Disconnecting Active RADIUS Users
Introduction
The RADIUS protocol uses UDP to communicate between the client and the server.
The client initiates all communication and the server simply replies.
There are however times when the need arise for the server to initiate communication to the client.
A typical example will be when there is a need to disconnect an active user.
Since January 2023 RADIUSdesk introduced an update that will allow you do send disconnect requests to RADIUS Clients in order to disconnect active users.
In order for the RADIUS server to communicate with the RADIUS Client we need determine two things.
We currently support two types of clients.
In the rest of the document we will discuss how the RADIUSdesk system communicate with these two types of clients.
We will also take a look where to make changes in order to add support for additional types of RADIUS Clients.
CoovaChilli on MESHdesk and APdesk
Disconnecting a user will then utilize the /var/www/rdcore/cake4/rd_cake/src/Controller/Component/KickerComponent.php component to contact the AP with instructions to disconnect the user.
When the MQTT mechanism is implemented disconnecting will be in real-time.
Without the MQTT mechanism disconnecting a user will take up to one minute.
The disconnect command used on CoovaChilli will be chilli_query logout mac <MAC Address>
Mikrotik
-
This library is already included with RADIUSdesk.
Many times there will be a NAT connection between the Mikrotik and the RADIUSdesk server preventing the server to reach the Mikrotik directly.
Mikrotik fortunately supports a large amount of VPN technologies which you can choose from.
-
If needed, please select one of your choosing. Setting them up is well documented in the Mikrotik documentation in the link above.
When adding a RADIUS Client and selecting the
Mikrotik-API type you will be presented with a dialog to supply the detail for the
API connection to the Mikrotik.

There is also a
Test API Connection button which allows you to confirm that the
API communication to the Mikrotik is indeed working.
In the screenshot above you can see part of the reply from the Mikrotik indicating that the communication via the
API is established and good.
We also added a Mikrotik
API button to the toolbar for RADIUS Clients.
Add Support for additional types
This section is a technical section for those who wants to introduce new RADIUS Client types.
The list in the drop-down is specified in the following file: /var/www/rdcore/cake4/rd_cake/config/RadiusDesk.php
//Define nas types
$config['nas_types'][0] = ['name' => 'Other', 'id' => 'other', 'active' => true];
$config['nas_types'][1] = ['name' => 'Coova-On-Meshdesk', 'id' => 'CoovaMeshdesk', 'active' => true];
$config['nas_types'][2] = ['name' => 'Mikrotik-API', 'id' => 'Mikrotik-API', 'active' => true];
Then when selecting an active user in Activity Monitor to disconnect behind the scenes the code will determine the type of RADIUS Client based on the nasidentifier field. (This is in the radacct table and has to match the value in the dynamic-clients table)
This all happens inside the /var/www/rdcore/cake4/rd_cake/src/Controller/Component/KickerComponent.php file.
Thus adding support for additional types will involve adding additional sections to the PHP code.
See the snippet below.
//First we try to locate the client under dynamic_clients
$dc = $this->DynamicClients->find()
->where(['DynamicClients.nasidentifier' => $nasidentifier])
->contain(['DynamicClientSettings'])
->first();
if($dc){
//===CoovaMeshdesk====
if($dc->type == $this->coova_md){ //It is type CoovaMeshdesk => Now try and locate AP to send command to
//We have a convention of nasidentifier for meshdesk => mcp_<captive_portal_id> and apdesk => ap_<ap id>_cp_<captive_portal_id>
if(preg_match('/^mcp_/' ,$nasidentifier)){ //MESHdesk
$this->kickMeshNodeUser($ent,$dc->cloud_id,$token);
}
if(preg_match('/^ap_/' ,$nasidentifier)){ //APdesk
$this->kickApUser($ent,$dc->cloud_id,$token);
}
sleep(1); //Give MQTT time to do its thing....
}
//===Mikrotik-API===
That's the only things involved in disconnecting an active RADIUS user.
The FUP implementation also utilizes this mechanism so this also serve as a core component for the FUP implementation to be successful.