Access Control and accounting with Radius

Posted: Sat Dec 17, 2005 3:25 am
by kmullen
HELP!

I am so tired of dealing with "wired" network people that don't think the following is possible:

Wireless client links to AP
Traffic passes to MT in Router mode
MT uses MAC or IP to check Radius for access.
if authorized access granted
if unrecognized forwarded to info page for obtaining access.
if blocked for non-payment redirected to page explaining reason and #
If blocked for abuse or virus redirected to page explaining reason and #

I want to use Radius so I can shut off clients for multiple locations from one central database.

All access points are capable of querying Radius servers using MAC address.

I need serious, DETAILED help.

What no help out there!

Posted: Tue Dec 20, 2005 11:50 pm
by kmullen
Lots of people looking but no answers. I know this is possible because I know of one ISP using MT to do this.

No one willing to help? :?:

Re: Access Control and accounting with Radius

Posted: Wed Dec 21, 2005 11:28 am
by cmit
Hi - I don't currently have the time to put up detailed instructions here (apart from that, that's a thing I normally make money with...). Some hints:

- Use Hotspot on the MikroTik for login checking etc - in combination with RADIUS server (this has been a topic in these forums several times).
- Then use RADIUS to put the non-paying and virus-infected users into different address pools.
- Create HTTP-redirection rules for all users in the "bad" pools, i.e. a rule which redirects all traffic from clients in the "non-paying" pool to port 80 to a special webserver you run presenting your "please pay your bill"-page.

Regards,
Christian

Thanks

Posted: Thu Dec 22, 2005 4:13 am
by kmullen
CMIT, I fully understand that NO ONE should work for free. If this is your line of business I am willing to pay for your work.

From your tips I'm assuming you think I am using DHCP. We statically assign IPs based on the MAC of the client's CPE.

Also, each tower has a standalone MT with no wlan cards. Will this still work as a hotspot controller?

And . . .

Posted: Thu Dec 22, 2005 4:17 am
by kmullen
Our customers don't use a login. So will the hotspot controller use the MAC address of the radio as the username / password?

Posted: Thu Dec 22, 2005 10:09 am
by cmit
I'm not sure what you mean with the "standalone MT with no wireless cards".
Apart from that: You could use HotSpot and have it authenticate against a RADIUS server using the client's MAC address as the username. So your scenario would be possible. One thing you have to ensure in such a scenario is that you really get the client's MAC address through to the hotspot. Depending on config/network setup you could end up not seeing the real source MAC address of the customer.

Also - I'm sure you have thought of this - a MAC address could be forged quite easily...

Best regards,
Christian Meis

Forgery!?!

Posted: Thu Dec 22, 2005 6:32 pm
by kmullen
Yes we did think of that, but we haven't had much of a problem. If we use PPPoE then all customers behind a residential router would have access when one authenticates. Right?

Re: Forgery!?!

Posted: Fri Dec 23, 2005 10:21 am
by cmit
If we use PPPoE then all customers behind a residential router would have access when one authenticates. Right?
Yeah - there would be no way to distinguish between those then.

Best regards,
Christian Meis

Posted: Fri Dec 23, 2005 11:03 am
by YazzY
Create one IP pool for paying users, one for non-paying and one for blocked ones.
Create three groups, each with a different pool attribute. You can even set up a different speed rate for each of the groups (non-paying users get a 32kbit traffic rate).
Let them all authenticate and get IPs.
Set up firewalling to redirect tcp 80 requests from the network of the naughty users to your website.
Users with no account can get IP via DHCP and get all their traffic forwarded to your website of choice as if you were running hotspot.

Detailed help is available if you check out http://www.mikrotik.com/consultants.html
:)

Cheers,
Marcin Jessa.
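Marcin's three-pool scheme written out as RouterOS commands, added here as an example and not code from anyone in the thread. Pool names, addresses, the interface name, the notice web server (10.10.0.5), the RADIUS server (10.10.0.2) and the shared secret are all placeholders.

```routeros
# Added example (not from the thread): RouterOS sketch of the three-pool scheme.
# Every address, name and secret below is a placeholder; ether1 is assumed to
# face the wireless clients.

# 1. Three address pools: paying, non-paying, blocked
/ip pool add name=pool-paying  ranges=10.10.1.10-10.10.1.250
/ip pool add name=pool-unpaid  ranges=10.10.2.10-10.10.2.250
/ip pool add name=pool-blocked ranges=10.10.3.10-10.10.3.250

# 2. One hotspot user profile per group; the "bad" groups also get the
#    32 kbit/s rate limit Marcin mentions
/ip hotspot user profile add name=paying  address-pool=pool-paying
/ip hotspot user profile add name=unpaid  address-pool=pool-unpaid  rate-limit=32k/32k
/ip hotspot user profile add name=blocked address-pool=pool-blocked rate-limit=32k/32k

# 3. Hotspot server that authenticates by client MAC against the central RADIUS
#    server; the RADIUS reply picks the profile via Mikrotik-Group=paying|unpaid|blocked
/radius add service=hotspot address=10.10.0.2 secret=CHANGE-ME-SHARED-SECRET
/ip hotspot profile add name=mac-radius login-by=mac use-radius=yes radius-accounting=yes
/ip hotspot add name=hs1 interface=ether1 address-pool=pool-paying profile=mac-radius

# 4. Send web traffic from the bad pools to the notice server and drop everything
#    else they originate, so the pool assignment alone enforces the block
/ip firewall nat add chain=dstnat src-address=10.10.2.0/24 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.10.0.5 to-ports=80 comment="unpaid -> please-pay page"
/ip firewall nat add chain=dstnat src-address=10.10.3.0/24 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.10.0.5 to-ports=80 comment="blocked -> abuse/virus notice"
/ip firewall filter add chain=forward src-address=10.10.2.0/24 dst-address=!10.10.0.5 action=drop
/ip firewall filter add chain=forward src-address=10.10.3.0/24 dst-address=!10.10.0.5 action=drop

# 5. Keep hotspot login/logout events in the log; with RADIUS accounting on, the
#    central server also sees when one MAC shows up at two towers at once
/system logging add topics=hotspot,info action=memory
```

Clients that RADIUS rejects outright never get past the hotspot login page, which covers the "unrecognized" case from the first post without a separate pool.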

Posted: Fri Dec 23, 2005 11:09 am
by cmit
(Off-topic)
Hey Marcin - read your e-mail ;)

Best regards,
Christian Meis