On Mon, 2012-12-31 at 12:05 -0600, Chris Gotstein wrote:
> I'm setting up Radius authentication to link our billing system and 
> access points.  What I'm doing is using FreeRadius as a proxy to our 
> billing radius server to overcome some limitations that it has.  I have 
> no problem getting the radios to authenticate, but when I query our 
> billing software to see who's connected, I'm only seeing 1 mac address 
> per AP.  It appears that since everyone on the mikrotik AP is connecting 
> to wlan1, I'm only seeing that 1 port come through radius.  Is there a 
> way in FreeRadius to add a unique port for each mac address authenticated?

I'm not sure why you are seeing this behavior.  Radius MAC
authentication in RouterOS for wireless SHOULD be authenticating every
MAC that attempts to associate.  You may be using the wrong query to the
radius database.  I'm only guessing there.  There is another issue,
though, that you should be aware of about this type of query.
The basic process for wireless access auth requests (router's
perspective) is this:

1. Is "default authenticate" turned on? 
        yes - authenticate UNLESS local or radius says "no"
        no - do NOT authenticate unless local or radius says "yes"
2. Is the mac address listed in the local database (access-list)?
        yes - auth or not depending on "authenticate" setting - DO NOT consult radius
        no - proceed to step 3
3. Is radius configured for this card in the security profile?
        yes - send auth request to radius - auth or not depending on radius answer
        no - MAC will have been authenticated already before this is a possible answer in steps 1/2

Once a "final answer" is reached about authentication, there are no
further queries to the database (radius OR local) about this MAC address
status.  In other words, let's assume we made it to the radius request
and radius said "yes, authenticate this mac".  The station would be
allowed to connect and the router will NEVER communicate any further
with the radius server about that mac address until, of course, it
disconnects and tries to reconnect, but that is NOT a function related
to radius.  

Now, with that explanation for what happens, let me explain the issue.
Because radius is used to simply authenticate, freeradius will NOT
receive a "START" packet for a session for this MAC address.  In effect,
radius will have no way of knowing if there is an active connection for
ANY wireless mac addresses that are authenticated, even if that auth
happened by radius.  

Perhaps another way to explain this is to explain the process for
another type of radius request.  I'll use pppoe as an example.  Once it
is determined that a pppoe user must be authenticated via radius
(basically the same 3 steps as above), the radius auth packet is sent to
radius server, which will return a "yes" or "no", along with various
parameters for a "yes".  As soon as the pppoe server gets that answer
and establishes the pppoe session, there is another packet sent to the
radius server called a "session start".  This packet contains various
information about the session.  Depending on the configuration of your
router, there MAY be periodic "status update" messages sent to the
radius server about each active session.  Finally at the END of the
session (user logs off or whatever), a "session stop" packet is sent.
Because of these start/stop packets, the radius server is able to keep
track of which pppoe users are CURRENTLY connected.  I do not think you
will find a mechanism in routeros to make that possible for wireless
connections.  I know for certain that routeros will NOT send a stop
packet for disconnected wireless clients.

-- 
********************************************************************
* Butch Evans                * Professional Network Consultation   *
* http://www.butchevans.com/ * Network Engineering                 *
* http://store.wispgear.net/ * Wired or Wireless Networks          *
* http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!    *
*          NOTE THE NEW PHONE NUMBER: 702-537-0979                 *
********************************************************************



_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
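
Added example, not part of the original message or of FreeRADIUS/RouterOS: a small Python model of how a RADIUS server derives "who is online" from accounting packets only, which is why MACs that were merely authenticated never show up as active. The events, MAC addresses, user names and session IDs are constructed; the attribute names (Acct-Status-Type, Acct-Session-Id, User-Name) are the standard RADIUS ones.

```python
# Constructed sample events, not captured traffic: (packet type, attributes).
MAC_A, MAC_B = "00:00:5E:00:53:01", "00:00:5E:00:53:02"


def acct(status, session_id, user):
    """Build a constructed Accounting-Request event."""
    return ("Accounting-Request", {"Acct-Status-Type": status,
                                   "Acct-Session-Id": session_id,
                                   "User-Name": user})


EVENTS = [
    # Wireless MAC auth: the accept is the final answer, no accounting follows.
    ("Access-Accept", {"User-Name": MAC_A}),
    ("Access-Accept", {"User-Name": MAC_B}),
    # PPPoE user "alice": accept, session start, periodic update, still online.
    ("Access-Accept", {"User-Name": "alice"}),
    acct("Start", "pppoe-0001", "alice"),
    acct("Interim-Update", "pppoe-0001", "alice"),
    # PPPoE user "bob": accept, session start, then session stop.
    ("Access-Accept", {"User-Name": "bob"}),
    acct("Start", "pppoe-0002", "bob"),
    acct("Stop", "pppoe-0002", "bob"),
]


def active_sessions(events):
    """Map Acct-Session-Id -> User-Name for sessions seen open and not stopped."""
    active = {}
    for ptype, attrs in events:
        if ptype != "Accounting-Request":
            continue  # authentication packets carry no session state
        sid, status = attrs["Acct-Session-Id"], attrs["Acct-Status-Type"]
        if status in ("Start", "Interim-Update"):
            active[sid] = attrs["User-Name"]
        elif status == "Stop":
            active.pop(sid, None)
    return active


def accepted_without_accounting(events):
    """Users that were accepted but never appeared in any accounting packet."""
    accepted, accounted = [], set()
    for ptype, attrs in events:
        if ptype == "Access-Accept" and attrs["User-Name"] not in accepted:
            accepted.append(attrs["User-Name"])
        elif ptype == "Accounting-Request":
            accounted.add(attrs["User-Name"])
    return [user for user in accepted if user not in accounted]
```

The second function is the useful check on a real accounting table: names that were accepted but have no accounting rows are the ones whose online state the server cannot know.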
