(RADIATOR) SessionDatabase, EAP and dynamic keys

Hugh Irvine hugh at open.com.au
Thu Sep 11 00:40:32 CDT 2003


Hello Morton -

Thanks for your mail - you raise some interesting points.

Mike and I will be discussing your questions over the next day or so 
and we will try to get back to you by the end of the week.

regards

Hugh


On Wednesday, Sep 10, 2003, at 17:23 Australia/Melbourne, Morton 
Jonuschat wrote:

> Hi,
>
> I'm currently evaluating Radiator 3.6 + all current patches and up to 
> now I got most of the things I want to do figured out. Radiator is 
> serving NAS and VPN equipment just fine, the problem is with the WLAN 
> equipment.
>
> The setup is like this:
>
> Laptop with Intel Pro/Wireless 2100 card and WPA "certified" drivers, 
> Odyssey client for EAP-TTLS
> Cisco Aironet AP1200 access point running IOS 12.2(11)JA1
> Radiator configured to do EAP-TTLS. Outer auth from SQL, inner by 
> proxy to a radius hooked up with the W2K active directory.
>
> After some hacking and fixing of the eap_anon_hook.pl, I made the 
> accounting show the real user that connects to the AP.
>
> The problems are with the session database functions - after studying 
> the manual for two days straight and not finding anything that seems 
> to help me solve them I ask for your help:
>
> Problem #1:
>
> The session database only shows the outer User-Name - is there a hook 
> I can use to fix the username just like I do with accounting?
>
> Problem #2:
>
> If I set a Session-Timeout of 120 seconds the access points request a 
> new key by way of sending a new Access-Request with the proper 
> credentials. Radiator processes this request ok, but one of the steps 
> involves clearing the session table for that NAS and port.
>
> This would be the right thing to do for any "normal" nas equipment. 
> Chances are nobody can connect to port X of the nas if there is still 
> a connection.
>
> With WLAN NAS and regular re-keying this doesn't work anymore. At 
> least the Cisco access point doesn't send accounting 
> start/alive/stop records after re-keying, as the session is still ok; 
> just a new encryption key has been exchanged. Is there any way to 
> suppress the SessionDatabase Delete query? If you could set this up 
> per client that would be ok for me; a way to implement Pre/Post hooks 
> for the session database would be even better. Oh, and I haven't found 
> a way to make the Cisco AP send accounting records after re-keying. If 
> you by any chance know how to do this, that would be another solution 
> that would work for me.
>
> Any ideas how to go about solving these things?
>
> --
> i. A. Morton Jonuschat
> Systemmanager Network & Security
> Information Services / Communications
>
> MAXDATA AG
> Elbestraße 12 - 16
> D-45768 Marl
> Telefon: +49 2365 952-2563
> Telefax: +49 2365 952-2505
>
> www.maxdata.com
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
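One way to model the re-key-aware session check Morton asks for in Problem #2, while storing the inner identity from Problem #1, written here as an added Python sketch rather than Radiator's own SessionDatabase code. The AP address, MACs and user names are constructed, and the inner identity is assumed to be available once the inner EAP-TTLS authentication has completed.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

NasPort = Tuple[str, int]  # (NAS-IP-Address, NAS-Port)


@dataclass
class Session:
    user: str             # inner (real) identity, not the outer anonymous one
    calling_station: str  # client MAC, from Calling-Station-Id
    started: int


@dataclass
class SessionDB:
    sessions: Dict[NasPort, Session] = field(default_factory=dict)
    deletes: int = 0      # entries cleared by an Access-Request

    def on_access_request(self, nas: str, port: int, inner_user: str,
                          calling_station: str) -> str:
        """Called after the request authenticated (inner identity known).
        Same user and MAC on an occupied port is a Session-Timeout re-key:
        keep the record. Anything else clears the stale entry."""
        existing = self.sessions.get((nas, port))
        if existing is None:
            return "new"
        if existing.user == inner_user and existing.calling_station == calling_station:
            return "rekey"
        del self.sessions[(nas, port)]
        self.deletes += 1
        return "new"

    def on_accounting_start(self, nas, port, inner_user, calling_station, now):
        self.sessions[(nas, port)] = Session(inner_user, calling_station, now)

    def on_accounting_stop(self, nas, port):
        return self.sessions.pop((nas, port), None)


def simulate() -> dict:
    """Constructed scenario: one WLAN client on AP port 1, a re-key with no
    accounting traffic, then a different client appearing on the same port."""
    db, ap, mac_a = SessionDB(), "192.0.2.10", "00-11-22-33-44-55"
    first = db.on_access_request(ap, 1, "alice", mac_a)
    db.on_accounting_start(ap, 1, "alice", mac_a, now=0)
    rekey = db.on_access_request(ap, 1, "alice", mac_a)  # AP re-keys, no Acct-Stop
    kept = db.sessions[(ap, 1)].user
    other = db.on_access_request(ap, 1, "bob", "66-77-88-99-aa-bb")
    return {"first": first, "rekey": rekey, "kept_user": kept, "other": other,
            "deletes": db.deletes, "entries": len(db.sessions)}
```

A client that roams to another port of the same AP would leave its old entry behind in this sketch; a real implementation would also look the record up by Calling-Station-Id.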

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.