cleaver
just joined
Topic Author
Posts: 7
Joined: Tue Apr 15, 2014 2:39 pm

Wireless AP RADIUS problem

Tue Jul 29, 2014 11:45 am

Hi,
I am using a RB951Ui-2HnD as a wireless AP using FreeRADIUS with SQL backend for authentication and accounting.
RouterOS is version 6.17, but I've been having the same problem with previous versions.

Authentication works OK but the problem is with accounting. The AP fails to provide the Calling-Station-Id (wifi station's MAC address) property to the radius server in the Accounting-Request packet. So the session record in the accounting table contains an empty field for Calling-Station-Id. I need this field to do stale session cleanup, but I can't figure out how to make the AP provide it with the Accounting-Request to the radius server.

As a matter of fact, the AP does provide Calling-Station-Id in the Access-Request packet, here's the relevant freeradius debug log excerpt:

rad_recv: Access-Request packet from host 192.168.13.4 port 41720, id=192, length=219
  Service-Type = Framed-User
  Framed-MTU = 1400
  User-Name = "cleaver"
  NAS-Port-Id = "wlan1"
  NAS-Port-Type = Wireless-802.11
  Acct-Session-Id = "82000027"
  Acct-Multi-Session-Id = "D4-CA-6D-F6-55-C1-CC-FA-00-C6-4A-A6-82-00-00-00-00-00-00-1F"
--->>> Calling-Station-Id = "CC-FA-00-C6-4A-A6" //emphasis mine
  Called-Station-Id = "D4-CA-6D-F6-55-C1:datamax"
  EAP-Message = 0x0200000c01636c6561766572
  Message-Authenticator = 0x434e50ee2a38b4327019b1f023d7006e
  NAS-Identifier = "MikroTik"
  NAS-IP-Address = 192.168.13.4

The above shows a description of the Access-Request packet and as you can see, it does contain the Calling-Station-Id attribute. This is fine.

But here's the debug output for the Accounting-Request sent to the radius server, where this attribute disappears:

rad_recv: Accounting-Request packet from host 192.168.13.4 port 51157, id=205, length=153
  Service-Type = Framed-User
  NAS-Port-Id = "wlan1"
  NAS-Port-Type = Wireless-802.11
  User-Name = "cleaver"
  Acct-Session-Id = "82000027"
  Acct-Multi-Session-Id = "D4-CA-6D-F6-55-C1-CC-FA-00-C6-4A-A6-82-00-00-00-00-00-00-1F"
  Acct-Authentic = RADIUS
  Acct-Status-Type = Start
  NAS-Identifier = "MikroTik"
  Acct-Delay-Time = 0
  NAS-IP-Address = 192.168.13.4

The Calling-Station-Id attribute is missing here, and that's why it doesn't get recorded in the accounting table where I need it to be.

This behavior is rather strange because the RouterOS documentation about radius says that:
The accounting request carries the same attributes as Access Request, plus these ones:
......
......
So the AP is expected to provide the Calling-Station-Id attribute in Accounting-Request too, but it does not. It only provides it in Access-Accept.

Is there a way to configure my routerboard so that it provides the Calling-Station-Id attribute in the Accounting-Request packet to the radius server? I really need this attribute for accounting, and according to the documentation, it should be there.

Any suggestions?

Thanks!
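
One way to recover the station MAC for accounting records while the NAS omits it, as an added example that is not part of the original post and is not MikroTik or FreeRADIUS code: parse the `rad_recv` debug blocks, carry Calling-Station-Id over from the Access-Request with the same NAS and Acct-Session-Id, and otherwise fall back to Acct-Multi-Session-Id. The function names are hypothetical, the third packet in the sample is constructed, and the assumption that octets 7-12 of Acct-Multi-Session-Id hold the station MAC is inferred only from the single sample shown in the post.

```python
import re

# Constructed sample: first two packets abridged from the post, third one invented.
SAMPLE = '''rad_recv: Access-Request packet from host 192.168.13.4 port 41720, id=192, length=219
  Acct-Session-Id = "82000027"
  Calling-Station-Id = "CC-FA-00-C6-4A-A6"
rad_recv: Accounting-Request packet from host 192.168.13.4 port 51157, id=205, length=153
  Acct-Session-Id = "82000027"
  Acct-Multi-Session-Id = "D4-CA-6D-F6-55-C1-CC-FA-00-C6-4A-A6-82-00-00-00-00-00-00-1F"
rad_recv: Accounting-Request packet from host 192.168.13.4 port 51158, id=206, length=120
  Acct-Session-Id = "82000099"
  Acct-Multi-Session-Id = "D4-CA-6D-F6-55-C1-00-11-22-33-44-55-82-00-00-00-00-00-00-20"
'''

HEADER = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port")
ATTR = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?\s*$')

def parse_packets(text):
    """Split debug output into one dict per packet (attribute name -> value)."""
    packets = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            packets.append({"_code": h.group(1), "_nas": h.group(2)})
        elif packets and (a := ATTR.match(line)):
            packets[-1][a.group(1)] = a.group(2)
    return packets

def station_from_multi_session(value):
    # Assumption from the post's sample: octets 1-6 are the AP MAC, 7-12 the station MAC.
    octets = value.split("-")
    return "-".join(octets[6:12]) if len(octets) >= 12 else None

def fill_calling_station(packets):
    """Return (session id, station MAC, where the MAC came from) per Accounting-Request."""
    seen, out = {}, []  # seen: (NAS, Acct-Session-Id) -> MAC from Access-Request
    for p in packets:
        key = (p["_nas"], p.get("Acct-Session-Id"))
        if p["_code"] == "Access-Request" and "Calling-Station-Id" in p:
            seen[key] = p["Calling-Station-Id"]
        elif p["_code"] == "Accounting-Request":
            mac, source = p.get("Calling-Station-Id"), "packet"
            if not mac:
                mac, source = seen.get(key), "access-request"
            if not mac:
                mac, source = station_from_multi_session(p.get("Acct-Multi-Session-Id", "")), "multi-session-id"
            out.append((p.get("Acct-Session-Id"), mac, source))
    return out
```

Recording the source next to the MAC lets stale-session cleanup treat values inferred from Acct-Multi-Session-Id with less confidence than values the NAS actually sent.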
 
awacenter
Member Candidate
Posts: 201
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

Re: Wireless AP RADIUS problem

Tue Jul 29, 2014 1:32 pm

Hi cleaver
In wireless authentication you are working in layer 2 of the OSI model (http://en.wikipedia.org/wiki/OSI_model). In this layer there is no IP address, but it is supposed that there is a MAC address.
And the accounting request has to represent which MAC produced the successful authentication.

I am with you, the 802.1x auth does not have the correct 'accounting request'.

Santiago
 
awacenter
Member Candidate
Posts: 201
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

Re: Wireless AP RADIUS problem

Thu Aug 07, 2014 11:39 am

Cleaver, I sent an email to support@mikrotik.com.
We are waiting for their response. :)
 
cleaver
just joined
Topic Author
Posts: 7
Joined: Tue Apr 15, 2014 2:39 pm

Re: Wireless AP RADIUS problem

Thu Aug 07, 2014 12:01 pm

Thank you, I hope they'll do something about this issue.
 
awacenter
Member Candidate
Posts: 201
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

Re: Wireless AP RADIUS problem

Mon Aug 11, 2014 3:15 pm

MikroTik support said:
Called-station-id and calling-station-id are used only in access-request attributes.
This is not really true because in MT hotspot service, the accounting works fine.
Called-station-id and calling-station-id attributes are normally stored in the database using Accounting Request. RADIUS server stores all the details of the account which is just to authenticate. It is the only way to store the MAC address of customer and NAS.

I am waiting for his reply.
 
awacenter
Member Candidate
Posts: 201
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

802.1x accounting problem. Lack of data in Acct-Request inRA

Wed Aug 13, 2014 11:13 am

Hi,
I have repeatedly tested the authentication of my tablet, and the MAC address of my tablet does not appear in my freeradius DB.
In the previous post, we attached one Accounting packet for the wireless accounting.
I think it is necessary to debug the accounting request that the MT device sends to the RADIUS server. It works fine for the hotspot service.
I asked support@mikrotik.com without a satisfactory answer.

Sincerely,
Santiago
