What you are asking should be possible. A few questions:

Do you use the User Manager with the hotspot? I don't know if this would affect the process... but it might.

Is your hotspot set up so that you are able to use the On Login / On Logout scripts under User Profiles? This would probably be the way to do it...

hs user profile scripts.png

Once the users are logged in the first time, this record will need to be stored somewhere. How long do you want this record to exist? 1 month, 1 year?

I have not worked with Freeradius... so the question is:

If you put this script in the On Login box (picture earlier), do you start seeing logs of users logging in?

Code: Select all

/log info "$user just logged in, triggered On Login script";

Also, do active hotspot users show up in IP > Hotspot > Active tab?

Something like this may work for you. The script checks each hotspot login. New firewall rules are added that attempt to add the user to the Firewall's Address List for X number of days. Users are filtered by whatever string you choose. This was tested on a stock hotspot without any other custom firewall rules, so it's possible that customized firewall rules could interfere. One thing to keep in mind is that dynamic Address List entries are created, and they are not persistent if the router reboots.

Instructions:
1. Edit the CONFIG section at the top of the script
2. You may need to edit the /tool e-mail... code further down in the script, in case your email settings are different
3. Paste this script in IP > Hotspot > User Profiles > Scripts > On Login
4. Tools > Email might need to be configured for sending email

Tested on v5.22

Code: Select all

# CONFIG --------------------------------------------\

# Email address to send to
:local emailaddress "email@domain.com";

# How long user stays in Address List
:local timeout 30d;

# Name filter, only process usernames that start with this string, CASE sensitive
# If you want to allow all users, remove everything between the quotes :local nameFilter "";
:local nameFilter "AD";

# END CONFIG ----------------------------------------/



# if username starts with nameFilter, proceed
if ([:find "$user" "$nameFilter"] = 0) do={
	/log info "[HOTSPOT] - $user - logged in, matches name filter";

# Set date and time variables
	:local date [/system clock get date];
	:local time [/system clock get time];
# get user IP
	:local ip [/ip hotspot active get [find user="$user"] address];
# delcare a few variables
	:local emailsubject;
	:local emailbody;

# if user does NOT exist in Address List
	:if ([:len [/ip firewall address-list find list~"^$user - HSLOGIN"]] = 0) do={
		/log info "[HOTSPOT] - $user - not found in Address List";

# add firewall rules that will add dynamic address list entry
		/ip firewall filter add action=add-src-to-address-list address-list="$user - HSLOGIN,$date,$time" address-list-timeout=$timeout chain=pre-hs-input disabled=no src-address=$ip comment="$user - HSLOGIN";
		/ip firewall filter add action=add-src-to-address-list address-list="$user - HSLOGIN,$date,$time" address-list-timeout=$timeout chain=forward disabled=no src-address=$ip comment="$user - HSLOGIN";

		:local counter 0;
# number of times to attempt to add user to Address List before giving up	
		:local limit 60;
# delay between attempts
		:local delaytime 5s;
# loop a number of times to check if user is added to Address List	
		:while (counter < $limit) do={
			:set counter ($counter + 1);
			/log info "[HOTSPOT] - $user - checking if user is in Address List - attempt $counter of $limit";
# wait between Address List checks		
			:delay $delaytime;
# if Address List entry is found, proceed
			:if ([:len [/ip firewall address-list find list~"^$user - HSLOGIN"]] = 1) do={
				/log info "[HOTSPOT] - $user - user has been added to Address List, sending email";
# set email subject and body variables
				:set emailsubject "New Hotspot Login ($user)";
				:set emailbody "User: $user\r\n$time, $date\r\nIP: $ip\r\nExpires in: $timeout";
# increment counter
				:set counter ($limit+10);
			} else={
# if we have reached the limit of times to check, send email
				:if ($counter = $limit) do={
					/log info "[HOTSPOT] - $user - failed to add user to Address List, sending email";
# set email subject and body variables
					:set emailsubject "New Hotspot Login ERROR ($user)";
					:set emailbody "ERROR: failed to add to Address List, need to investigate.\r\n\r\nUser: $user\r\n$time, $date\r\nIP: $ip\r\n";
				}
			}
		}
# remove firewall rules afterwards
		/ip firewall filter remove [find comment="$user - HSLOGIN"];
# send email
		/tool e-mail send to="$emailaddress" subject="$emailsubject" body="$emailbody";
# if user DOES exist in address list	
	} else={
		/log info "[HOTSPOT] - $user - already in Address List";
	}
# if user does not match name filter	
} else={
	/log info "[HOTSPOT] - $user - logged in, does not match name filter";
}

is there a way that I can add more filter words to it? ..it seems like the logins isn't case sensitive, thats also a problem, so if someone enters "ad" it still logins but no email

:local nameFilter ("AD","ad","Ad","aD");

:local nameFilter ("");

# CONFIG --------------------------------------------\

# Email address to send to
:local emailaddress "email@domain.com";

# How long user stays in Address List
:local timeout 30d;

# Name filter, only process usernames that start with this string, CASE sensitive
# If you want to allow all users, leave one set of double quotes: :local nameFilter ("");
:local nameFilter ("AD","ad","Ad","aD");

# END CONFIG ----------------------------------------/



# found a match toggle
:local match 0;
# check each nameFilter element
:foreach i in=$nameFilter do={
# if username starts with nameFilter, we have a match
	if ([:find "$user" "$i"] = 0) do={
		:set match 1;
	}
}
if ($match = 1) do={
	/log info "[HOTSPOT] - $user - logged in, matches name filter";

# Set date and time variables
	:local date [/system clock get date];
	:local time [/system clock get time];
# get user IP
	:local ip [/ip hotspot active get [find user="$user"] address];
# delcare a few variables
	:local emailsubject;
	:local emailbody;

# if user does NOT exist in Address List
	:if ([:len [/ip firewall address-list find list~"^$user - HSLOGIN"]] = 0) do={
		/log info "[HOTSPOT] - $user - not found in Address List";

# add firewall rules that will add dynamic address list entry
		/ip firewall filter add action=add-src-to-address-list address-list="$user - HSLOGIN,$date,$time" address-list-timeout=$timeout chain=pre-hs-input disabled=no src-address=$ip comment="$user - HSLOGIN";
		/ip firewall filter add action=add-src-to-address-list address-list="$user - HSLOGIN,$date,$time" address-list-timeout=$timeout chain=forward disabled=no src-address=$ip comment="$user - HSLOGIN";

		:local counter 0;
# number of times to attempt to add user to Address List before giving up	
		:local limit 60;
# delay between attempts
		:local delaytime 5s;
# loop a number of times to check if user is added to Address List	
		:while (counter < $limit) do={
			:set counter ($counter + 1);
			/log info "[HOTSPOT] - $user - checking if user is in Address List - attempt $counter of $limit";
# wait between Address List checks		
			:delay $delaytime;
# if Address List entry is found, proceed
			:if ([:len [/ip firewall address-list find list~"^$user - HSLOGIN"]] = 1) do={
				/log info "[HOTSPOT] - $user - user has been added to Address List, sending email";
# set email subject and body variables
				:set emailsubject "New Hotspot Login ($user)";
				:set emailbody "User: $user\r\n$time, $date\r\nIP: $ip\r\nExpires in: $timeout";
# increment counter
				:set counter ($limit+10);
			} else={
# if we have reached the limit of times to check, send email
				:if ($counter = $limit) do={
					/log info "[HOTSPOT] - $user - failed to add user to Address List, sending email";
# set email subject and body variables
					:set emailsubject "New Hotspot Login ERROR ($user)";
					:set emailbody "ERROR: failed to add to Address List, need to investigate.\r\n\r\nUser: $user\r\n$time, $date\r\nIP: $ip\r\n";
				}
			}
		}
# remove firewall rules afterwards
		/ip firewall filter remove [find comment="$user - HSLOGIN"];
# send email
		/tool e-mail send to="$emailaddress" subject="$emailsubject" body="$emailbody";
# if user DOES exist in address list	
	} else={
		/log info "[HOTSPOT] - $user - already in Address List";
	}
# if user does not match name filter, log info
} else={
	/log info "[HOTSPOT] - $user - logged in, does not match name filter";
}

is there a way that I can add more filter words to it? ..it seems like the logins isn't case sensitive, thats also a problem, so if someone enters "ad" it still logins but no email

Yes.

The full script is further down, but here are some of the changes. You can now add more filter strings. Edit the following array to include the ones you want. Current it's set to allow any combination of "AD":

Code: Select all

:local nameFilter ("AD","ad","Ad","aD");

You can add or remove ones you don't want, just make sure to enclose each one in quotes and separate them with a comma (no comma after the last one).

If you want to allow all users, change it to:

Code: Select all

:local nameFilter ("");

NOTE: You'll need to replace the entire script, as some of the structure has changed.

v2

Code: Select all

# CONFIG --------------------------------------------\

# Email address to send to
:local emailaddress "email@domain.com";

# How long user stays in Address List
:local timeout 30d;

# Name filter, only process usernames that start with this string, CASE sensitive
# If you want to allow all users, leave one set of double quotes: :local nameFilter ("");
:local nameFilter ("AD","ad","Ad","aD");

# END CONFIG ----------------------------------------/



# found a match toggle
:local match 0;
# check each nameFilter element
:foreach i in=$nameFilter do={
# if username starts with nameFilter, we have a match
	if ([:find "$user" "$i"] = 0) do={
		:set match 1;
	}
}
if ($match = 1) do={
	/log info "[HOTSPOT] - $user - logged in, matches name filter";

# Set date and time variables
	:local date [/system clock get date];
	:local time [/system clock get time];
# get user IP
	:local ip [/ip hotspot active get [find user="$user"] address];
# delcare a few variables
	:local emailsubject;
	:local emailbody;

# if user does NOT exist in Address List
	:if ([:len [/ip firewall address-list find list~"^$user - HSLOGIN"]] = 0) do={
		/log info "[HOTSPOT] - $user - not found in Address List";

# add firewall rules that will add dynamic address list entry
		/ip firewall filter add action=add-src-to-address-list address-list="$user - HSLOGIN,$date,$time" address-list-timeout=$timeout chain=pre-hs-input disabled=no src-address=$ip comment="$user - HSLOGIN";
		/ip firewall filter add action=add-src-to-address-list address-list="$user - HSLOGIN,$date,$time" address-list-timeout=$timeout chain=forward disabled=no src-address=$ip comment="$user - HSLOGIN";

		:local counter 0;
# number of times to attempt to add user to Address List before giving up	
		:local limit 60;
# delay between attempts
		:local delaytime 5s;
# loop a number of times to check if user is added to Address List	
		:while (counter < $limit) do={
			:set counter ($counter + 1);
			/log info "[HOTSPOT] - $user - checking if user is in Address List - attempt $counter of $limit";
# wait between Address List checks		
			:delay $delaytime;
# if Address List entry is found, proceed
			:if ([:len [/ip firewall address-list find list~"^$user - HSLOGIN"]] = 1) do={
				/log info "[HOTSPOT] - $user - user has been added to Address List, sending email";
# set email subject and body variables
				:set emailsubject "New Hotspot Login ($user)";
				:set emailbody "User: $user\r\n$time, $date\r\nIP: $ip\r\nExpires in: $timeout";
# increment counter
				:set counter ($limit+10);
			} else={
# if we have reached the limit of times to check, send email
				:if ($counter = $limit) do={
					/log info "[HOTSPOT] - $user - failed to add user to Address List, sending email";
# set email subject and body variables
					:set emailsubject "New Hotspot Login ERROR ($user)";
					:set emailbody "ERROR: failed to add to Address List, need to investigate.\r\n\r\nUser: $user\r\n$time, $date\r\nIP: $ip\r\n";
				}
			}
		}
# remove firewall rules afterwards
		/ip firewall filter remove [find comment="$user - HSLOGIN"];
# send email
		/tool e-mail send to="$emailaddress" subject="$emailsubject" body="$emailbody";
# if user DOES exist in address list	
	} else={
		/log info "[HOTSPOT] - $user - already in Address List";
	}
# if user does not match name filter, log info
} else={
	/log info "[HOTSPOT] - $user - logged in, does not match name filter";
}

You are welcome! Enjoy...

How are you adding the MAC users?

1) Do you add user to IP Bindings with Type:Bypassed (http://forum.mikrotik.com/viewtopic.php ... =2#p123566). When I use this method, the client is bypassed, so there is no login. Therefore, script does not run.

2) Do you add new User with Name as MAC address and blank password (http://forum.mikrotik.com/viewtopic.php ... =2#p123564). The script works when I use this method.

Or are you using a different method?

So, are you saying that after the first MAC user logs in, then the script stops working for all users? Hmm...

From what I can figure out, the script hangs up on the $user variable... not sure why because it would correctly work the first time. So, I converted $user to a string and used the string instead throughout the script. Now it seems to be working. Let me know if this works!

v3

Code: Select all

# CONFIG --------------------------------------------\

# Email address to send to
:local emailaddress "email@domain.com";

# How long user stays in Address List
:local timeout 30d;

# Name filter, only process usernames that start with this string, CASE sensitive
# If you want to allow all users, leave one set of double quotes: :local nameFilter ("");
:local nameFilter ("AD","ad","Ad","aD");

# END CONFIG ----------------------------------------/

:local userStr [:tostr $user];

# found a match toggle
:local match 0;
# check each nameFilter element
:foreach i in=$nameFilter do={
# if username starts with nameFilter, we have a match
   if ([:find "$userStr" "$i"] = 0) do={
      :set match 1;
   }
}
if ($match = 1) do={
   /log info "[HOTSPOT] - $userStr - logged in, matches name filter";

# Set date and time variables
   :local date [/system clock get date];
   :local time [/system clock get time];
# get user IP
   :local ip [/ip hotspot active get [find user="$userStr"] address];
# delcare a few variables
   :local emailsubject;
   :local emailbody;

# if user does NOT exist in Address List
   :if ([:len [/ip firewall address-list find list~"^$userStr - HSLOGIN"]] = 0) do={
      /log info "[HOTSPOT] - $userStr - not found in Address List";

# add firewall rules that will add dynamic address list entry
      /ip firewall filter add action=add-src-to-address-list address-list="$userStr - HSLOGIN,$date,$time" address-list-timeout=$timeout chain=pre-hs-input disabled=no src-address=$ip comment="$userStr - HSLOGIN";
      /ip firewall filter add action=add-src-to-address-list address-list="$userStr - HSLOGIN,$date,$time" address-list-timeout=$timeout chain=forward disabled=no src-address=$ip comment="$userStr - HSLOGIN";

      :local counter 0;
# number of times to attempt to add user to Address List before giving up   
      :local limit 60;
# delay between attempts
      :local delaytime 5s;
# loop a number of times to check if user is added to Address List   
      :while (counter < $limit) do={
         :set counter ($counter + 1);
         /log info "[HOTSPOT] - $userStr - checking if user is in Address List - attempt $counter of $limit";
# wait between Address List checks      
         :delay $delaytime;
# if Address List entry is found, proceed
         :if ([:len [/ip firewall address-list find list~"^$userStr - HSLOGIN"]] = 1) do={
            /log info "[HOTSPOT] - $userStr - user has been added to Address List, sending email";
# set email subject and body variables
            :set emailsubject "New Hotspot Login ($userStr)";
            :set emailbody "User: $userStr\r\n$time, $date\r\nIP: $ip\r\nExpires in: $timeout";
# increment counter
            :set counter ($limit+10);
         } else={
# if we have reached the limit of times to check, send email
            :if ($counter = $limit) do={
               /log info "[HOTSPOT] - $userStr - failed to add user to Address List, sending email";
# set email subject and body variables
               :set emailsubject "New Hotspot Login ERROR ($userStr)";
               :set emailbody "ERROR: failed to add to Address List, need to investigate.\r\n\r\nUser: $userStr\r\n$time, $date\r\nIP: $ip\r\n";
            }
         }
      }
# remove firewall rules afterwards
      /ip firewall filter remove [find comment="$userStr - HSLOGIN"];
# send email
      /tool e-mail send to="$emailaddress" subject="$emailsubject" body="$emailbody";
# if user DOES exist in address list   
   } else={
      /log info "[HOTSPOT] - $userStr - already in Address List";
   }
# if user does not match name filter, log info
} else={
   /log info "[HOTSPOT] - $userStr - logged in, does not match name filter";
}

everything seems to work 100% now, thx mate

My hotspot is configured to use usermanager, so not sure if this is the reason it does not work.

From my router I can send test emails, I also see that on the log, I get "user just logged in, triggered on logon script" followed by "user logged in, matches name filter"

However nothing further is logged and no email is received.

Something like this may work for you. The script checks each hotspot login. New firewall rules are added that attempt to add the user to the Firewall's Address List for X number of days. Users are filtered by whatever string you choose. This was tested on a stock hotspot without any other custom firewall rules, so it's possible that customized firewall rules could interfere. One thing to keep in mind is that dynamic Address List entries are created, and they are not persistent if the router reboots.

Instructions:
1. Edit the CONFIG section at the top of the script
2. You may need to edit the /tool e-mail... code further down in the script, in case your email settings are different
3. Paste this script in IP > Hotspot > User Profiles > Scripts > On Login
4. Tools > Email might need to be configured for sending email

Tested on v5.22

Code: Select all

# CONFIG --------------------------------------------\

# Email address to send to
:local emailaddress "email@domain.com";

# How long user stays in Address List
:local timeout 30d;

# Name filter, only process usernames that start with this string, CASE sensitive
# If you want to allow all users, remove everything between the quotes :local nameFilter "";
:local nameFilter "AD";

# END CONFIG ----------------------------------------/



# if username starts with nameFilter, proceed
if ([:find "$user" "$nameFilter"] = 0) do={
	/log info "[HOTSPOT] - $user - logged in, matches name filter";

# Set date and time variables
	:local date [/system clock get date];
	:local time [/system clock get time];
# get user IP
	:local ip [/ip hotspot active get [find user="$user"] address];
# delcare a few variables
	:local emailsubject;
	:local emailbody;

# if user does NOT exist in Address List
	:if ([:len [/ip firewall address-list find list~"^$user - HSLOGIN"]] = 0) do={
		/log info "[HOTSPOT] - $user - not found in Address List";

# add firewall rules that will add dynamic address list entry
		/ip firewall filter add action=add-src-to-address-list address-list="$user - HSLOGIN,$date,$time" address-list-timeout=$timeout chain=pre-hs-input disabled=no src-address=$ip comment="$user - HSLOGIN";
		/ip firewall filter add action=add-src-to-address-list address-list="$user - HSLOGIN,$date,$time" address-list-timeout=$timeout chain=forward disabled=no src-address=$ip comment="$user - HSLOGIN";

		:local counter 0;
# number of times to attempt to add user to Address List before giving up	
		:local limit 60;
# delay between attempts
		:local delaytime 5s;
# loop a number of times to check if user is added to Address List	
		:while (counter < $limit) do={
			:set counter ($counter + 1);
			/log info "[HOTSPOT] - $user - checking if user is in Address List - attempt $counter of $limit";
# wait between Address List checks		
			:delay $delaytime;
# if Address List entry is found, proceed
			:if ([:len [/ip firewall address-list find list~"^$user - HSLOGIN"]] = 1) do={
				/log info "[HOTSPOT] - $user - user has been added to Address List, sending email";
# set email subject and body variables
				:set emailsubject "New Hotspot Login ($user)";
				:set emailbody "User: $user\r\n$time, $date\r\nIP: $ip\r\nExpires in: $timeout";
# increment counter
				:set counter ($limit+10);
			} else={
# if we have reached the limit of times to check, send email
				:if ($counter = $limit) do={
					/log info "[HOTSPOT] - $user - failed to add user to Address List, sending email";
# set email subject and body variables
					:set emailsubject "New Hotspot Login ERROR ($user)";
					:set emailbody "ERROR: failed to add to Address List, need to investigate.\r\n\r\nUser: $user\r\n$time, $date\r\nIP: $ip\r\n";
				}
			}
		}
# remove firewall rules afterwards
		/ip firewall filter remove [find comment="$user - HSLOGIN"];
# send email
		/tool e-mail send to="$emailaddress" subject="$emailsubject" body="$emailbody";
# if user DOES exist in address list	
	} else={
		/log info "[HOTSPOT] - $user - already in Address List";
	}
# if user does not match name filter	
} else={
	/log info "[HOTSPOT] - $user - logged in, does not match name filter";
}