 
 From:  Andrew Hull <list at racc2000 dot com>
 To:  M0n0 Wall list <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Radius nas-port attribute problem and patch
 Date:  Thu, 27 Oct 2005 16:56:16 -0400
Hello list,
Here's my problem and how I fixed it.
 
I'm using m0n0 1.2, captive portal w/ RADIUS auth, Vircom's VOP RADIUS 
server. I discovered that VOP uses the RADIUS Attribute NAS-Port (number 
5) for a great many things, i.e., after two users logged in to m0n0's 
captive portal, the RADIUS users online list would only show the most 
recently authenticated user. It would also not reject a second login 
attempt by the same user (with port-limit (62) = 1), but allow them to 
connect.
 
In both instances, m0n0's captive portal stats page would show all 
appropriate users (even two sessions with the same username), but the 
RADIUS users online list would only show the most recently authenticated user.
 
I finally traced this down to the NAS-Port (5) attribute. m0n0 currently 
has NAS-Port=0 hard coded into the radius auth script. I discovered that 
when a second user attempts to auth with the same NAS-Port value, VOP 
takes this to mean that the user on port 0 suddenly changed their 
username. It authenticates the new username, and updates the info for 
port 0.
 
This is not exactly what I want to happen.
 
Solution:
I modified the radius authentication code so that instead of a zero, 
m0n0 will pass the last octet of the client's IP as the value of 
NAS-Port, i.e., say the client's IP is 192.168.0.56. m0n0 will send 
NAS-Port=56 to RADIUS.
 
I have no experience with any other RADIUS product and therefore don't 
know if this behavior is typical.
 
It seems debatable whether this holds with the spirit of RFC2865 
(http://www.faqs.org/rfcs/rfc2865.html) or not.
 
I'd love to have some feedback on this change. The updated files are 
available for download at http://lagasse.racc2000.com/m0n0wall/.
 
Thank you,
Andrew Hull
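As an added example (not Andrew Hull's m0n0wall patch, and not m0n0wall's own code), the following Python builds the RFC 2865 NAS-Port attribute (type 5) from a captive-portal client's IP using the last-octet mapping described in the post, and checks which concurrently logged-in clients would still share a NAS-Port value. The full-32-bit-address mapping and the sample client list are assumptions introduced here for illustration.

```python
"""Added example, not Andrew Hull's m0n0wall patch: build the RFC 2865
NAS-Port attribute (type 5) from a captive-portal client's IP and show
where a last-octet mapping still collides."""
import ipaddress
import struct

NAS_PORT_TYPE = 5  # RFC 2865 section 5.5: NAS-Port carries a 32-bit integer

def nas_port_from_ip(client_ip: str) -> int:
    """Mapping described in the post: NAS-Port = last octet of the client IP."""
    return int(ipaddress.IPv4Address(client_ip)) & 0xFF

def nas_port_from_full_ip(client_ip: str) -> int:
    """Assumed alternative, not from the post: the whole 32-bit address fits
    the Integer type and is unique per IPv4 client."""
    return int(ipaddress.IPv4Address(client_ip))

def encode_nas_port(port: int) -> bytes:
    """Attribute wire format: Type (1 byte) | Length (1 byte) | Value (4 bytes, big-endian)."""
    if not 0 <= port <= 0xFFFFFFFF:
        raise ValueError("NAS-Port must fit in 32 bits")
    return struct.pack("!BBI", NAS_PORT_TYPE, 6, port)

def decode_nas_port(attr: bytes) -> int:
    """Parse one NAS-Port AVP; reject wrong type, length or trailing bytes."""
    if len(attr) != 6 or attr[0] != NAS_PORT_TYPE or attr[1] != 6:
        raise ValueError("not a well-formed NAS-Port attribute")
    return struct.unpack("!I", attr[2:])[0]

def find_collisions(client_ips, mapping):
    """Return {nas_port: [ips]} for ports several concurrent clients would
    share, the condition that made VOP treat a new login as a rename."""
    by_port = {}
    for ip in client_ips:
        by_port.setdefault(mapping(ip), []).append(ip)
    return {p: ips for p, ips in by_port.items() if len(ips) > 1}

if __name__ == "__main__":
    # Constructed sample: three clients, two of them sharing a last octet.
    clients = ["192.168.0.56", "192.168.1.56", "192.168.0.57"]
    print(encode_nas_port(nas_port_from_ip("192.168.0.56")).hex())  # 050600000038
    print(find_collisions(clients, nas_port_from_ip))       # {56: ['192.168.0.56', '192.168.1.56']}
    print(find_collisions(clients, nas_port_from_full_ip))  # {}
```

With the last-octet mapping, clients in different /24 subnets (here 192.168.0.56 and 192.168.1.56) still present the same NAS-Port, so a server that keys sessions on NAS-Port, as the post describes VOP doing, would again see a second login as a rename of the first.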