(RADIATOR) Disconnect after 12 hours with WindowsXP clients

Hugh Irvine hugh at open.com.au
Mon Dec 5 16:18:46 CST 2005


Hello Stephane -

Radiator is not initiating the disconnects.

You should have a look at a trace 4 debug from Radiator to see what is reported in the RADIUS requests.

regards

Hugh


On 5 Dec 2005, at 22:26, DELORT Stephane wrote:

>
> Hello,
>
> I am currently using Radiator as a RADIUS server beyond a Trapeze
> switch. All the clients are Windows XP stations with patches and
> drivers up to date for an 802.11 wireless configuration (PEAP/MSCHAP
> v2).
> After 12 hours of connection the station disconnects and reconnects
> (seen by acct stop/start).
> It happens with every station.
>
>
>
> The NAS is set to be "passthrough" and every parameter is set to 24
> hours.
> On the RADIUS, the only parameter that could have a role is, I
> think, the EAPTLS_SessionResumptionLimit. It is also set to 24 hours.
>
> So, is there a known issue with Windows XP stations?
> Could the EAPTLS_SessionResumptionLimit be responsible for these
> disconnections?
> How can I see if the disconnection is initiated from the RADIUS,
> the switch or the station?
>
>
> My PEAP config is shown below.
>
> Regards,
> Stéphane
>
>
>
>
>
> *******************************************************
>
> <Handler Called-Station-Id=/MX_WIFI/ >
> 	SessionDatabase NULL_SESSION_DB
> 	MaxSessions 1
> 	<AuthBy FILE>
> 		EAPAnonymous	%0
> 		# The username of the outer authentication
> 		# must be in this file to get anywhere. In this example,
> 		# it requires an entry for 'anonymous' which is the standard username
> 		# in the outer requests, and it also requires an entry for the
> 		# actual user name who is trying to connect (ie the 'Login name' entered
> 		# in the Funk Odyssey 'Edit Profile Properties' page
> 		#Filename %D/users
>
> 		# EAPType sets the EAP type(s) that Radiator will honour.
> 		# Options are: MD5-Challenge, One-Time-Password
> 		# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> 		# Multiple types can be comma separated. With the default (most
> 		# preferred) type given first
> 		EAPType PEAP
>
> 		# EAPTLS_CAFile is the name of a file of CA certificates
> 		# in PEM format. The file can contain several CA certificates
> 		# Radiator will first look in EAPTLS_CAFile then in
> 		# EAPTLS_CAPath, so there usually is no need to set both
> 		#EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> 		EAPTLS_CAFile %D/certificates/certifs_murex/sdelort.crt
>
> 		# EAPTLS_CertificateFile is the name of a file containing
> 		# the server's certificate. EAPTLS_CertificateType
> 		# specifies the type of the file. Can be PEM or ASN1
> 		# defaults to ASN1
> 		#EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> 		EAPTLS_CertificateFile %D/certificates/certifs_murex/sdelort.crt
> 		EAPTLS_CertificateType PEM
>
> 		# EAPTLS_PrivateKeyFile is the name of the file containing
> 		# the server's private key. It is sometimes in the same file
> 		# as the server certificate (EAPTLS_CertificateFile)
> 		# If the private key is encrypted (usually the case)
> 		# then EAPTLS_PrivateKeyPassword is the key to decrypt it
> 		#EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> 		#EAPTLS_PrivateKeyPassword whatever
> 		EAPTLS_PrivateKeyFile %D/certificates/certifs_murex/sdelort.key
> 		EAPTLS_PrivateKeyPassword murex
>
> 		# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> 		# size that will be replied by Radiator. It must be small
> 		# enough to fit in a single Radius request (ie less than 4096)
> 		# and still leave enough space for other attributes
> 		# Aironet APs seem to need a smaller MaxFragmentSize
> 		# (eg 1024) than the default of 2048. Others need even smaller sizes.
> 		EAPTLS_MaxFragmentSize 1000
>
> 		# Some clients, depending on their configuration, may require you to specify
> 		# MPPE send and receive keys. This _will_ be required if you select
> 		# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
> 		# client Network Properties dialog.
> 		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> 		# in the final Access-Accept
> 		AutoMPPEKeys
>
> 		# You can enable some warning messages from the Net::SSLeay
> 		# module by setting SSLeayTrace to an integer from 1 to 4
> 		# 1=ciphers, 2=trace, 3=dump data
> 		SSLeayTrace 4
>
> 		# You can configure the User-Name that will be used for the inner
> 		# authentication. Defaults to 'anonymous'. This can be useful
> 		# when proxying the inner authentication. If there is a realm, it can
> 		# be used to choose a local Realm to handle the inner authentication.
> 		# %0 is replaced with the EAP identity
> 		# EAPAnonymous anonymous at some.other.realm
>
> 		# You can enable or disable support for TTLS Session Resumption and
> 		# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> 		# Default is enabled
> 		#EAPTLS_SessionResumption 0
>
> 		# You can limit how long after the initial session that a session can be resumed
> 		# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
> 		# (12 hours)
> 		EAPTLS_SessionResumptionLimit 86400
>
> 		# You can control which version of the draft PEAP protocol to honour
> 		# with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
> 		# such as Funk Odyssey Client 2.22 or later.
> 		EAPTLS_PEAPVersion 0
>
> 		# You can make PEAP Version 1 support compatible with
> 		# nonstandard PEAP V1 clients that use the old broken TLS encryption labels that
> 		# appear to be used frequently, due to Microsoft's use of the incorrect
> 		# label in its V0 client.
> 		#EAPTLS_PEAPBrokenV1Label
> 	</AuthBy>
> </Handler>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
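Hugh's advice is to read what the NAS itself reports in the RADIUS accounting traffic, because Radiator does not send disconnects and EAPTLS_SessionResumptionLimit only governs whether a later TLS handshake may be resumed. The script below is an added example, not code from the thread or from Radiator: it parses Accounting-Request packet dumps in the shape of a Radiator trace 4 log (the dump layout here is approximated from memory, and the log lines are constructed, not a real capture), pulls out the Stop records, and classifies each one by the standard RFC 2866 Acct-Terminate-Cause names and by whether Acct-Session-Time lands near a configured session limit (43200 s, the 12-hour figure from the thread, with a 120 s tolerance; both are assumed parameters). A Stop that the NAS labels Session-Timeout, or that carries no cause at all but ends right at the limit, points at a NAS-side timer rather than at the RADIUS server or the client.

```python
"""Triage Accounting-Stop records from a Radiator-style trace 4 log.

Added example: the trace layout is approximated, the sample lines are
constructed, and the limit/tolerance values are assumptions.
"""
import re

# Constructed sample in the shape of Radiator trace 4 packet dumps (not a real capture).
SAMPLE_TRACE = """\
Mon Dec  5 08:00:00 2005: DEBUG: Packet dump:
*** Received from 10.1.1.5 port 1812 ....
Code:       Access-Request
Identifier: 41
Authentic:  <1><2><3>...
Attributes:
\tUser-Name = "sdelort"
\tCalled-Station-Id = "00-11-22-33-44-55:MX_WIFI"
\tEAP-Message = <2><1><0><12><1>sdelort

Mon Dec  5 08:00:02 2005: DEBUG: Packet dump:
*** Received from 10.1.1.5 port 1813 ....
Code:       Accounting-Request
Identifier: 42
Authentic:  <4><5><6>...
Attributes:
\tUser-Name = "sdelort"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000A1"
\tCalled-Station-Id = "00-11-22-33-44-55:MX_WIFI"

Mon Dec  5 20:00:03 2005: DEBUG: Packet dump:
*** Received from 10.1.1.5 port 1813 ....
Code:       Accounting-Request
Identifier: 43
Authentic:  <7><8><9>...
Attributes:
\tUser-Name = "sdelort"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000A1"
\tAcct-Session-Time = 43201
\tAcct-Terminate-Cause = Session-Timeout
\tCalled-Station-Id = "00-11-22-33-44-55:MX_WIFI"

Mon Dec  5 20:30:00 2005: DEBUG: Packet dump:
*** Received from 10.1.1.5 port 1813 ....
Code:       Accounting-Request
Identifier: 44
Authentic:  <10><11><12>...
Attributes:
\tUser-Name = "jdoe"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000B7"
\tAcct-Session-Time = 1800
\tAcct-Terminate-Cause = User-Request

Mon Dec  5 21:00:00 2005: DEBUG: Packet dump:
*** Received from 10.1.1.6 port 1813 ....
Code:       Accounting-Request
Identifier: 45
Authentic:  <13><14><15>...
Attributes:
\tUser-Name = "bsmith"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000C2"
\tAcct-Session-Time = 43150
"""

# One packet dump starts at each "Packet dump:" line; attributes are indented "Name = value".
PACKET_SPLIT = re.compile(r"^.*Packet dump:\s*$", re.M)
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*?)\s*$")

# RFC 2866 Acct-Terminate-Cause names, grouped by which side ended the session.
CLIENT_SIDE = {"User-Request", "Lost-Carrier", "User-Error", "Host-Request"}
NAS_SIDE = {"Idle-Timeout", "Session-Timeout", "Admin-Reset", "Admin-Reboot",
            "Port-Error", "NAS-Error", "NAS-Request", "NAS-Reboot", "Port-Unneeded",
            "Port-Preempted", "Port-Suspended", "Service-Unavailable", "Callback",
            "Lost-Service"}


def parse_packets(trace):
    """Return a list of (code, attributes) tuples, one per packet dump in the trace."""
    packets = []
    for chunk in PACKET_SPLIT.split(trace)[1:]:
        code, attrs, in_attrs = None, {}, False
        for line in chunk.splitlines():
            if line.startswith("Code:"):
                code = line.split(":", 1)[1].strip()
            elif line.startswith("Attributes:"):
                in_attrs = True
            elif in_attrs:
                m = ATTR_RE.match(line)
                if not m:           # blank line or next header ends the attribute list
                    in_attrs = False
                    continue
                attrs[m.group(1)] = m.group(2).strip('"')
        if code:
            packets.append((code, attrs))
    return packets


def triage_stops(trace, limit_seconds=43200, tolerance=120):
    """Classify every Accounting Stop by reported cause and proximity to the session limit."""
    results = []
    for code, a in parse_packets(trace):
        if code != "Accounting-Request" or a.get("Acct-Status-Type") != "Stop":
            continue
        cause = a.get("Acct-Terminate-Cause")
        secs = int(a.get("Acct-Session-Time", "0"))
        if cause is None:
            origin = "unreported"   # NAS gave no cause: ask the NAS, not the RADIUS server
        elif cause in CLIENT_SIDE:
            origin = "client"
        elif cause in NAS_SIDE:
            origin = "nas"
        else:
            origin = "other"
        results.append({"user": a.get("User-Name"), "session": a.get("Acct-Session-Id"),
                        "seconds": secs, "cause": cause, "origin": origin,
                        "near_limit": abs(secs - limit_seconds) <= tolerance})
    return results


if __name__ == "__main__":
    for r in triage_stops(SAMPLE_TRACE):
        print(r)
```

Run it against a real trace 4 file by passing the file contents to `triage_stops`; a cluster of Stops with origin `nas` or `unreported` and `near_limit` true is the signature of a timer on the switch, whereas `client` causes at scattered session times point at the stations.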

