Thank you very much Dinesh.
It works very well ;o)
I can see that the "NAS Port Type" attribute is now set on the request.
And it works fine with this policy condition in IAS:
- NAS Port Type matches "Ethernet" -
Here's a packet sniff of the new request packet:
Frame 11 (131 bytes on wire, 131 bytes captured)
Ethernet II, Src: 00:50:fc:66:0f:5d, Dst: 00:20:18:a0:71:87
Internet Protocol, Src Addr: 192.168.1.1 (192.168.1.1), Dst Addr:
User Datagram Protocol, Src Port: 3642 (3642), Dst Port: radius (1812)
Code: Access Request (1)
Packet identifier: 0xb0 (176)
Attribute value pairs
t:Service Type(6) l:6, Value:Login(1)
t:User Name(1) l:7, Value:"xxxxxx"
t:User Password(2) l:18, Value:xxxxxxxxxxxxxxxxxxxxxxxxxx
t:NAS identifier(32) l:26, Value:"monowall.xxxxxxx.local"
t:NAS Port(5) l:6, Value:0
t:NAS Port Type(61) l:6, Value:Ethernet(15)
From: Dinesh Nair [mailto:dinesh at alphaque dot com]
Sent: 13 June 2004 08:03
To: Martin Holst
Subject: RE: [m0n0wall] Captive Portal VS IAS radius
On Sun, 13 Jun 2004, Dinesh Nair wrote:
> alternatively, i could add a NAS-Port-Type attribute when the Captive
> Portal sends out the RADIUS access-request. i'd probably set it to
> Ethernet, as that seems to be the closest match.
> strictly from the RFCs though, since the NAS (in this case m0n0wall)
> doesn't differentiate among its incoming ports for the captive portal,
> this attribute is not mandatory. adding it however does not break
> anything methinks.
> i'll add it in, and send you the changes. it'd help a lot if you could
> test it for me, as i don't have access to an IAS server.
find attached a modified radius_authentication.inc which adds in the
NAS-Port-Type attribute in the Access-Request and sets it to type=15
(Ethernet). your policy authentication on the IAS should be set to allow
this for it to work.
you can upload it to your running m0n0wall with the exec.php command:
1. first upload the file, m0n0wall will place it in /tmp
2. then from exec.php, execute
/bin/cp /tmp/radius_authentication.inc /usr/local/captiveportal
your next authentication using the captive portal would use the new
access-request packet format.
do let me know how it goes and if it fixes what you're seeing.
Regards, /\_/\ "All dogs go to heaven."
dinesh at alphaque dot com (0 0) http://www.alphaque.com/
| for a in past present future; do
| for b in clients employers associates relatives neighbours pets; do
| echo "The opinions here in no way reflect the opinions of my $a $b."
| done; done
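
Added example, not part of the original thread and not m0n0wall's radius_authentication.inc: a Python sketch that encodes an Access-Request with the same attribute types and lengths as the capture above, parses it back with length checks, and evaluates a stand-in for the IAS condition on NAS-Port-Type. The user name, NAS identifier, password bytes and authenticator are constructed placeholders, and `matches_ethernet_policy` is a hypothetical helper, not an IAS API.

```python
import struct

# Attribute numbers (RFC 2865), matching the capture in the message above.
USER_NAME, USER_PASSWORD, NAS_PORT, SERVICE_TYPE = 1, 2, 5, 6
NAS_IDENTIFIER, NAS_PORT_TYPE = 32, 61
ACCESS_REQUEST, LOGIN, ETHERNET = 1, 1, 15

def avp(attr_type, value):
    """One attribute: type byte, length byte (covers the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(identifier, authenticator, attrs):
    """RADIUS packet: code, identifier, 16-bit length, 16-byte authenticator, AVPs."""
    body = b"".join(avp(t, v) for t, v in attrs)
    return struct.pack("!BBH16s", ACCESS_REQUEST, identifier,
                       20 + len(body), authenticator) + body

def parse_request(packet):
    """Return (code, identifier, [(type, value), ...]); raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field disagrees with datagram size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, identifier, attrs

def nas_port_type(attrs):
    """NAS-Port-Type as an integer, or None when the attribute is absent."""
    for attr_type, value in attrs:
        if attr_type == NAS_PORT_TYPE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None

def matches_ethernet_policy(packet):
    """Stand-in for the IAS condition 'NAS Port Type matches "Ethernet"'."""
    code, _, attrs = parse_request(packet)
    return code == ACCESS_REQUEST and nas_port_type(attrs) == ETHERNET

# Constructed sample: same attribute types and lengths as the capture; values are placeholders.
OLD_ATTRS = [(SERVICE_TYPE, struct.pack("!I", LOGIN)), (USER_NAME, b"alice"),
             (USER_PASSWORD, bytes(16)),  # placeholder, not a real hidden password
             (NAS_IDENTIFIER, b"monowall.example00.local"),
             (NAS_PORT, struct.pack("!I", 0))]
NEW_ATTRS = OLD_ATTRS + [(NAS_PORT_TYPE, struct.pack("!I", ETHERNET))]
OLD_REQUEST = build_request(0xB0, bytes(16), OLD_ATTRS)
NEW_REQUEST = build_request(0xB0, bytes(16), NEW_ATTRS)
```

`NEW_REQUEST` is 89 bytes, which with the 14-byte Ethernet, 20-byte IP and 8-byte UDP headers gives the 131-byte frame in the capture; `OLD_REQUEST` omits NAS-Port-Type and so fails the policy check.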