Mikrotik RouterOS 6.39 Radius issues


#1

Hi guys, Mikrotik has a problem with Radius Accounting stop messages in 6.39 version. Please do not upgrade to it untill they will fix it. In case if they will not fix it, we will have to change the processing of Mikrotik stop packets in Splynx Radius server.

Description of the issue :

In case when Mikrotik stops the PPP session, it sends wrong Framed-IP address (10.0.0.0). We work with the Framed-IP address as part of session identification, so our Radius cannot close the session correctly. In all previous versions always correct Framed-IP address came back from Mikrotik to Radius server.

Here is a correct START packet, where Framed-IP is the IP address of customer (192.168.102.5) :

START:
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 15728642
NAS-Port-Type = Ethernet
User-Name = "alex"
Calling-Station-Id = "C8:2A:14:2D:05:AE"
Called-Station-Id = "service1"
NAS-Port-Id = "ether3"
Acct-Session-Id = "81300002"
Framed-IP-Address = 192.168.102.5
Acct-Authentic = RADIUS
Event-Timestamp = "May 2 2017 18:15:50 CEST"
Acct-Status-Type = Start
NAS-Identifier = "NAS-SPLYNX"
Acct-Delay-Time = 0
NAS-IP-Address = 10.0.1.36

And here is a STOP packet with broken Framed-IP address :
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 15728642
NAS-Port-Type = Ethernet
User-Name = "alex"
Calling-Station-Id = "C8:2A:14:2D:05:AE"
Called-Station-Id = "service1"
NAS-Port-Id = "ether3"
Acct-Session-Id = "81300002"
Framed-IP-Address = 10.0.0.0
Acct-Authentic = RADIUS
Event-Timestamp = "May 2 2017 18:16:38 CEST"
Acct-Session-Time = 48
Idle-Timeout = 0
Session-Timeout = 0
X-Ascend-Data-Rate = 1000000
Ascend-Xmit-Rate = 1000000
X-Ascend-Data-Rate = 500000
Ascend-Data-Rate = 500000
Mikrotik-Rate-Limit = "500000/1000000 0/0 0/0 1/1 5 250000/500000"
Acct-Input-Octets = 55500
Acct-Input-Gigawords = 0
Acct-Input-Packets = 862
Acct-Output-Octets = 6912
Acct-Output-Gigawords = 0
Acct-Output-Packets = 54
Acct-Status-Type = Stop
Acct-Terminate-Cause = NAS-Request
NAS-Identifier = "NAS-SPLYNX"
Acct-Delay-Time = 0
NAS-IP-Address = 10.0.1.36

Here I created a topic on mikrotik forum - https://forum.mikrotik.com/viewtopic.php?f=21&t=121196&p=596365#p596365


Easy way to reset auth
#2

Can you please tell me what version is still safe?? is it only the unit that receives the pppoe connections that have the issue???


#3

I think it’s related to all Radius packets, not only PPP.
Regarding the versions of RouterOS - the 6.39 is the latest, so you can use everything except this one. But I think it will be fixed soon by Mikrotik or we will have to make some patch in splynx which will fix this issue.


#4

Even with 6.39.1 I found that problems persist.


#5

Hi Guys

also downloaded and installed the 6.39.1
upgrades from 6.38.5
The problems that we have found.

1: Radius clients on PPPoE take a hell of a long time to reconnect.

will give a update if we find something else.


#6

@alexcherry do you think they going to fix it soon??? or should we downgrade routers???


#7

please downgrade a router, we don’t want to change our system yet to handle Mikrotik bug’s behaviour. I hope they will fix it soon, going to up their topic on mikrotk forum


#8

has Mikrotik said they going to fix it??


#10

@ex what do you think about that ? Can we change the processing of STOP accounting packet in splynx to ignore the Framed-IP ?


#11

Mikrotik is enjoying the silence… No answer, no reaction from their side.
I will write to their support, but it looks that we will have to change our processing of Stop accounting packets


#12

Hi Alex
i’ve the same issue after the upgrade to ROS 6.39
Have you any news about the fixing?

Thanks
Andrea


#13

Yes, they are stubborn on such changes. Exactly the same a few years back when they changed the behavior of dynamic queues to non-changeable. They did this without any notice and explanations. Sometimes they can be quite crude.


#14

Hi, we have created a hotfix. Now latest 1.3 dev version works well with 6.39 and processes these accounting packets.
Please update to latest dev version to work with 6.39 and latest Mikrotik Router OS

Run these commands to upgrade :
apt-get update
apt-get dist-upgrade
apt-get install splynx-dev


#15

Guys please help my problem has gotten worse …my clients if disconnected cant reconnect…


#16

Have you updated ?
Restart radius after update helps

service splynx_radd restart
service freeradius restart


#17

will my people be able to reauth??? the problem is theres about a 7 min delay from when they disconnect to when they can reauth…will this “reset” that timer???


#18

send me pls the teamviewer to alex@splynx.com or to our ticket and I will check what you have there
will be available in 30 mins appx


#19

@skoenman ok, as I said, the update helps :slight_smile:


#20

Thanks Alex seems like something went haywire when i did the update… all should be sorted now.


#21

We pulled all our core routers back to 6.37.5 - the current bugfix version. This seemed to fix it (without upgrading Splynx).

In 6.38.x, we also found that the ‘incoming’ radius packets were not switching users on or off, or bumping their packages up and down on demand from Splynx. 6.37.5 seems to fix that too.

We also found in 6.39.1 that some DNS services were also screwed. So thanks Mikrotik, for dumping another broken router upgrade on us. Sigh.

—* Bill