WISPr-Bandwidth question

kevin rat at yia.ca
Thu Dec 18 19:39:20 CET 2008


On Thu, 2008-12-18 at 15:05 +0100, Alan DeKok wrote:
> kevin wrote:
> > IOW, when using WISPr-Bandwidth, does that modify the client connection
> > at the client computer or does that occur at a proxy or firewall device?
> 
>   The RADIUS client (NAS) that receives the WISPr-Bandwidth attribute is
> responsible for enforcing it.

OK, I think I understand this better.  If I were using PPPoE or similar
(so long as it honoured the WISPr-Bandwidth attribute), the client would
handle and enforce these parameters.  A NAC would not be required if
authentication is direct by that method.

Sorry for the off-topic nature this thread is taking, but I'm thinking
out loud, here.

On the other hand, I think I've narrowed down my choices for NAC.  I
will look further into UNI-FY, but right now I think my best option,
without having to go to open-wrt or whatever, with some version of
chilli (or derivative) integration, is looking like ZeroShell:

http://www.zeroshell.net

Apparently, it can be configured to use a remote RADIUS server for AAA.
I'm just noticing that chilli based AAA has limitations which I don't
want to deal with.

I don't want to use a router with firmware update because I'd like more
options and don't want to deal with "vendor lock-in".  And from what I
can see, zeroshell offers a lot of extra, low-level control.  As
mentioned in another part of this thread, being able to manage office
users using WISPr-Bandwidth and similar controls, allowing me to
aggregate all bandwidth with a single point of authentication which is
what I'm looking at.  My own "cloud", if you will.

I know freeradius is part of the puzzle and I want to do this only once.
Changing from my old infrastructure, to a new, robust, and scalable
system.  I'm currently using smoothwall and I don't have the time,
energy, or resources to fix and modify to suit my needs and others like
pfsense or ipcop or wifidog seem to be about similar as far as
limitations go.

Cheers,

Kevin


> 
> > What I'm getting at is, is a captive portal necessary or can a person
> > simply have client authentication via freeradius and the client network
> > card handle managing its own bandwidth?  And if so, is there any
> > possibility that the client computer could be modified by someone with a
> > bit of skill to bypass those controls?
> 
>   No.
> 
>   Alan DeKok.