease, caused by the lease script.
4. Ask MikroTik to fix a bug?
 
Begetan
Frequent Visitor
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues

Sat Nov 01, 2014 9:46 pm

> With Session-Timeout set to 3600 seconds, the MikroTik re-authenticates them every hour and they get their new MikroTik-Access-List value to change to their new plan speed within an hour of the plan being changed in the database. They can force a renewal before their current lease expires if they are in a hurry.

Are you sure that the DHCP RADIUS accept message can provide the MikroTik-Access-List attribute?
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues

Tue Nov 04, 2014 10:48 pm

> I am trying to do shaping via DHCP and got the same issue.
>
> I think there is an issue in DHCP processing on the MikroTik side.
>
> If a station sends a request for the first time, MikroTik has no lease and correctly sends requests to RADIUS.
> If a station disconnects and resends a DHCP request or renews a lease, MikroTik tries to check its databases for static leases. If it can find any kind of lease it will not process the RADIUS request again. I should do it only for RADIUS leases.
>
> What are the workarounds?
>
> 1. Send Session-Timeout. Does MikroTik consider it unlimited by default?
> 2. Regular clean-up of the whole lease database.
> 3. Script for manual clean-up of a particular lease, caused by the lease script.
> 4. Ask MikroTik to fix a bug?

Number 1 works for my 2000 customers.... I would say 2 and 3 are not necessary if you do 1. 4 is not necessary because it is working as designed.

Authentication is separate from Authorization.

If RADIUS doesn't specify a session timeout, the DHCP server uses MAC authentication to authenticate the device. If no limits were in the RADIUS authorization response, the user/device is unlimited. The DHCP server has its own concept of Lease Time which is not related to authorization. So, when an authorized without limits client requests to renew its lease, the DHCP server looks at its table of limits and says "00:11:22:33:44:55" is not beyond its authorized time limit, renew the lease.

If RADIUS returns a Session-Timeout, the DHCP server knows this MAC address is authenticated and is also authorized for the next ${Session-Timeout} seconds. If the device requests to renew its lease, the DHCP server looks at its table and sees "this MAC address already authenticated and is authorized until ${time}." If the new Lease Time would give the device access beyond $time, DHCP needs to ask the RADIUS server about the device's authorization again.

With PPP, if you don't specify a Session-Timeout or other limit, the user can stay connected forever and never has to re-authenticate. There is no difference here. It is just the DHCP concept of a default lease-time which is confusing people.
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues

Tue Nov 04, 2014 10:56 pm

> > With Session-Timeout set to 3600 seconds, the MikroTik re-authenticates them every hour and they get their new MikroTik-Access-List value to change to their new plan speed within an hour of the plan being changed in the database. They can force a renewal before their current lease expires if they are in a hurry.
>
> Are you sure that the DHCP RADIUS accept message can provide the MikroTik-Access-List attribute?

Yes. Absolutely. That is what we do for our customers.

DHCP uses MAC authentication to send a RADIUS request to the RADIUS server. The RADIUS reply packet contains the Session-Timeout and MikroTik-Access-List and Framed-Pool or Framed-Address. If our Session-Timeout is 3600, the customer can be put in a different Access-List with a different IP pool or static IP address.

You may have to make sure your RADIUS server knows about the MikroTik-Access-List attribute.

http://wiki.mikrotik.com/wiki/Manual:RA ... dictionary
 
Begetan
Frequent Visitor
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues

Wed Nov 05, 2014 11:25 pm

lambert

Thank you for details. We've implemented Session-Timeout and to i it's working exactly as we want!

We will try to use Mikrotik-Address-List, we did it for PPP servers, so it's quite easy.

I am confused because in the official documentation this parameter is missing:
http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server
 
Begetan
Frequent Visitor
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues

Thu Nov 13, 2014 10:37 pm

The RADIUS attribute Mikrotik-Address-List is working with DHCP, but has an issue. Once it gets some value from RADIUS it will stay forever and not expire if the lease is updating. Only disconnected and fully expired leases can clean up the address-list.

Looks like the behaviour of standard DHCP without the attribute Session-Time.
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues

Thu Nov 13, 2014 11:42 pm

What reply attributes are you returning? It works for us all day every day. Below are the attributes we use for everyone. Customers with static IP addresses also get a Framed-IP attribute from the radreply table.
mysql> select * from radgroupreply where groupname = "1MbCustomers";
+-----+--------------+-----------------------+----+--------------+
| id  | groupname    | attribute             | op | value        |
+-----+--------------+-----------------------+----+--------------+
|  67 | 1MbCustomers | Mikrotik-Address-List | =  | 1MbCustomers |
|  66 | 1MbCustomers | Framed-Pool           | =  | CustPub      |
| 107 | 1MbCustomers | Session-Timeout       | =  | 7200         |
+-----+--------------+-----------------------+----+--------------+
If a customer switched to another plan, we put them in another group and the associated address list is returned the next time they renew the lease. Once they get the new lease, any new connections are matched by the address-list in the mangle rules. The new connections are then shaped by the queue tree rules. Existing, long running connections are not affected, unless the IP changes and, therefore, breaks the connection.

Do you check that the customer's dynamic address-list entry is in /ip firewall address-list and if it has changed?
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues

Thu Nov 13, 2014 11:56 pm

 
Begetan
Frequent Visitor
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues

Fri Nov 14, 2014 2:37 pm

We are using version 6.18 now.

This issue is about the processing of a RADIUS attribute.

If we set the attribute to some value it will stay in this state until we set a new value.

For example

1. We send from RADIUS
Framed-IP-Address = 172.16.1.1
Mikrotik-Address-List = hotline
Session-Timeout = 3600
This address stays in the hotline filter

2. Now we removed the user from the hotline list
Framed-IP-Address = 172.16.1.1
Session-Timeout = 3600
But address-list "hotline" keeps holding IP 172.16.1.1 until you disconnect the device! Every renewal of the lease keeps it on the list.

The only way to remove the attribute dynamically is to provide a new value:
Framed-IP-Address = 172.16.1.1
Mikrotik-Address-List = allow
Session-Timeout = 3600
I think this is unclear handling of RADIUS attributes.

If we provide Session-Timeout, we hope that all attributes should expire automatically. Exactly the same as the DHCP lease. But we have to push a new value to some attribute just for moving out the old one.

MikroTik DHCP + RADIUS is used by several people in the world, I think. So it's better to update the knowledge base than to make changes to the software.

I can do notes on the wiki if the MikroTik team provides access.
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues

Fri Nov 14, 2014 7:29 pm

Okay, that makes sense and explains why we do not have a problem. On our network, every user is in an address-list.

You might want to make a feature request of MikroTik to use the session-timeout as an address-list timeout. But it would still be there until timeout expired even if you force the device to get a new lease.

I would just give everyone a default address-list, even if you don't use that in your configuration on the router.
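
The point reached in the posts above is that every group's reply should carry both a Session-Timeout and a Mikrotik-Address-List, otherwise an old address-list entry such as "hotline" survives lease renewals. The following is an added example, not code from any poster: it audits constructed rows in the radgroupreply layout shown earlier, loaded into an in-memory SQLite database. The MAX_TIMEOUT policy ceiling and all group names other than 1MbCustomers are assumptions.

```python
import sqlite3

REQUIRED = ("session-timeout", "mikrotik-address-list")
MAX_TIMEOUT = 7200  # assumed policy ceiling in seconds, not a RouterOS limit

# Constructed sample rows: (groupname, attribute, op, value)
SAMPLE_ROWS = [
    ("1MbCustomers", "Mikrotik-Address-List", "=", "1MbCustomers"),
    ("1MbCustomers", "Framed-Pool", "=", "CustPub"),
    ("1MbCustomers", "Session-Timeout", "=", "7200"),
    ("hotline", "Mikrotik-Address-List", "=", "hotline"),  # never re-authorized
    ("hotline", "Framed-Pool", "=", "CustPub"),
    ("nolist", "Framed-Pool", "=", "CustPub"),             # old list would stick
    ("nolist", "Session-Timeout", "=", "3600"),
    ("weekly", "Mikrotik-Address-List", "=", "weekly"),
    ("weekly", "Session-Timeout", "=", "604800"),          # plan change takes a week
]

def load(rows):
    """Build an in-memory table with the same columns as radgroupreply."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, "
               "groupname TEXT, attribute TEXT, op TEXT, value TEXT)")
    db.executemany("INSERT INTO radgroupreply (groupname, attribute, op, value) "
                   "VALUES (?, ?, ?, ?)", rows)
    return db

def audit(db, max_timeout=MAX_TIMEOUT):
    """Return {groupname: [problems]} for groups whose reply leaves stale state."""
    findings = {}
    groups = [g for (g,) in db.execute(
        "SELECT DISTINCT groupname FROM radgroupreply ORDER BY groupname")]
    for group in groups:
        rows = db.execute("SELECT attribute, value FROM radgroupreply "
                          "WHERE groupname = ?", (group,))
        attrs = {name.lower(): value for name, value in rows}
        problems = [f"missing {name}" for name in REQUIRED if name not in attrs]
        timeout = attrs.get("session-timeout")
        if timeout is not None and not (
                timeout.isdigit() and 0 < int(timeout) <= max_timeout):
            problems.append(f"session-timeout {timeout} outside 1..{max_timeout}")
        if problems:
            findings[group] = problems
    return findings

if __name__ == "__main__":
    for group, problems in audit(load(SAMPLE_ROWS)).items():
        print(group, "->", "; ".join(problems))
```

Against a real FreeRADIUS database the same two SELECT statements apply; only the connection in load() changes.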
 
Begetan
Frequent Visitor
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues

Thu Feb 26, 2015 12:46 pm

I am wondering about the changelog for ROS v6.23
What's new in 6.23 (2014-Dec-04 14:46):
dhcpv4 server - fix adding address lists from radius
Is this the issue mentioned by me above or something else?

I am going to upgrade from 6.18 to newer release and extend DHCP+Radius configuration.
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: RouterOS DHCP + Freeradius - Queues

Tue Mar 03, 2015 2:06 am

That fixes a problem which was introduced after 6.18.
 
Begetan
Frequent Visitor
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues

Tue Mar 10, 2015 11:18 pm

This is a really sad story about the software development process for ROS. Each release has some fix for the bugs introduced earlier and creates new bugs. So there is no one stable version for a long time :(

By the way, we are running DHCP + FreeRADIUS + Queues very well.

Now I am trying to find a way to monitor queue utilisation.

It's possible to use SNMP and Tools->Graphing as well.

But both methods work only for the lifetime of the DHCP lease. If a subscriber reconnects for any reason then the system changes the SNMP number for the queue and the counters become unknown. I discovered that deleting a simple queue automatically removes the manually added command
/tool graphing queue
add simple-queue=XXXX
So local graphs become unknown too. This is probably expected behavior for both methods. But is there any way to monitor statistics for the dynamic queue? I am thinking about automatically creating and maintaining queues via the lease script.
 
cchance
newbie
Posts: 39
Joined: Mon Dec 01, 2014 2:42 pm

Re: RouterOS DHCP + Freeradius - Queues

Fri Mar 20, 2015 6:11 am

should be possible, though i have no idea how lol
 
Begetan
Frequent Visitor
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: RouterOS DHCP + Freeradius - Queues

Tue Mar 24, 2015 12:53 am

I found a workaround.

You have to manually add a queue with exactly the same name. It will stay permanently. When DHCP tries to add the queue dynamically it won't succeed because of the existing rule. So it won't be able to remove the rule either.

This is acceptable for monitoring special customers, not full monitoring of all queues.
