
yfi_setup_nas_MikrotikDynamic

Anonymous

Background

  • An important part of proper NAS behaviour is to send an Accounting-On RADIUS packet to the RADIUS server after the NAS boots up.
  • This is so that, if any users were connected before the boot up (i.e. the NAS stopped working), their sessions can be closed gracefully.
  • If this does not happen there will be stale sessions, which is not what we want: the accounting data then no longer reflects what is actually happening on our network.

Dynamic Clients

Problem 1 -> Unique Identifier

  • As described on the dynamic clients Wiki page, FreeRADIUS inspects incoming requests with the help of rlm_raw to determine whether certain attributes are present and have the expected values.
  • With Mikrotik (as with most NAS devices) the first packet that will ever arrive from the NAS is the Accounting-On packet, which tells the RADIUS server: "Hey, I'm back; I don't know what you know about me, so close all the previous sessions of the users you currently have for me."
  • For this to happen we need to take extra care of two things:

    Item                     Comment
    -----------------------  ------------------------------------------------------------------
    Value of NAS-IP-Address  The incoming value of NAS-IP-Address must match the nasipaddress
                             recorded in the radacct table, since that is the key on which the
                             old sessions are closed.
    A unique AVP             We need to identify the Mikrotik NAS by one unique AVP. This AVP
                             must be present in all the RADIUS packets sent from the NAS to the
                             RADIUS server, including the Accounting-On packet.

  • With the Mikrotik NAS this leaves us with only two attributes that we can tweak to uniquely identify the NAS:

    AVP              Comment
    ---------------  ------------------------------------------------------------------
    NAS-Identifier   This is the value of System -> Identity.
    Mikrotik-Realm   This is the value of Realm as defined in each RADIUS entry in Mikrotik.

Problem 2 -> Value of NAS-IP-Address

  • Refer to this simple incoming Accounting-On packet from the Mikrotik:

    rad_recv: Accounting-Request packet from host 19.20.16.16 port 53176, id=3, length=48
        Acct-Status-Type = Accounting-On
        NAS-Identifier = "MikroTik"
        Acct-Delay-Time = 0
        NAS-IP-Address = 192.168.1.104
    
  • By default Mikrotik takes the IP address of the WAN interface (uplink) and assigns it to NAS-IP-Address.

  • When one configures a RADIUS server in Mikrotik there is an option to specify the Src. Address. The default is 0.0.0.0, which causes Mikrotik to use the IP address of the uplink.
  • The problem comes when, say, our device had a specific DHCP-assigned IP address and has been down for quite some time. During boot up it gets a new DHCP lease with an address different from the previous one.
  • This changes the value of NAS-IP-Address, so the Accounting-On no longer matches the nasipaddress of the sessions recorded before the reboot. This is not what we want.
  • Unfortunately Mikrotik does not allow Src. Address to be just any value. (WARNING: it will let you assign it, but as soon as you try to authenticate with a hotspot the log will spit out the following:)

    00:15:11 radius,debug new request 3f:36 code=Access-Request service=hotspot called-i
    d=hotspot1 domain=defdom 
    00:15:11 radius,debug sending 3f:36 to 19.20.16.16:1812 
    00:15:11 radius,debug could not send packet: Cannot assign requested address 
    00:15:11 radius,debug timeout for 3f:36 
    00:15:13 hotspot,info,debug dvdwalt@ri (10.5.50.254): login failed: RADIUS server is
     not responding
    
  • The above output was captured by turning RADIUS logging on.

    /system logging
    add topics=radius action=memory
    
  • So it actually first checks whether the value it allowed you to assign is valid (the IP address of one of its own interfaces); if not, it does not send the request to the RADIUS server at all and reports that the RADIUS server is not responding, which is not the truth.

  • A way to make the value of NAS-IP-Address both unique and constant is to set Src. Address to the hotspot gateway address, e.g. 10.5.50.1. To make sure this value is unique across your NAS devices, change it when setting up the hotspot to something different from the default, e.g. 10.150.10.1.
  • This ensures the Mikrotik can be identified uniquely and that its NAS-IP-Address survives a reboot and a new DHCP lease on the uplink.

Modifying the sites-enabled/dynamic-clients file

  • Add this to the authorize section of the dynamic client virtual server to make use of the realm as the unique ID:

    # This is for Mikrotik devices, where the unique attribute we use is Mikrotik-Realm.
    # The raw: xlat (rlm_raw) is needed because the client is not known yet, so the
    # attributes have not been decoded into the normal request list.
    if ("%{raw:Mikrotik-Realm}") {
        # The realm must match exactly one row in the nas table (its 'community'
        # column holds the realm). Zero rows means an unknown NAS, more than one
        # means a duplicated realm; in both cases we fall through without 'ok',
        # so no client definition is created and the packet is dropped.
        if ("%{sql: select count(*) from nas where community='%{raw:Mikrotik-Realm}'}" == 1) {
            update control {
                # The source address of this packet becomes the client address, so it
                # may change between reboots without touching the nas table.
                FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                FreeRADIUS-Client-Require-MA = no
                # Accounting-Request packets are verified against this secret; because
                # Require-MA is no, an Access-Request is only verified when the NAS
                # includes a Message-Authenticator attribute.
                FreeRADIUS-Client-Secret = "%{sql: select nas.secret from nas where nas.community='%{raw:Mikrotik-Realm}'}"
                FreeRADIUS-Client-Shortname = "%{sql: select shortname from nas where community='%{raw:Mikrotik-Realm}'}"
                FreeRADIUS-Client-NAS-Type = "other"
                # Optional virtual server
                #FreeRADIUS-Client-Virtual-Server = "dynamic_server"
            }
            ok
        }
    }
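
  • The following Python is an added example, not code from this Wiki, the YFi project or FreeRADIUS. It models the two identifiers discussed above on an in-memory SQLite copy of the `nas` and `radacct` tables (column names as used by FreeRADIUS' sql module, reduced to the columns needed here): the realm lookup follows the dynamic-clients rule above, and the Accounting-On handling follows the shape of FreeRADIUS' accounting_onoff_query, which keys on nasipaddress. The NAS, realm `site-a`, secret, addresses, session rows and the `NAS-Reboot` terminate cause are all constructed for the demonstration. It shows the failure mode of Problem 2: an Accounting-On arriving with a new DHCP-derived NAS-IP-Address closes nothing and leaves stale sessions, whereas one pinned to the hotspot gateway closes them, and a packet carrying an unknown realm is dropped.

```python
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not a real deployment).  nas.community holds the
# value the MikroTik sends in Mikrotik-Realm, which is how the page's
# dynamic-clients rule looks the device up.
NAS_ROWS: List[Tuple[str, str, str, str, str]] = [
    # shortname,        nasname (hotspot gateway), community/realm, secret, type
    ("mikrotik-siteA", "10.150.10.1", "site-a", "s3cr3t-siteA", "other"),
]

# Sessions the NAS had open before it rebooted: acctsessionid, username, acctstarttime.
OPEN_SESSIONS: List[Tuple[str, str, str]] = [
    ("80200001", "alice@ri", "2010-03-01 08:00:00"),
    ("80200002", "bob@ri", "2010-03-01 08:05:00"),
]


def open_db(session_nas_ip: str) -> sqlite3.Connection:
    """Build the two tables; the open sessions are recorded under session_nas_ip,
    i.e. the NAS-IP-Address the device used when the users logged in."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE nas (id INTEGER PRIMARY KEY, nasname TEXT, shortname TEXT,
                          type TEXT, secret TEXT, community TEXT);
        CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY, acctsessionid TEXT,
                              username TEXT, nasipaddress TEXT, acctstarttime TEXT,
                              acctstoptime TEXT, acctterminatecause TEXT);
    """)
    db.executemany(
        "INSERT INTO nas (shortname, nasname, community, secret, type) VALUES (?,?,?,?,?)",
        NAS_ROWS)
    db.executemany(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress, acctstarttime) "
        "VALUES (?,?,?,?)",
        [(sid, user, session_nas_ip, start) for sid, user, start in OPEN_SESSIONS])
    db.commit()
    return db


def lookup_client(db: sqlite3.Connection, realm: Optional[str]) -> Optional[Dict[str, str]]:
    """Same rule as the dynamic-clients snippet: the realm must match exactly one
    nas row.  Unknown or duplicated realms yield no client definition."""
    if not realm:
        return None
    rows = db.execute("SELECT shortname, secret FROM nas WHERE community = ?",
                      (realm,)).fetchall()
    if len(rows) != 1:
        return None
    return {"shortname": rows[0][0], "secret": rows[0][1]}


def accounting_on(db: sqlite3.Connection, packet: Dict[str, str], now: str) -> int:
    """Close every session still open for the NAS-IP-Address in the packet and
    return how many were closed.  The only key is nasipaddress, as in
    FreeRADIUS' accounting_onoff_query, so a changed NAS-IP-Address closes nothing."""
    if packet.get("Acct-Status-Type") not in ("Accounting-On", "Accounting-Off"):
        return 0
    if lookup_client(db, packet.get("Mikrotik-Realm")) is None:
        raise PermissionError("packet from an unknown client; dropped")
    cur = db.execute(
        "UPDATE radacct SET acctstoptime = ?, acctterminatecause = 'NAS-Reboot' "
        "WHERE acctstoptime IS NULL AND nasipaddress = ? AND acctstarttime <= ?",
        (now, packet["NAS-IP-Address"], now))
    db.commit()
    return cur.rowcount


def stale_sessions(db: sqlite3.Connection) -> List[str]:
    """Usernames whose session never received an acctstoptime."""
    return [r[0] for r in db.execute(
        "SELECT username FROM radacct WHERE acctstoptime IS NULL ORDER BY username")]


def demo() -> Dict[str, object]:
    now = "2010-03-01 09:30:00"
    base = {"Acct-Status-Type": "Accounting-On", "NAS-Identifier": "MikroTik",
            "Mikrotik-Realm": "site-a"}
    # Case 1: Src. Address left at 0.0.0.0; the uplink got a new DHCP lease, so the
    # Accounting-On carries 192.168.1.104 while the sessions were recorded under
    # 192.168.1.50.
    db_dhcp = open_db("192.168.1.50")
    closed_dhcp = accounting_on(db_dhcp, {**base, "NAS-IP-Address": "192.168.1.104"}, now)
    # Case 2: Src. Address pinned to the hotspot gateway, which never changes.
    db_pinned = open_db("10.150.10.1")
    closed_pinned = accounting_on(db_pinned, {**base, "NAS-IP-Address": "10.150.10.1"}, now)
    # Case 3: a realm the nas table does not know is dropped before any update.
    try:
        accounting_on(open_db("10.150.10.1"),
                      {**base, "Mikrotik-Realm": "site-z", "NAS-IP-Address": "10.150.10.1"}, now)
        unknown_rejected = False
    except PermissionError:
        unknown_rejected = True
    return {"closed_dhcp": closed_dhcp, "stale_dhcp": stale_sessions(db_dhcp),
            "closed_pinned": closed_pinned, "stale_pinned": stale_sessions(db_pinned),
            "unknown_realm_rejected": unknown_rejected}


if __name__ == "__main__":
    print(demo())
```

  • Running it prints that the DHCP case closes 0 sessions and leaves alice@ri and bob@ri stale, the pinned case closes both, and the unknown realm is rejected. The two identifiers stay separate on purpose: the realm decides whether the packet comes from a known client at all, and NAS-IP-Address decides which radacct rows an Accounting-On may close.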
    
