On Monday, December 08, 2014 12:16 AM, Mahmoud Abdelsalam wrote:
> Hello all,
>
> As Mikrotik doesn't support COA for PPPoE, so I used Disconnect-Request,
> the hook script will send Disconnect-Request to Mikrotik once the session
> exceeds the quota, here is how i send Disconnect-Request:
[snip]
> This works fine but the problem is that user can't re-authenticate again
> because it reaches Maxsessions although I have this in my config file:
[snip]
> The user would successfully authenticate again when I manually remove the
> session from RADONLINE by executing the DeleteQuery.
It has been a while since I have had to look at/think about this, but as I
recall, this is how it works:
DeleteQuery doesn't get executed unless the Radiator server receives
Accounting-Stop from the MikroTik.
PoD/Disconnect-Request may or may not cause Accounting-Stop to be issued by
MikroTik RouterOS; I can't remember and I will have to simulate this later and
run a packet capture to see what happens. (Maybe if you are running an older
version of RouterOS, try upgrading? It could be a bug that got fixed later,
and they have definitely had their share of RADIUS client bugs in the past.)
In any case, you can work around a problem where Radiator does not receive
Accounting-Stop by having Radiator verify that any active sessions for the user
that are recorded in the RADONLINE table are valid at the moment that the user
tries to authenticate again. Radiator does this by executing an SNMP query to
the NAS that is on record for each session to see if the Session-ID for that
row in the table is still valid. If the NAS does not return anything for the
OID, then Radiator assumes the session is dead and purges that entry from
RADONLINE, reducing MaxSessions count by 1.
To enable this functionality, you need to make sure that SNMP is enabled and
configured on each MikroTik NAS, you need to make sure that Net-SNMP is
installed and configured on the Radiator server, and you need to add these
options to your Client clause in your Radiator config file:
<Client DEFAULT>
[...]
# MikroTik supports this MIB
NasType CiscoSessionMIB
SNMPCommunity public
</Client>
Replace 'public' with the SNMP community string that you have configured on the
MikroTik.
We also made a slight change to the Radiator code, because by default, if
Radiator does not get a response back from its SNMP "get" to the MikroTik, it
gives the benefit of the doubt to RADONLINE. We have found that more often
than not, it is better to give the benefit of the doubt to the user. That way,
a user is not unfairly punished by problems with our NAS or problems on our
network that might make it impossible for Radiator to communicate with our NAS.
Here is the patch to make that change in behavior:
diff -r -d -u -N Radius/Nas/CiscoSessionMIB.pm
Radius-patched/Nas/CiscoSessionMIB.pm
--- Radius/Nas/CiscoSessionMIB.pm 2009-10-26 15:23:55.000000000 -0700
+++ Radius-patched/Nas/CiscoSessionMIB.pm 2014-12-08 05:20:02.000000000
-0800
@@ -39,7 +39,7 @@
$client->{SNMPCommunity},
"$Radius::Nas::CiscoMIB.9.150.1.1.3.1.2.$session_id");
- return 1 if (!$result || $result =~ /no response/i); # Could not SNMP.
Assume still there
+ return 0 if (!$result || $result =~ /no response/i); # Could not SNMP.
Give benefit of doubt to user.
return 0 if $result =~ /no such variable/i; # Not in the MIB means no
such session
return uc($1) eq uc($name)
if ($result =~ /^.*\"([^"]+)".*$/);
Hope this helps,
--
Nathan Anderson
First Step Internet, LLC
[email protected]
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
