[RADIATOR] Assigning IP's directly from the Radius server

Heikki Vatiainen hvn at open.com.au
Fri Feb 4 05:19:03 CST 2011


On 02/04/2011 09:28 AM, Gerard Alcorlo Bofill wrote:

Gerard, if I understand correctly, the address allocator works, but you
have problems getting the wireless AP to accept the IP address you want
the wireless client to use.

> *** Sending to 192.168.50.9 port 1645 ....
> Code:       Access-Accept
> Identifier: 208
> Authentic:  L$<158><20>#x<233>V<147>3<204>{<161><22>sj
> Attributes:
> 	Framed-IP-Netmask = xxx.xxx.xxx.xxx
> 	Framed-IP-Address = xxx.xxx.xxx.xxx
> 	MS-Primary-DNS-Server = xxx.xxx.xxx.xxx
> 	MS-Secondary-DNS-Server = xxx.xxx.xxx.xxx
> 	MS-MPPE-Send-Key = blablabla
> 	MS-MPPE-Recv-Key = blablabla
> 	EAP-Message = blablabla
> 	Message-Authenticator = blablabla

You may want to check the incoming Access-Request to see if there are
any Framed-* attributes. For example if Framed-Protocol is sent by the
WLAN AP, it may want to see Framed-Protocol in the response. What it
does with these attributes should be documented by the vendor.

>>>> This is the error I'm getting from the AP:
>>>> 16:27:29.234 GMT: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
>>>> 16:27:29.241 GMT: RADIUS/ENCODE(0000002A):Orig. component type = DOT11
>>>> 16:27:29.241 GMT: RADIUS/ENCODE: No idb found! Framed IP Addr might not
>>>> be included
>>>>
>>>> I thought that my NAS (my AP) would send all the attributes to the wifi
>>>> client but that's not happening.
>>>>
>>>> Are these attributes only for PPP connections or is it possible to use
>>>> them using a wifi AP?

I would say the Framed-* attributes are for connections such as PPP or
PPPoE. Have you found out how you can transfer the IP address the WLAN
AP receives to the Wireless user? It would be interesting to hear if
there is a method to do that.

The usual case with WPA-Enterprise is that the authentication completes
first and the client then has access to the network so it can query the
DHCP server. I guess this is what you had in the first place.

There is one hack that might be possible: configure WPA-Enterprise
authentication as it is normally done. Configure your DHCP server so
that it always asks RADIUS for IP addresses. I think this is technically
possible, but a good question is whether it makes any sense :)


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
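
An added example, not part of the original message and not Radiator code: one way to do the check suggested above, pairing each Access-Request with its Access-Accept in a debug packet dump and listing which Framed-* attributes the NAS sent and which came back. The "*** Received from" header line, the function names and every value in the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of the dump quoted in the thread.
# The "Received from" header, addresses and values are assumptions.
SAMPLE_LOG = """\
*** Received from 192.0.2.9 port 1645 ....
Code:       Access-Request
Identifier: 208
Attributes:
\tUser-Name = "alice"
\tFramed-Protocol = PPP
\tFramed-MTU = 1400
*** Sending to 192.0.2.9 port 1645 ....
Code:       Access-Accept
Identifier: 208
Attributes:
\tFramed-IP-Address = 198.51.100.20
\tFramed-IP-Netmask = 255.255.255.0
"""

HEADER = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
FIELD = re.compile(r"^(Code|Identifier):\s+(\S+)")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")

def parse_packets(text):
    """Split a dump into packets: peer, Code, Identifier, attribute list."""
    packets, cur = [], None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            cur = {"peer": m.group(2), "Code": None, "Identifier": None, "attrs": []}
            packets.append(cur)
        elif cur and (m := FIELD.match(line)):
            cur[m.group(1)] = m.group(2)
        elif cur and (m := ATTR.match(line)):
            cur["attrs"].append((m.group(1), m.group(2)))
    return packets

def framed_report(text):
    """Match request and accept by (peer, Identifier); compare Framed-* names."""
    pending, report = {}, []
    for p in parse_packets(text):
        framed = {name for name, _ in p["attrs"] if name.startswith("Framed-")}
        key = (p["peer"], p["Identifier"])
        if p["Code"] == "Access-Request":
            pending[key] = framed
        elif p["Code"] == "Access-Accept" and key in pending:
            sent = pending.pop(key)
            report.append({"peer": key[0], "id": key[1],
                           "requested": sorted(sent), "returned": sorted(framed),
                           "not_echoed": sorted(sent - framed)})
    return report
```

A non-empty `not_echoed` list points at attributes the AP offered but did not get back, which is the first thing to compare against the vendor documentation.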

