Community discussions

 
oeufdure
just joined
Topic Author
Posts: 6
Joined: Tue Aug 26, 2014 10:35 pm

Disassociate device (CoA, SNMP ...)

Tue Aug 26, 2014 11:12 pm

Hello all,

I am working with PacketFence and i try to find a way to desassociate a device connected to a OmniTIK U-5hdN.
The access point has been configured with CAPsMAN and the vlan association is working as expected.

The only issue is when i want to change the vlan id, i need PacketFence to be able to send a request to the access point.

I tried first with CoA with something like that:

Sending Disconnect-Request of id 200 to 172.20.20.246 port 3799
Acct-Session-Id = "ba7684f052142ace"
User-Name = "10:68:3F:71:D7:50"
rad_recv: Disconnect-NAK packet from host 172.20.20.246 port 3799, id=200, length=42
Error-Cause = Unsupported-Extension
NAS-Identifier = "MikroTik"
NAS-IP-Address = 172.20.20.246

In the log: Radius disconnect with no ip provided

So i tried with:

Sending Disconnect-Request of id 25 to 172.20.20.246 port 3799
Framed-IP-Address = 172.21.135.10
Acct-Session-Id = "ba7684f052142ace"
User-Name = "10:68:3F:71:D7:50"
rad_recv: Disconnect-NAK packet from host 172.20.20.246 port 3799, id=25, length=42
Error-Cause = Session-Context-Not-Found
NAS-Identifier = "MikroTik"
NAS-IP-Address = 172.20.20.246

With in the log: Radius disconnect request for unknown ip 172.21.135.10

172.21.135.10 is the current device ip address.

So i tried to check if it was possible with snmp (something near oid :iso.3.6.1.4.1.14988.1.1.1.5.1 ) but it look that there is no way to desassociate the device (and where i can find the mib ? this one look outdated http://www.mikrotik.com/download/Mikrotik.mib).

So the last way to do it is to use the cli:

[admin@MikroTik] /caps-man registration-table> print
# INTERFACE MAC-ADDRESS UPTIME RX-SIGNAL
0 cap1 10:68:3F:71:D7:50 4s900ms -39
[admin@MikroTik] /caps-man registration-table> remove 0

i am now able to receive a new radius request, but it mean that i have to connect with telnet/ssh, then parse the print result and find the index that correspond to my device mac address and remove the index (it´s possible but for each device i will have to do it).

So my question is, is there a way to do a CoA without the Framed-IP-Address attribute ?
or is there a way to do it by snmp ?

Thanks
Regards
Fabrice
 
oeufdure
just joined
Topic Author
Posts: 6
Joined: Tue Aug 26, 2014 10:35 pm

Re: Disassociate device (CoA, SNMP ...)

Thu Aug 28, 2014 6:44 pm

Hi,

so without other way than cli to desassociate a device on a Mikrotik access point this will be the only way to do it in PacketFence.
I kept the CoA method in PacketFence, i hope in the future i will be able to use it.

So Mikrotik access point will be supported in PacketFence´s next release.
https://github.com/inverse-inc/packetfence/pull/222

Regards
Fabrice
 
baggar11
Frequent Visitor
Frequent Visitor
Posts: 59
Joined: Tue Oct 22, 2013 4:49 am

Re: Disassociate device (CoA, SNMP ...)

Sun Aug 31, 2014 9:02 am

Fabrice, this is awesome! Thanks for your help on this. Which release will we see these changes effective in?
 
oeufdure
just joined
Topic Author
Posts: 6
Joined: Tue Aug 26, 2014 10:35 pm

Re: Disassociate device (CoA, SNMP ...)

Mon Sep 01, 2014 2:51 am

Hi,

the pull request has been merged in devel so it will be available in the next release (probably next week).

Fabrice
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Disassociate device (CoA, SNMP ...)

Mon Sep 01, 2014 3:34 pm

here is OID for RouterOS version
1.3.6.1.4.1.14988.1.1.4.4.0
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: Disassociate device (CoA, SNMP ...)

Mon Sep 01, 2014 6:42 pm

Im pretty up on Packetfence... Would probably need to do an SNMP query to make sure the wireless-FP package is being used and no the regular wireless package. Both will work, but only one will work with VLAN assignment.
 
oeufdure
just joined
Topic Author
Posts: 6
Joined: Tue Aug 26, 2014 10:35 pm

Re: Disassociate device (CoA, SNMP ...)

Tue Sep 02, 2014 3:43 pm

Hello,

thanks for the oid, it has been added in the Mikrotik module.
getVersion will be probably use when i will be able to do CoA on the access point, like if version > 6.19 do CoA instead of SSH.

Also i have only one Mikrotik access point so i don´t know where the radius request come, is it from the CAPsMAN ap or from each access point managed by CAPsMAN ?
Btw i will probably be able to query snmp oid to determine if CAPsMAN has been enabled or no and send an error to the packetfence admin.

Regards
Fabrice
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Disassociate device (CoA, SNMP ...)

Wed Sep 03, 2014 3:18 pm

it is not possible to query capsman if it is enabled or that wireless-fp packet is installed and active.

Maybe it is possible to use perl implementation of API library to make calls directly to the router?

http://forum.mikrotik.com/viewtopic.php?f=9&t=22744
http://wiki.mikrotik.com/wiki/API
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: Disassociate device (CoA, SNMP ...)

Sat Sep 06, 2014 6:52 pm

Radius comes from the controller. Not the ap. In your case it's both.
 
baggar11
Frequent Visitor
Frequent Visitor
Posts: 59
Joined: Tue Oct 22, 2013 4:49 am

Re: Disassociate device (CoA, SNMP ...)

Mon Sep 15, 2014 7:15 pm

Fabrice, thanks for your work on this, this is truly awesome. I've been waiting a long time for Mikrotik AP support in PacketFence. Do you have any plans or know if PacketFence will be able to support Mikrotik switches?
 
oeufdure
just joined
Topic Author
Posts: 6
Joined: Tue Aug 26, 2014 10:35 pm

Re: Disassociate device (CoA, SNMP ...)

Tue Sep 16, 2014 2:37 am

I just have a Mikrotik AP and not switch. So without a switch i will not be able to support it.
Maybe Mikrotik support is able to lend me a switch ;-)

Fabrice
 
baggar11
Frequent Visitor
Frequent Visitor
Posts: 59
Joined: Tue Oct 22, 2013 4:49 am

Re: Disassociate device (CoA, SNMP ...)

Tue Sep 16, 2014 6:49 pm

Fabrice, where are you located at? Are you in the US?
 
oeufdure
just joined
Topic Author
Posts: 6
Joined: Tue Aug 26, 2014 10:35 pm

Re: Disassociate device (CoA, SNMP ...)

Wed Sep 17, 2014 12:27 am

At Montréal, Canada.
I am working at inverse for PacketFence project.
 
baggar11
Frequent Visitor
Frequent Visitor
Posts: 59
Joined: Tue Oct 22, 2013 4:49 am

Re: Disassociate device (CoA, SNMP ...)

Wed Sep 17, 2014 1:11 am

I believe we've spoken on the freenode irc channel before. You mind hopping on again? I want to see if we can work out details on getting you a mikrotik router/switch.
 
qarqun
just joined
Posts: 1
Joined: Wed Apr 29, 2015 11:07 am

Re: Disassociate device (CoA, SNMP ...)

Wed Apr 29, 2015 12:21 pm

At Montréal, Canada.
I am working at inverse for PacketFence project.
Fabrice,
I have sent you an email regarding Mikrotik RouterBOARD 951Ui-2HnD support in PF.
I want to contribute that AP to you for your testing.
Right now, dynamic vlan switching is working successfully but once changed to default vlan there is no connectivity (can't ping to anywhere although received DHCP successfully in the default vlan)

Thanks,
 
safiullahtariq
Frequent Visitor
Frequent Visitor
Posts: 81
Joined: Sun Apr 06, 2014 9:21 pm
Location: Lahore Pakistan

Re: Disassociate device (CoA, SNMP ...)

Wed Mar 29, 2017 5:02 pm

Hello All,

I know this is an old post. But im curious -

Isnt the RouterOS same on all the devices like Hap AC Lite and OmniTIK U-5hnD? if that is the case then what is the issue with Packetfence and its support with other devices ?

I am actually having issue in configuring my Hap AC Lite with PacketFence.
I have installed PacketFence Out-of-Band Deployment using ZEN (their VM image) and made all the required settings which they have asked to do in mikrotik. Im facing an issue, any device i try to connect to the Mikrotik and Packetfence, it does not obtain IP address and the error i get in the logs of Mikrotik is

"cap1 Disconnected, received disassoc: sending station leaving (8)"
I can see the Radius getting a request for connection in the log of PF.

I know this is not packetfence forum, but i cant get any help from Packetfence.

This is the setting i have done in my mikrotik hap ac lite: (well this is what PacketFence people ask to do)
/interface wireless
# managed by CAPsMAN
# channel: 5180/20-Ce/an(17dBm), SSID: OPEN, local forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce disabled=no l2mtu=1600 mode=ap-bridge ssid=MikroTik-05A64D
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-master-local
/interface vlan
add interface=BR-CAPS l2mtu=1594 name=default vlan-id=1
add interface=BR-CAPS l2mtu=1594 name=isolation vlan-id=3
add interface=BR-CAPS l2mtu=1594 name=registration vlan-id=2
/caps-man datapath
add bridge=BR-CAPS client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man interface
#
add arp=enabled configuration.mode=ap configuration.ssid=OPEN datapath=datapath1 disabled=no l2mtu=1600 mac-address=\
    D4:CA:6D:05:A6:4D master-interface=none mtu=1500 name=cap1 radio-mac=D4:CA:6D:05:A6:4D
/caps-man aaa
set interim-update=5m
/caps-man access-list
add action=query-radius interface=cap1 radius-accounting=yes signal-range=-120..120 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether1-gateway
add bridge=BR-CAPS interface=ether5-master-local
/interface wireless cap
set bridge=BR-CAPS discovery-interfaces=BR-CAPS enabled=yes interfaces=wlan1
/ip accounting
set enabled=yes
/radius
add address=192.168.1.5 secret=useStrongerSecret service=wireless
/radius incoming
set accept=yes

Who is online

Users browsing this forum: No registered users and 25 guests