Roaming support

Filippo Sallemi tonyputi at gmail.com
Thu Aug 25 18:02:10 CEST 2011


Many thanks!
If I do this only on mac-auth requests I think that it's great, but now
I have another problem: the radacct table consistency. If a user
changes gateway I have to update the radacct table, closing the previous
session and opening a new session.
Is that right?
If yes, in which section should I add the radacct update query?

Rgds

2011/8/25 Chris Moules <chris at gms.lu>:
> I don't have a coovachilli setup to test with, but I believe that when I looked at this feature (macauth) year(s) ago, if the MAC
> authentication failed, Chilli then dropped through to the UAM login. It was not a flat-out failure. This would 'just'
> mean that you would receive a MAC RADIUS Auth request for each new WiFi association. If that authenticates then you are good. If
> not then you hit the UAM.
>
> You could then have some Unlang in freeradius that looks for the MAC auth packets.
> You can do direct SQL queries in Unlang, so you can do something like this in an 'authenticate' section:
>
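> # Column names as in the stock FreeRADIUS 2.x radacct schema (open sessions have a NULL stop time); adjust to your own.
> if ( "%{sql:SELECT 1 FROM radacct WHERE callingstationid = '%{request:Calling-Station-Id}' AND acctstoptime IS NULL}" ) {
>        ok
> }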
>
> I don't claim that this is good or safe, but it might reach your goals.
>
> You may need some extra bits in 'authorize' but without looking at a macauth Auth packet I could not say. You would also only
> want to run the query on a macauth request if you can tell them apart from the UAM Auth packets (an extra 'if').
>
> good luck
>
> Chris
>
>
> On 25/08/11 15:53, Filippo Sallemi wrote:
>> Thank you for the reply, but I probably missed some important information.
>>
>> I need to have coovachilli running on every AP that has an xDSL
>> connection (Gateway) because my network is a layer 2 mesh network, so I
>> have all my nodes configured with the same channel and every node can
>> communicate with the other nodes of my mesh network.
>> Also, every AP with an xDSL connection is located in a geographically
>> distant place, so an xDSL load balancing scenario is not possible.
>>
>> I know the mac-auth feature of coovachilli, but with this feature I
>> miss username and password authentication (absolutely required on my
>> network).
>>
>> Every user has Simultaneous-Use set to 1.
>>
>> Here is my current scenario:
>> 1. A new client associates with the network and the user is redirected
>> to the UAM login page.
>> 2. The user enters username and password and performs a login.
>> 3. The user is now authenticated and can surf the web.
>> 4. At this time the gateway of this user dies and the network configures
>> itself to use another gateway (with another instance of coovachilli), so
>> the user would be forced to perform another login, but Simultaneous-Use
>> blocks access for this user (because he is already logged in).
>>
>> My intended scenario (with mac-auth):
>> 1. A new client associates with the network and the user is redirected
>> to the UAM login page.
>> 2. The user enters username and password and performs a login.
>> 3. The user is now authenticated and can surf the web.
>> 4. At this time the gateway of this user dies and the network configures
>> itself to use another gateway (with another instance of coovachilli), so
>> the new gateway should try to find a record in the radacct table with
>> the client macaddr and stoptime=0 and, if present, grant access.
>>
>> Now I want to know the right way to do this, or to look at some good docs.
>>
>> Rgds
>>
>> 2011/8/24 Toledo, Luis Carlos <lscrlstld at gmail.com>:
>>>> Hi all,
>>>>
>>>> I have a little problem with freeradius and I hope that someone could help
>>>> me.
>>>> I have 3 APs with coovachilli (configured to work with my freeradius
>>>> 2.x server) connected to 3 xDSL lines. All works correctly, but when a user
>>>> roams from one AP to another he has to reauthenticate himself (because
>>>> the NAS changed).
>>>>
>>> You can change the SQL query to check another table and conditions, but
>>> consider the first connection procedure.
>>>
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
>>>
>>
>>
>>



-- 
Filippo Sallemi
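
Added example, not part of the original thread and not FreeRADIUS or CoovaChilli code: a Python/sqlite3 model of the radacct bookkeeping asked about above, closing the row left open by the dead gateway when the same MAC shows up behind a new one. Assumptions: column names follow FreeRADIUS's stock radacct schema, and `handover`, `MAX_IDLE` and the sample rows are hypothetical; because the calling station ID is supplied by the client, the lookup accepts only a single, recently updated open session.

```python
import sqlite3

# Constructed stand-in for radacct. Column names follow FreeRADIUS's stock SQL
# schema (assumption); times are epoch seconds here to keep the model simple.
SCHEMA = """CREATE TABLE radacct (
    radacctid INTEGER PRIMARY KEY, username TEXT, nasipaddress TEXT,
    callingstationid TEXT, acctstarttime INTEGER, acctsessiontime INTEGER,
    acctstoptime INTEGER, acctterminatecause TEXT)"""

MAX_IDLE = 600  # hypothetical limit: seconds since the last accounting update

def handover(db, mac, new_nas, now):
    """Return the username to re-admit on new_nas, or None to fall back to UAM."""
    # Bound parameters keep the client-supplied MAC out of the SQL text.
    rows = db.execute(
        "SELECT radacctid, username, nasipaddress FROM radacct"
        " WHERE callingstationid = ? AND acctstoptime IS NULL"
        " AND acctstarttime + COALESCE(acctsessiontime, 0) >= ?",
        (mac, now - MAX_IDLE)).fetchall()
    if len(rows) != 1:
        return None  # no live session, or an ambiguous one: require a login
    rid, user, old_nas = rows[0]
    if old_nas != new_nas:
        with db:  # commit the close as one transaction
            # Close the row left open by the dead gateway. The new gateway's
            # own Accounting-Start is expected to open the replacement row.
            db.execute(
                "UPDATE radacct SET acctstoptime = ?,"
                " acctterminatecause = 'Lost-Carrier'"
                " WHERE radacctid = ? AND acctstoptime IS NULL",
                (now, rid))
    return user

def demo():
    """Build an in-memory table with constructed sample sessions."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # One recently updated session on gateway 10.0.0.1 and one long-idle one.
    db.executemany(
        "INSERT INTO radacct (username, nasipaddress, callingstationid,"
        " acctstarttime, acctsessiontime) VALUES (?, ?, ?, ?, ?)",
        [("alice", "10.0.0.1", "00-11-22-33-44-55", 1000, 300),
         ("bob", "10.0.0.1", "66-77-88-99-AA-BB", 100, 0)])
    return db
```

With the old row closed, a Simultaneous-Use count over open radacct rows no longer sees the session on the dead gateway.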




More information about the Freeradius-Devel mailing list