Imel
There are times when HeroTill cannot disconnect radius sessions from the NAS.
This can let a user go over their cap with no means of disconnecting them, or it can prevent the user from being switched to another package.

To see this, go to https://your_datatill_app/radius/sessions and sort by duration, descending.

Try to disconnect one of the long-running sessions.
If it fails, it means FreeRADIUS cannot talk back to the NAS.
This is most often one of two reasons:
1. The NAS does not have “Incoming” enabled on the Radius setting or it is not using port 1700. See screenshot below for a MikroTik NAS example:

[Screenshot: Radius Incoming]
2. NAT is involved, so when FreeRADIUS talks back to the NAS, the request appears to originate from an IP other than the RADIUS IP configured on the NAS.
To troubleshoot incorrect return IP, do the following:
Go to one of the NAS where the users are not being disconnected.
Add a filter rule to accept and log inbound RADIUS disconnect requests, as follows, and move this rule to the top:
[Screenshot: firewall rule]
Now try to disconnect the user again and see what appears in the RouterOS log:
[Screenshot: RouterOS log]
As you can see above, the disconnect request appears to come from an IP other than the RADIUS IP, so it gets ignored.
There are two ways to fix the problem.
1. Change the Src. Address in the Radius server setup:
[Screenshot: Radius Server Source Address]
2. Add another radius entry on the NAS, using the new IP from the log.
You do not need to tick any services for this radius entry.
Be sure to move this new radius entry to the bottom of the list.
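
The NAS-side checks and fix 2 above, written as RouterOS terminal commands. This is an added example, not a transcription of the original screenshots and not HeroTill's own configuration; the addresses (documentation ranges), the `radius-dm` log prefix, the rule comment and the secret are placeholders assumed for illustration.

```routeros
# Added example. Assumed placeholder values:
#   198.51.100.10 = RADIUS IP already configured on the NAS
#   203.0.113.7   = source IP that shows up in the log because of NAT

# Reason 1: confirm the NAS accepts incoming RADIUS requests on port 1700.
/radius incoming set accept=yes port=1700
/radius incoming print

# Troubleshooting: accept and log inbound disconnect requests.
# place-before=0 puts the rule at the top of the filter list.
/ip firewall filter add chain=input protocol=udp dst-port=1700 \
    action=accept log=yes log-prefix="radius-dm" place-before=0 \
    comment="TEMP: log RADIUS disconnect requests"

# Trigger a disconnect from the sessions page, then read the logged
# source address (the part before "->" in the logged packet line).
/log print where message~"radius-dm"

# Fix 2: add a RADIUS entry for the logged source IP. No service is set,
# so the entry is used only to match incoming requests. New entries are
# appended to the bottom of the list. The secret is assumed to be the
# same shared secret FreeRADIUS uses for this NAS.
/radius add address=203.0.113.7 secret="REPLACE-WITH-SHARED-SECRET" \
    comment="RADIUS server as seen through NAT (disconnect only)"
/radius print

# Once disconnects work, stop logging on the temporary rule.
/ip firewall filter set [find comment="TEMP: log RADIUS disconnect requests"] log=no
```

The extra RADIUS entry makes the NAS accept disconnect requests from that address, so confirm the logged IP really is your RADIUS server's NAT address before adding it.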
FreeRADIUS should now be able to disconnect those sticky RADIUS users. If not, please contact us for assistance.