[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Help-gnu-radius] ARAP Support and How To?
From: |
Gerald |
Subject: |
Re: [Help-gnu-radius] ARAP Support and How To? |
Date: |
Fri, 19 Nov 2004 12:43:12 -0500 (EST) |
On Thu, 18 Nov 2004, Cian Phillips wrote:
> I set up GNU radius on a freeBSD box with some really simple
Two good choices. :-)
> enable the Apple Remote Access Protocol stuff. There are attribute
> definitions in dict/standard but I have no idea how to use them.
Yikes. A quick look at the ARAP documentation and it seems like it's
not for the faint of heart. You may wind up writing more code than you
anticipated to make gnu-radius support it. Just grepping through the
source code and CVS logs I don't see where any ARAP code has been added
to gnu-radius. The dictionary just has the attributes in it already.
> I can connect both locally and remotely using radauth and I can see
> the messages in the logs.. (they say authentication succeeded but I
> guess the ARAP client is looking for a challenge response?
Actually your config is giving you the false sense that you are actually
doing ARAP. More on that in a second.
> I'm guessing I have to add some ARAP stuff to the clients file????
I'd guess the ARAP support in gnu-radius stops at the entries in the
dictionaries and that if it required code change it isn't supported
yet. If you were fluent in guild you can write a module to handle the
information you need to make it work, but I can't offer examples.
> <feeling really dense>
Don't. ARAP is an extension of RADIUS and therefore a little more
complicated to set up. Add to that I don't think there is any code in
gnu-radius that actually supports ARAP and it just won't work with
gnu-radius.
> DEFAULT Auth-Type = Accept,
> Simultaneous-Use = 10
> Service-Type = Framed-User,
> Framed-Protocol = PPP
Here is the part of your config misleading you. You've told gnu-radius
to Accept anything. Any request that comes in with Service-Type
of Framed-User &/or Framed-Protocol PPP will match this entry and
gnu-radius will fire off an Access-Accept message. This isn't actually
authenticating a user. This is also an extremely insecure setup since
basically any request that comes in to this radius server will be
allowed.
The NAS is talking to RADIUS and RADIUS is firing off accept messages
but what I've read of ARAP there is more to the process than just
Accepting and I don't think the code is there to support the Dictionary
entries.
I also think you are the first to ask about ARAP (in gnu-radius at least).
Gerald