(RADIATOR) NAS-Port and NAS-Port-Type

Hugh Irvine hugh at open.com.au
Thu Oct 2 22:12:15 CDT 2003


Hello Andrea -

Many thanks for a very informative post.

Your solution sounds excellent (that is why we let you change 
Radiator's default behaviour).

:-)

I will suggest to Mike that we include your mail as a FAQ item (with 
your permission of course).

regards

Hugh


On Friday, Oct 3, 2003, at 12:57 Australia/Melbourne, Andrea 
Brancatelli wrote:

> Recently I talked with Mike (or maybe with Hugh) in private mail (that 
> was one of the cases I was talking about) about an Access Point I have 
> that is currently reporting all the connections as coming from 
> "NAS-Port: 9". That is giving problems to the SESSION table because 
> when a second user logs in Radiator blindly deletes any user that was 
> on the same NAS-Port on the same AP.
>
> Talking with Mike, he pointed out to me that this was wrong behaviour 
> and that I had to point this out to the manufacturer of the AP.
>
> I did.
>
> Their answer is that the AP works well and has no problem of any kind 
> with the RadiusNT package they use for testing (and this is a pretty 
> lame answer), but they also pointed out to me that that behaviour is 
> not wrong according to RFC 2138 and 2865... see 
> http://www.ietf.org/rfc/rfc2865.txt
> Basically they said that since NAS-Port-Type is correctly reported as 
> Wireless - IEEE 802.11 (19) the RADIUS server should be smart enough 
> not to assume that the NAS is able to discriminate among ports. 
> Wireless ports surely are not "physical ports" (as the NAS-Port 
> description refers to) and the RFC clearly says that "Either NAS-Port 
> (5) or NAS-Port-Type or both SHOULD be present in an Access-Request 
> packet, if the NAS differentiates among its ports."... _IF_ the NAS 
> differentiates among its ports; don't expect the NAS to be able to do 
> that.
>
> (actually I have disassembled their firmware and I must say they have 
> concrete reasons not to implement the "real" NAS-Port concept... the 
> AP is embedded Linux and the 9 it is returning refers to the tty 
> assigned to the wireless LAN card. They use radclient to do the RADIUS 
> login and it assumes the tty number as the NAS-Port - something that 
> would be correct if the NAS were a "rack modem")
>
> So, trying to make a long story short, what I did was replace the 
> NAS-Port definition in the SESSION database from Integer to Char 22 
> and replace the Session Add and Session Delete SQL queries to use the 
> remote peer MAC address to fake a unique NAS-Port. It works.
>
> My suggestion for you guys is that maybe you can be prepared to work 
> around similar situations and go somewhat deeper into the SESSION table 
> handling, for example including the MAC address of the remote peer (if 
> it is available, of course) as an added uniqueness field for deleting 
> stuff in the session database....
>
> Delete Session query... Delete from session where NAS = something, 
> NAS-Port = something and MAC = something.
>
> Just an idea... any comment?
>
> Hope this is somewhat useful.
>
> Andrea
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
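The failure mode Andrea describes and the workaround he proggests can be reproduced against an in-memory SQL session table. The following is an added example written for this archive page, not code from the thread or from Radiator: it uses sqlite3 as a stand-in for the session database, with a table layout, column names and Add/Delete query pair that are assumptions shaped like the ones the post describes (NAS identifier plus NAS-Port as the key). The first variant keys sessions on (NAS, NAS-Port) alone; the second folds the client MAC from Calling-Station-Id into the stored NAS-Port, falling back to the bare port when no MAC is present, which is the "if it is available" caveat from the post. The accounting records are constructed for the example, not captured traffic.

```python
"""Session-table keying for an AP that reports NAS-Port 9 for every client.

Added example (not from the original thread or from Radiator): an in-memory
sqlite3 stand-in for a RADIUS session database. Table name, column names and
the query pair are assumptions modelled on the post, not Radiator's defaults.
"""
import sqlite3

# Constructed accounting records (not captured traffic): two wireless clients
# behind one AP that reports NAS-Port 9 and NAS-Port-Type 19 for everyone.
ALICE_START = {"User-Name": "alice", "NAS-Identifier": "ap-lab-1", "NAS-Port": 9,
               "NAS-Port-Type": 19, "Calling-Station-Id": "00-11-22-33-44-55",
               "Acct-Session-Id": "a1"}
BOB_START = {"User-Name": "bob", "NAS-Identifier": "ap-lab-1", "NAS-Port": 9,
             "NAS-Port-Type": 19, "Calling-Station-Id": "66-77-88-99-AA-BB",
             "Acct-Session-Id": "b1"}
ALICE_STOP = dict(ALICE_START)  # Accounting Stop carries the same key attributes


def open_session_db(port_as_text):
    """Create the (assumed) RADONLINE table. The MAC-aware variant needs a text
    NASPORT column, mirroring the Integer -> Char 22 change from the post."""
    conn = sqlite3.connect(":memory:")
    port_type = "TEXT" if port_as_text else "INTEGER"
    conn.execute(
        "CREATE TABLE RADONLINE (USERNAME TEXT, NASIDENTIFIER TEXT, "
        f"NASPORT {port_type}, ACCTSESSIONID TEXT)"
    )
    return conn


def port_key(record, use_mac):
    """Value stored in NASPORT. With use_mac the client MAC is folded in so two
    clients on the same reported port get distinct keys; if the NAS sent no
    Calling-Station-Id we can only fall back to the bare port number."""
    mac = record.get("Calling-Station-Id")
    if use_mac and mac:
        return f"{record['NAS-Port']}:{mac}"
    return record["NAS-Port"]


def delete_session(conn, record, use_mac):
    """Delete query: remove whatever is recorded for this NAS and port key."""
    conn.execute(
        "DELETE FROM RADONLINE WHERE NASIDENTIFIER = ? AND NASPORT = ?",
        (record["NAS-Identifier"], port_key(record, use_mac)),
    )
    conn.commit()


def add_session(conn, record, use_mac):
    """Add query: clear the NAS/port slot, then insert the new session. Without
    the MAC in the key, the clear step evicts every other client of an AP that
    reports NAS-Port 9 for all of them, which is the symptom in the post."""
    delete_session(conn, record, use_mac)
    conn.execute(
        "INSERT INTO RADONLINE VALUES (?, ?, ?, ?)",
        (record["User-Name"], record["NAS-Identifier"],
         port_key(record, use_mac), record["Acct-Session-Id"]),
    )
    conn.commit()


def online_users(conn):
    """Sorted usernames currently held in the session table."""
    return sorted(row[0] for row in conn.execute("SELECT USERNAME FROM RADONLINE"))


def simulate_ap_logins(use_mac):
    """Two clients associate to the same AP one after the other."""
    conn = open_session_db(port_as_text=use_mac)
    add_session(conn, ALICE_START, use_mac)
    add_session(conn, BOB_START, use_mac)  # second client, same "NAS-Port 9"
    return online_users(conn)


def simulate_stop_after_logins(use_mac):
    """As above, then an Accounting Stop for the first client only."""
    conn = open_session_db(port_as_text=use_mac)
    add_session(conn, ALICE_START, use_mac)
    add_session(conn, BOB_START, use_mac)
    delete_session(conn, ALICE_STOP, use_mac)
    return online_users(conn)


if __name__ == "__main__":
    for use_mac in (False, True):
        label = "NAS+MAC key" if use_mac else "NAS+port key"
        print(f"{label}: after two logins {simulate_ap_logins(use_mac)}, "
              f"after alice stops {simulate_stop_after_logins(use_mac)}")
```

With the port-only key the second login silently replaces the first, and Alice's Stop record then deletes Bob's row as well, because both sessions match (ap-lab-1, 9). With the MAC folded into the key each client occupies its own slot and only the client that actually stopped is removed. The fallback to the bare port when Calling-Station-Id is absent keeps the old behaviour for a NAS that reports neither a usable port nor a MAC, which is a point worth checking before relying on the workaround for a given vendor.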

