[ previous ] [ next ] [ threads ]
 
 From:  "Thibodeau, Dale" <dthibode at uwc dot edu>
 To:  "m0n0wall" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Captive Portal RADIUS authentication missing fields
 Date:  Tue, 18 Oct 2005 13:32:05 -0500
Seems to have done the trick.

Thanks Jonathan!

dale 

-----Original Message-----
From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be] 
Sent: Tuesday, October 18, 2005 1:15 PM
To: Thibodeau, Dale; m0n0wall
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

Thats because the putAttributes function didn't exists.

It had to be putAttribute ;)

FIXED:
http://inf.imelda.be/downloads/m0n0wall/generic-pc-radius2_20051018_20-0
3.img

Can you validate if this works?

J.

-----Oorspronkelijk bericht-----
Van: Thibodeau, Dale [mailto:dthibode at uwc dot edu]
Verzonden: dinsdag 18 oktober 2005 20:12
Aan: m0n0wall
Onderwerp: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

 I'm still getting an error, putattributes radius_authentication.inc on
line 130

Any ideas?

dale

-----Original Message-----
From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be]
Sent: Tuesday, October 18, 2005 11:52 AM
To: Thibodeau, Dale; m0n0wall
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

I made a little mistake in the code, sorry ;)

This release should fix it:

http://inf.imelda.be/downloads/m0n0wall/generic-pc-radius2_20051018_18-4
9.img



--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be

-----Oorspronkelijk bericht-----
Van: Thibodeau, Dale [mailto:dthibode at uwc dot edu]
Verzonden: dinsdag 18 oktober 2005 15:41
Aan: m0n0wall
Onderwerp: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

Jonathan et al, I need to modify the radius authentication to pass mac
address.  I'm trying to follow the thread here but I'm not sure where
this left off.  What do I need to change in 1.2 to get the radius
authentication to pass mac address?  Sorry if I overlooked it here, I
searched through the thread but I can't find the conclusion.

I did find a link to a 1.2b10 cf image you had on your site that
supposedly has a modified radius, but upon authentication I get a
putattributes error on line 87.  Also, if I add in the
<radiusvendor>cisco</radiusvendor> tags I get another putattributes
error.

Can you help me?

Dale

-----Original Message-----
From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be]
Sent: Tuesday, October 11, 2005 3:39 PM
To: Bernie O'Connor; m0n0wall
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

Would this be enough for you?

switch($radiusservers[0]['vendor']) {
        
        case 'cisco':
        $rauth->putAttributes(RADIUS_CALLED_STATION_ID, $clientmac);
        $rauth->putAttributes(RADIUS_CALLING_STATION_ID, $clientip);
        break;

        default:
        $rauth->putAttributes(RADIUS_CALLING_STATION_ID, $clientmac);
        break;
}

By this way if you specify the vendor default/cisco (select box on the
GUI, not yet implemented) the behaviour changes and this will satisfy
all users I think without breaking too much stuff. I did it with a
switch because this leaves it open to add other 'special' servers.

I think this will be a discussion for all m0n0wall users...


--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be

-----Oorspronkelijk bericht-----
Van: Bernie O'Connor [mailto:Bernie dot OConnor at sas dot com]
Verzonden: dinsdag 11 oktober 2005 22:06
Aan: Jonathan De Graeve
Onderwerp: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

I agree with you that mac is more secure, but...

For Cisco radius to work with m0n0wall radius per Cisco's
implementation, either 31 has to be a valid ip address, or m0n0wall has
to pass both 30 and 31 attributes.

Would you consider coding attribute 30 for mac address and attribute 31
for ip address and passing both with the authentication request?  I'm
using a document that Cisco radius uses for determining what Network
access restrictions to apply based on attribute 30,31.  Where 31 being a
valid ip address triggers what they call a NAR filter (network access
restriction), vs their DNIS/CLI filter when 31 is not valid ip and 30 is
also passed.  

bernie

===========
5.30.  Called-Station-Id

   Description

      This Attribute allows the NAS to send in the Access-Request packet
      the phone number that the user called, using Dialed Number
      Identification (DNIS) or similar technology.  Note that this may
      be different from the phone number the call comes in on.  It is
      only used in Access-Request packets.

   A summary of the Called-Station-Id Attribute format is shown below.
   The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

   Type

      30 for Called-Station-Id.

   Length

      >= 3

   String

      The String field is one or more octets, containing the phone
      number that the user's call came in on.

      The actual format of the information is site or application
      specific.  UTF-8 encoded 10646 [7] characters are recommended, but
      a robust implementation SHOULD support the field as
      undistinguished octets.

      The codification of the range of allowed usage of this field is
      outside the scope of this specification.

5.31.  Calling-Station-Id

   Description

      This Attribute allows the NAS to send in the Access-Request packet
      the phone number that the call came from, using Automatic Number
      Identification (ANI) or similar technology.  It is only used in
      Access-Request packets.

   A summary of the Calling-Station-Id Attribute format is shown below.
   The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

   Type

      31 for Calling-Station-Id.

   Length

      >= 3

   String

      The String field is one or more octets, containing the phone
      number that the user placed the call from.

      The actual format of the information is site or application
      specific.  UTF-8 encoded 10646 [7] characters are recommended, but
      a robust implementation SHOULD support the field as
      undistinguished octets.

      The codification of the range of allowed usage of this field is
      outside the scope of this specification.
================ 

-----Original Message-----
From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be]
Sent: Tuesday, October 11, 2005 3:38 PM
To: Bernie O'Connor
Cc: m0n0wall
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

I think i'm going to use mac

Is this a problem?

Since the ip can change and the mac of a computer seldom does (ok it can
be spoofed). 

In this way you can block certain clients to logon to your internet
service (abuse...)


J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be

-----Oorspronkelijk bericht-----
Van: Bernie O'Connor [mailto:Bernie dot OConnor at sas dot com]
Verzonden: dinsdag 11 oktober 2005 21:17
Aan: Jonathan De Graeve
Onderwerp: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

Code snippet:
-----------------------------
+++ dev/mfs/usr/local/captiveportal/radius_authentication.inc   Tue Sep
20 16:11:40 2005
@@ -28,7 +28,7 @@
        // was also fixed and patches submitted to Edwin. This bug would
        // have caused authentication to fail on every access.

-function
RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiusk
ey) {
+function
RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radiusk
ey,$clientip) {
        $sharedsecret=$radiuskey ;
        # $debug = 1 ;

@@ -44,7 +44,7 @@
        stream_set_timeout($fd, 5) ;

        if ($debug)
-           echo "<br>radius-port: $radiusport<br>radius-host:
$radiusip<br>username: $username<hr>\n";
+           echo "<br>radius-port: $radiusport<br>radius-host:
$radiusip<br>username: $username<br>clientip:  $clientip<hr>\n";

        $RA=pack("CCCCCCCCCCCCCCCC",                            // auth
code
            1+rand()%255, 1+rand()%255, 1+rand()%255, 1+rand()%255, @@
-60,19 +60,21 @@
                2+strlen($username)+            // username
                2+strlen($encryptedpassword)+   // userpassword
                2+strlen($nasHostname[0])+                      //
nasIdentifier
+               2+strlen($clientip)+            // Calling-Station-ID
                6+                              // nasPort
                6;                              // nasPortType

        $thisidentifier=rand()%256;
        //          v   v v     v   v   v   v     v     v
        // Line #   1   2 3     4   5   6   7     8     E
-       $data=pack("CCCCa*CCCCCCCCa*CCa*CCa*CCCCCCCCCCCC",
+       $data=pack("CCCCa*CCCCCCCCa*CCa*CCa*CCA*CCCCCCCCCCCC",
            1,$thisidentifier,$length/256,$length%256,          //
header
            $RA,                                                //
authcode
            6,6,0,0,0,1,                                        //
service type
            1,2+strlen($username),$username,                    //
username
            2,2+strlen($encryptedpassword),$encryptedpassword,  //
userpassword
            32,2+strlen($nasHostname[0]),$nasHostname[0],       //
nasIdentifier
+           31,2+strlen($clientip),$clientip,                   //
Calling-Station-ID
            5,6,0,0,0,0,
// nasPort
            61,6,0,0,0,15
// nasPortType = Ethernet
            );
@@ -81,6 +83,7 @@
                echo "username is $username with len " .
strlen($username) ."\n" ;
                echo "encryptedpassword is $encryptedpassword with len "
. strlen($encryptedpassword) ."\n" ;
                echo "nasHostname is {$nasHostname[0]} with len " .
strlen($nasHostname[0]) ."\n" ;
+               echo "clientip is $clientip with len " .
strlen($clientip) . "\n" ;
        }

        $ret = fwrite($fd,$data) ; 

-----Original Message-----
From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be]
Sent: Tuesday, October 11, 2005 3:02 PM
To: Bernie O'Connor
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

What is the value of calling-station-id?

Mac or Ip of the host...?


--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be

-----Oorspronkelijk bericht-----
Van: Bernie O'Connor [mailto:Bernie dot OConnor at sas dot com]
Verzonden: vrijdag 7 oktober 2005 15:54
Aan: Lee Sharp; m0n0wall
Onderwerp: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

Sounds like you might be dealing with a Cisco Radius server.  I created
a patch to allow 1.2b10 to work with Cisco Radius  (calling-station-id,
and client ip-address), Jonathan is considering adding the attributes
for 1.3.  If you're comfortable with building a custom image of m0n0wall
I can send you the patch; otherwise you'll have to wait for 1.3.

bernie 

-----Original Message-----
From: Jonathan De Graeve [mailto:Jonathan dot De dot Graeve at imelda dot be]
Sent: Thursday, October 06, 2005 4:54 PM
To: Lee Sharp; m0n0wall
Subject: RE: [m0n0wall] Captive Portal RADIUS authentication missing
fields

The attributes you are saying you require aren't in 1.11 and never will
be.

They where added later in 1.2b7 indeed....

As the Radius RFC's states only Nas-Ip || Nas-Identifier are required
fields. (you can use both of them in a request or only one of them)

If you want to use Captive Portal with Radius authentication working you
CAN use 1.2b10. It seems to be 'very stable'. At least if you only use
Captive Portal and radius... There are some caveats with Openvpn and
Ipsec with it but as long you aren't using that you can use this one.

Or you can wait until 1.2 comes out (it shouldn't be a long time
anymore, I think)

1.3b will have a complete rewritten radius authentication code to
support things users have been asking for (multiple radius server
support with failover, round-robin etc..., Radius url-redirection etc.)

Software has always been distributed 'AS IS' without any warranties.

J.


--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
Jonathan dot de dot graeve at imelda dot be

-----Oorspronkelijk bericht-----
Van: Lee Sharp [mailto:leesharp at hal dash pc dot org]
Verzonden: donderdag 6 oktober 2005 22:44
Aan: m0n0wall
Onderwerp: [m0n0wall] Captive Portal RADIUS authentication missing
fields

I am trying to use m0n0 1.11 (this client does not like "beta" software)

with captive portal to authenticate against a RADIUS server owned by a
third party.  I have no control over, or access to, the RADIUS server.
I am failing in authentication.  The "tech" at the third party stated,
"In the auth request you are missing the following attributes; NAS IP,
Framed IP, Calling-Station-ID, Called-Station-ID, and Acct-Session-ID"
I have seen

people getting these attributes, but only in 1.2b7+  Will 1.11 provide
this, or do I need to convince the client that 1.2b10 is very stable
"beta" 
software? :-)

Lee


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch





---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch











---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch





---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch