Re: [Openvpn-devel] Re: Re: Radius support (Authentification, Authorization and Accounting)

Fri, 03 Jun 2005 13:03:53 -0700 

On Fri, 3 Jun 2005, Ralf [UTF-8] Lübben wrote:

> Hello,
> 
> I have again two questions about the counter for the bytes send and
> received:
> 
> What is the datatype of the counters? 
> Radius only knows 32-bit unsingned integers.

Right now the counters are 32 bits, but they may be expanded to 64 bits in 
the future.

> Which traffic is counted?
> Is only the real payload counted without the encryption overhead?
> What about the keepalive packets? 
> I see there is always a little bit of traffic.
> Is it possible to count only the real payload or must I subtract the other
> bytes from the counters in the plugin?

OpenVPN internally keeps track of most of these, but right now only the 
total number of bytes sent over the TCP or UDP socket (including 
encryption overhead, keepalives, etc.) is included.

James


> James Yonan wrote:
> 
> > On Tue, 17 May 2005, Torge Szczepanek wrote:
> > 
> >> Am Dienstag, den 17.05.2005, 15:20 +0400 schrieb Ralf Lübben:
> >> 
> >> > I want to send following attribute:
> >> > Username
> >> > Password
> >> > NAS-Port = number of the tun interface
> >> 
> >> This is bad, since you must send a unique identifier to the Radius
> >> Server for every connected client if I understand this correctly.
> >> 
> >> The Radius servers decides based on a unique NAS-IP-Address:NAS-Port
> >> pair which IP-Addresse should be handed out to the client and which is
> >> in use.
> >> 
> >> Example:
> >> 
> >> NAS:XXX.XXX.XXX.40 port:0x0 - ipaddr:YYY.YYY.76.YYY active:1 cli:0 num:1
> >> NAS:XXX.XXX.XXX.40 port:0x1 - ipaddr:YYY.YYY.75.YYY active:1 cli:0 num:1
> >> [...]
> >> NAS:XXX.XXX.XXX.40 port:0x10 - ipaddr:YYY.YYY.76.YYY active:1 cli:0
> >> num:1
> >> NAS:XXX.XXX.XXX.40 port:0x11 - ipaddr:YYY.YYY.78.YYY active:1 cli:0
> >> num:1
> >> NAS:XXX.XXX.XXX.40 port:0x12 - ipaddr:YYY.YYY.72.YYY active:1 cli:0
> >> num:1
> >> NAS:XXX.XXX.XXX.40 port:0x13 - ipaddr:YYY.YYY.73.YYY active:1 cli:0
> >> num:1
> >> [...]
> >> NAS:XXX.XXX.XXX.40 port:0x100 - ipaddr:YYY.YYY.78.YYY active:0 cli:0
> >> num:0
> >> NAS:XXX.XXX.XXX.40 port:0x103 - ipaddr:YYY.YYY.77.YYY active:0 cli:0
> >> num:0
> >> 
> >> Since the tun interface is the same for every connected client connected
> >> to the same openvpn process, this will not work. One might correct me,
> >> if I am wrong on this.
> >> 
> >> So at the moment one has to generate a unique client id (NAS-Port) for
> >> every connected user. This should be done in a way that the first client
> >> gets the id (NAS-Port) 0 assigned. The next one the id 1 and so on. On
> >> disconnect the id should be reused.
> >> 
> >> For example:
> >> 
> >> client 1 connects, gets id 0
> >> client 2 connects, gets id 1
> >> client 3 connects, gets id 2
> >> client 4 connects, gets id 3
> >> client 2 disconnects, releases id 1
> >> client 3 disconnects, releases id 2
> >> client 5 connects, gets id 1
> >> client 6 connects, gets id 2
> >> [...]
> >> 
> >> 
> >> I wondered whether it is possible to have a seperate tunx interface for
> >> each connected client. That would solve the problem and mimic the
> >> behaviour of ppp Connections, where you have a seperated ppp Interface
> >> for each connected client.
> >> Is this easy possible or would that mean to rewrite most parts of
> >> OpenVPN?
> > 
> > It's more like the opposite:  1.x supported a specific tunx interface and
> > port for each client.  2.0 was rewritten to allow all clients to share a
> > single tun/tap interface and TCP/UDP port.  The 2.0 approach tends to be
> > preferred because it scales better and is easier to manage.
> > 
> > James
> > 
> > 
> > -------------------------------------------------------
> > This SF.Net email is sponsored by Oracle Space Sweepstakes
> > Want to be the first software developer in space?
> > Enter now for the Oracle Space Sweepstakes!
> > http://ads.osdn.com/?ad_idt12&alloc_id344&opclick
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by: NEC IT Guy Games.  How far can you shotput
> a projector? How fast can you ride your desk chair down the office luge track?
> If you want to score the big prize, get to know the little guy.  
> Play to win an NEC 61" plasma display: http://www.necitguy.com/?r=20
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>

Reply via email to