I made a little mistake in the code, sorry ;) This release should fix it:
http://inf.imelda.be/downloads/m0n0wall/generic-pc-radius2_20051018_18-4 9.img

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be

-----Original Message-----
From: Thibodeau, Dale [mailto:dthibode at uwc dot edu]
Sent: Tuesday, October 18, 2005 15:41
To: m0n0wall
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing fields

Jonathan et al,

I need to modify the radius authentication to pass mac address. I'm trying to follow the thread here but I'm not sure where this left off. What do I need to change in 1.2 to get the radius authentication to pass mac address? Sorry if I overlooked it here; I searched through the thread but I can't find the conclusion. I did find a link to a 1.2b10 cf image you had on your site that supposedly has a modified radius, but upon authentication I get a putattributes error on line 87. Also, if I add in the <radiusvendor>cisco</radiusvendor> tags I get another putattributes error. Can you help me?

Dale

-----Original Message-----
From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be]
Sent: Tuesday, October 11, 2005 3:39 PM
To: Bernie O'Connor; m0n0wall
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing fields

Would this be enough for you?

    switch($radiusservers[0]['vendor']) {
        case 'cisco':
            $rauth->putAttributes(RADIUS_CALLED_STATION_ID, $clientmac);
            $rauth->putAttributes(RADIUS_CALLING_STATION_ID, $clientip);
            break;
        default:
            $rauth->putAttributes(RADIUS_CALLING_STATION_ID, $clientmac);
            break;
    }

This way, if you specify the vendor default/cisco (select box on the GUI, not yet implemented) the behaviour changes, and this will satisfy all users I think without breaking too much stuff. I did it with a switch because this leaves it open to add other 'special' servers.

I think this will be a discussion for all m0n0wall users...

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be

-----Original Message-----
From: Bernie O'Connor [mailto:Bernie dot OConnor at sas dot com]
Sent: Tuesday, October 11, 2005 22:06
To: Jonathan De Graeve
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing fields

I agree with you that mac is more secure, but...

For Cisco radius to work with m0n0wall radius per Cisco's implementation, either 31 has to be a valid ip address, or m0n0wall has to pass both 30 and 31 attributes. Would you consider coding attribute 30 for mac address and attribute 31 for ip address and passing both with the authentication request?

I'm using a document that Cisco radius uses for determining what Network access restrictions to apply based on attribute 30,31, where 31 being a valid ip address triggers what they call a NAR filter (network access restriction), vs their DNIS/CLI filter when 31 is not a valid ip and 30 is also passed.

bernie

===========
5.30.
Called-Station-Id

   Description

      This Attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.

      A summary of the Called-Station-Id Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

   Type
      30 for Called-Station-Id.

   Length
      >= 3

   String
      The String field is one or more octets, containing the phone number that the user's call came in on. The actual format of the information is site or application specific. UTF-8 encoded 10646 [7] characters are recommended, but a robust implementation SHOULD support the field as undistinguished octets. The codification of the range of allowed usage of this field is outside the scope of this specification.

5.31. Calling-Station-Id

   Description

      This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets.

      A summary of the Calling-Station-Id Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

   Type
      31 for Calling-Station-Id.

   Length
      >= 3

   String
      The String field is one or more octets, containing the phone number that the user placed the call from. The actual format of the information is site or application specific. UTF-8 encoded 10646 [7] characters are recommended, but a robust implementation SHOULD support the field as undistinguished octets.
      The codification of the range of allowed usage of this field is outside the scope of this specification.

================

-----Original Message-----
From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be]
Sent: Tuesday, October 11, 2005 3:38 PM
To: Bernie O'Connor
Cc: m0n0wall
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing fields

I think I'm going to use mac. Is this a problem?

Since the ip can change and the mac of a computer seldom does (ok, it can be spoofed). In this way you can block certain clients from logging on to your internet service (abuse...)

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be

-----Original Message-----
From: Bernie O'Connor [mailto:Bernie dot OConnor at sas dot com]
Sent: Tuesday, October 11, 2005 21:17
To: Jonathan De Graeve
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing fields

Code snippet:
----------------------------- +++ dev/mfs/usr/local/captiveportal/radius_authentication.inc Tue Sep 20 16:11:40 2005 @@ -28,7 +28,7 @@ // was also fixed and patches submitted to Edwin. This bug would // have caused authentication to fail on every access. -function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiusk ey) { +function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiusk ey,$clientip) { $sharedsecret=$radiuskey ; # $debug = 1 ; @@ -44,7 +44,7 @@ stream_set_timeout($fd, 5) ; if ($debug) - echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<hr>\n"; + echo "<br>radius-port: $radiusport<br>radius-host: $radiusip<br>username: $username<br>clientip: $clientip<hr>\n"; $RA=pack("CCCCCCCCCCCCCCCC", // auth code 1+rand()%255, 1+rand()%255, 1+rand()%255, 1+rand()%255, 
@@ -60,19 +60,21 @@ 2+strlen($username)+ // username 2+strlen($encryptedpassword)+ // userpassword 2+strlen($nasHostname[0])+ // nasIdentifier + 2+strlen($clientip)+ // Calling-Station-ID 6+ // nasPort 6; // nasPortType $thisidentifier=rand()%256; // v v v v v v v v v // Line # 1 2 3 4 5 6 7 8 E - $data=pack("CCCCa*CCCCCCCCa*CCa*CCa*CCCCCCCCCCCC", + $data=pack("CCCCa*CCCCCCCCa*CCa*CCa*CCA*CCCCCCCCCCCC", 1,$thisidentifier,$length/256,$length%256, // header $RA, // authcode 6,6,0,0,0,1, // service type 1,2+strlen($username),$username, // username 2,2+strlen($encryptedpassword),$encryptedpassword, // userpassword 32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier + 31,2+strlen($clientip),$clientip, // Calling-Station-ID 5,6,0,0,0,0, // nasPort 61,6,0,0,0,15 // nasPortType = Ethernet ); @@ -81,6 +83,7 @@ echo "username is $username with len " . strlen($username) ."\n" ; echo "encryptedpassword is $encryptedpassword with len " . strlen($encryptedpassword) ."\n" ; echo "nasHostname is {$nasHostname[0]} with len " . strlen($nasHostname[0]) ."\n" ; + echo "clientip is $clientip with len " . strlen($clientip) . "\n" ; } $ret = fwrite($fd,$data) ;

-----Original Message-----
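Review bot: in the @@ -28,7 +28,7 @@ hunk the new trailing `$clientip` parameter of RADIUS_AUTHENTICATION has no default, so any caller that is not updated in the same patch passes nothing and the later pack() still emits a Calling-Station-Id built from an empty string; give it a default (`$clientip = ''`), skip the attribute when it is empty, and validate it as a dotted-quad address before it goes on the wire.

Review bot: in the @@ -44,7 +44,7 @@ hunk the changed debug `echo` writes `$clientip` into the HTML response unescaped; it is behind `if ($debug)`, but a value taken from the client connection should still go through `htmlspecialchars()` like the other echoed fields so a debug build does not reflect arbitrary bytes into the page.

Review bot: in the @@ -60,19 +60,21 @@ hunk the new pack() format uses `A*` for Calling-Station-Id while every other string attribute uses `a*`; with a `*` count both emit the string unpadded, so it works, but `a*` keeps the format consistent. The bigger issue is that the attribute is packed unconditionally as `31,2+strlen($clientip),$clientip`: an empty `$clientip` produces a Length of 2, below the `Length >= 3` the RFC text quoted earlier in the thread requires, and a string longer than 253 octets overflows the one-octet Length field and corrupts the packet; guard both cases before adding the attribute to `$length` and `$data`.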
From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be]
Sent: Tuesday, October 11, 2005 3:02 PM
To: Bernie O'Connor
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing fields

What is the value of calling-station-id? Mac or Ip of the host...?

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be

-----Original Message-----
From: Bernie O'Connor [mailto:Bernie dot OConnor at sas dot com]
Sent: Friday, October 7, 2005 15:54
To: Lee Sharp; m0n0wall
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing fields

Sounds like you might be dealing with a Cisco Radius server. I created a patch to allow 1.2b10 to work with Cisco Radius (calling-station-id, and client ip-address); Jonathan is considering adding the attributes for 1.3. If you're comfortable with building a custom image of m0n0wall I can send you the patch; otherwise you'll have to wait for 1.3.

bernie

-----Original Message-----
From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be]
Sent: Thursday, October 06, 2005 4:54 PM
To: Lee Sharp; m0n0wall
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing fields

The attributes you are saying you require aren't in 1.11 and never will be. They were added later in 1.2b7 indeed....

As the RADIUS RFCs state, only Nas-Ip || Nas-Identifier are required fields. (You can use both of them in a request or only one of them.)

If you want to use Captive Portal with Radius authentication working you CAN use 1.2b10. It seems to be 'very stable'. At least if you only use Captive Portal and radius... There are some caveats with Openvpn and Ipsec with it, but as long as you aren't using those you can use this one.

Or you can wait until 1.2 comes out (it shouldn't be a long time anymore, I think).

1.3b will have completely rewritten radius authentication code to support things users have been asking for (multiple radius server support with failover, round-robin etc..., Radius url-redirection etc.)

Software has always been distributed 'AS IS' without any warranties.

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be

-----Original Message-----
From: Lee Sharp [mailto:leesharp at hal dash pc dot org]
Sent: Thursday, October 6, 2005 22:44
To: m0n0wall
Subject: [m0n0wall] Captive Portal RADIUS authentication missing fields

I am trying to use m0n0 1.11 (this client does not like "beta" software) with captive portal to authenticate against a RADIUS server owned by a third party. I have no control over, or access to, the RADIUS server. I am failing in authentication.
The "tech" at the third party stated, "In the auth request you are missing the following attributes; NAS IP, Framed IP, Calling-Station-ID, Called-Station-ID, and Acct-Session-ID"

I have seen people getting these attributes, but only in 1.2b7+. Will 1.11 provide this, or do I need to convince the client that 1.2b10 is very stable "beta" software? :-)

Lee

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
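The Called-Station-Id (30) and Calling-Station-Id (31) layout quoted from the RFC earlier in the thread (Type, Length, String, with Length >= 3) and Jonathan's vendor switch, as an added, self-contained Python example that is not m0n0wall code and not part of any message above: it encodes the two attributes exactly as the RFC describes, picks which value goes into which attribute per server vendor (MAC in 31 by default; MAC in 30 and IP in 31 for 'cisco'), parses the attributes back with length checks, and wraps them in an Access-Request header. The MAC, IP and identifier values are constructed sample data; the function names are this example's own.

```python
"""RADIUS Called-Station-Id / Calling-Station-Id encoding and parsing.

Constructed example to illustrate the thread; not m0n0wall code.
"""
import os
import struct

RADIUS_CALLED_STATION_ID = 30   # attribute type 30 (RFC 2865 5.30)
RADIUS_CALLING_STATION_ID = 31  # attribute type 31 (RFC 2865 5.31)
ACCESS_REQUEST = 1              # RADIUS packet code


def encode_attribute(attr_type, value):
    """Type (1 octet) | Length (1 octet, counts the header) | String.

    The RFC requires Length >= 3, and Length is a single octet, so the
    string must be 1..253 octets; anything else is rejected rather than
    emitted as a malformed attribute.
    """
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    if not 1 <= len(data) <= 253:
        raise ValueError("attribute string must be 1..253 octets")
    return struct.pack("BB", attr_type, 2 + len(data)) + data


def station_id_attributes(vendor, clientmac, clientip):
    """Same choice as the vendor switch in the thread: the default server
    gets the client MAC in Calling-Station-Id; a 'cisco' server gets the
    MAC in Called-Station-Id and the IP in Calling-Station-Id."""
    if vendor == "cisco":
        return (encode_attribute(RADIUS_CALLED_STATION_ID, clientmac)
                + encode_attribute(RADIUS_CALLING_STATION_ID, clientip))
    return encode_attribute(RADIUS_CALLING_STATION_ID, clientmac)


def decode_attributes(blob):
    """Walk a run of attributes and return {type: [string, ...]}.

    Truncated headers and Length values below 3 or past the end of the
    buffer raise instead of being read past silently.
    """
    out = {}
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 3 or pos + length > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        out.setdefault(attr_type, []).append(blob[pos + 2:pos + length])
        pos += length
    return out


def access_request(identifier, attributes, authenticator=None):
    """Code | Identifier | Length (whole packet, big-endian) | 16-octet
    Request Authenticator | attributes.

    The Request Authenticator must be unpredictable, so it comes from
    os.urandom when the caller does not supply one for testing.
    """
    if authenticator is None:
        authenticator = os.urandom(16)
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    length = 20 + len(attributes)
    if length > 4096:
        raise ValueError("packet exceeds the RADIUS maximum of 4096 octets")
    return (struct.pack("!BBH", ACCESS_REQUEST, identifier, length)
            + authenticator + attributes)


# Constructed sample values, not taken from any real client.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_IP = "192.0.2.10"

if __name__ == "__main__":
    for vendor in ("default", "cisco"):
        attrs = station_id_attributes(vendor, SAMPLE_MAC, SAMPLE_IP)
        pkt = access_request(7, attrs)
        print(vendor, len(pkt), "octets,", decode_attributes(pkt[20:]))
```

With the default vendor only attribute 31 carrying the MAC is sent; with 'cisco' both 30 (MAC) and 31 (IP) appear, which is the combination Bernie describes as triggering the Cisco NAR filter. The decoder's length check is the mirror image of the encoder's: a Length of 2 is rejected on both sides, which is what the RFC's "Length >= 3" means in practice.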