Here's my problem and how I fixed it.
I'm using m0n0 1.2, captive portal w/ RADIUS auth, Vircom's VOP RADIUS
server. I discovered that VOP uses the RADIUS Attribute NAS-Port (number
5) for a great many things. I.e., after two users logged in to m0n0's
captive portal, the RADIUS users online list would only show the most
recently authenticated user. It would also not reject a second login
attempt by the same user (with port-limit (62) = 1), but allow them to
In both instances, m0n0's captive portal stats page would show all
appropriate users (even two sessions with the same username), but the
RADIUS users online list would only show the most recent authenticated user.
I finally traced this down to the NAS-Port (5) attribute. m0n0 currently
has NAS-Port=0 hard-coded into the RADIUS auth script. I discovered that
when a second user attempts to auth with the same NAS-Port value, VOP
takes this to mean that the user on port 0 suddenly changed their
username. It authenticates the new username, and updates the info for
This is not exactly what I want to happen.
I modified the RADIUS authentication code so that instead of a zero,
m0n0 will pass the last octet of the client's IP as the value of
NAS-Port. I.e., say the client's IP is 192.168.0.56. m0n0 will send
NAS-Port=56 to RADIUS.
I have no experience with any other RADIUS product and therefore don't
know if this behavior is typical.
It seems debatable if this holds with the spirit of RFC 2865
(http://www.faqs.org/rfcs/rfc2865.html) or not.
I'd love to have some feedback on this change. The updated files are
available for download at http://lagasse.racc2000.com/m0n0wall/.
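
Added example, not part of the original post and not m0n0wall or VOP code: a small Python model of the behaviour described above, where the server keeps one online-list entry per NAS-Port value, comparing a hard-coded 0 with the last-octet scheme and encoding the attribute as RFC 2865 defines it (type 5, length 6, 32-bit value). The function names, the sample logins and the "full address" variant are assumptions made for illustration; the last-octet value is only unique inside a single /24, which the third sample login shows.

```python
import ipaddress
import struct

NAS_PORT = 5  # RFC 2865 attribute type for NAS-Port


def nas_port_last_octet(client_ip):
    """NAS-Port as described in the post: last octet of the client's IPv4 address."""
    return ipaddress.IPv4Address(client_ip).packed[3]


def nas_port_full_ip(client_ip):
    """Assumed alternative: the whole IPv4 address as the 32-bit NAS-Port value."""
    return int(ipaddress.IPv4Address(client_ip))


def encode_nas_port(value):
    """RFC 2865 attribute: type (1 byte), length (1 byte, always 6), 32-bit value."""
    return struct.pack("!BBI", NAS_PORT, 6, value)


def online_list(logins, port_fn):
    """Simplified model of a server that keeps one session per NAS-Port, as the
    post describes: a login on a port already in use replaces the old entry."""
    sessions = {}
    for username, client_ip in logins:
        sessions[port_fn(client_ip)] = username
    return sessions


# Constructed sample logins (username, client IP); not taken from the post.
LOGINS = [
    ("alice", "192.168.0.56"),
    ("bob", "192.168.0.57"),
    ("carol", "192.168.1.56"),  # different subnet, same last octet as alice
]

if __name__ == "__main__":
    for label, fn in [("hard-coded 0", lambda ip: 0),
                      ("last octet", nas_port_last_octet),
                      ("full address", nas_port_full_ip)]:
        print(f"{label:13} -> {online_list(LOGINS, fn)}")
    # Wire form of NAS-Port=56 for the client 192.168.0.56
    print(encode_nas_port(nas_port_last_octet("192.168.0.56")).hex())
```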