While an "out of the box" solution is where I'll probably end up, I'm battling with myself over the idea of how to best manage bandwidth on a network including multiple remote locations, with both wired and wireless connections. I'm moving to using freeradius to authenticate (which ultimately will be done by MAC for initial ease of setup) but I'm trying to figure out where the Bandwidth attributes actually are used. IOW, when using WISPr-Bandwidth, does that modify the client connection at the client computer or does that occur at a proxy or firewall device? What I'm getting at is, is a captive portal necessary or can a person simply have client authentication via freeradius and the client network card handle managing its own bandwidth? And if so, is there any possibility that the client computer could be modified by someone with a bit of skill to bypass those controls? Hope that made sense. Cheers, Kevin
Hello Kevin, I can't answer definitively, but I would assume that it would be done on your NAS(depending on your hardware these rules "could" be propagated to the child devices). It would defy all logic for it to be done on the client, Just as you would in an unauthenticated wired/wireless network it is always best to control traffic at the distribution point. Hope that helps. Take Care, Leigh Martell On Wed, Dec 17, 2008 at 12:14 PM, kevin <rat@yia.ca> wrote:
While an "out of the box" solution is where I'll probably end up, I'm battling with myself over the idea of how to best manage bandwidth on a network including multiple remote locations, with both wired and wireless connections.
I'm moving to using freeradius to authenticate (which ultimately will be done by MAC for initial ease of setup) but I'm trying to figure out where the Bandwidth attributes actually are used.
IOW, when using WISPr-Bandwidth, does that modify the client connection at the client computer or does that occur at a proxy or firewall device? What I'm getting at is, is a captive portal necessary or can a person simply have client authentication via freeradius and the client network card handle managing its own bandwidth? And if so, is there any possibility that the client computer could be modified by someone with a bit of skill to bypass those controls?
Hope that made sense.
Cheers,
Kevin
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks, Leigh... Yes, that does make more sense. How you explained it. So basically, I would need to put a NAC (network access controller) at each remote location. BUT... I wouldn't necessarily have to put a "traditional" captive portal at each location, even though they would probably provide pretty much the same features. thx... Kevin On Wed, 2008-12-17 at 12:49 -0500, Leigh Martell wrote:
Hello Kevin,
I can't answer definitively, but I would assume that it would be done on your NAS(depending on your hardware these rules "could" be propagated to the child devices). It would defy all logic for it to be done on the clie nt, Just as you would in an unauthenticated wired/wireless network it is always best to control traffic at the distribution point.
Hope that helps.
Take Care, Leigh Martell
On Wed, Dec 17, 2008 at 12:14 PM, kevin <rat@yia.ca> wrote: While an "out of the box" solution is where I'll probably end up, I'm battling with myself over the idea of how to best manage bandwidth on a network including multiple remote locations, with both wired and wireless connections.
I'm moving to using freeradius to authenticate (which ultimately will be done by MAC for initial ease of setup) but I'm trying to figure out where the Bandwidth attributes actually are used.
IOW, when using WISPr-Bandwidth, does that modify the client connection at the client computer or does that occur at a proxy or firewall device? What I'm getting at is, is a captive portal necessary or can a person simply have client authentication via freeradius and the client network card handle managing its own bandwidth? And if so, is there any possibility that the client computer could be modified by someone with a bit of skill to bypass those controls?
Hope that made sense.
Cheers,
Kevin
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
IOW, when using WISPr-Bandwidth, does that modify the client connection at the client computer or does that occur at a proxy or firewall device?
When you use bandwidth control attributes they are used by your NAS (AP, router, switch, captive portal ...). You should read NAS documentation to find the most approprite one for you (wired connection is hardly going to use WISPr attributes). Ivan Kalik Kalik Informatika ISP
kevin wrote:
IOW, when using WISPr-Bandwidth, does that modify the client connection at the client computer or does that occur at a proxy or firewall device?
The RADIUS client (NAS) that receives the WISPr-Bandwidth attribute is responsible for enforcing it.
What I'm getting at is, is a captive portal necessary or can a person simply have client authentication via freeradius and the client network card handle managing its own bandwidth? And if so, is there any possibility that the client computer could be modified by someone with a bit of skill to bypass those controls?
No. Alan DeKok.
On Thu, 2008-12-18 at 15:05 +0100, Alan DeKok wrote:
kevin wrote:
IOW, when using WISPr-Bandwidth, does that modify the client connection at the client computer or does that occur at a proxy or firewall device?
The RADIUS client (NAS) that receives the WISPr-Bandwidth attribute is responsible for enforcing it.
OK, I think I understand this better. If I was using PPPOE or similar (so long as it honoured the WISPr-Bandwidth attribute), the client would handle and enforce these parameters. A NAC would not be required if authentication is direct by that method. Sorry for the off-topic nature this thread is taking, but I'm thinking out loud, here. On the other hand, I think I've narrowed down my choices for NAC. I will look further into UNI-FY, but right now I think my best option, without having to go to open-wrt or whatever, with some version of chilli (or derivative) integration, is looking like ZeroShell: http://www.zeroshell.net Apparently, it can be configured to use a remote Radius server for AAA. I'm just noticing that chilli based AAA has limitations which I don't want to deal with. I don't want to use a router with firmware update because I'd like more options and don't want to deal with "vendor lock-in". And from what I can see, zeroshell offers a lot of extra, low-level control. As mentioned in another part of this thread, being able to manage office users using WISPr-Bandwidth and similar controls, allowing me to aggregate all bandwidth with a single point of authentication which is what I'm looking at. My own "cloud", if you will. I know freeradius is part of the puzzle and I want to do this only once. Changing from my old infrastructure, to a new, robust, and scalable system. I'm currently using smoothwall and I don't have the time, energy, or resources to fix and modify to suit my needs and others like pfsense or ipcop or wifidog seem to be at about similar as far as limitations. Cheers, Kevin
What I'm getting at is, is a captive portal necessary or can a person simply have client authentication via freeradius and the client network card handle managing its own bandwidth? And if so, is there any possibility that the client computer could be modified by someone with a bit of skill to bypass those controls?
No.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On the other hand, I think I've narrowed down my choices for NAC. I will look further into UNI-FY, but right now I think my best option, without having to go to open-wrt or whatever, with some version of chilli (or derivative) integration, is looking like ZeroShell:
Apparently, it can be configured to use a remote Radius server for AAA. I'm just noticing that chilli based AAA has limitations which I don't want to deal with.
I don't want to use a router with firmware update because I'd like more options and don't want to deal with "vendor lock-in". And from what I can see, zeroshell offers a lot of extra, low-level control. As mentioned in another part of this thread, being able to manage office users using WISPr-Bandwidth and similar controls, allowing me to aggregate all bandwidth with a single point of authentication which is what I'm looking at. My own "cloud", if you will.
Have you actually found somewhere that ZeroShell can use that attribute? I had a quick look at front and radius page and I would have some serious doubts. "The previous tuning can be applied on Ethernet Interfaces, VPNs, bridges and VPN bondings." I don't think that per user settings that you can pass with radius are supported. You can probably just fix the setting that will be the same for everybody. Ivan Kalik Kalik Informatika ISP
participants (4)
-
Alan DeKok -
kevin -
Leigh Martell -
tnt@kalik.net