On 09/10/10 15:01, Garber, Neal wrote:
Thanks to a lot of work by Phil Mayers, the server now has support for
Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.

Wow!  That *must* have been a lot of work!  Thank you Phil.

Does this mean FreeRADIUS can now act as a Health Policy Server?

Yes, though it's not 100%. Specifically the code can challenge clients for an SoH, and the client will submit it and FreeRadius will decode it. There is not (yet) support for FreeRadius generating and emitting an SoHR, because I don't have a working example of such, and decoding the MS-SOH spec is REALLY REALLY hard without at least some working data to compare to the awful spec language!

It's fairly useful though - you can enable it, and SoH-enabled clients will submit info like:

[peap] Processing SoH request
        SoH-Supported = yes
        SoH-MS-Machine-OS-vendor = Microsoft
        SoH-MS-Machine-OS-version = 5
        SoH-MS-Machine-OS-release = 1
        SoH-MS-Machine-OS-build = 2600
        SoH-MS-Machine-SP-version = 3
        SoH-MS-Machine-SP-release = 0
        SoH-MS-Machine-Processor = x86
        SoH-MS-Machine-Name = "machine.test.ic.ac.uk"
        SoH-MS-Correlation-Id = 0x...
        SoH-MS-Machine-Role = client
        SoH-MS-Windows-Health-Status = "firewall error down"
        SoH-MS-Windows-Health-Status = "antivirus error down"
        SoH-MS-Windows-Health-Status = "auto-updates warn service-down"
        SoH-MS-Windows-Health-Status = "security-updates ok all-installed"
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "host/machine.test.ic.ac.uk"

This can be punted to a virtual server, and you can assign a vlan or reject authentication etc.

I've tested it with WinXP SP3, Vista and Win7. There is one compile fix needed which must have snuck through (attached).
diff --git a/src/modules/rlm_soh/rlm_soh.c b/src/modules/rlm_soh/rlm_soh.c
index 027e0f6..c5aa1fe 100644
--- a/src/modules/rlm_soh/rlm_soh.c
+++ b/src/modules/rlm_soh/rlm_soh.c
@@ -205,7 +205,7 @@ static int soh_authorize(UNUSED void * instance, REQUEST 
*request)
 
        RDEBUG("SoH radius VP found");
        /* decode it */
-       rv = soh_verify(request->packet->vps, vp->vp_octets, vp->length);
+       rv = soh_verify(request, request->packet->vps, vp->vp_octets, 
vp->length);
 
        return RLM_MODULE_OK;
 }
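Review bot: the value assigned to rv from soh_verify() is never checked; the next statement in the context is an unconditional return RLM_MODULE_OK, so a Statement of Health that fails to decode is indistinguishable from one that decoded cleanly. Since vp->vp_octets is client-supplied data, test rv after the call and return a failure code when decoding fails, or drop the variable if ignoring the result is intended and say so in a comment.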
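The kind of decision a virtual server could make from the attributes shown in the message above, as an added example that is not part of the original message or of FreeRADIUS: it parses an attribute dump in the debug-output form and splits each SoH-MS-Windows-Health-Status value into component, state and detail. The policy (which components are required, the "accept"/"quarantine" outcomes) and all function names are assumptions; the sample input is constructed from the values quoted in the message.

```python
import re

# Constructed sample: attribute lines in the form shown in the debug output.
SAMPLE = """\
SoH-Supported = yes
SoH-MS-Machine-OS-build = 2600
SoH-MS-Machine-Name = "machine.test.ic.ac.uk"
SoH-MS-Windows-Health-Status = "firewall error down"
SoH-MS-Windows-Health-Status = "antivirus error down"
SoH-MS-Windows-Health-Status = "auto-updates warn service-down"
SoH-MS-Windows-Health-Status = "security-updates ok all-installed"
User-Name = "host/machine.test.ic.ac.uk"
"""

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_attrs(text):
    """Return {name: [values]}; attributes such as Health-Status repeat."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:  # lines like "[peap] Processing SoH request" are skipped
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs

def health_findings(attrs):
    """Split each status string into (component, state, detail)."""
    out = []
    for status in attrs.get("SoH-MS-Windows-Health-Status", []):
        parts = status.split(None, 2)
        if len(parts) < 2:
            out.append((status, "unknown", ""))  # malformed: treated as unhealthy
            continue
        out.append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    return out

def decide(attrs, required=("firewall", "antivirus")):
    """Hypothetical policy: ('accept' | 'quarantine', list of reasons)."""
    if attrs.get("SoH-Supported") != ["yes"]:
        return "quarantine", ["no SoH submitted"]
    findings = health_findings(attrs)
    reasons = [f"{c} {s}" for c, s, _ in findings if s not in ("ok", "warn")]
    present = {c for c, _, _ in findings}
    reasons += [f"{c} missing" for c in required if c not in present]
    return ("quarantine" if reasons else "accept"), reasons
```

A required component that the client simply omits counts against it, so a client cannot pass by reporting only its healthy components.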