Re: (RADIATOR) Orinoco AP-500/1000 MAC auth problem

2002-09-24 Thread Karl Gaissmaier

Hello,

...
I don't need these Reply Attributes, really. Are you really sure this
is needed in your environment? If this is the truth, perhaps we should
talk about Firmware versions, but since AP500 V.3.83 it was really not
necessary to spend reply attributes here in my environment, just empty
Access Accept packets.

 
 
 My AP-500 has V3.95. Since the AP serves more than just one wireless
 device, it seems reasonable that AP needs to know which MAC address
 username the RADIUS is granting the access. NAS-IP-address I know for sure
 is necessary in my case since the AP is behind a firewall, and the
 AP request (on behalf of the wireless device) is NATed and sent through a
 router to the RADIUS in another network. The inbound message from the
 RADIUS to the router certainly has to provide NAS-IP-address information
 for the router to know which device behind the firewall should pick up
 (without a broadcast through the entire subnet).

First, I'm also running a lot of AP-500s with Firmware v.3.95 and MAC
address based authorization, handled by a radius server (radiator)
with more than 400 wireless users at the moment, still growing very fast.

The AP sends an access-request with the following attributes to the 
radius server:

###
Code:   Access-Request
Identifier: 134
Authentic:  1641831461358r20628Q9154195169225Y
Attributes:
 NAS-IP-Address = 212.17.1.7
 User-Name = 00022d-0eaae0
 User-Password = G`173'192242!147:1371750n0182


Code:   Access-Accept
Identifier: 134
Authentic:  1641831461358r20628Q9154195169225Y
Attributes:
###

the radius server checks in my configuration just the User-Name, and
this is in this context the MAC-addr in the format xx-xx.

The password sent by the AP is just the shared secret between the
AP and the radius server, you have no user based passwords without 802.1X.

  My AP-500 has V3.95. Since the AP serves more than just one wireless
  device, it seems reasonable that AP needs to know which MAC address

The NAS already knows the MAC address, because it sends the
Access-Request with the Identifier (e.g. 134, see the example above); the
Access-Accept has this same Identifier and then the NAS knows the
accepted MAC.

  username the RADIUS is granting the access. NAS-IP-address I know for sure
  is necessary in my case since the AP is behind a firewall, and the
  AP request (on behalf of the wireless device) is NATed and sent through a
  router to the RADIUS in another network. The inbound message from the
  RADIUS to the router certainly has to provide NAS-IP-address information
  for the router to know which device behind the firewall should pick up
  (without a broadcast through the entire subnet).

Do you really believe your NAT Router is able to decode the radius
Accept packet, gaining the Radius Attribute NAS-IP-address and then
sending this to the proper target? Please tell me the vendor and model
of this wonderful device.

No, normally this is done by a state table (IP addrs, protocol and ports)
so the NAT router knows where to send the answer packets. I'm quite
sure this is also the case in your environment.

Regards
Charly

P.S. please send us a snippet of your config and your users file for MAC 
based WLAN authentication

-- 
Karl Gaissmaier Computing Center,University of Ulm,Germany
Email:[EMAIL PROTECTED] Network Administration
Tel.: ++49 731 50-22499

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
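
The request/reply matching described in the message above, as an added example (not code from the thread or from Radiator): per RFC 2865 the AP hides User-Password with MD5 keyed by the shared secret and the Request Authenticator, and takes an Access-Accept only if its Identifier matches an outstanding request and its Response Authenticator verifies, so an accept without attributes is sufficient. The shared secret and all function names are constructed; Identifier, NAS-IP-Address and User-Name are the values from the dump.

```python
import hashlib, hmac, os, struct

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def access_request(ident, req_auth, nas_ip, mac, secret):
    attrs = (attr(4, bytes(int(o) for o in nas_ip.split(".")))    # NAS-IP-Address
             + attr(1, mac.encode())                               # User-Name = MAC
             + attr(2, hide_password(secret, secret, req_auth)))   # password = shared secret
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def access_accept(ident, req_auth, secret, attrs=b""):
    """Server side: an Access-Accept that may carry no attributes at all."""
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def match_reply(reply, pending, secret):
    """NAS side: return the MAC this reply accepts, or None if it must be dropped."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident not in pending:
        return None
    mac, req_auth = pending[ident]
    expect = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if code != 2 or not hmac.compare_digest(expect, reply[4:20]):
        return None
    return mac

def demo(secret=b"constructed-secret"):   # constructed secret, not from the thread
    req_auth = os.urandom(16)
    pending = {134: ("00022d-0eaae0", req_auth)}   # Identifier -> outstanding request
    req = access_request(134, req_auth, "212.17.1.7", "00022d-0eaae0", secret)
    good = match_reply(access_accept(134, req_auth, secret), pending, secret)
    bad = match_reply(access_accept(134, req_auth, b"other-secret"), pending, secret)
    return req, good, bad

if __name__ == "__main__":
    print(demo()[1:])
```
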



(RADIATOR) Loadbalance

2002-09-24 Thread rcortez

hi hugh,

 in our setup having 2 radius server (with 2 instance of radiator 
running on each machine) and 1 oracle server. will there be an 
advantage if we are going to use radiator loadbalancing if our ras port 
grows from the current 1,500 ports to 5,000 ports? d oracle database is 
hosting both prepaid and post paid system with peak and off-peak rating 
and with credit limit on postpaid customers. all dial-up are terminated 
through L2TP. our radius servers are idle most of the time. the highest 
utilization that we are getting during peak hour is from 15% to 20% 
only. will the radius capacity increase if we add 2 more instance of 
radiator on the radius server (having a total of 4 instance per 
server). one of the 4 instances will be configured as proxy 
(loadbalancer to the 3 remaining instance of radius). do you have a 
reference site that uses loadbalancing feature of radiator?

thank you  






Re: (RADIATOR) Loadbalance

2002-09-24 Thread Hugh Irvine


Hello Ray -

I don't think using loadbalancing in the way you describe will gain you 
anything.

You would probably do better running two instances of Radiator, one to 
process authentication requests and the other to process accounting 
requests. This tends to work better, because there are twice as many 
accounting requests as authentication requests (start and stop for 
every access). There is usually more overhead involved in processing 
accounting requests as well, but if it is in a separate process, it 
doesn't get in the way of the authentication requests.

The loadbalancing is really designed to spread requests across separate 
machines, which of course you should have in any case.

regards

Hugh


On Wednesday, September 25, 2002, at 11:40 AM, [EMAIL PROTECTED] 
wrote:

 hi hugh,

  in our setup having 2 radius server (with 2 instance of radiator
 running on each machine) and 1 oracle server. will there be an
 advantage if we are going to use radiator loadbalancing if our ras port
 grows from the current 1,500 ports to 5,000 ports? d oracle database is
 hosting both prepaid and post paid system with peak and off-peak rating
 and with credit limit on postpaid customers. all dial-up are terminated
 through L2TP. our radius servers are idle most of the time. the highest
 utilization that we are getting during peak hour is from 15% to 20%
 only. will the radius capacity increase if we add 2 more instance of
 radiator on the radius server (having a total of 4 instance per
 server). one of the 4 instances will be configured as proxy
 (loadbalancer to the 3 remaining instance of radius). do you have a
 reference site that uses loadbalancing feature of radiator?

 thank you






-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.




Re: (RADIATOR) Loadbalance

2002-09-24 Thread rcortez


hi hugh,

   does this mean if we ever encounter performance problem
(i.e. slow auth, lost stop records) we need to separate the 
authentication from accounting. and acquire additional radius 
server to handle accounting packets. and may be, add a load balancing
server (radiator) to spread the work among 3 servers?

thanks,
ray
- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
Date: Wednesday, September 25, 2002 10:07 am
Subject: Re: (RADIATOR) Loadbalance

 
 Hello Ray -

 I don't think using loadbalancing in the way you describe will gain
 you anything.

 You would probably do better running two instances of Radiator, one
 to process authentication requests and the other to process
 accounting requests. This tends to work better, because there are
 twice as many accounting requests as authentication requests (start
 and stop for every access). There is usually more overhead involved
 in processing accounting requests as well, but if it is in a separate
 process, it doesn't get in the way of the authentication requests.

 The loadbalancing is really designed to spread requests across
 separate machines, which of course you should have in any case.

 regards

 Hugh


 On Wednesday, September 25, 2002, at 11:40 AM, [EMAIL PROTECTED]
 wrote:

  hi hugh,

   in our setup having 2 radius server (with 2 instance of radiator
  running on each machine) and 1 oracle server. will there be an
  advantage if we are going to use radiator loadbalancing if our ras port
  grows from the current 1,500 ports to 5,000 ports? d oracle database is
  hosting both prepaid and post paid system with peak and off-peak rating
  and with credit limit on postpaid customers. all dial-up are terminated
  through L2TP. our radius servers are idle most of the time. the highest
  utilization that we are getting during peak hour is from 15% to 20%
  only. will the radius capacity increase if we add 2 more instance of
  radiator on the radius server (having a total of 4 instance per
  server). one of the 4 instances will be configured as proxy
  (loadbalancer to the 3 remaining instance of radius). do you have a
  reference site that uses loadbalancing feature of radiator?

  thank you
 
 
 