Mikrotik CoA Disconnect not working


#1

Does anyone have a MT router working correctly with RADIUS? Everything seems to work fine except for the CoA Disconnect.

I have spent countless hours with others including Sonar support trying to figure it out with no luck. Sonar says it is an issue between FreeRADIUS and the Tik and I believe that to be true. Even testing with radclient from the RADIUS server fails with ‘no response from the server’.

The MT log shows a Disconnect-NACK with Error-Cause 406 which is ‘unsupported extension’.


#2

Yes, we have CoA disconnect working just fine. The “Unsupported Extension” is probably due to not enough RADIUS attributes specified. I believe you need more than just the username or it will ignore the request and fail with that error.


#3

The 406 was another issue, but the RADIUS server never receives a “Disconnect-response” from the MT:

Capturing on ‘eth0’
19 1081.728959386 xxx.xxx.xxx.192 → xxx.xxx.xxx.50 RADIUS 107 Disconnect-Request(40) (id=114, l=65)

Even though the MT says it sent it:

jun/05 22:49:04 radius,debug sending Disconnect-ACK to remote request 185
jun/05 22:49:04 radius,debug,packet sending Disconnect-ACK with id 114 to xxx.xxx.xxx.192:1814


#4

If the RADIUS server doesn’t receive a disconnect-response, there are a few possibilities that I can think of. The most obvious would be that a firewall is blocking the response or that the response packet is being NATted and so the source address is being altered because of that.


#5

Thank you, Michael.
I went through a lot of troubleshooting like this since I posted this. It seems the MT is not actually sending the ACK even though the log says it is. The packet sniffer on the Tik confirms this. At this point I’m assuming it’s a bug in RouterOS and am looking to implement a workaround on FreeRADIUS.


#6

What RouterOS version are you running? Our routers definitely return this Disconnect-ACK properly.


#7

6.42.3


#8

Our routers are still running older 6.39.x and 6.40.x releases; we are in the process of upgrading. I will test to see if the same thing happens with ours after the upgrade and let you know.


#9

Thank you


#10

This seemed to be a bug in 6.39 in my testing; it started working once I upgraded to 6.42 (the Disconnect NAK issue).


#11

It seems the issue was that we were using the floating VRRP address for the NAS. Creating 2 pools in FreeRADIUS with the VRRP member addresses instead solved the disconnect problem. I suspect the ACK may have been going out from a different address or something. Hopefully this helps someone if they run into the same issue.
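
Added example (not part of the thread, and not FreeRADIUS or RouterOS code): a Python sketch of the checks a Disconnect-Request sender can apply to a reply, showing why a correctly signed Disconnect-ACK can still go unmatched when it leaves from a VRRP member address instead of the floating address the request was sent to. The addresses, secret and attribute values are constructed, and the rule that the reply source must equal the request destination is an assumption modelling the suspicion in the last post.

```python
import hashlib
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def build(code, ident, attrs, secret, request_auth=bytes(16)):
    """Build a packet; authenticator = MD5(header + seed + attrs + secret).
    The seed is 16 zero octets for a Disconnect-Request (RFC 5176) and the
    request's authenticator for the reply."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def check_reply(request, reply, secret):
    """Return the reasons the sender would not match this reply ([] = accepted).
    request and reply are (src_ip, dst_ip, raw_bytes) tuples."""
    (_, req_dst, req_raw), (rep_src, _, rep_raw) = request, reply
    code, ident, length = struct.unpack("!BBH", rep_raw[:4])
    problems = []
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        problems.append("not a Disconnect-ACK/NAK")
    if ident != req_raw[1]:
        problems.append("identifier mismatch")
    if rep_src != req_dst:  # assumed matching rule, see lead-in
        problems.append(f"reply came from {rep_src}, request went to {req_dst}")
    expected = hashlib.md5(
        rep_raw[:4] + req_raw[4:20] + rep_raw[20:length] + secret).digest()
    if rep_raw[4:20] != expected:
        problems.append("bad Response Authenticator")
    return problems

# Constructed sample data (documentation addresses; id 114 as in the capture above).
SECRET = b"constructed-secret"
VIP, MEMBER, SERVER = "192.0.2.1", "192.0.2.2", "192.0.2.50"
REQ_RAW = build(DISCONNECT_REQUEST, 114,
                attr(1, b"alice") + attr(44, b"81a00001"), SECRET)
ACK_RAW = build(DISCONNECT_ACK, 114, b"", SECRET, REQ_RAW[4:20])
REQUEST = (SERVER, VIP, REQ_RAW)

if __name__ == "__main__":
    print("ACK from floating address:", check_reply(REQUEST, (VIP, SERVER, ACK_RAW), SECRET))
    print("ACK from member address:  ", check_reply(REQUEST, (MEMBER, SERVER, ACK_RAW), SECRET))
```

Comparing the source address of the Disconnect-ACK in a capture on the NAS with the address configured for that NAS on the RADIUS server is the equivalent manual check.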