(RADIATOR) Disconnect after 12 hours with WindowsXP clients
DELORT Stephane
Stephane.DELORT at murex.com
Mon Dec 5 05:26:26 CST 2005
Hello,
I am currently using Radiator as a RADIUS server behind a Trapeze switch. All the clients are Windows XP stations with patches and drivers up to date, in an 802.11 wireless configuration (PEAP/MSCHAP v2).
After 12 hours of connection the stations disconnect and reconnect (seen in the accounting Stop/Start records).
It happens with every station.
The NAS is set to be "passthrough" and every parameter is set to 24 hours.
On the RADIUS side, the only parameter that could play a role is, I think, EAPTLS_SessionResumptionLimit. It is also set to 24 hours.
So, is there a known issue with Windows XP stations?
Could EAPTLS_SessionResumptionLimit be responsible for these disconnections?
How can I see whether the disconnection is initiated by the RADIUS server, the switch or the station?
My PEAP config is shown below.
Regards,
Stéphane
*******************************************************
<Handler Called-Station-Id=/MX_WIFI/ >
    SessionDatabase NULL_SESSION_DB
    # MaxSessions is enforced through the session database, so with the
    # NULL session database above it is not enforced.
    MaxSessions 1
    <AuthBy FILE>
        # EAPAnonymous sets the User-Name used for the inner authentication.
        # Defaults to 'anonymous'. %0 is replaced with the EAP identity, so
        # the inner request carries the real user name. If there is a realm,
        # it can be used to choose a local Realm to handle the inner
        # authentication, e.g.:
        #   EAPAnonymous anonymous@some.other.realm
        EAPAnonymous %0
        # The username of the outer authentication
        # must be in this file to get anywhere. In this example,
        # it requires an entry for 'anonymous', which is the standard username
        # in the outer requests, and it also requires an entry for the
        # actual user name who is trying to connect (i.e. the 'Login name' entered
        # in the Funk Odyssey 'Edit Profile Properties' page).
        # Filename defaults to %D/users when not set.
        #Filename %D/users
        # EAPType sets the EAP type(s) that Radiator will honour.
        # Options are: MD5-Challenge, One-Time-Password,
        # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2.
        # Multiple types can be comma separated, with the default (most
        # preferred) type given first.
        EAPType PEAP
        # EAPTLS_CAFile is the name of a file of CA certificates
        # in PEM format. The file can contain several CA certificates.
        # Radiator will first look in EAPTLS_CAFile then in
        # EAPTLS_CAPath, so there usually is no need to set both.
        # Note: this points at the server certificate itself rather than
        # at the issuing CA. PEAP/MSCHAP-V2 does not ask the client for a
        # certificate, so nothing is verified against it here, but it should
        # be the CA bundle if client certificates are ever required.
        #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CAFile %D/certificates/certifs_murex/sdelort.crt
        # EAPTLS_CertificateFile is the name of a file containing
        # the server's certificate. EAPTLS_CertificateType
        # specifies the type of the file. Can be PEM or ASN1;
        # defaults to ASN1.
        #EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateFile %D/certificates/certifs_murex/sdelort.crt
        EAPTLS_CertificateType PEM
        # EAPTLS_PrivateKeyFile is the name of the file containing
        # the server's private key. It is sometimes in the same file
        # as the server certificate (EAPTLS_CertificateFile).
        # If the private key is encrypted (usually the case)
        # then EAPTLS_PrivateKeyPassword is the key to decrypt it.
        # The password is stored in clear text in this file, so the
        # config file must not be world-readable, and a password that
        # has been posted to a public list should be changed.
        #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        #EAPTLS_PrivateKeyPassword whatever
        EAPTLS_PrivateKeyFile %D/certificates/certifs_murex/sdelort.key
        EAPTLS_PrivateKeyPassword murex
        # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
        # size that will be replied by Radiator. It must be small
        # enough to fit in a single RADIUS request (i.e. less than 4096)
        # and still leave enough space for other attributes.
        # Aironet APs seem to need a smaller MaxFragmentSize
        # (e.g. 1024) than the default of 2048. Others need even smaller sizes.
        EAPTLS_MaxFragmentSize 1000
        # Some clients, depending on their configuration, may require you to specify
        # MPPE send and receive keys. This _will_ be required if you select
        # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
        # client Network Properties dialog.
        # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
        # in the final Access-Accept. Required for 802.11 clients so that
        # the NAS receives the keying material for the wireless session.
        AutoMPPEKeys
        # You can enable some warning messages from the Net::SSLeay
        # module by setting SSLeayTrace to an integer from 1 to 4:
        # 1=ciphers, 2=trace, 3=dump data, 4=dump everything.
        # Level 4 writes TLS handshake data to the log; keep it for
        # debugging only and lower it in production.
        SSLeayTrace 4
        # You can enable or disable support for TTLS Session Resumption and
        # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
        # Default is enabled.
        #EAPTLS_SessionResumption 0
        # You can limit how long after the initial session that a session can be resumed
        # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
        # (12 hours). Set here to 24 hours.
        EAPTLS_SessionResumptionLimit 86400
        # You can control which version of the draft PEAP protocol to honour
        # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
        # such as Funk Odyssey Client 2.22 or later. The native Windows XP
        # supplicant also speaks PEAP version 0.
        EAPTLS_PEAPVersion 0
        # You can make PEAP Version 1 support compatible with
        # nonstandard PEAP V1 clients that use the old broken TLS encryption labels that
        # appear to be used frequently, due to Microsoft's use of the incorrect
        # label in its V0 client.
        #EAPTLS_PEAPBrokenV1Label
    </AuthBy>
</Handler>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
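The question of who tears the session down (RADIUS server, switch or station) is usually answered from the accounting Stop records rather than from the authentication log: Acct-Session-Time tells you whether the session length sits on a timer, and Acct-Terminate-Cause (RFC 2866, section 5.10) tells you which side the NAS believes ended it. The script below is an added example, not part of the original post or of Radiator itself. It parses records in the layout Radiator writes to its AcctLogFileName detail file (a timestamp line, then indented "Attribute = Value" lines, records separated by a blank line), flags Stops whose length matches the 43200 s default of EAPTLS_SessionResumptionLimit, and maps the terminate cause to a likely initiator. The sample records, user names and MAC addresses are constructed for the example; the path of a real detail file is given on the command line.

```python
"""
Find timer-shaped disconnects in a Radiator-style RADIUS accounting detail
file and report Acct-Terminate-Cause per Stop record.
Added example; the SAMPLE_DETAIL records below are constructed.
"""
import re
import sys

# Acct-Terminate-Cause values from RFC 2866 section 5.10.
TERMINATE_CAUSE = {
    1: "User-Request", 2: "Lost-Carrier", 3: "Lost-Service", 4: "Idle-Timeout",
    5: "Session-Timeout", 6: "Admin-Reset", 7: "Admin-Reboot", 8: "Port-Error",
    9: "NAS-Error", 10: "NAS-Request", 11: "NAS-Reboot", 12: "Port-Unneeded",
    13: "Port-Preempted", 14: "Port-Suspended", 15: "Service-Unavailable",
    16: "Callback", 17: "User-Error", 18: "Host-Request",
}

# Which side of the link the NAS is blaming for each cause (heuristic).
INITIATOR = {
    "User-Request": "station",
    "Lost-Carrier": "radio link / station",
    "Lost-Service": "radio link / station",
    "Idle-Timeout": "NAS timer",
    "Session-Timeout": "NAS timer (switch setting or Session-Timeout attribute)",
    "Admin-Reset": "NAS", "Admin-Reboot": "NAS", "NAS-Request": "NAS",
    "NAS-Reboot": "NAS", "Port-Error": "NAS", "NAS-Error": "NAS",
}

# Constructed sample records in the Radiator detail-file layout.
SAMPLE_DETAIL = """\
Mon Dec  5 05:00:00 2005
\tUser-Name = "sdelort"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0001"
\tCalling-Station-Id = "00-0c-f1-aa-bb-cc"

Mon Dec  5 17:00:02 2005
\tUser-Name = "sdelort"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0001"
\tAcct-Session-Time = 43201
\tAcct-Terminate-Cause = Session-Timeout
\tCalling-Station-Id = "00-0c-f1-aa-bb-cc"

Mon Dec  5 17:00:05 2005
\tUser-Name = "sdelort"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0002"
\tCalling-Station-Id = "00-0c-f1-aa-bb-cc"

Mon Dec  5 18:30:00 2005
\tUser-Name = "jdoe"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0003"
\tAcct-Session-Time = 5400
\tAcct-Terminate-Cause = 1
\tCalling-Station-Id = "00-0c-f1-dd-ee-ff"
"""

ATTR_RE = re.compile(r"^\s+([\w\-]+)\s*=\s*(.*)$")


def parse_detail(text):
    """Return one dict per record; the unindented line starts a record."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = None
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip().strip('"')
        else:
            current = {"Timestamp": line.strip()}
    if current:
        records.append(current)
    return records


def terminate_cause(value):
    """Normalise the cause, which may be logged as a name or as a number."""
    if value is None:
        return "absent"
    if value.isdigit():
        return TERMINATE_CAUSE.get(int(value), "Unknown(%s)" % value)
    return value


def likely_initiator(cause):
    return INITIATOR.get(cause, "unknown")


def analyse(records, timer=43200, tolerance=60):
    """One tuple per Stop: (user, station, session id, seconds, cause, on_timer)."""
    out = []
    for r in records:
        if r.get("Acct-Status-Type") != "Stop":
            continue
        secs = int(r.get("Acct-Session-Time", 0))
        cause = terminate_cause(r.get("Acct-Terminate-Cause"))
        # A session length within `tolerance` of a known timer is a
        # timeout somewhere in the path, not a user action.
        out.append((r.get("User-Name"), r.get("Calling-Station-Id"),
                    r.get("Acct-Session-Id"), secs, cause,
                    abs(secs - timer) <= tolerance))
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DETAIL
    for user, mac, sid, secs, cause, on_timer in analyse(parse_detail(text)):
        print("%-10s %-18s sess=%s %6ds cause=%-16s initiator=%s%s" % (
            user, mac, sid, secs, cause, likely_initiator(cause),
            "  <-- on 12h timer" if on_timer else ""))
```

Run it against the real detail file (e.g. `python acct_stops.py /var/log/radiator/detail`). If every flagged Stop carries Session-Timeout, the switch's own session timer or a Session-Timeout attribute is the place to look; if the cause is User-Request or Lost-Carrier, the station dropped first, which points at the supplicant rather than at EAPTLS_SessionResumptionLimit.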