Hi Fabrice,

I played around with it a bit further, and here's a working test:
echo "Framed-IP-Address=10.5.50.2" | radclient -x 10.2.2.1:3799 disconnect secret
Sent Disconnect-Request Id 44 from 0.0.0.0:37354 to 10.2.2.1:3799 length 26
        Framed-IP-Address = 10.5.50.2
Received Disconnect-ACK Id 44 from 10.2.2.1:3799 to 10.2.2.254:37354 length 30
        NAS-Identifier = "MikroTik"

Where 10.5.50.2 is the client IP and 10.2.2.1 is the IP of my main
MikroTik router that manages the hotspot.  This command instantly
deauthenticated the client, but did not remove the client's cookie.  For
this reason I believe that we should have "cookie" disabled under Hotspot
-> Server Profiles -> Login -> Login By (uncheck Cookie).

My problem is I don't know how to fix Mikrotik.pm. How do I access the
client IP? I want to do something like:
'Framed-IP-Address' => "$client_ip_address",
on:
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230

Also I guess we must be careful here because in some scenarios if the
client has been assigned a new IP and packetfence is not yet aware of it,
this could break. MAC address would probably be better for
deauthenticating, but I haven't managed to get that working yet.

Thanks!
-Adrian


On Mon, Dec 14, 2020 at 6:02 PM Adrian D'Atri-Guiran <
[email protected]> wrote:

> Thank you,
>
> >btw you can try to add:
> >'Calling-Station-Id' => $mac,
> I have attempted this and the result was a new error (and client remains
> authenticated on the mikrotik hotspot):
>
> Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN:
> [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device
> 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet.
> (pf::accounting_events_history::latest_mac_history)
> Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN:
> [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device
> 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet.
> (pf::accounting_events_history::latest_mac_history)
> Dec 14 20:58:18 radius packetfence_httpd.webservices:
> httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd]
> DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
> Dec 14 20:58:18 radius packetfence_httpd.webservices:
> httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating
> 5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
> Dec 14 20:58:18 radius packetfence_httpd.webservices:
> httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set,
> we will use controller 10.2.2.1 to perform deauth
> (pf::Switch::Mikrotik::radiusDisconnect)
> Dec 14 20:58:18 radius packetfence_httpd.webservices:
> httpd.webservices(4444) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to perform
> RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause:
> Unsupported-Extension. (pf::Switch::Mikrotik::radiusDisconnect)
> Dec 14 20:58:18 radius packetfence_httpd.webservices:
> httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd]
> DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
> Dec 14 20:58:18 radius packetfence_httpd.webservices:
> httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating
> 5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
> Dec 14 20:58:18 radius packetfence_httpd.webservices:
> httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set,
> we will use controller 10.2.2.1 to perform deauth
> (pf::Switch::Mikrotik::radiusDisconnect)
> Dec 14 20:58:18 radius packetfence_httpd.webservices:
> httpd.webservices(4444) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to perform
> RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause:
> Unsupported-Extension. (pf::Switch::Mikrotik::radiusDisconnect)
>
>
>
> On Fri, Dec 11, 2020 at 5:43 PM Durand fabrice via PacketFence-users <
> [email protected]> wrote:
>
>> btw you can try to add:
>>
>> 'Calling-Station-Id' => $mac,
>>
>> here:
>>
>>
>> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230
>>
>>
>> On 20-12-11 at 20:31, Durand fabrice via PacketFence-users wrote:
>> > The code needs to be updated:
>> >
>> >
>> > https://forum.mikrotik.com/viewtopic.php?t=33063
>> >
>> >
>> > On 20-12-11 at 14:28, Enrique Gross via PacketFence-users wrote:
>> >> Hi PF users! Hope you are all doing well
>> >>
>> >> Hi Fabrice,
>> >>
>> >> I have read the mail Adrian sent you regarding COA and Mikrotik. I
>> >> have been using SSH to disconnect CAPSMAN devices, but I was
>> >> interested in using Radius COA.
>> >>
>> >> This is the output of radsniff after successful registration at the
>> >> captive-portal, role is assigned but no disconnection is made
>> >>
>> >> 2020-12-11 16:18:39.352569 (1) Disconnect-Request Id 219
>> >> any:192.168.67.86:56875 -> 192.168.67.254:3799 +0.000
>> >>          User-Name = "C2:F7:64:FB:0E:69"
>> >>          Authenticator-Field = 0x677a789c11f3586ec7e73859e5b3080a
>> >> 2020-12-11 16:18:39.375064 (2) Disconnect-NAK Id 219
>> >> any:192.168.67.86:56875 <- 192.168.67.254:3799 +0.022 +0.022
>> >>          NAS-Identifier = "MK-IBERA2"
>> >>          Error-Cause = Unsupported-Extension
>> >>          Authenticator-Field = 0xb6261e8e06e5ecf78db2049bea689396
>> >> 2020-12-11 16:18:44.575064 (1) Cleaning up request packet ID 219
>> >>
>> >> This is the Mikrotik side of the log:
>> >>
>> >> 16:18:39 radius,debug,packet received Disconnect-Request with id 219
>> >> from 192.168.67.86:56875
>> >> 16:18:39 radius,debug,packet     Signature =
>> >> 0x677a789c11f3586ec7e73859e5b3080a
>> >> 16:18:39 radius,debug,packet     User-Name = "C2:F7:64:FB:0E:69"
>> >> 16:18:39 radius,debug received remote request 25
>> >> code=Disconnect-Request from 192.168.67.86:56875
>> >> 16:18:39 radius,debug sending Disconnect-NAK to remote request 25
>> >> 16:18:39 radius,debug,packet sending Disconnect-NAK with id 219 to
>> >> 192.168.67.86:56875
>> >> 16:18:39 radius,debug,packet     Signature =
>> >> 0xb6261e8e06e5ecf78db2049bea689396
>> >> 16:18:39 radius,debug,packet     Error-Cause = 406
>> >> 16:18:39 radius,debug,packet     NAS-Identifier = "MK-IBERA2"
>> >>
>> >> Thanks for your help,
>> >>
>> >> Enrique
>> >>
>> >>
>> >> --
>> >>
>> >>
>> >> _______________________________________________
>> >> PacketFence-users mailing list
>> >> [email protected]
>> >> https://lists.sourceforge.net/lists/listinfo/packetfence-users

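The radclient exchange at the top of this thread, shown at packet level as an added Python example that is not part of the thread or of PacketFence: it builds the Framed-IP-Address Disconnect-Request (RFC 5176), then verifies the Response Authenticator and decodes the NAS reply. `build_reply` only constructs sample replies for offline use; all function names here are illustrative.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
FRAMED_IP_ADDRESS, NAS_IDENTIFIER, ERROR_CAUSE = 8, 32, 101
ERROR_CAUSES = {406: "Unsupported-Extension"}  # only the value seen in the thread


def build_disconnect_request(pkt_id, client_ip, secret):
    """Disconnect-Request whose only attribute is Framed-IP-Address."""
    attrs = struct.pack("!BB4s", FRAMED_IP_ADDRESS, 6, socket.inet_aton(client_ip))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, pkt_id, 20 + len(attrs))
    # Request Authenticator = MD5(Code + Id + Length + 16 zero octets + Attributes + Secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def build_reply(code, request, attrs, secret):
    """Constructed NAS reply, used here only as offline sample input."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + Id + Length + Request Auth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def parse_reply(reply, request, secret):
    """Verify the Response Authenticator, then decode the attributes of interest."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, pkt_id, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or pkt_id != request[1]:
        raise ValueError("length or Id mismatch")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    result, pos = {"ack": code == DISCONNECT_ACK}, 20
    while pos < length:
        a_len = reply[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        value = reply[pos + 2:pos + a_len]
        if reply[pos] == NAS_IDENTIFIER:
            result["nas"] = value.decode()
        elif reply[pos] == ERROR_CAUSE and a_len == 6:
            cause = struct.unpack("!I", value)[0]
            result["error_cause"] = ERROR_CAUSES.get(cause, str(cause))
        pos += a_len
    return result
```

The request comes out at 26 octets and an ACK carrying NAS-Identifier "MikroTik" at 30, matching the lengths radclient printed.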