Reauthenticate Every minute
Timothy White
timwhite88 at gmail.com
Fri Mar 30 03:40:54 CEST 2012
On Mon, Mar 26, 2012 at 6:03 AM, Mutheu <mutheu at lavabit.com> wrote:
<snip>
>
> pfsense/Monowall have 'reauthentication' feature and contrary to what many people think, the user is only presented the login screen once and the NAS 'remembers' the info and each minute, it resends the info to freeradius until radius gives "access-reject". So I can "sell" to the client so long as he has balance. A user who started with 30mins (session-timeout) may end up using internet for less than 10mins or so if he 'bought' items.
>
> I hope this sheds light.
This makes sense Mutheu. I investigated a similar system and didn't
continue due to complexity (and it didn't solve the problem cleanly we
wanted to solve). We use the coaport in Coova Chilli (Change of
Authorisation) which allows the radius server to send authentication
changes to the user's session, i.e. reducing the user's allowed time.
The problem at the time was that it became difficult to recalculate
all the details for the user when there were multiple active sessions.
Having said that, it is possible to make it work, just not as nicely.
Part of the issue is having to reissue all the attributes for the
session, not just the changed ones; if you could just issue the
changes or the changed attributes, it would be great. Imagine your
"selling" system just sends a -10 minutes to the NAS and the NAS just
subtracts 10 from its session timer. It's something I hope to be
able to do in the future, but maybe we need an extension to the COA
system to make it more usable.
The reason the Coova Chilli system can't "reauthenticate" is that it
never has the password in plain text, the login system does the CHAP
challenge/response in javascript, then transmits the CHAP response, so
Coova Chilli only gets the CHAP response, and can't "replay" the login
to reauthenticate. It's a security feature. The correct way to do it,
is the COA system, it's just not elegant yet.
Tim
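As an added illustration of the CoA exchange Tim describes (not code from the thread, Coova Chilli or FreeRADIUS), the following builds an RFC 5176 CoA-Request that re-issues the session's identifying attributes together with a new Session-Timeout, and checks the authenticators on both sides. The shared secret, user name and session id are constructed values for the example.

```python
import hashlib
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 5176
CODE_COA_REQUEST, CODE_COA_ACK = 43, 44
ATTR_USER_NAME, ATTR_SESSION_TIMEOUT, ATTR_ACCT_SESSION_ID = 1, 27, 44

def attr(atype, value):
    """Encode one Type-Length-Value attribute (integers are 4-byte big-endian)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_coa_request(identifier, secret, username, session_id, session_timeout):
    """RADIUS server side: CoA-Request setting a new Session-Timeout for one session.
    CoA replaces the session's authorization rather than adjusting it, so the
    attributes that identify the session are sent again next to the new value
    (there is no "subtract 10 minutes" attribute)."""
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_ACCT_SESSION_ID, session_id)
             + attr(ATTR_SESSION_TIMEOUT, session_timeout))
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code|ID|Length|16 zero octets|attributes|secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_coa_request(packet, secret):
    """NAS side: recompute the Request Authenticator before touching the session."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth

def coa_ack(request, secret):
    """NAS side: CoA-ACK whose Response Authenticator binds it to the request."""
    header = struct.pack("!BBH", CODE_COA_ACK, request[1], 20)
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|attributes|secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_coa_ack(request, ack, secret):
    """RADIUS server side: accept the ACK only if it matches this request and secret."""
    expected = hashlib.md5(ack[:4] + request[4:20] + ack[20:] + secret).digest()
    return ack[0] == CODE_COA_ACK and ack[1] == request[1] and ack[4:20] == expected
```

A CoA-NAK (code 45) from the NAS is verified the same way as the ACK; a mismatched authenticator on either side means the packet was not produced by a holder of the shared secret and should be dropped.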