(RADIATOR) SessionDatabase, EAP and dynamic keys
Morton Jonuschat
lists at maxdata.com
Wed Sep 10 02:23:43 CDT 2003
Hi,
I'm currently evaluating Radiator 3.6 + all current patches and up to
now I have most of the things I want to do figured out. Radiator is
serving NAS and VPN equipment just fine, the problem is with the WLAN
equipment.
The setup is like this:
Laptop with Intel Pro/Wireless 2100 card and WPA "certified" drivers,
Odyssey client for EAP-TTLS
Cisco Aironet AP1200 access point running IOS 12.2(11)JA1
Radiator configured to do EAP-TTLS. Outer auth from SQL, inner by proxy
to a radius hooked up with the W2K active directory.
After some hacking and fixing of the eap_anon_hook.pl, the accounting
now shows the real user that connects to the AP.
The problems are with the session database functions - after studying
the manual for two days straight and not finding anything that seems to
help me solve them I ask for your help:
Problem #1:
The session database only shows the outer User-Name - is there a hook I
can use to fix the username just like I do with accounting?
Problem #2:
If I set a Session-Timeout of 120 seconds the accesspoints request a
new key by way of sending a new Access-Request with the proper
credentials. Radiator processes this request ok, but one of the steps
involves clearing the session table for that nas and port.
This would be the right thing to do for any "normal" nas equipment.
Chances are nobody can connect to port X of the nas if there is still a
connection.
With WLAN nas and regular re-keying this doesn't work anymore. At least
the cisco accesspoint doesn't send accounting start/alive/stop
records after re-keying as the session is still ok, just a new
encryption key has been exchanged. Is there any way to suppress the
SessionDatabase Delete query? If this could be set up per client, that
would be ok for me; a way to implement Pre/Post hooks for the session
database would be even better. Oh, and I haven't found a way to make the
Cisco AP send accounting records after re-keying. If you by any chance
know how to do this, that would be another solution that would work for me.
Any ideas on how to go about solving these things?
--
i. A. Morton Jonuschat
Systemmanager Network & Security
Information Services / Communications
MAXDATA AG
Elbestraße 12 - 16
D-45768 Marl
Telefon: +49 2365 952-2563
Telefax: +49 2365 952-2505
www.maxdata.com
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.