 
 From:  "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 To:  "Andrew Hull" <list at racc2000 dot com>, "M0n0 Wall list" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Radius nas-port attribute problem and patch
 Date:  Thu, 27 Oct 2005 23:15:29 +0200
>Solution:
>I modified the radius authentication code so that instead of a zero, 
>m0n0 will pass the last octet of the client's IP as the value of 
>NAS-Port. IE: say the client's IP is 192.168.0.56. m0n0 will send 
>NAS-Port=56 to RADIUS.
 
Assume the following: 
LAN netmask of 10.0.0.0/23

10.0.0.56 Nas-Port=56
10.0.1.56 Nas-Port=56
=> ERROR
You at least need the 2 full octets... (with 005 instead of 5)

>I have no experience with any other RADIUS product and therefore don't 
>know if this behavior is typical.
> 
>It seems debatable if this holds with the spirit of RFC2865 
>(http://www.faqs.org/rfcs/rfc2865.html) or not.
> 
>I'd love to have some feedback on this change. The updated files are 
>available for download at http://lagasse.racc2000.com/m0n0wall/.

The RFCs are not very clear on this, resulting in vendor-specific
implementations.

It should be possible to assign a dynamic/free port-id based on the
number of users online and which nas-ports are already assigned. Some
RADIUS servers also have the ability to discard attributes in
requests....

Will look for a decent solution (expect it to come with the radius
session-timeout system)

J.
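An added example (my own code, not from the thread or from m0n0wall) that reproduces the collision Jonathan points out for a /23 LAN and contrasts it with two alternatives: deriving NAS-Port from the host bits within the LAN prefix, and handing out a free port-id per session as he suggests. The 10.0.0.0/23 network and the two client addresses are the ones from the message; the function and class names are my own.

```python
import ipaddress


def nas_port_last_octet(client_ip: str) -> int:
    """NAS-Port as the posted patch derives it: the last octet of the client IP."""
    return int(ipaddress.IPv4Address(client_ip)) & 0xFF


def nas_port_host_bits(client_ip: str, lan: str) -> int:
    """Hypothetical variant: NAS-Port = offset of the client inside the LAN prefix.

    Uses all host bits, so it stays unique for any netmask wider than /24, and
    fits easily in the 32-bit integer RFC 2865 defines for NAS-Port.
    """
    net = ipaddress.IPv4Network(lan, strict=False)
    addr = ipaddress.IPv4Address(client_ip)
    if addr not in net:
        raise ValueError(f"{client_ip} is not inside {lan}")
    return int(addr) - int(net.network_address)


def find_collisions(clients, derive):
    """Return {nas_port: [client IPs]} for every port value shared by 2+ clients."""
    seen = {}
    for ip in clients:
        seen.setdefault(derive(ip), []).append(ip)
    return {port: ips for port, ips in seen.items() if len(ips) > 1}


class NasPortPool:
    """Dynamic assignment: lowest free port-id per logged-in client, freed on logout."""

    def __init__(self, max_port: int = 65535):
        self.max_port = max_port
        self.by_ip = {}  # client IP -> assigned NAS-Port

    def acquire(self, client_ip: str) -> int:
        if client_ip in self.by_ip:  # same session keeps its port-id
            return self.by_ip[client_ip]
        in_use = set(self.by_ip.values())
        port = next(p for p in range(1, self.max_port + 1) if p not in in_use)
        self.by_ip[client_ip] = port
        return port

    def release(self, client_ip: str):
        return self.by_ip.pop(client_ip, None)


if __name__ == "__main__":
    clients = ["10.0.0.56", "10.0.1.56"]  # constructed: both end in .56 inside the /23
    print("last octet:", find_collisions(clients, nas_port_last_octet))
    print("host bits:", find_collisions(clients, lambda ip: nas_port_host_bits(ip, "10.0.0.0/23")))
```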