 From:  "Martin Holst" <mail at martinh dot dk>
 To:  "Dinesh Nair" <dinesh at alphaque dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Captive Portal VS IAS radius
 Date:  Sun, 13 Jun 2004 12:37:53 +0200
Thank you very much Dinesh.
It works very well ;o)

I can see that the "NAS Port Type" attribute is now set on the request.
And it works fine with this policy condition in IAS:
 - NAS Port Type matches "Ethernet" -

Here's a packet sniff of the new request packet:

Frame 11 (131 bytes on wire, 131 bytes captured)
Ethernet II, Src: 00:50:fc:66:0f:5d, Dst: 00:20:18:a0:71:87
Internet Protocol, Src Addr: (, Dst Addr: (
User Datagram Protocol, Src Port: 3642 (3642), Dst Port: radius (1812)
Radius Protocol
    Code: Access Request (1)
    Packet identifier: 0xb0 (176)
    Length: 89
    Authenticator: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Attribute value pairs
        t:Service Type(6) l:6, Value:Login(1)
        t:User Name(1) l:7, Value:"xxxxxx"
        t:User Password(2) l:18, Value:xxxxxxxxxxxxxxxxxxxxxxxxxx
        t:NAS identifier(32) l:26, Value:"monowall.xxxxxxx.local"
        t:NAS Port(5) l:6, Value:0
        t:NAS Port Type(61) l:6, Value:Ethernet(15)


-----Original Message-----
From: Dinesh Nair [mailto:dinesh at alphaque dot com] 
Sent: 13. juni 2004 08:03
To: Martin Holst
Subject: RE: [m0n0wall] Captive Portal VS IAS radius

On Sun, 13 Jun 2004, Dinesh Nair wrote:

> alternatively, i could add a NAS-Port-Type attribute when the Captive
> Portal sends out the RADIUS access-request. i'd probably set it to
> Ethernet, as that seems to be the closest match.
> strictly from the RFCs though, since the NAS (in this case m0n0wall)
> doesn't differentiate among its incoming ports for the captive portal,
> this attribute is not mandatory. adding it however does not break
> anything methinks.
> i'll add it in, and send you the changes. it'd help a lot if you could
> test it for me, as i don't have access to an IAS server.


find attached a modified radius_authentication.inc which adds in the
NAS-Port-Type attribute in the Access-Request and sets it to type=15
(Ethernet). your policy authentication on the IAS should be set to allow
this for it to work.

you can upload it to your running m0n0wall with the exec.php command:

1. first upload the file, m0n0wall will place it in /tmp
2. then from exec.php, execute
/bin/cp /tmp/radius_authentication.inc /usr/local/captiveportal

your next authentication using the captive portal would use the new
access-request packet format.

do let me know how it goes and if it fixes what you're seeing.

Regards,                           /\_/\   "All dogs go to heaven."
dinesh at alphaque dot com                (0 0)    http://www.alphaque.com/
| for a in past present future; do
|   for b in clients employers associates relatives neighbours pets; do
|   echo "The opinions here in no way reflect the opinions of my $a $b."
| done; done
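
Added example, not part of either message and not m0n0wall's radius_authentication.inc: a Python builder and parser for an Access-Request carrying the attributes shown in the capture above, so the NAS-Port-Type (61) value that the IAS policy condition matches on can be checked. The function names, user name, password, shared secret and NAS identifier are constructed for illustration.

```python
import hashlib, os, struct

# RADIUS attribute types (RFC 2865) as seen in the capture above
USER_NAME, USER_PASSWORD, NAS_PORT, SERVICE_TYPE = 1, 2, 5, 6
NAS_IDENTIFIER, NAS_PORT_TYPE = 32, 61
ETHERNET = 15  # NAS-Port-Type value

def hide_password(password, secret, authenticator):
    """User-Password hiding, RFC 2865 section 5.2 (MD5 chain XOR)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def avp(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value  # type, length, value

def build_access_request(ident, user, password, secret, nas_id, port_type=ETHERNET):
    """Hypothetical builder; port_type=None omits NAS-Port-Type (old behaviour)."""
    auth = os.urandom(16)
    attrs = (avp(SERVICE_TYPE, struct.pack("!I", 1))  # Login
             + avp(USER_NAME, user)
             + avp(USER_PASSWORD, hide_password(password, secret, auth))
             + avp(NAS_IDENTIFIER, nas_id)
             + avp(NAS_PORT, struct.pack("!I", 0)))
    if port_type is not None:
        attrs += avp(NAS_PORT_TYPE, struct.pack("!I", port_type))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs

def parse_attributes(packet):
    """Walk the AVP list, rejecting packets whose lengths are inconsistent."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def nas_port_type(packet):
    """Return the NAS-Port-Type value, or None when the attribute is absent."""
    raw = parse_attributes(packet).get(NAS_PORT_TYPE)
    return struct.unpack("!I", raw)[0] if raw is not None and len(raw) == 4 else None
```

With a 5-byte user name and a 24-byte NAS identifier the packet comes to 89 bytes, the same Length the capture reports (20-byte header plus attributes of 6, 7, 18, 26, 6 and 6 bytes).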