Fabrice, Adrian, PF users Hi!
I think in my case Framed-IP-Address is not an alternative because IP assignment is done by PF on the registration interface, so using CAPSMAN is all about MAC address. I have also tried sending Calling-Station-Id in different formats with no luck.

I have also installed "User Manager" (Mikrotik radius server package) so I could test how Disconnect-Request is performed in the Mikrotik world. I configured my CAPSMAN manager pointing to userman as a RADIUS server and added a "MAC" as username; access to the network is granted, but when I disabled the user (MAC) on User Manager, the device is still connected and the error is the same (406).

Maybe COA is not fully implemented on RouterOS? I have read several old Mikrotik forum threads about this topic with no luck, and the info about this on the Mikrotik Wiki is misleading. I'm going to open a forum thread on Mikrotik and send them a support email. I will keep you posted.

Have a nice week, all,

Enrique.

On Tue, 15 Dec 2020 at 16:59, Fabrice Durand via PacketFence-users (<packetfence-users@lists.sourceforge.net>) wrote:

> Hello Adrian,
>
> if you can try with other mac format to see if one works.
>
> like:
>
> 5c:e0:c5:c1:d6:fd
> 5C:E0:C5:C1:D6:FD
> 5c-e0-c5-c1-d6-fd
> 5C-E0-C5-C1-D6-FD
> 5ce0c5c1d6fd
> 5CE0C5C1D6FD
>
> Regards
> Fabrice
>
> On 20-12-15 at 13:06, Adrian D'Atri-Guiran wrote:
>
> Hi Fabrice,
>
> I played around with it a bit further, and here's a working test:
>
> echo "Framed-IP-Address=10.5.50.2" | radclient -x 10.2.2.1:3799 disconnect secret
> Sent Disconnect-Request Id 44 from 0.0.0.0:37354 to 10.2.2.1:3799 length 26
>         Framed-IP-Address = 10.5.50.2
> Received Disconnect-ACK Id 44 from 10.2.2.1:3799 to 10.2.2.254:37354 length 30
>         NAS-Identifier = "MikroTik"
>
> Where 10.5.50.2 is the client IP and 10.2.2.1 is the IP of my main Mikrotik router that manages the hotspot. This command instantly deauthenticated the client, but did not remove the client's Cookie.
> For this reason I believe that we should have "cookie" disabled under Hotspot -> Server Profiles -> Login -> Login By (uncheck Cookie).
>
> My problem is I don't know how to fix Mikrotik.pm: how do I access the client IP? I want to do something like:
> 'Framed-IP-Address' => "$client_ip_address",
> on:
> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230
>
> Also I guess we must be careful here because in some scenarios if the client has been assigned a new IP and packetfence is not yet aware of it, this could break. MAC address would probably be better for deauthenticating, but I haven't managed to get that working yet.
>
> Thanks!
> -Adrian
>
> On Mon, Dec 14, 2020 at 6:02 PM Adrian D'Atri-Guiran <adrian.datri.gui...@gmail.com> wrote:
>
>> Thank you,
>>
>> >btw you can try to add:
>> >'Calling-Station-Id' => $mac,
>> I have attempted this and the result was a new error (and client remains authenticated on the mikrotik hotspot):
>>
>> Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
>> Dec 14 20:58:08 radius pfqueue: pfqueue(4868) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to pull accounting history for device 5c:e0:c5:c1:d6:fd. The history set doesn't exist yet.
>> (pf::accounting_events_history::latest_mac_history)
>> Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd] DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
>> Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating 5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
>> Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set, we will use controller 10.2.2.1 to perform deauth (pf::Switch::Mikrotik::radiusDisconnect)
>> Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to perform RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause: Unsupported-Extension. (pf::Switch::Mikrotik::radiusDisconnect)
>> Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] [5c:e0:c5:c1:d6:fd] DesAssociating mac on switch (10.2.2.1) (pf::api::desAssociate)
>> Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] deauthenticating 5c:e0:c5:c1:d6:fd (pf::Switch::Mikrotik::radiusDisconnect)
>> Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) INFO: [mac:5c:e0:c5:c1:d6:fd] controllerIp is set, we will use controller 10.2.2.1 to perform deauth (pf::Switch::Mikrotik::radiusDisconnect)
>> Dec 14 20:58:18 radius packetfence_httpd.webservices: httpd.webservices(4444) WARN: [mac:5c:e0:c5:c1:d6:fd] Unable to perform RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause: Unsupported-Extension.
>> (pf::Switch::Mikrotik::radiusDisconnect)
>>
>> On Fri, Dec 11, 2020 at 5:43 PM Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>
>>> btw you can try to add:
>>>
>>> 'Calling-Station-Id' => $mac,
>>>
>>> here:
>>>
>>> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Mikrotik.pm#L230
>>>
>>> On 20-12-11 at 20:31, Durand fabrice via PacketFence-users wrote:
>>> > The code needs to be updated:
>>> >
>>> > https://forum.mikrotik.com/viewtopic.php?t=33063
>>> >
>>> > On 20-12-11 at 14:28, Enrique Gross via PacketFence-users wrote:
>>> >> Hi PF users! Hope you are all doing well
>>> >>
>>> >> Hi Fabrice,
>>> >>
>>> >> I have read the mail Adrian sent you regarding COA and Mikrotik. I have been using SSH to disconnect CAPSMAN devices, but I was interested in using Radius COA.
>>> >>
>>> >> This is the output of radsniff after successful registration at the captive-portal, role is assigned but no disconnection is made
>>> >>
>>> >> 2020-12-11 16:18:39.352569 (1) Disconnect-Request Id 219 any:192.168.67.86:56875 -> 192.168.67.254:3799 +0.000
>>> >>         User-Name = "C2:F7:64:FB:0E:69"
>>> >>         Authenticator-Field = 0x677a789c11f3586ec7e73859e5b3080a
>>> >> 2020-12-11 16:18:39.375064 (2) Disconnect-NAK Id 219 any:192.168.67.86:56875 <- 192.168.67.254:3799 +0.022 +0.022
>>> >>         NAS-Identifier = "MK-IBERA2"
>>> >>         Error-Cause = Unsupported-Extension
>>> >>         Authenticator-Field = 0xb6261e8e06e5ecf78db2049bea689396
>>> >> 2020-12-11 16:18:44.575064 (1) Cleaning up request packet ID 219
>>> >>
>>> >> This is Mikrotik side of log:
>>> >>
>>> >> 16:18:39 radius,debug,packet received Disconnect-Request with id 219 from 192.168.67.86:56875
>>> >> 16:18:39 radius,debug,packet Signature = 0x677a789c11f3586ec7e73859e5b3080a
>>> >> 16:18:39 radius,debug,packet User-Name = "C2:F7:64:FB:0E:69"
>>> >> 16:18:39 radius,debug received remote request 25
>>> >> code=Disconnect-Request from 192.168.67.86:56875
>>> >> 16:18:39 radius,debug sending Disconnect-NAK to remote request 25
>>> >> 16:18:39 radius,debug,packet sending Disconnect-NAK with id 219 to 192.168.67.86:56875
>>> >> 16:18:39 radius,debug,packet Signature = 0xb6261e8e06e5ecf78db2049bea689396
>>> >> 16:18:39 radius,debug,packet Error-Cause = 406
>>> >> 16:18:39 radius,debug,packet NAS-Identifier = "MK-IBERA2"
>>> >>
>>> >> Thanks for your help,
>>> >>
>>> >> Enrique
>>> >>
>>> >> _______________________________________________
>>> >> PacketFence-users mailing list
>>> >> PacketFence-users@lists.sourceforge.net
>>> >> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Fabrice durandfdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
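
Added example, not part of the thread and not PacketFence code: a Python sketch that builds RFC 5176 Disconnect-Request packets carrying Calling-Station-Id in each of the six MAC spellings listed above, and that verifies a reply's Response Authenticator before reading its Error-Cause (406 in the captures above). The function names and the shared secret passed in are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176; attribute types from RFC 2865 and RFC 5176.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
FRAMED_IP_ADDRESS, CALLING_STATION_ID, ERROR_CAUSE = 8, 31, 101
ERROR_CAUSES = {401: "Unsupported-Attribute", 402: "Missing-Attribute", 404: "Invalid-Request",
                406: "Unsupported-Extension", 503: "Session-Context-Not-Found"}

def mac_formats(mac):
    """Return the six spellings listed in the thread for one MAC address."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    return [f(sep.join(pairs)) for sep in (":", "-", "") for f in (str.lower, str.upper)]

def attr(attr_type, value):
    """Encode one attribute as type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(ident, attrs, secret):
    """Request Authenticator = MD5(code+id+length + 16 zero octets + attrs + secret)."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def parse_reply(reply, request, secret):
    """Verify the Response Authenticator, then return (code, Error-Cause or None)."""
    length = int.from_bytes(reply[2:4], "big")
    if not 20 <= length <= len(reply) or reply[1] != request[1]:
        raise ValueError("malformed reply or Identifier mismatch")
    attrs = reply[20:length]
    want = hashlib.md5(reply[:4] + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(want, reply[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    cause, i = None, 0
    while i + 2 <= len(attrs):
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            raise ValueError("malformed attribute")
        if attr_type == ERROR_CAUSE and attr_len == 6:
            cause = struct.unpack("!I", attrs[i + 2:i + 6])[0]
        i += attr_len
    return reply[0], cause

def candidate_requests(mac, secret):
    """One Disconnect-Request per MAC spelling, Identifier 0..5 (constructed test set)."""
    return [build_disconnect_request(n, attr(CALLING_STATION_ID, m.encode()), secret)
            for n, m in enumerate(mac_formats(mac))]
```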