mtkfan
just joined
Topic Author
Posts: 6
Joined: Sun Jun 12, 2011 6:49 am

Hotspot FreeRadius CoA with Mikrotik-Group attribute not working correctly?

Wed Feb 03, 2016 12:56 am

Hi,

I am running RouterOS v6.33.2 (also tried 6.11) and FreeRADIUS v2.2.6 using the Mikrotik library with CoA.

There are two hotspot user profiles set up, called "default" and "basic". The theory is that when a user hits a certain data usage, the radius server sends a CoA with the Mikrotik-Group attribute set to "basic". The router should then change the user to the basic user profile and use the attributes defined in that profile.

The problem is that only some of the profile's attributes are being applied. For example, I have an address list called basic that contains the IPs of all the basic users, and then there is a premium address list for the default user profile, and these address lists all seem to work and change at least once. However, both profiles also have a rate-limit defined, and when a user is changed from default to basic the simple queue does not change and stays configured as per the default. Also, if you try to do another CoA back to the default profile, you get the same Radius error as below. Yet it is the exact same command that was being sent prior to trying to change to basic, and it was accepted then.

I have also noticed that the logs keep showing an error message "Radius CoA already in progress" for any user where the radius service is sending a CoA with the Mikrotik-Group = "basic" attribute set. And the Radius Server is receiving a reply to the CoA-NAK packet from the router with the error "Error-Cause = Unsupported-Extension".


Here is the Hotspot User Profile setup...

0 * name="default" idle-timeout=10m keepalive-timeout=2m status-autorefresh=1m shared-users=5 add-mac-cookie=yes mac-cookie-timeout=1d
rate-limit="768K/2M 2M/5M 1M/3M 3/3 4" address-list=premium incoming-packet-mark="dn_p2_premium_WAN1" outgoing-packet-mark="up_p2_premium_WAN1"
transparent-proxy=no

1 name="basic" idle-timeout=10m keepalive-timeout=2m status-autorefresh=1m shared-users=5 add-mac-cookie=yes mac-cookie-timeout=1d
rate-limit="256k/768K 1M/2M 512K/1M 5/5 7" address-list=basic incoming-packet-mark="basic" outgoing-packet-mark="basic" transparent-proxy=no


Here is some router radius log info.

An accepted CoA request

Jan 20 23:03:14 gw radius,debug,packet received CoA-Request with id 250 from 172.16.10.250:1814
Jan 20 23:03:14 gw radius,debug,packet Signature = 0x5ff152a88383c1468a59c5a354db3a55
Jan 20 23:03:14 gw radius,debug,packet User-Name = "TEST1"
Jan 20 23:03:14 gw radius,debug,packet Framed-IP-Address = 172.16.1.34
Jan 20 23:03:14 gw radius,debug,packet MT-Group = "default"
Jan 20 23:03:14 gw radius,debug received remote request 443798 code=CoA-Request from 172.16.10.250:1814
Jan 20 23:03:14 gw hotspot,debug TEST1 (172.16.1.34): RADIUS accounting request sent
Jan 20 23:03:14 gw hotspot,info,debug TEST1 (172.16.1.34): trying to update via Radius CoA
Jan 20 23:03:14 gw hotspot,debug TEST1 (172.16.1.34): using profile <default>
Jan 20 23:03:14 gw hotspot,info,debug TEST1 (172.16.1.34): Radius CoA succeeded
Jan 20 23:03:14 gw radius,debug sending CoA-ACK to remote request 443798
Jan 20 23:03:14 gw radius,debug,packet sending CoA-ACK with id 250 to 172.16.10.250:1814
Jan 20 23:03:14 gw radius,debug,packet Signature = 0x460daaab41d90478c9c9fe0a5156b558
Jan 20 23:03:14 gw radius,debug,packet NAS-Identifier = "router"
Jan 20 23:03:14 gw radius,debug,packet NAS-IP-Address = 172.16.10.254


A failed CoA request

Jan 20 23:03:19 gw radius,debug,packet received CoA-Request with id 123 from 172.16.10.250:1814
Jan 20 23:03:19 gw radius,debug,packet Signature = 0xb749f5e2c2709bf5630358859ccb6ac2
Jan 20 23:03:19 gw radius,debug,packet User-Name = "TEST2"
Jan 20 23:03:19 gw radius,debug,packet Framed-IP-Address = 172.16.0.227
Jan 20 23:03:19 gw radius,debug,packet MT-Group = "basic"
Jan 20 23:03:19 gw radius,debug received remote request 443799 code=CoA-Request from 172.16.10.250:1814
Jan 20 23:03:19 gw hotspot,debug TEST2 (172.16.0.227): RADIUS accounting request sent
Jan 20 23:03:19 gw hotspot,error,info,debug TEST2 (172.16.0.227): Radius CoA already in progress
Jan 20 23:03:19 gw radius,debug sending CoA-NAK to remote request 443799
Jan 20 23:03:19 gw radius,debug,packet sending CoA-NAK with id 123 to 172.16.10.250:1814
Jan 20 23:03:19 gw radius,debug,packet Signature = 0x6ce3d5fde0c5ce859e6a57a1f9ef48fa
Jan 20 23:03:19 gw radius,debug,packet Error-Cause = 406
Jan 20 23:03:19 gw radius,debug,packet NAS-Identifier = "router"
Jan 20 23:03:19 gw radius,debug,packet NAS-IP-Address = 172.16.10.254

Similar failed message from the radius logs...

Sending CoA-Request of id 186 to 172.16.10.254 port 3799
User-Name = "REMOVED"
Framed-IP-Address = 172.16.1.142
Mikrotik-Group = "basic"
rad_recv: CoA-NAK packet from host 172.16.10.254 port 3799, id=186, length=44
Error-Cause = Unsupported-Extension
NAS-Identifier = "router"
NAS-IP-Address = 172.16.10.254

I notice the sent Radius attribute Mikrotik-Group seems different to the router's received debug attribute of MT-Group, but I assume this is an internal thing and not a fault.

So I think all is set up okay, and I am just thinking this is a bug of some sort? Any suggestions most appreciated.
 
mtkfan
just joined
Topic Author
Posts: 6
Joined: Sun Jun 12, 2011 6:49 am

Re: Hotspot FreeRadius CoA with Mikrotik-Group attribute not working correctly?

Tue May 17, 2016 6:27 am

Okay, after a lot more playing around, it seems the CoA-NAKs are actually being caused by the use of address-lists in the user-profiles.

It appears that the first CoA request to use a profile with an address list (e.g. basic) will work okay, and the IP of the client is added to the address list defined in the profile.

Then if there is a second CoA to change the profile back to the default profile (with no address list), then again everything works okay, and the client IP is removed from the address list as expected.

Now on the third CoA request we try to use the basic profile again. The IP address of the client is again added to the address list, but other profile settings (e.g. Rate Limit) do not get applied and the router responds to the Radius Server with a CoA-NAK with a 406 error.

So it seems that something within the internal adding and removing of the client IP to and from the address list is causing this. Then, to make it worse, all future CoA requests to that client will fail with the same error until the client disconnects and reconnects; then it starts all over again.

I have tested this in the latest bug-fix 6.32.4 and current 6.35.2, same issue exists.

So until the bug is fixed the only solution seems to be don't use the address list option in hotspot user profiles if you also need to use Radius CoA with them.

:D
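
Added example, not part of the thread or any poster's code: a Python parser for the router's `radius,debug,packet` log lines that pairs each CoA-Request with its CoA-ACK or CoA-NAK and reports, per user, how many CoAs were ACKed before the first NAK and with which Error-Cause. The sample log is constructed in the format of the router log in the first post, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Subset of RFC 5176 Error-Cause codes; the router log shows only the number.
ERROR_CAUSE = {404: "Invalid-Request", 406: "Unsupported-Extension", 503: "Session-Context-Not-Found"}
FIELDS = {"User-Name": "user", "MT-Group": "group", "Error-Cause": "error"}
LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (\S+) (.*)$")  # date, host, topics, message
REQ = re.compile(r"received CoA-Request with id (\d+)")
REPLY = re.compile(r"sending CoA-(ACK|NAK) with id (\d+)")
ATTR = re.compile(r'^([\w-]+) = "?([^"]*)"?$')

def parse_coa(log_text):
    """Return one dict per CoA exchange found in radius,debug,packet lines."""
    exchanges, cur = [], None
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or "packet" not in m[1].split(","):
            continue  # hotspot and other topics carry no packet attributes
        msg = m[2].strip()
        if r := REQ.search(msg):
            cur = dict(id=int(r[1]), user=None, group=None, result=None, error=None)
            exchanges.append(cur)
        elif cur and (r := REPLY.search(msg)) and int(r[2]) == cur["id"]:
            cur["result"] = r[1]
        elif cur and (a := ATTR.match(msg)) and a[1] in FIELDS:
            is_code = a[1] == "Error-Cause" and a[2].isdigit()
            cur[FIELDS[a[1]]] = int(a[2]) if is_code else a[2]
    return exchanges

def first_failures(exchanges):
    """Per user: ACKed CoAs before the first NAK, the group requested, the cause."""
    report, acks = {}, defaultdict(int)
    for ex in exchanges:
        if ex["result"] == "ACK":
            acks[ex["user"]] += 1
        elif ex["result"] == "NAK" and ex["user"] not in report:
            cause = ERROR_CAUSE.get(ex["error"], f"Error-Cause {ex['error']}")
            report[ex["user"]] = dict(acks_before=acks[ex["user"]], group=ex["group"], cause=cause)
    return report

# Constructed sample (not a real capture): basic -> default -> basic, third request NAKed.
_P = "Jan 20 23:03:19 gw radius,debug,packet "
_ROWS = []
for pid, grp, res in [(10, "basic", "ACK"), (11, "default", "ACK"), (12, "basic", "NAK")]:
    _ROWS += [f"received CoA-Request with id {pid} from 172.16.10.250:1814",
              'User-Name = "TEST1"', f'MT-Group = "{grp}"',
              f"sending CoA-{res} with id {pid} to 172.16.10.250:1814"]
SAMPLE_LOG = "\n".join(_P + r for r in _ROWS + ["Error-Cause = 406"])
print(first_failures(parse_coa(SAMPLE_LOG)))
```
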
 
mehdisadighian
just joined
Posts: 8
Joined: Sun Oct 30, 2016 12:28 pm

Re: Hotspot FreeRadius CoA with Mikrotik-Group attribute not working correctly?

Sun Oct 30, 2016 2:30 pm

pppoe coa:
echo User-Name=mehdi,Mikrotik-Rate-Limit=\"512k/512k\" | radclient -d /usr/local/share/freeradius/ -x -F x.x.x.x:3799 coa secret

hotspot coa:
echo User-Name=mehdi,Framed-IP-Address="192.168.20.254",Mikrotik-Rate-Limit=\"512k/512k\" | radclient -d /usr/local/share/freeradius/ -x -F x.x.x.x:3799 coa secret



mehdi.sadighian@hotmail.com
 
Eselemo
just joined
Posts: 1
Joined: Sat Jul 22, 2017 10:47 pm

Re: Hotspot FreeRadius CoA with Mikrotik-Group attribute not working correctly?

Sun Dec 17, 2017 7:28 pm

So until the bug is fixed the only solution seems to be don't use the address list option in hotspot user profiles if you also need to use Radius CoA with them.
I am having same issue but don't know how to work around it.

Can you help me with the alternative way to configure the CoA without using the address list option in the hotspot user profiles? I
 
gaithoj
just joined
Posts: 1
Joined: Wed Aug 18, 2021 3:10 pm

Re: Hotspot FreeRadius CoA with Mikrotik-Group attribute not working correctly?

Wed Aug 18, 2021 3:18 pm

In case you still haven't figured it out, and for the sake of anyone experiencing the same, what seemed to work for me was passing only the Framed-IP attribute for identification and the attribute to be changed.
echo "Framed-IP-Address=192.168.5.100, Mikrotik-Rate-Limit=1M/1M" | radclient -r '1' -x '192.168.5.1:3799' 'coa' secret