====== Disconnecting Active RADIUS Users ======

===== Introduction =====

  * The RADIUS protocol uses UDP for communication between the client and the server.
  * The client initiates all communication and the server simply responds.
  * However, there are situations where the server must initiate communication with the client.
  * A typical example is the need to disconnect an active user.
  * Since January 2023, RADIUSdesk includes an update that allows you to send disconnect requests to RADIUS clients in order to disconnect active users.

===== Some technical information =====

  * In order for the RADIUS server to communicate with the RADIUS client we need to determine two things:
    * The type of client.
    * How we communicate with that client, which is in turn determined by its type.
  * We currently support two types of clients:
    * CoovaChilli (used by MESHdesk and APdesk)
    * Mikrotik
  * Later in the document we discuss how the RADIUSdesk system communicates with these two types of clients.
  * We also look at where changes are needed to add support for more RADIUS clients.

==== CoovaChilli on MESHdesk and APdesk ====

  * MESHdesk and APdesk automatically add an associated RADIUS client when you add a Captive Portal Exit Point.
  * This RADIUS client is of type Coova-On-Meshdesk.

{{:radius:radius_clients:radius_client_coova.png?nolink|}}

  * When a user is disconnected, the component ///var/www/rdcore/cake4/rd_cake/src/Controller/Component/KickerComponent.php// contacts the AP with the instruction to disconnect the user.
  * If the MQTT mechanism is in place, the disconnection takes place in real time.
  * Without the MQTT mechanism, disconnecting a user takes up to one minute.
  * The command used on CoovaChilli to disconnect a user is **chilli_query logout mac** followed by the user's MAC address.

==== Mikrotik ====

  * For Mikrotik RADIUS clients, we use the **RouterOS API** client (https://github.com/EvilFreelancer/routeros-api-php) to communicate with the Mikrotik.
  * This library is already included in RADIUSdesk.
  * Often there is NAT between the Mikrotik and the RADIUSdesk server, so the server cannot reach the Mikrotik directly.
  * Fortunately, Mikrotik supports a large number of VPN technologies from which you can choose: https://help.mikrotik.com/docs/display/ROS/Virtual+Private+Networks
  * Select one of your choice if required. The setup is well documented in the Mikrotik documentation at the link above.
  * When you add a RADIUS client and select the **Mikrotik API** type, a dialog appears where you specify the details for the API connection to the Mikrotik.

{{:radius:radius_clients:radius_client_mikrotik_api.png?nolink|}}

  * There is also a **Test API connection** button that you can use to confirm that the API communication with the Mikrotik is actually working.
  * In the screenshot above, you can see part of the response from the Mikrotik indicating that the API communication is established and good.
  * We have also added a **Mikrotik API** button to the toolbar for RADIUS clients.

{{:radius:radius_clients:radius_client_api_button.png?nolink|}}

  * The button is disabled by default and is enabled when you select a **Mikrotik API** type RADIUS client.
  * When you click it, a new tab with two sub-tabs opens. One lists the active hotspot users and the other lists the active PPPoE users.
  * In these sub-tabs, you can select the listed users and disconnect them.

{{:radius:radius_clients:radius_client_api_tab.png?nolink|}}

===== Add Support for additional types =====

  * This is a technical section for those who want to introduce new RADIUS client types.
  * The entries in the drop-down list are specified in the following file: ///var/www/rdcore/cake4/rd_cake/config/RadiusDesk.php//

<code php>
//Define nas types
$config['nas_types'][0] = ['name' => 'Other', 'id' => 'other', 'active' => true];
$config['nas_types'][1] = ['name' => 'Coova-On-Meshdesk', 'id' => 'CoovaMeshdesk', 'active' => true];
$config['nas_types'][2] = ['name' => 'Mikrotik-API', 'id' => 'Mikrotik-API', 'active' => true];
</code>

  * When you select an active user in **Activity Monitor** to disconnect, the code behind the scenes determines the type of RADIUS client based on the **nasidentifier** field. (This field is located in the radacct table and must match the value in the dynamic_clients table.)
  * This is all done within the file ///var/www/rdcore/cake4/rd_cake/src/Controller/Component/KickerComponent.php//.
  * So if you want to add support for more types, you need to add additional sections to this PHP code.
  * Take a look at the following snippet.

<code php>
//First we try to find the client under dynamic_clients
$dc = $this->DynamicClients->find()
    ->where(['DynamicClients.nasidentifier' => $nasidentifier])
    ->contain(['DynamicClientSettings'])
    ->first();
if($dc){
    //===CoovaMeshdesk====
    if($dc->type == $this->coova_md){
        //It is type CoovaMeshdesk => Now try and locate AP to send command to
        //We have a convention of nasidentifier for meshdesk => mcp_ and apdesk => ap__cp_
        if(preg_match('/^mcp_/' ,$nasidentifier)){ //MESHdesk
            $this->kickMeshNodeUser($ent,$dc->cloud_id,$token);
        }
        if(preg_match('/^ap_/' ,$nasidentifier)){ //APdesk
            $this->kickApUser($ent,$dc->cloud_id,$token);
        }
        sleep(1); //Give MQTT time to do its thing....
    }
    //===Mikrotik-API===
    //(the Mikrotik-API branch follows here in the original file)
}
</code>

  * This is all that is required to disconnect an active RADIUS user.
  * The FUP implementation also uses this mechanism, so it is also a core component for the success of the FUP implementation.
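As an added illustration (not RADIUSdesk's own code), the stand-alone PHP script below models the lookup and dispatch that KickerComponent.php performs: the client is resolved by an exact nasidentifier match and a per-type handler map replaces the chain of if-blocks, so a new nas_types id needs one more entry. The sample dynamic_clients rows, the handler names and the RouterOS command path are constructed assumptions.

```php
<?php
// Added example, not RADIUSdesk code: a stand-alone model of how KickerComponent
// picks a disconnect method from the RADIUS client type. Handlers live in a
// type => callable map, so a new nas_types id needs one entry, not another if-block.
declare(strict_types=1);
// Constructed stand-in for the dynamic_clients table (type ids as in RadiusDesk.php).
const DYNAMIC_CLIENTS = [
    ['nasidentifier' => 'mcp_42',       'type' => 'CoovaMeshdesk', 'cloud_id' => 7],
    ['nasidentifier' => 'ap_9_cp_3',    'type' => 'CoovaMeshdesk', 'cloud_id' => 7],
    ['nasidentifier' => 'mt-office-01', 'type' => 'Mikrotik-API',  'cloud_id' => 8],
];
// Each handler returns the action it would take instead of performing it.
function kickHandlers(): array
{
    return [
        'CoovaMeshdesk' => function (array $dc, string $mac): array {
            // Page convention: mcp_ => MESHdesk node, ap_ => APdesk device, both via MQTT.
            if (preg_match('/^mcp_/', $dc['nasidentifier'])) {
                $via = 'MESHdesk';
            } elseif (preg_match('/^ap_/', $dc['nasidentifier'])) {
                $via = 'APdesk';
            } else {
                return ['status' => 'error', 'reason' => 'unknown CoovaMeshdesk prefix'];
            }
            return ['status' => 'sent', 'via' => $via, 'command' => "chilli_query logout mac $mac"];
        },
        'Mikrotik-API' => fn(array $dc, string $mac): array => [
            // Assumed RouterOS API path; the active session is removed by its .id.
            'status' => 'sent', 'via' => 'RouterOS API',
            'command' => "/ip/hotspot/active/remove (.id where mac-address=$mac)",
        ],
    ];
}
// Resolve the client as the page describes: radacct.nasidentifier must equal
// dynamic_clients.nasidentifier, otherwise nothing is sent and the user stays online.
function kickUser(string $nasidentifier, string $mac, array $handlers): array
{
    foreach (DYNAMIC_CLIENTS as $dc) {
        if ($dc['nasidentifier'] === $nasidentifier) {
            return isset($handlers[$dc['type']])
                ? $handlers[$dc['type']]($dc, $mac)
                : ['status' => 'unsupported-type', 'type' => $dc['type']];
        }
    }
    return ['status' => 'no-client', 'nasidentifier' => $nasidentifier];
}
// 'MCP_42' matches no row (strict comparison in this model): the kick cannot be delivered.
foreach (['mcp_42', 'ap_9_cp_3', 'mt-office-01', 'MCP_42'] as $nasid) {
    echo $nasid, ' => ', json_encode(kickUser($nasid, 'aa:bb:cc:dd:ee:ff', kickHandlers())), PHP_EOL;
}
```

The `no-client` and `unsupported-type` results are the cases worth logging in a real deployment, since a silently unmatched nasidentifier leaves a user online after an operator believes they were disconnected.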