Re: Ippool Or DHCP Server.
> Let me just make sure I'm clear on this idea... Your AP will give out private IP addresses from a DHCP pool (presumably with 802.11x so you get the good WPA-Enterprise security) and then the machine must launch a PPP tunnel (over PPTP/L2TP I presume?) which then authenticates to the RADIUS server (again) to get a real IP address so it can start playing on the network?

Well, it seems to be right, and I also think that this is a hell of a lot of work... Any other way? My situation here is a little different. It is not through Wireless (AP) BUT through a wired switch. A 24 Port 10/100 Switch, wired to the users' clients :)

> That seems like an awful lot of effort, and an attempt to shoehorn two solutions into one (not clearly defined) problem.

The problem is the IP address assignment from RADIUS (ippool or dhcpd, for the best control).

Regards, Thank You
Chan Min Wai

-- 
This message has been scanned for viruses and dangerous content by OCE Sdn Bhd (http://www.ocesb.com.my) MailScanner, and is believed to be clean.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Ippool Or DHCP Server.
Craig Huckabee wrote:
> Paul Hampson wrote:
>> On Wed, Nov 03, 2004 at 07:04:09PM +0800, Chan Min Wai wrote:
>>> I hope that the radius server can talk to the DHCP server and tell the DHCP server what IP address to allocate...
>> Write a script that adds the authenticated client's MAC address and the IP address you've assigned to the DHCP server's config and reloads the DHCP server. It'll also have to get rid of other stanzas for that MAC address/IP address (trusting rlm_ippool to know what IP addresses are free, which means you need to be getting Accounting packets, I expect.)

Woo. That means whenever any user logs in my DHCP server is reloading... WOO, that is a hell of a lot of work, and if there are multiple users logging in at the same time... hehe, my dhcpd server will keep on reloading without doing anything good :(

However I found something like this...
http://www.ietf.org/internet-drafts/draft-ietf-dhc-agentopt-radius-08.txt
Hoping someone will be able to read into it.

>> This assumes rlm_ippool can even work with 802.1x... What does it use for NAS-Port? Put this in an rlm_exec with (wait=1) after your rlm_ippool module. Again, this assumes 802.1x (did I call it 802.11x earlier???) happens before DHCP does. ^_^
> 802.1x turns the physical port on in the case of a wired network, or completes the association of a client to a wireless AP in a wireless setup. The next step is usually your protocol level setup, i.e. getting an IP address. The RADIUS server would normally be out of the loop at the protocol level. You can write a script, or just let the DHCP server give out addresses out of a pool, etc.

Write a script? What kind of script does that? Anywhere to find them? And what kind of script am I looking for?

BTW, all the questions I'm asking are about RADIUS with a wired network (on 10/100 Base-T). And the users I'm looking at are about 100K ~ 500K ;)

Regards, Thank You
Chan Min Wai
Re: Ippool Or DHCP Server.
Paul Hampson wrote:
> On Wed, Nov 03, 2004 at 02:19:21PM +0800, Chan Min Wai wrote:
>> Dana Hudes wrote:
>>> On Wed, 3 Nov 2004, Chan Min Wai wrote:
>>> Go back to the definition of RADIUS: Remote Authentication Dial-In User System. Now think. How do dialup users connect? They use SLIP/PPP. PPP has provision for sending the IP address info for the connection. It is part of the NCP (authentication happens in LCP). Now you are connecting on a WLAN. There is no PPP. So how can the client get an IP address when you set it to 'obtain IP address automatically'? Same as on a wired LAN: BOOTP or DHCP. The 802.11 MAC doesn't get you an IP address.
>> I see. So unless that, this Switch is smart enough to do a PPP connection and only then this IP address will be able to be distributed by the switch to the client.
> No, WLAN has nothing to do with PPP. PPP is the Point to Point Protocol, it is a protocol for talking over lines with two ends and passing layer3 traffic across them. It is a layer 2 protocol. WLAN uses a different layer2 protocol (or protocols?), defined in the 802.11 standards. Well, I guess if someone extended PPPoE to PPPo802.11, then yes? But that would be very very daft...
>> I hope that the radius server can talk to the DHCP server and tell the DHCP server what IP address to allocate... So no other way round to distribute IP addresses (other than using a DHCP server)
> In _theory_ the RADIUS server can send an IP address to the AP to give to the device (via DHCP) but I don't think any do... (Of course, I could be wrong... 802.1x happens before an IP address is assigned, right?) If you need a solution like that, maybe a self-built AP using a WLAN card that lets you use hostAP or similar? Strikes me as a major pain, frankly.
>> My other question is, how do I record what IP I've assigned to them that way?
> Should be in the Accounting-Start packet. If you don't get an Accounting-Start packet (which is quite likely _) then no, no way to record it via RADIUS.
> You _might_ be able to rlm_exec a script to go fetch it from the AP's web-based management interface, but that seems like an awful lot of hard work to me.
Re: Ippool Or DHCP Server.
Chan Min Wai wrote:
> I hope that the radius server can talk to the DHCP server and tell the DHCP server what IP address to allocate...

No. Feel free to implement that, though. I'm sure many people would find it useful.

Alan DeKok.
Re: Ippool Or DHCP Server.
On Wed, 3 Nov 2004, Chan Min Wai wrote:
> So unless that, this Switch is smart enough to do a PPP connection and only then this IP address will be able to be distributed by the switch to the client.

What switch? Made by whom? What model?

> I hope that the radius server can talk to the DHCP server and tell the DHCP server what IP address to allocate...

No, that's not how it's done. DHCP manages its own address pools. The trouble, btw, is that ISC dhcpd does not support the DHCP Authentication protocol. There is therefore no need for it to talk to RADIUS. You are apparently not understanding that freeradius is what we call an AAA server: Authentication, Authorization, and Accounting. That's fine, but freeradius only speaks RADIUS. If you haven't a RADIUS client you don't talk to it. Normally, freeradius talks to a NAS which is the RADIUS client and the NAS talks to the remote user host (normally via PPP). Now, freeradius is supporting wireless but you need to have it talk to something which understands.

> My other question is, how do I record what IP I've assigned to them that way?

It gets logged on the host running freeradius.
Re: Ippool Or DHCP Server.
Dana Hudes wrote:
> On Wed, 3 Nov 2004, Chan Min Wai wrote:
>> So unless that, this Switch is smart enough to do a PPP connection and only then this IP address will be able to be distributed by the switch to the client.
> What switch? Made by whom? What model?

It is a 24 Port 10/100 Switch by D-Link, Model DES-3326S. It does support 802.11x, this switch.

>> I hope that the radius server can talk to the DHCP server and tell the DHCP server what IP address to allocate...
> No, that's not how it's done. DHCP manages its own address pools. The trouble, btw, is that ISC dhcpd does not support the DHCP Authentication protocol. There is therefore no need for it to talk to RADIUS. You are apparently not understanding that freeradius is what we call an AAA server: Authentication, Authorization, and Accounting. That's fine, but freeradius only speaks RADIUS. If you haven't a RADIUS client you don't talk to it. Normally, freeradius talks to a NAS which is the RADIUS client and the NAS talks to the remote user host (normally via PPP). Now, freeradius is supporting wireless but you need to have it talk to something which understands.

I think I understand. And I wonder, what happens if I set up a PPP server one level higher than the switch and let this PPP server talk RADIUS with the freeradius server. Will this PPP server be a bottleneck later? (Obviously that is OT :) ) But I do really hope that the switch knows
Re: Ippool Or DHCP Server.
On Wed, Nov 03, 2004 at 07:04:09PM +0800, Chan Min Wai wrote:
> I hope that the radius server can talk to the DHCP server and tell the DHCP server what IP address to allocate...

Write a script that adds the authenticated client's MAC address and the IP address you've assigned to the DHCP server's config and reloads the DHCP server. It'll also have to get rid of other stanzas for that MAC address/IP address (trusting rlm_ippool to know what IP addresses are free, which means you need to be getting Accounting packets, I expect.)

This assumes rlm_ippool can even work with 802.1x... What does it use for NAS-Port?

Put this in an rlm_exec with (wait=1) after your rlm_ippool module.

Again, this assumes 802.1x (did I call it 802.11x earlier???) happens before DHCP does. ^_^

-- 
Paul TBBle Hampson, on an alternate email client.
Re: Ippool Or DHCP Server.
Paul Hampson wrote:
> On Wed, Nov 03, 2004 at 07:04:09PM +0800, Chan Min Wai wrote:
>> I hope that the radius server can talk to the DHCP server and tell the DHCP server what IP address to allocate...
> Write a script that adds the authenticated client's MAC address and the IP address you've assigned to the DHCP server's config and reloads the DHCP server. It'll also have to get rid of other stanzas for that MAC address/IP address (trusting rlm_ippool to know what IP addresses are free, which means you need to be getting Accounting packets, I expect.)
> This assumes rlm_ippool can even work with 802.1x... What does it use for NAS-Port? Put this in an rlm_exec with (wait=1) after your rlm_ippool module. Again, this assumes 802.1x (did I call it 802.11x earlier???) happens before DHCP does. ^_^

802.1x turns the physical port on in the case of a wired network, or completes the association of a client to a wireless AP in a wireless setup. The next step is usually your protocol level setup, i.e. getting an IP address. The RADIUS server would normally be out of the loop at the protocol level. You can write a script, or just let the DHCP server give out addresses out of a pool, etc.

--Craig
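The "write a script" step that Paul sketches and Craig echoes above, written out as an added example (mine, not FreeRADIUS's code nor any poster's): it reads the client MAC and the rlm_ippool-assigned address from the environment variables rlm_exec exports (the names CALLING_STATION_ID and FRAMED_IP_ADDRESS are assumed here), rewrites a dhcpd include file so there is exactly one stanza per MAC and per IP, and reloads dhcpd. HOSTS_FILE and RELOAD_CMD are placeholders; the strict MAC check matters because Calling-Station-Id is built from a client-supplied MAC and must not be able to smuggle extra directives into dhcpd.conf.

```python
# Constructed rlm_exec helper (added example): pin the rlm_ippool-assigned IP to the
# client's MAC in an ISC dhcpd include file, then reload dhcpd.
import ipaddress
import os
import re
import subprocess
import sys

HOSTS_FILE = "/etc/dhcp/radius-hosts.conf"   # assumed; `include`d from dhcpd.conf, owned by this script
RELOAD_CMD = ["systemctl", "reload", "isc-dhcp-server"]  # assumed; use your dhcpd reload command

# Stanzas exactly in the shape emitted below; anything else in the file is dropped.
STANZA = re.compile(
    r"host\s+\S+\s*\{\s*hardware ethernet\s+([0-9a-f:]{17});\s*"
    r"fixed-address\s+([0-9.]+);\s*\}\s*", re.I)

def normalise_mac(raw):
    """Accept 00-11-22-AA-BB-CC, 0011.22aa.bbcc or 00:11:22:aa:bb:cc and return the
    colon form; reject anything else so a crafted MAC cannot inject dhcpd config."""
    if re.search(r"[^0-9a-fA-F:.\-]", raw):
        raise ValueError("bad MAC: %r" % raw)
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def upsert_stanza(config_text, mac, ip):
    """Drop every stanza holding this MAC *or* this IP, then append a fresh one, so a
    MAC never keeps a stale lease and an IP is never pinned to two MACs at once."""
    mac = normalise_mac(mac)
    ip = str(ipaddress.IPv4Address(ip))          # raises on anything that is not a dotted quad
    kept = [m.group(0) for m in STANZA.finditer(config_text)
            if m.group(1).lower() != mac and m.group(2) != ip]
    kept.append("host h-%s { hardware ethernet %s; fixed-address %s; }\n"
                % (mac.replace(":", ""), mac, ip))
    return "".join(kept)

def main():
    mac = os.environ["CALLING_STATION_ID"]       # exported by rlm_exec from the request
    ip = os.environ["FRAMED_IP_ADDRESS"]         # set by rlm_ippool before rlm_exec runs
    current = open(HOSTS_FILE).read() if os.path.exists(HOSTS_FILE) else ""
    tmp = HOSTS_FILE + ".tmp"
    with open(tmp, "w") as f:
        f.write(upsert_stanza(current, mac, ip))
    os.replace(tmp, HOSTS_FILE)                  # atomic: dhcpd never reads a half-written file
    return subprocess.call(RELOAD_CMD)           # non-zero exit makes rlm_exec (wait=1) fail the request

if __name__ == "__main__":
    sys.exit(main())
```

The same upsert_stanza call, driven from an Accounting-Stop with the stanza only removed, is what keeps the file from growing once sessions end; that part is left to the reader.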
Re: Ippool Or DHCP Server.
On Wed, 3 Nov 2004, Chan Min Wai wrote:
>>> freeradius has assigned the IP, but I don't know how to make the XP supplicant obtain this IP? Any suggestion?
>> You can't assign IP's that way. Use a DHCP server.
>> Alan DeKok.
> ippool cannot assign an IP to the XP supplicant, and Alan suggests using a DHCP server. My question is, what is the use of ippool then? What is the difference? My situation is that I want to assign IP addresses to my clients (which use the XP supplicant) from my switch (working as an 802.11x client).

Go back to the definition of RADIUS: Remote Authentication Dial-In User System. Now think. How do dialup users connect? They use SLIP/PPP. PPP has provision for sending the IP address info for the connection. It is part of the NCP (authentication happens in LCP). Now you are connecting on a WLAN. There is no PPP. So how can the client get an IP address when you set it to 'obtain IP address automatically'? Same as on a wired LAN: BOOTP or DHCP. The 802.11 MAC doesn't get you an IP address.
Re: Ippool Or DHCP Server.
Dana Hudes wrote:
> On Wed, 3 Nov 2004, Chan Min Wai wrote:
> Go back to the definition of RADIUS: Remote Authentication Dial-In User System. Now think. How do dialup users connect? They use SLIP/PPP. PPP has provision for sending the IP address info for the connection. It is part of the NCP (authentication happens in LCP). Now you are connecting on a WLAN. There is no PPP. So how can the client get an IP address when you set it to 'obtain IP address automatically'? Same as on a wired LAN: BOOTP or DHCP. The 802.11 MAC doesn't get you an IP address.

I see. So unless that, this Switch is smart enough to do a PPP connection and only then this IP address will be able to be distributed by the switch to the client.

So no other way round to distribute IP addresses (other than using a DHCP server)?

My other question is, how do I record what IP I've assigned to them that way?

Regards, Thank You
Re: Ippool Or DHCP Server.
On Wed, Nov 03, 2004 at 02:19:21PM +0800, Chan Min Wai wrote:
> Dana Hudes wrote:
>> On Wed, 3 Nov 2004, Chan Min Wai wrote:
>> Go back to the definition of RADIUS: Remote Authentication Dial-In User System. Now think. How do dialup users connect? They use SLIP/PPP. PPP has provision for sending the IP address info for the connection. It is part of the NCP (authentication happens in LCP). Now you are connecting on a WLAN. There is no PPP. So how can the client get an IP address when you set it to 'obtain IP address automatically'? Same as on a wired LAN: BOOTP or DHCP. The 802.11 MAC doesn't get you an IP address.
> I see. So unless that, this Switch is smart enough to do a PPP connection and only then this IP address will be able to be distributed by the switch to the client.

No, WLAN has nothing to do with PPP. PPP is the Point to Point Protocol, it is a protocol for talking over lines with two ends and passing layer3 traffic across them. It is a layer 2 protocol. WLAN uses a different layer2 protocol (or protocols?), defined in the 802.11 standards.

Well, I guess if someone extended PPPoE to PPPo802.11, then yes? But that would be very very daft...

> So no other way round to distribute IP addresses (other than using a DHCP server)?

In _theory_ the RADIUS server can send an IP address to the AP to give to the device (via DHCP) but I don't think any do... (Of course, I could be wrong... 802.1x happens before an IP address is assigned, right?)

If you need a solution like that, maybe a self-built AP using a WLAN card that lets you use hostAP or similar? Strikes me as a major pain, frankly.

> My other question is, how do I record what IP I've assigned to them that way?

Should be in the Accounting-Start packet. If you don't get an Accounting-Start packet (which is quite likely _) then no, no way to record it via RADIUS.

You _might_ be able to rlm_exec a script to go fetch it from the AP's web-based management interface, but that seems like an awful lot of hard work to me.

-- 
Paul TBBle Hampson, on an alternate email client.