====== Disconnecting Active RADIUS Users ======
===== Introduction =====
  * The RADIUS protocol uses UDP to communicate between the client and the server.
  * The client initiates all communication and the server simply replies.
  * There are however times when the need arise for the server to initiate communication to the client.
  * A typical example will be when there is a need to disconnect an active user.
  * Since January 2023 RADIUSdesk introduced an update that will allow you do send disconnect requests to RADIUS Clients in order to disconnect active users.

===== Some technical information =====
  * In order for the RADIUS server to communicate with the RADIUS Client we need determine two things.
        * The type of client.
        * The type of client in turn will determine how we will communicate with the RADIUS Client.
   * We currently support two types of clients. 
        * CoovaChilli (Used by MESHdesk and APdesk)
        * Mikrotik
   * In the rest of the document we will discuss how the RADIUSdesk system communicate with these two types of clients.
   * We will also take a look where to make changes in order to add support for additional types of RADIUS Clients.
==== CoovaChilli on MESHdesk and APdesk ====
  * MESHdesk and APdesk automatically adds an associated RADIUS Client when adding a Captive Portal exit point.
  * This RADIUS Client will have the type of **Coova-On-Meshdesk**.
{{:radiusdesk:radius_clients:radius_client_coova.png?nolink|}}
  * Disconnecting a user will then utilize the ///var/www/rdcore/cake4/rd_cake/src/Controller/Component/KickerComponent.php// component to contact the AP with instructions to disconnect the user.
  * When the MQTT mechanism is implemented disconnecting will be in real-time.
  * Without the MQTT mechanism disconnecting a user will take up to one minute.
  * The disconnect command used on CoovaChilli will be **chilli_query logout mac <MAC Address>**

==== Mikrotik ====
  * With the Mikrotik RADIUS Clients we make use of the **RouterOS API Client** to communicate with the Mikrotik. (https://github.com/EvilFreelancer/routeros-api-php)
  * This library is already included with RADIUSdesk.
  * Many times there will be a NAT connection between the Mikrotik and the RADIUSdesk server preventing the server to reach the Mikrotik directly.
  * Mikrotik fortunately supports a large amount of VPN technologies which you can choose from.
  * https://help.mikrotik.com/docs/display/ROS/Virtual+Private+Networks
  * If needed, please select one of your choosing. Setting them up is well documented in the Mikrotik documentation in the link above.
  * When adding a RADIUS Client and selecting the **Mikrotik-API** type you will be presented with a dialog to supply the detail for the API connection to the Mikrotik.{{:radiusdesk:radius_clients:radius_client_mikrotik_api.png?nolink|}}

  * There is also a **Test API Connection** button which allows you to confirm that the API communication to the Mikrotik is indeed working.
  * In the screenshot above you can see part of the reply from the Mikrotik indicating that the communication via the API is established and good.
  * We also added a Mikrotik API button to the toolbar for RADIUS Clients.
{{:radiusdesk:radius_clients:radius_client_api_button.png?nolink|}}

  * The button is disabled by default and becomes enabled when you select a RADIUS Client of type **Mikrotik-API**.
  * Selecting it will open a new tab with two sub-tabs. One listing active **Hotspot** users and the other listing active **PPPoE** users.
  * You can select and disconnect listed users in those sub-tabs.
{{:radiusdesk:radius_clients:radius_client_api_tab.png?nolink|}}

===== Add Support for additional types =====
  * This section is a technical section for those who wants to introduce new RADIUS Client types.
  * The list in the drop-down is specified in the following file: ///var/www/rdcore/cake4/rd_cake/config/RadiusDesk.php//
<code php>
//Define nas types
$config['nas_types'][0]     = ['name' => 'Other',            	'id' => 'other',       		'active' => true];
$config['nas_types'][1]     = ['name' => 'Coova-On-Meshdesk', 'id' => 'CoovaMeshdesk',   	'active' => true];
$config['nas_types'][2]     = ['name' => 'Mikrotik-API',	'id' => 'Mikrotik-API',   	'active' => true];
</code>
  * Then when selecting an active user in **Activity Monitor** to disconnect behind the scenes the code will determine the type of RADIUS  Client based on the **nasidentifier** field. (This is in the radacct table and has to match the value in the dynamic-clients table)
  * This all happens inside the ///var/www/rdcore/cake4/rd_cake/src/Controller/Component/KickerComponent.php// file.
  * Thus adding support for additional types will involve adding additional sections to the PHP code.
  * See the snippet below.
<code php>
//First we try to locate the client under dynamic_clients
$dc = $this->DynamicClients->find()
	->where(['DynamicClients.nasidentifier' => $nasidentifier])
	->contain(['DynamicClientSettings'])
	->first();
	
if($dc){
	//===CoovaMeshdesk====
	if($dc->type == $this->coova_md){ //It is type CoovaMeshdesk => Now try and locate AP to send command to 
	
		//We have a convention of nasidentifier for meshdesk => mcp_<captive_portal_id> and apdesk => ap_<ap id>_cp_<captive_portal_id>
		if(preg_match('/^mcp_/' ,$nasidentifier)){ //MESHdesk     		
			$this->kickMeshNodeUser($ent,$dc->cloud_id,$token);
		}
		
		if(preg_match('/^ap_/' ,$nasidentifier)){ //APdesk		
			$this->kickApUser($ent,$dc->cloud_id,$token); 			
		}
		sleep(1); //Give MQTT time to do its thing....  			
	}
	    		
	//===Mikrotik-API===

</code>
  * That's the only things involved in disconnecting an active RADIUS user.
  * The FUP implementation also utilizes this mechanism so this also serve as a core component for the FUP implementation to be successful.