Roaming support

Chris Moules chris at gms.lu
Thu Aug 25 16:51:13 CEST 2011


I don't have a coovachilli setup to test with but I believe that when I looked at this feature (macauth) year(s) ago, if the MAC
authentication failed, Chilli then dropped through to the UAM login. It was not a flat-out failure. This would 'just'
mean that you would receive a MAC RADIUS Auth request for each new WiFi association. If that authenticates then you are good. If
not then you hit the UAM.

You could then have some Unlang in freeradius that looks for the MAC auth packets.
You can do direct SQL queries in Unlang, so you can do something like this in an 'authenticate' section:

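# Column names below assume the stock FreeRADIUS radacct schema; adjust them to your own tables.
if ( "%{sql:SELECT 1 FROM radacct WHERE callingstationid = '%{request:Calling-Station-Id}' AND acctstoptime IS NULL}" ) {
	ok
}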

I don't claim that this is good or safe, but it might reach your goals.

You may need some extra bits in 'authorize' but without looking at a macauth Auth packet I could not say. You would also only
want to run the query on a macauth request if you can tell them apart from the UAM Auth packets (an extra 'if').

good luck

Chris


On 25/08/11 15:53, Filippo Sallemi wrote:
> Thank you for the reply, but probably I missed some important information.
> 
> I need to have coovachilli running on every ap that has an xDSL
> connection (Gateway) because my network is a layer2 mesh network so I
> have all my nodes configured with the same channel and every node can
> communicate with the other nodes of my mesh network.
> Also, the APs with an xDSL connection are located in places geographically
> far apart, so an xDSL load balancing scenario is not possible.
> 
> I know the mac-auth feature of coovachilli but with this feature I
> miss username and password authentication (absolutely required on my
> network).
> 
> Every user has Simultaneous-Use set to 1
> 
> Here is my current scenario:
> 1. New client is associated to the network and the user is redirected
> to UAM Login page
> 2. the user enters username and password and performs a login.
> 3. the user is now authenticated and can surf the web
> 4. at this time the gateway of this user dies and the network configures
> itself to use another gateway (with another instance of coovachilli) so
> the user would be forced to perform another login but Simultaneous-Use
> blocks access for this user (because he is already logged in)
> 
> The scenario I have in mind (with mac-auth):
> 1. New client is associated to the network and the user is redirected
> to UAM Login page
> 2. the user enters username and password and performs a login.
> 3. the user is now authenticated and can surf the web
> 4. at this time the gateway of this user dies and the network configures
> itself to use another gateway (with another instance of coovachilli) so
> the new gateway should try to find a record in the radacct table with
> the client macaddr and stoptime=0 and, if present, grant access.
> 
> Now I want to know the right way to do this or look at some good docs.
> 
> Rgds
> 
> 2011/8/24 Toledo, Luis Carlos <lscrlstld at gmail.com>:
>>> Hi all,
>>>
>>> I've a little problem with freeradius and I hope that someone could help
>>> me.
>>> I have 3 ap with coovachilli (configured to work with my freeradius
>>> 2.x server) connected to 3 xDSL. All works correctly but when a user
>>> roams from one ap to another he has to reauthenticate himself (because
>>> the nas changed).
>>>
>> You can change the SQL query to check another table and conditions, but
>> consider the first connection procedure.
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
>>
> 
> 
> 
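
Added example (not code from this thread or from FreeRADIUS): the Python below models the radacct lookup discussed above and shows one failure mode of matching on "open session for this MAC" alone. A gateway that dies never sends an Accounting-Stop, so its row stays open and would match forever unless the lookup is also bounded by the last accounting update. Assumptions: the table is a constructed stand-in that borrows stock radacct column names with integer timestamps, and MAX_IDLE, make_db, roaming_user and decide are hypothetical names.

```python
import sqlite3

MAX_IDLE = 600  # assumed bound: seconds since the last accounting update

def make_db(rows):
    """Build an in-memory stand-in for radacct from constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
        username TEXT, callingstationid TEXT, nasipaddress TEXT,
        acctstarttime INTEGER, acctsessiontime INTEGER, acctstoptime INTEGER)""")
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?)", rows)
    return db

def roaming_user(db, mac, now, max_idle=MAX_IDLE):
    """Return the username that owns a live session for `mac`, else None.

    Live means: no stop time recorded AND the row was updated recently
    (start + session time approximates the last interim update).
    The MAC is bound as a parameter, never pasted into the SQL text.
    """
    row = db.execute(
        """SELECT username FROM radacct
           WHERE callingstationid = ?
             AND acctstoptime IS NULL
             AND acctstarttime + acctsessiontime >= ?
           ORDER BY acctstarttime DESC LIMIT 1""",
        (mac, now - max_idle)).fetchone()
    return row[0] if row else None

def decide(db, mac, now):
    """Map the lookup to the two outcomes described in the thread."""
    return "accept" if roaming_user(db, mac, now) else "fall through to UAM"

NOW = 100_000  # constructed clock value
SAMPLE = [  # user, MAC, NAS, start, session seconds, stop (None = open)
    ("alice", "00-11-22-33-44-55", "10.0.0.1", NOW - 900, 840, None),
    ("bob", "00-11-22-33-44-66", "10.0.0.2", NOW - 90_000, 3_600, None),
    ("carol", "00-11-22-33-44-77", "10.0.0.3", NOW - 500, 400, NOW - 100),
]

if __name__ == "__main__":
    db = make_db(SAMPLE)
    for _, mac, *_ in SAMPLE:
        # alice: updated 60 s ago; bob: stale open row; carol: logged out
        print(mac, "->", decide(db, mac, NOW))
```

Returning the username rather than a bare yes/no lets the caller tie the roamed session back to the account that originally logged in through the UAM.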



More information about the Freeradius-Devel mailing list