 From:  Peter Allgeyer <allgeyer at web dot de>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Captive Portal MAC Pass-Through + Radius Reauthentication
 Date:  Tue, 22 Apr 2008 22:53:27 +0200

I'm answering a question which I've posted to the m0n0wall list here,
because it's more of a developer issue.

On Tuesday, 22.04.2008, 21:17 +0200, Peter Allgeyer wrote:
> Hi,
> we have configured the captive portal to authenticate users against a
> Radius server with reauthentication every minute. When using the MAC
> Pass-Through feature, we have problems reaching hosts on the WAN side on
> other ports than port 80. The log says that the connection passes the
> filter, but tcpdump tells me that the packet never reaches the next hop
> router.
> I've found some messages in the captive portal log, which make me
> believe that it has something to do with radius reauthentication:
> Apr 22 18:18:20 RADIUS_DISCONNECT: unauthenticated, 00:02:a5:fa:b9:35,
> Apr 22 18:16:14 RADIUS_DISCONNECT: unauthenticated, 00:02:a5:fa:b9:35,
> Apr 22 18:07:06 RADIUS_DISCONNECT: unauthenticated, 00:08:02:0b:84:c2,
> Apr 22 18:06:01 RADIUS_DISCONNECT: unauthenticated, 00:08:02:0b:84:c2,
> Apr 22 18:04:55 RADIUS_DISCONNECT: unauthenticated, 00:08:02:0b:84:c2,
> Apr 22 18:03:50 RADIUS_DISCONNECT: unauthenticated, 00:08:02:0b:84:c2,
> Can we please exclude the Pass-Through mac addresses from radius
> reauthentication?

Maybe I'm able to define those mac addresses in the radius server, so
that there'll be no problem in future. Have to try that. But:

I think I've found the cause of the problem in the source:

/etc/inc/captiveportal.inc: function captiveportal_prune_old()

    /* read database */
    $cpdb = captiveportal_read_db();

    /* iterate over every host currently in the database */
    $no_users = count($cpdb);
    for ($i = 0; $i < $no_users; $i++) {

It reads in a list of all recognized hosts and iterates over the number
of hosts found. Then it checks for "hard timeout",
"Session-Terminate-Time", "radius idle_timeout", "radius
session_timeout" and so on. Last there's a check for "RADIUS
reauthentication". I think, in the case of Pass-Through mac addresses, we
don't have to check for any of those timeouts, just letting those hosts
stay connected. So excluding the hosts listed
in /var/db/captiveportal_mac.db (or better(?) <passthrumac>) from any
test in captiveportal_prune_old would be nice and doesn't lead to


 copyleft(c) by |           /*  * Buddy system. Hairy. You really aren't
 Peter Allgeyer |   _-_     expected to understand this  *  */   --
                | 0(o_o)0   From /usr/src/linux/mm/page_alloc.c
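As an added illustration of the exclusion proposed in the mail above (example code, not m0n0wall's own captiveportal.inc): a prune pass that takes the pass-through MAC list out of the timeout and RADIUS reauthentication checks before they run. The row layout, the field names and the sample data are assumptions for this example; the real rows come from captiveportal_read_db().

```php
<?php
// Added example, not m0n0wall code. Row layout ('mac', 'user') and the
// pass-through list format are constructed for this illustration.

// Canonical form for comparing MAC addresses: lower-case, colon-separated.
// The address stored in captiveportal_mac.db and the one seen on the wire
// may differ in case or separator, so never compare the raw strings.
function normalize_mac($mac) {
    $hex = strtolower(preg_replace('/[^0-9a-f]/i', '', $mac));
    if (strlen($hex) !== 12) {
        return null; // malformed address: never treat it as a pass-through match
    }
    return implode(':', str_split($hex, 2));
}

// Build a lookup set from the configured pass-through MACs.
function passthru_set(array $passthrumacs) {
    $set = array();
    foreach ($passthrumacs as $mac) {
        $n = normalize_mac($mac);
        if ($n !== null) {
            $set[$n] = true;
        }
    }
    return $set;
}

// Return only the session rows that should still go through the hard
// timeout, idle/session timeout and RADIUS reauthentication checks,
// i.e. everything that is not on the pass-through list.
function sessions_to_check(array $cpdb, array $passthru) {
    $keep = array();
    foreach ($cpdb as $row) {
        $mac = normalize_mac($row['mac']);
        if ($mac !== null && isset($passthru[$mac])) {
            continue; // pass-through host: leave it connected, skip the checks
        }
        $keep[] = $row;
    }
    return $keep;
}

// Constructed sample data (the first two MACs are the ones from the log above).
$passthru = passthru_set(array('00:02:A5:FA:B9:35', '00-08-02-0b-84-c2'));
$cpdb = array(
    array('mac' => '00:02:a5:fa:b9:35', 'user' => 'unauthenticated'),
    array('mac' => '00:11:22:33:44:55', 'user' => 'alice'),
);
foreach (sessions_to_check($cpdb, $passthru) as $row) {
    echo $row['mac'], " still subject to reauthentication\n";
}
```

Skipping the checks for a pass-through host means that host stays connected for as long as its entry is in the pass-through list, so the list itself becomes the only thing limiting that access and should be kept as short as the deployment allows.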