Disconnecting Active RADIUS Users
Introduction
- The RADIUS protocol uses UDP for communication between the client and the server.
- The client initiates all communication and the server simply responds.
- However, there are situations where the server must initiate communication with the client.
- A typical example is the need to disconnect an active user.
- Since January 2023, RADIUSdesk has introduced an update that allows you to send disconnect requests to RADIUS clients to disconnect active users.
Some technical information
- In order for the RADIUS server to communicate with the RADIUS client, we need to determine two things.
- The type of client.
- How we communicate with the RADIUS client, which in turn is determined by the type of client.
- We currently support two types of clients.
- CoovaChilli (Used by MESHdesk and APdesk)
- Mikrotik
- Later in the document we will discuss how the RADIUSdesk system communicates with these two types of clients.
- We will also look at where we need to make changes to add support for more RADIUS clients.
CoovaChilli on MESHdesk and APdesk
- MESHdesk and APdesk automatically add an associated RADIUS client when you add a Captive Portal Exit Point.
- This RADIUS client is of type Coova-On-Meshdesk.
- When a user is disconnected, the component /var/www/rdcore/cake4/rd_cake/src/Controller/Component/KickerComponent.php contacts the AP with the instruction to disconnect the user.
- If the MQTT mechanism is implemented, the disconnection takes place in real time.
- Without the MQTT mechanism, disconnecting a user takes up to one minute.
- The command used on CoovaChilli to disconnect a user is: chilli_query logout mac <MAC Address>
Mikrotik
- For Mikrotik's RADIUS clients, we use the RouterOS API client to communicate with Mikrotik. (https://github.com/EvilFreelancer/routeros-api-php)
- This library is already included in RADIUSdesk.
- Often there is NAT between the Mikrotik and the RADIUSdesk server, which means the server cannot reach the Mikrotik directly.
- Fortunately, Mikrotik supports a large number of VPN technologies from which you can choose.
- Please select one of your choice if required. The setup is well documented in Mikrotik's own documentation.
- When you add a RADIUS client and select the Mikrotik API type, a dialog will appear where you need to specify the details for the API connection to Mikrotik.
- There is also a Test API connection button that you can use to confirm that the API communication with the Mikrotik is actually working.
- In the screenshot above, you can see part of the response from Mikrotik indicating that the API communication is established and good.
- We have also added a Mikrotik API button to the toolbar for RADIUS clients.
- The button is disabled by default and is enabled when you select a Mikrotik API type RADIUS client.
- When you select it, a new tab with two sub-tabs opens. One contains the active hotspot users and the other contains the active PPPoE users.
- In these sub-tabs, you can select the listed users and disconnect them.
Add Support for additional types
- This section is a technical section for those who want to introduce new RADIUS client types.
- The list in the drop-down list is specified in the following file: /var/www/rdcore/cake4/rd_cake/config/RadiusDesk.php
```php
//Define nas types
$config['nas_types'][0] = ['name' => 'Other',             'id' => 'other',         'active' => true];
$config['nas_types'][1] = ['name' => 'Coova-On-Meshdesk', 'id' => 'CoovaMeshdesk', 'active' => true];
$config['nas_types'][2] = ['name' => 'Mikrotik-API',      'id' => 'Mikrotik-API',  'active' => true];
```
- When you select an active user in Activity Monitor and disconnect them, behind the scenes the code determines the type of RADIUS client from the nasidentifier field. (This field is located in the radacct table and must match the value in the dynamic_clients table.)
- This is all done within the file /var/www/rdcore/cake4/rd_cake/src/Controller/Component/KickerComponent.php.
- So if you want to add support for more types, you will need to add additional sections to the PHP code.
- Take a look at the following snippet.
```php
//First we try to find the client under dynamic_clients
$dc = $this->DynamicClients->find()
    ->where(['DynamicClients.nasidentifier' => $nasidentifier])
    ->contain(['DynamicClientSettings'])
    ->first();

if($dc){
    //===CoovaMeshdesk====
    if($dc->type == $this->coova_md){
        //It is type CoovaMeshdesk => Now try and locate AP to send command to
        //We have a convention of nasidentifier for meshdesk => mcp_<captive_portal_id>
        //and apdesk => ap_<ap id>_cp_<captive_portal_id>
        if(preg_match('/^mcp_/' ,$nasidentifier)){ //MESHdesk
            $this->kickMeshNodeUser($ent,$dc->cloud_id,$token);
        }
        if(preg_match('/^ap_/' ,$nasidentifier)){ //APdesk
            $this->kickApUser($ent,$dc->cloud_id,$token);
        }
        sleep(1); //Give MQTT time to do its thing....
    }
    //===Mikrotik-API===
    // ... (Mikrotik-API handling follows in the component)
}
```
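The snippet above branches on the dynamic client type and then on the nasidentifier naming convention. The following added example (not RADIUSdesk's code) pulls that dispatch into a stand-alone function so you can see how the nas_types ids and the mcp_/ap_ conventions map onto a delivery path, and what happens for a type that has no kicker section yet; the function name, the stricter id-extracting regexes and the sample nasidentifiers are assumptions for illustration.

```php
<?php
// Added example, not part of RADIUSdesk. Resolves how a disconnect request
// should be delivered from the nas_types id and the nasidentifier conventions:
//   MESHdesk => mcp_<captive_portal_id>,  APdesk => ap_<ap_id>_cp_<captive_portal_id>
declare(strict_types=1);

const TYPE_COOVA_MESHDESK = 'CoovaMeshdesk'; // 'id' values from $config['nas_types']
const TYPE_MIKROTIK_API   = 'Mikrotik-API';

/**
 * Hypothetical dispatcher: returns ['via' => <path>, ...ids] for a supported
 * client, or ['via' => 'unsupported', 'reason' => ...] when no kicker exists.
 */
function resolveKickTarget(string $type, string $nasidentifier): array
{
    if ($type === TYPE_COOVA_MESHDESK) {
        // MESHdesk convention (anchored so the captive portal id can be extracted)
        if (preg_match('/^mcp_(\d+)$/', $nasidentifier, $m)) {
            return ['via' => 'meshdesk', 'captive_portal_id' => (int) $m[1]];
        }
        // APdesk convention
        if (preg_match('/^ap_(\d+)_cp_(\d+)$/', $nasidentifier, $m)) {
            return ['via' => 'apdesk', 'ap_id' => (int) $m[1], 'captive_portal_id' => (int) $m[2]];
        }
        // A CoovaMeshdesk client whose nasidentifier follows neither convention
        // would silently match nothing in the component; surface it instead.
        return ['via' => 'unsupported', 'reason' => "nasidentifier '$nasidentifier' matches neither mcp_ nor ap_ convention"];
    }
    if ($type === TYPE_MIKROTIK_API) {
        // Delivered over the RouterOS API using the stored connection settings
        return ['via' => 'mikrotik-api', 'nasidentifier' => $nasidentifier];
    }
    // 'other' (or any newly added type) needs its own section in KickerComponent.php
    return ['via' => 'unsupported', 'reason' => "no kicker implemented for type '$type'"];
}

// Constructed sample values for a stand-alone run
$samples = [
    ['CoovaMeshdesk', 'mcp_7'],
    ['CoovaMeshdesk', 'ap_12_cp_3'],
    ['CoovaMeshdesk', 'hotspot1'],
    ['Mikrotik-API',  'mt-branch-office'],
    ['other',         'legacy-nas'],
];
foreach ($samples as [$type, $nasid]) {
    echo str_pad("$type / $nasid", 34), '=> ', json_encode(resolveKickTarget($type, $nasid)), PHP_EOL;
}
```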
- This is the only thing required to disconnect an active RADIUS user.
- The FUP implementation also uses this mechanism, so it is a core component for the success of the FUP implementation as well.