 From:  "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 To:  "Bernie O'Connor" <Bernie dot OConnor at sas dot com>
 Cc:  "m0n0wall" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Captive Portal RADIUS authentication missing fields
 Date:  Tue, 11 Oct 2005 21:38:10 +0200
I think I'm going to use MAC.

Is this a problem?

Since the IP can change and the MAC of a computer seldom does (OK, it can
be spoofed).

In this way you can block certain clients from logging on to your internet
service (abuse...)


J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be
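
The choice made in the message above (MAC rather than IP as Calling-Station-Id), as an added example that is not part of the original e-mail or of m0n0wall's code: it encodes the attribute with the length checks a type-length-value encoder needs, then parses the block back and confirms that NAS-IP-Address or NAS-Identifier is present. The function names, the "-" MAC separator and the sample values are assumptions, and PHP 7 or later is assumed.

```php
<?php
// Added example, not m0n0wall code; function names are hypothetical.

// Encode one attribute as type, length, value. The length octet also counts
// the two header bytes, so a string value must be 1..253 bytes long.
function radius_attr(int $type, string $value): string {
    $len = strlen($value);
    if ($len < 1 || $len > 253) {
        throw new InvalidArgumentException("attribute $type: bad value length $len");
    }
    return pack("CC", $type, 2 + $len) . $value;
}

// Normalise a MAC to lower-case hex pairs joined by "-" (the separator is an
// assumed local convention) and reject anything that is not six bytes.
function normalize_mac(string $mac): string {
    $hex = strtolower(str_replace([":", "-", "."], "", $mac));
    if (strlen($hex) !== 12 || !ctype_xdigit($hex)) {
        throw new InvalidArgumentException("not a MAC address: $mac");
    }
    return implode("-", str_split($hex, 2));
}

// Walk an attribute block and return [type => value]; a length under 2 is
// invalid and would also stall the loop, so it is rejected.
function parse_attrs(string $buf): array {
    $out = [];
    $end = strlen($buf);
    for ($i = 0; $i < $end; $i += $len) {
        if ($i + 2 > $end) {
            throw new UnexpectedValueException("truncated attribute header");
        }
        $type = ord($buf[$i]);
        $len  = ord($buf[$i + 1]);
        if ($len < 2 || $i + $len > $end) {
            throw new UnexpectedValueException("attribute $type: bad length $len");
        }
        $out[$type] = substr($buf, $i + 2, $len - 2);
    }
    return $out;
}

// Constructed sample values.
$attrs = radius_attr(1, "alice")                               // User-Name
       . radius_attr(32, "m0n0wall.example")                   // NAS-Identifier
       . radius_attr(31, normalize_mac("00:0D:60:AB:CD:EF"));  // Calling-Station-Id
$seen = parse_attrs($attrs);
// The request must carry NAS-IP-Address (4) or NAS-Identifier (32).
var_dump(isset($seen[4]) || isset($seen[32]));
echo "Calling-Station-Id: {$seen[31]}\n";
```

Only the attribute section is built here; the packet header, request authenticator and User-Password hiding are left out.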

-----Original Message-----
From: Bernie O'Connor [mailto:Bernie dot OConnor at sas dot com]
Sent: Tuesday, 11 October 2005 21:17
To: Jonathan De Graeve
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

Code snippet:
-----------------------------
+++ dev/mfs/usr/local/captiveportal/radius_authentication.inc   Tue Sep
20 16:11:40 2005
@@ -28,7 +28,7 @@
        // was also fixed and patches submitted to Edwin. This bug would
        // have caused authentication to fail on every access.

-function
RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiusk
ey) {
+function
RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiusk
ey,$clientip) {
        $sharedsecret=$radiuskey ;
        # $debug = 1 ;
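
Review bot: $clientip is added to RADIUS_AUTHENTICATION() as a sixth required argument, which breaks any caller still passing five, and the patch as posted shows no call-site change. Either include the caller update in the same patch or give the parameter a default ($clientip = "") and skip the attribute when it is empty. The parameter also needs a comment saying what it may hold: it is named as an IP address but is sent as Calling-Station-ID, and nothing in the function cares whether it receives an IP or a MAC.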

@@ -44,7 +44,7 @@
        stream_set_timeout($fd, 5) ;

        if ($debug)
-           echo "<br>radius-port: $radiusport<br>radius-host:
$radiusip<br>username: $username<hr>\n";
+           echo "<br>radius-port: $radiusport<br>radius-host:
$radiusip<br>username: $username<br>clientip:  $clientip<hr>\n";

        $RA=pack("CCCCCCCCCCCCCCCC",                            // auth
code
            1+rand()%255, 1+rand()%255, 1+rand()%255, 1+rand()%255,
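
Review bot: the changed debug echo interpolates $clientip (and $username beside it) straight into HTML output with no escaping. It only runs when $debug is set, but both are caller-supplied parameters; wrapping them in htmlspecialchars() keeps a debug run from rendering whatever markup they contain.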
@@ -60,19 +60,21 @@
                2+strlen($username)+            // username
                2+strlen($encryptedpassword)+   // userpassword
                2+strlen($nasHostname[0])+                      //
nasIdentifier
+               2+strlen($clientip)+            // Calling-Station-ID
                6+                              // nasPort
                6;                              // nasPortType

        $thisidentifier=rand()%256;
        //          v   v v     v   v   v   v     v     v
        // Line #   1   2 3     4   5   6   7     8     E
-       $data=pack("CCCCa*CCCCCCCCa*CCa*CCa*CCCCCCCCCCCC",
+       $data=pack("CCCCa*CCCCCCCCa*CCa*CCa*CCA*CCCCCCCCCCCC",
            1,$thisidentifier,$length/256,$length%256,          //
header
            $RA,                                                //
authcode
            6,6,0,0,0,1,                                        //
service type
            1,2+strlen($username),$username,                    //
username
            2,2+strlen($encryptedpassword),$encryptedpassword,  //
userpassword
            32,2+strlen($nasHostname[0]),$nasHostname[0],       //
nasIdentifier
+           31,2+strlen($clientip),$clientip,                   //
Calling-Station-ID
            5,6,0,0,0,0,
// nasPort
            61,6,0,0,0,15
// nasPortType = Ethernet
            );
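
Review bot: nothing checks strlen($clientip) before it is packed in the added line 31,2+strlen($clientip),$clientip. The attribute length is written with a single C (one byte), so an empty $clientip yields an attribute with no value and anything over 253 bytes wraps the length octet and misaligns every attribute after it; reject the value or skip the attribute outside 1..253 bytes. Two smaller points: the new field uses A* where every other string in the format uses a*, which packs the same bytes with * but is inconsistent, and the column-marker comment above pack() was not extended for the added attribute.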
@@ -81,6 +83,7 @@
                echo "username is $username with len " .
strlen($username) ."\n" ;
                echo "encryptedpassword is $encryptedpassword with len "
. strlen($encryptedpassword) ."\n" ;
                echo "nasHostname is {$nasHostname[0]} with len " .
strlen($nasHostname[0]) ."\n" ;
+               echo "clientip is $clientip with len " .
strlen($clientip) . "\n" ;
        }

        $ret = fwrite($fd,$data) ; 

-----Original Message-----
From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be] 
Sent: Tuesday, October 11, 2005 3:02 PM
To: Bernie O'Connor
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

What is the value of calling-station-id?

MAC or IP of the host...?


--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be

-----Original Message-----
From: Bernie O'Connor [mailto:Bernie dot OConnor at sas dot com]
Sent: Friday, 7 October 2005 15:54
To: Lee Sharp; m0n0wall
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

Sounds like you might be dealing with a Cisco Radius server.  I created
a patch to allow 1.2b10 to work with Cisco Radius (calling-station-id
and client ip-address); Jonathan is considering adding the attributes
for 1.3.  If you're comfortable with building a custom image of m0n0wall
I can send you the patch; otherwise you'll have to wait for 1.3.

bernie 

-----Original Message-----
From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be]
Sent: Thursday, October 06, 2005 4:54 PM
To: Lee Sharp; m0n0wall
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

The attributes you are saying you require aren't in 1.11 and never will
be.

They were added later in 1.2b7 indeed....

As the RADIUS RFCs state, only NAS-IP || NAS-Identifier are required
fields (you can use both of them in a request or only one of them).

If you want to use Captive Portal with RADIUS authentication working you
CAN use 1.2b10. It seems to be 'very stable'. At least if you only use
Captive Portal and RADIUS... There are some caveats with OpenVPN and
IPsec with it but as long as you aren't using that you can use this one.

Or you can wait until 1.2 comes out (it shouldn't be a long time
anymore, I think)

1.3b will have completely rewritten RADIUS authentication code to
support things users have been asking for (multiple RADIUS server
support with failover, round-robin etc..., RADIUS url-redirection etc.)

Software has always been distributed 'AS IS' without any warranties.

J.


--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be

-----Original Message-----
From: Lee Sharp [mailto:leesharp at hal dash pc dot org]
Sent: Thursday, 6 October 2005 22:44
To: m0n0wall
Subject: [m0n0wall] Captive Portal RADIUS authentication missing
fields

I am trying to use m0n0 1.11 (this client does not like "beta" software)
with captive portal to authenticate against a RADIUS server owned by a
third party.  I have no control over, or access to, the RADIUS server.
I am failing in authentication.  The "tech" at the third party stated,
"In the auth request you are missing the following attributes; NAS IP,
Framed IP, Calling-Station-ID, Called-Station-ID, and Acct-Session-ID"
I have seen people getting these attributes, but only in 1.2b7+.  Will
1.11 provide this, or do I need to convince the client that 1.2b10 is
very stable "beta" software? :-)

Lee


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch




