Microsoft SoH Support
Phil Mayers
p.mayers at imperial.ac.uk
Mon Oct 11 13:37:21 CEST 2010

On 09/10/10 15:01, Garber, Neal wrote:
>> Thanks to a lot of work by Phil Mayers, the server now has support for
>> Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.
>
> Wow! That *must* have been a lot of work! Thank you Phil.
>
> Does this mean FreeRADIUS can now act as a Health Policy Server?

Yes, though it's not 100%. Specifically the code can challenge clients
for an SoH, and the client will submit it and FreeRadius decode it.
There is not (yet) support for FreeRadius generating and emitting an
SoHR, because I don't have a working example of such, and decoding the
MS-SOH spec is REALLY REALLY hard without at least some working data to
compare to the awful spec language!

It's fairly useful though - you can enable it, and SoH-enabled clients
will submit info like:

[peap] Processing SoH request
  SoH-Supported = yes
  SoH-MS-Machine-OS-vendor = Microsoft
  SoH-MS-Machine-OS-version = 5
  SoH-MS-Machine-OS-release = 1
  SoH-MS-Machine-OS-build = 2600
  SoH-MS-Machine-SP-version = 3
  SoH-MS-Machine-SP-release = 0
  SoH-MS-Machine-Processor = x86
  SoH-MS-Machine-Name = "machine.test.ic.ac.uk"
  SoH-MS-Correlation-Id = 0x...
  SoH-MS-Machine-Role = client
  SoH-MS-Windows-Health-Status = "firewall error down"
  SoH-MS-Windows-Health-Status = "antivirus error down"
  SoH-MS-Windows-Health-Status = "auto-updates warn service-down"
  SoH-MS-Windows-Health-Status = "security-updates ok all-installed"
  FreeRADIUS-Proxied-To = 127.0.0.1
  User-Name = "host/machine.test.ic.ac.uk"

This can be punted to a virtual server, and you can assign a vlan or
reject authentication etc.

I've tested it with WinXP SP3, Vista and Win7. There is one compile fix
needed which must have snuck through (attached).
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: soh-compile-fix.patch
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20101011/b9cd895b/attachment.ksh>
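
The following is an added example, not part of the original message and not FreeRADIUS code: a Python sketch that parses an attribute list in the format shown above and turns the repeated SoH-MS-Windows-Health-Status values into a posture decision. It assumes each status value reads "component state detail", as in the sample output; the decision labels and the required-component list are hypothetical, and mapping a decision to a VLAN or a reject is left to local policy.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the attribute list shown in the message.
SAMPLE = '''\
[peap] Processing SoH request
  SoH-Supported = yes
  SoH-MS-Machine-Name = "machine.test.ic.ac.uk"
  SoH-MS-Windows-Health-Status = "firewall error down"
  SoH-MS-Windows-Health-Status = "antivirus error down"
  SoH-MS-Windows-Health-Status = "auto-updates warn service-down"
  SoH-MS-Windows-Health-Status = "security-updates ok all-installed"
'''

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')

def parse_attrs(text):
    """Parse 'Name = value' lines into {name: [values]}; attributes may repeat."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:  # lines such as '[peap] Processing SoH request' do not match
            attrs[m.group(1)].append(m.group(2).strip('"'))
    return dict(attrs)

def health(attrs):
    """Map component -> (state, detail); assumes 'component state detail' values."""
    out = {}
    for value in attrs.get("SoH-MS-Windows-Health-Status", []):
        parts = value.split(None, 2)
        if len(parts) >= 2:  # malformed values are skipped, so treated as unreported
            out[parts[0]] = (parts[1], parts[2] if len(parts) > 2 else "")
    return out

def decide(attrs, required=("firewall", "antivirus", "security-updates")):
    """Hypothetical policy: every required component must report 'ok'."""
    if attrs.get("SoH-Supported", ["no"])[-1] != "yes":
        return "no-soh", ["client sent no SoH"]
    h = health(attrs)
    reasons = [
        f"{c}: {h[c][0]} {h[c][1]}".strip() if c in h else f"{c}: not reported"
        for c in required
        if h.get(c, ("missing",))[0] != "ok"
    ]
    return ("quarantine", reasons) if reasons else ("compliant", [])

if __name__ == "__main__":
    print(decide(parse_attrs(SAMPLE)))
```

A component that is required but absent from the SoH is treated as failing, so a client cannot pass by omitting a status value.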