Hi all, I've a little problem with freeradius and I hope that someone could help me. I have 3 ap with coovachilli (configured to work with my freeradius 2.x server) connected to 3 xDSL. All work correct but when an user roam from an ap to another he have to reauhenticate itself (because the nas changed). I'm intrested to use UnLang to make freeradius able to check if user mac is already present in radacct table and if yes authorize user automatically. In this way every time an user roam from ap to another it colud be reauthentiated without asking for password. It is possible? Could anoyone help me in this? Rgds -- Filippo Sallemi
On 24/08/11 17:21, Filippo Sallemi wrote:
Hi all,
I've a little problem with freeradius and I hope that someone could help me. I have 3 ap with coovachilli (configured to work with my freeradius 2.x server) connected to 3 xDSL. All work correct but when an user roam from an ap to another he have to reauhenticate itself (because the nas changed).
I'm intrested to use UnLang to make freeradius able to check if user mac is already present in radacct table and if yes authorize user automatically. In this way every time an user roam from ap to another it colud be reauthentiated without asking for password.
It is possible? Could anoyone help me in this?
Rgds
Sounds do-able. I don't remember how CoovaChilli works with all this but there is an option for it to use the MAC address to perform authentication. http://coova.org/CoovaChilli/chilli.conf <quote> macauth If this option is given ChilliSpot will try to authenticate all users based on their mac address alone. The User-Name sent to the radius server will consist of the MAC address and an optional suffix which is specified by the macsuffix option. If the macauth option is specified the macallowed option is ignored. </quote> I think if this fails you 'drop-through' to the Captive Portal. If you enable this and then check what is sent. You will then need to setup a custom 'Auth' section to perform the MAC lookup in your (guess) DB of Auth'ed users and then let this succeed. You may also want/need then to 'kill' the other session (CoA?) on the other AP. This might also work without 'macauth' in but I think that would be the most 'transparent'. This type of thing is not my bread and butter work but I have used both FreeRADIUS and CoovaChilli. -- General remark -- It sounds like your setup is trying to do load balancing of data over 3 xDSL lines. You are trying to do this by having 3 APs/NASs on 3 lines. In setups like this I have 'normally' seen, for example, 3 APs linked to 1 NAS (CoovaChilli). Off the back of the NAS you can load-balance your traffic. The APs just do the WiFi bit and you can roam between them the CoovaChilli in this case does the Captive Portal (DHCP/DNS/.../?). Not knowing anything about your setup or usage scenario I don't know is this is 'better' or just 'different'. BTW 'roaming' has different meanings depending on what part of the system you are talking about. In this case you mean WiFi AP roaming and not what might be understood as provider roaming which would involve RADIUS proxying (most probably). WiFi AP roaming has no real direct RADIUS relevance, especially if the APs are setup like I mentioned. Then a device just talks to one AP or another, there is no re-auth required. Regards Chris
Hi all,
I've a little problem with freeradius and I hope that someone could help me. I have 3 ap with coovachilli (configured to work with my freeradius 2.x server) connected to 3 xDSL. All work correct but when an user roam from an ap to another he have to reauhenticate itself (because the nas changed).
You can change the SQL query to check another table and conditions, but consider the first connection procedure.
Thank you for reply, but probably I miss some important information. I need to have coovachilli running on every ap that have a xDSL connection (Gateway) because my network is a layer2 mesh network so I have all my nodes configured with the same channel and evey node can comunicate with other node of my mesh network. Also every AP with xDSL connection are located in place geographically far so it's not possible an xDSL load balancing scenario. I know the mac-auth feature of coovachilli but with this feature I miss username and password authentication (absolutelly required on my network). Every user have setted Simultaneous-Use to 1 Here my current scenario: 1. New client is associated to the network and the user is redirected to UAM Login page 2. the user put username and password and perform a login. 3. the user is now authenticated and can surf the web 4. at this time the gateway of this user die and the network configure itself to use another gateway (whit another istance of coovachilli) so the user would be forced to perform another login but Simultaneous-Use block access for this user (because is already logged in) My thinked scenario (whit mac-auth): 1. New client is associated to the network and the user is redirected to UAM Login page 2. the user put username and password and perform a login. 3. the user is now authenticated and can surf the web 4. at this time the gateway of this user die and the network configure itself to use another gateway (with another istance of coovachilli) so the new gateway should try to find a record to the radacct table with client macaddr and stoptime=0 and if present grant the access. Now I want to know the right way to do this or look some good doc. Rgds 2011/8/24 Toledo, Luis Carlos <lscrlstld@gmail.com>:
Hi all,
I've a little problem with freeradius and I hope that someone could help me. I have 3 ap with coovachilli (configured to work with my freeradius 2.x server) connected to 3 xDSL. All work correct but when an user roam from an ap to another he have to reauhenticate itself (because the nas changed).
You can change the SQL query to check another table and conditions, but consider the first connection procedure.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Filippo Sallemi
I don't have a coovachilli setup to test with but I believe that when I looked at this feature (macauth) year(s) ago, if the MAC authentication failed it then Chilli then dropped-through to the UAM login. It was not a flat-out failure. This would 'just' mean that you would receive a MAC RADIUS Auth request for each new WiFi association. If that authenticates then you are good. If not then you hit the UAM. You could then have some Unlang in freeradius that looks for the MAC auth packets. You can do direct SQL queries in Unlang, so you can do something like this in an 'authenticate' section: if ( "%{sql:SELECT 1 FROM radacct WHERE calling-station-id = '%{request:Calling-Station-Id}' AND stoptime=0}" ) { ok } I don't claim that this is good or safe, but it might reach your goals. You may need some extra bits in 'authorize' but without looking at a macauth Auth packet I could not say. You would also only want to run the query on a macauth request if you can tell them apart from the UAM Auth packets (an extra 'if'). good luck Chris On 25/08/11 15:53, Filippo Sallemi wrote:
Thank you for reply, but probably I miss some important information.
I need to have coovachilli running on every ap that have a xDSL connection (Gateway) because my network is a layer2 mesh network so I have all my nodes configured with the same channel and evey node can comunicate with other node of my mesh network. Also every AP with xDSL connection are located in place geographically far so it's not possible an xDSL load balancing scenario.
I know the mac-auth feature of coovachilli but with this feature I miss username and password authentication (absolutelly required on my network).
Every user have setted Simultaneous-Use to 1
Here my current scenario: 1. New client is associated to the network and the user is redirected to UAM Login page 2. the user put username and password and perform a login. 3. the user is now authenticated and can surf the web 4. at this time the gateway of this user die and the network configure itself to use another gateway (whit another istance of coovachilli) so the user would be forced to perform another login but Simultaneous-Use block access for this user (because is already logged in)
My thinked scenario (whit mac-auth): 1. New client is associated to the network and the user is redirected to UAM Login page 2. the user put username and password and perform a login. 3. the user is now authenticated and can surf the web 4. at this time the gateway of this user die and the network configure itself to use another gateway (with another istance of coovachilli) so the new gateway should try to find a record to the radacct table with client macaddr and stoptime=0 and if present grant the access.
Now I want to know the right way to do this or look some good doc.
Rgds
2011/8/24 Toledo, Luis Carlos <lscrlstld@gmail.com>:
Hi all,
I've a little problem with freeradius and I hope that someone could help me. I have 3 ap with coovachilli (configured to work with my freeradius 2.x server) connected to 3 xDSL. All work correct but when an user roam from an ap to another he have to reauhenticate itself (because the nas changed).
You can change the SQL query to check another table and conditions, but consider the first connection procedure.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Many thanks! If I do this only on mac-auth request I think that it's great but now I have another problem the radacct table consistency. If an user change gateway I have to update radacct table closing the previous session and open a new session. It right? If yes which section should I add the radacct update query? Rgds 2011/8/25 Chris Moules <chris@gms.lu>:
I don't have a coovachilli setup to test with but I believe that when I looked at this feature (macauth) year(s) ago, if the MAC authentication failed it then Chilli then dropped-through to the UAM login. It was not a flat-out failure. This would 'just' mean that you would receive a MAC RADIUS Auth request for each new WiFi association. If that authenticates then you are good. If not then you hit the UAM.
You could then have some Unlang in freeradius that looks for the MAC auth packets. You can do direct SQL queries in Unlang, so you can do something like this in an 'authenticate' section:
if ( "%{sql:SELECT 1 FROM radacct WHERE calling-station-id = '%{request:Calling-Station-Id}' AND stoptime=0}" ) { ok }
I don't claim that this is good or safe, but it might reach your goals.
You may need some extra bits in 'authorize' but without looking at a macauth Auth packet I could not say. You would also only want to run the query on a macauth request if you can tell them apart from the UAM Auth packets (an extra 'if').
good luck
Chris
On 25/08/11 15:53, Filippo Sallemi wrote:
Thank you for reply, but probably I miss some important information.
I need to have coovachilli running on every ap that have a xDSL connection (Gateway) because my network is a layer2 mesh network so I have all my nodes configured with the same channel and evey node can comunicate with other node of my mesh network. Also every AP with xDSL connection are located in place geographically far so it's not possible an xDSL load balancing scenario.
I know the mac-auth feature of coovachilli but with this feature I miss username and password authentication (absolutelly required on my network).
Every user have setted Simultaneous-Use to 1
Here my current scenario: 1. New client is associated to the network and the user is redirected to UAM Login page 2. the user put username and password and perform a login. 3. the user is now authenticated and can surf the web 4. at this time the gateway of this user die and the network configure itself to use another gateway (whit another istance of coovachilli) so the user would be forced to perform another login but Simultaneous-Use block access for this user (because is already logged in)
My thinked scenario (whit mac-auth): 1. New client is associated to the network and the user is redirected to UAM Login page 2. the user put username and password and perform a login. 3. the user is now authenticated and can surf the web 4. at this time the gateway of this user die and the network configure itself to use another gateway (with another istance of coovachilli) so the new gateway should try to find a record to the radacct table with client macaddr and stoptime=0 and if present grant the access.
Now I want to know the right way to do this or look some good doc.
Rgds
2011/8/24 Toledo, Luis Carlos <lscrlstld@gmail.com>:
Hi all,
I've a little problem with freeradius and I hope that someone could help me. I have 3 ap with coovachilli (configured to work with my freeradius 2.x server) connected to 3 xDSL. All work correct but when an user roam from an ap to another he have to reauhenticate itself (because the nas changed).
You can change the SQL query to check another table and conditions, but consider the first connection procedure.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Filippo Sallemi
participants (3)
-
Chris Moules -
Filippo Sallemi -
Toledo, Luis Carlos