(RADIATOR) Orinoco AP-500/1000 MAC auth problem

Karl Gaissmaier karl.gaissmaier at rz.uni-ulm.de
Tue Sep 24 06:53:46 CDT 2002


Hello,

...
>>I don't need this Reply Attributes, really. Are you really sure this
>>is needed in your environment? If this is the truth, perhaps we should
>>talk about Firmware versions, but since AP500 V.3.83 it was really not
>>necessary
>>to spend reply attributes here in my environment, just "empty" Access
>>Accept packets.
>>
> 
> 
> My AP-500 has V3.95. Since the AP serves more than just one wireless
> device, it seems reasonable that AP needs to know which MAC address
> username the RADIUS is granting the access. NAS-IP-address I know for sure
> is necessary in my case since the AP is behind a firewall, and the
> AP request (on behalf of the wireless device) is NATed and sent through a
> router to the RADIUS in another network. The inbound message from the
> RADIUS to the router certainly has to provide NAS-IP-address information
> for the router to know which device behind the firewall should pick up
> (without a broadcast through the entire subnet).

First, I'm also running a lot of AP-500 with Firmware v.3.95 and MAC 
address based authorization, handled by a radius server (radiator)
with more than 400 wireless users at the moment, still very fast growing.

The AP sends an access-request with the following attributes to the 
radius server:

#######################################################################
Code:       Access-Request
Identifier: 134
Authentic:  <164><183><146><135><8>r<206><28>Q<9><154>"<195><169><225>Y
Attributes:
         NAS-IP-Address = 212.17.1.7
         User-Name = "00022d-0eaae0"
         User-Password = "G`<173>'"<192><242>!<147>:<137><175>0n0<182>"

....
Code:       Access-Accept
Identifier: 134
Authentic:  <164><183><146><135><8>r<206><28>Q<9><154>"<195><169><225>Y
Attributes:
#######################################################################

the radius server checks in my configuration just the "User-Name", and
this is in this context the MAC-addr in the format xxxxxx-xxxxxx.

The password sent by the AP is just the shared secret between the
AP and the radius server, you have no user based passwords without 802.1X.

 > My AP-500 has V3.95. Since the AP serves more than just one wireless
 > device, it seems reasonable that AP needs to know which MAC address

The NAS knows already the MAC address, because it sends the 
Access-Request with the Identifier (e.g. 134, see the example above), the 
Access-Accept has this same Identifier and then the NAS knows the 
accepted MAC.

 > username the RADIUS is granting the access. NAS-IP-address I know for sure
 > is necessary in my case since the AP is behind a firewall, and the
 > AP request (on behalf of the wireless device) is NATed and sent through a
 > router to the RADIUS in another network. The inbound message from the
 > RADIUS to the router certainly has to provide NAS-IP-address information
 > for the router to know which device behind the firewall should pick up
 > (without a broadcast through the entire subnet).

Do you really believe your NAT Router is able to decode the radius 
Accept packet, gaining the Radius Attribute NAS-IP-address and then 
sending this to the proper target? Please tell me the vendor and model 
of this wonderful device.

No, normally this is done by a state table, IP addrs, protocol and ports, 
so the NAT router knows where to send the answer packets; I'm quite 
sure this is also in your environment.

Regards
	Charly

P.S. please send us a snippet of your config and your users file for MAC 
based WLAN authentication

-- 
Karl Gaissmaier Computing Center,University of Ulm,Germany
Email:karl.gaissmaier at rz.uni-ulm.de Network Administration
Tel.: ++49 731 50-22499
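The exchange Karl describes above (Access-Request carrying NAS-IP-Address, User-Name = MAC and a User-Password that is just the shared secret, answered by an Access-Accept with no attributes at all), as an added example that is not part of the original post and is not Radiator code. It follows RFC 2865: the password is hidden with the MD5/XOR scheme of section 5.2, the reply's Response Authenticator is MD5 over the reply header, the request's authenticator, the reply attributes and the secret, and the NAS correlates the reply with its outstanding request by Identifier plus that authenticator, never by a reply attribute. The secret, the request authenticator and the MAC whitelist are constructed sample values.

```python
import hashlib
import struct

# RFC 2865 codes and attribute types used in this example
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def parse_packet(raw):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, raw[4:20], attrs


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def pap_encrypt(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(hidden, secret, request_auth):
    """Inverse of pap_encrypt; the chaining value is the previous *ciphertext* block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, request_auth, nas_ip, mac_user, secret):
    """What the AP sends: User-Name is the MAC, User-Password is the shared secret itself."""
    attrs = encode_attrs([
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (ATTR_USER_NAME, mac_user.encode()),
        (ATTR_USER_PASSWORD, pap_encrypt(secret, secret, request_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(ident, request_auth, secret, attrs=b""):
    """Reply with the same Identifier; attrs stays empty, as in the captured Access-Accept."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def handle_request(raw, secret, allowed_macs):
    """Server side: accept only a whitelisted MAC whose PAP password decodes to the shared secret."""
    code, ident, req_auth, attrs = parse_packet(raw)
    if code != ACCESS_REQUEST:
        return None
    a = dict(attrs)
    user = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = pap_decrypt(a.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    if user in allowed_macs and password == secret:
        return build_access_accept(ident, req_auth, secret)
    return None  # an Access-Reject would be built here in a real server


def nas_match(request_raw, reply_raw, secret):
    """NAS side: a reply belongs to a request iff the Identifier matches and the Response Authenticator verifies."""
    _, req_id, req_auth, _ = parse_packet(request_raw)
    code, rep_id, rep_auth, _ = parse_packet(reply_raw)
    expected = hashlib.md5(reply_raw[:4] + req_auth + reply_raw[20:] + secret).digest()
    return code == ACCESS_ACCEPT and rep_id == req_id and rep_auth == expected


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed sample secret
    req_auth = bytes(range(16))                # constructed; a real NAS uses random bytes
    req = build_access_request(134, req_auth, "212.17.1.7", "00022d-0eaae0", secret)
    reply = handle_request(req, secret, {"00022d-0eaae0"})
    print("accepted, empty reply:", reply is not None and len(reply) == 20)
    print("NAS correlates by Identifier:", nas_match(req, reply, secret))
```

The point the NAS-side check makes is the one in the mail: the router in between never looks inside the datagram, and the AP does not need a reply attribute to know which client was granted; the 20-byte Access-Accept with Identifier 134 is already unambiguous, and a reply with a different Identifier or a bad Response Authenticator is simply dropped.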

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.