chilli features...
sophana
sophana at zizi.ath.cx
Sun Feb 10 22:33:38 UTC 2008
I think the reply message is not a very good idea. As david say, it WILL
be shown to the user. That's it.
Having an unknown attribute in a message does not bother anyone, as it
will simply be ignored by all software that don't know about it.
JB a écrit :
>
> Counterquestion: Why would an administrator or developer
> activate/implement the "chilli:drop" response, although there is no
> Chilli in use at all? I still think that Reply-Message would perfectly
> suit our needs, but don't get me wrong: While I also think that RFC
> compliance is very important, if having this feature in one of the
> next releases means to add a CoovaChilli VSA, that's fine with me.
>
> Just let me know if I can be of any assistance.
>
> JB
>
>
> wlan at mac.com (10.02.2008):
>
>> Admittedly, it wouldn't be the first time I've gone outside the scope
>> of the noted RFCs for vendor specific features. While I agree RFC
>> compliance is important and should be maintained as much as possible,
>> I also believe RADIUS is now being used for more than it was intended
>> and bending the rules are sometimes necessary. My opinion is that
>> it's better to interoperate with RFC compliant vendors rather than
>> being RFC compliant yourself. Meaning, if a non-chilli RADIUS client
>> got an Access-Reject with a Chilli VSA, I doubt it would care much.
>> But, if given an Access-Reject with reply-message "chilli:drop",
>> it'll likely show this message to the user. What is better, changing
>> the meaning of an attribute for a feature or extending RADIUS (which
>> was designed to be extendable)? I suppose the right answer is to
>> raise these issues in the working group, which could happen, but that
>> doesn't mean it can't be tried and tested first.
>>
>> That notwithstanding, one could argue the extra VSA fits into the RFC
>> 5080 clause:
>>
>> Attributes within an Access-Reject are
>> restricted to those necessary to route the message (e.g., Proxy-
>> State), attributes providing the user with an indication that access
>> has been denied (e.g., an EAP-Message attribute containing an EAP-
>> Failure), or attributes conveying an error message (e.g., a Reply-
>> Message or Error-Cause attribute).
>>
>> Ok, not really, but maybe a little.
>>
>> David
>>
>> On Feb 10, 2008, at 9:44 AM, JB wrote:
>>
>>> Hi,
>>>
>>> you're welcome.
>>>
>>> I guess using a chilli VSA would break the RADIUS RFCs, which say
>>> that only very few attributes are allowed in an Access-Reject
>>> response ([1] and [2]). Reply-Message is one of them.
>>>
>>> You're right, having an optional parameter like "droptimeout" is
>>> probably a good idea. Not sending a "normal" Access-Reject (with an
>>> explanatory message) means that nothing good came from this MAC
>>> address. Administrators may like to block them for a longer period
>>> than the normal session/dhcp/idle timeouts without increasing the
>>> load of the RADIUS server or its database backend.
>>>
>>> Just let me know if I can help testing this feature.
>>>
>>> JB
>>>
>>> [1] http://rfc.net/rfc2865.html#p20
>>> [2] http://rfc.net/rfc5080.html#s2.6.1.
>>>
>>>
>>> wlan at mac.com (10.02.2008):
>>>
>>>> Hi, and thanks for your feedback.
>>>>
>>>> I have been working with the feature, but it still needs more
>>>> testing before I put it in the wild.
>>>>
>>>> Your suggestion for using the Reply-Message is a good one. Though,
>>>> might as well use a different attribute; probably a new chilli VSA.
>>>>
>>>> 'Sessions' are maintained in chilli, subject to various timeouts
>>>> for dhcp lease, idle timeout, etc. So, sessions (or 'connections',
>>>> as referred to in the code) are handled the same way - keyed on the
>>>> client's MAC address. When a session is in drop state, of course,
>>>> all packets are immediately dropped until the session gets cleared.
>>>> Perhaps it would be an idea to set a specific time period for this
>>>> state.
>>>>
>>>> David
>>>>
>>>> On Feb 9, 2008, at 8:08 PM, JB wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I just stumbled across this idea for a new feature for CoovaChilli:
>>>>>
>>>>> wlan at mac.com wrote:
>>>>>> Right now, when you use MAC authentication, if an access-reject
>>>>>> is returned, the user will still get assigned an IP address and
>>>>>> will then be given the captive portal. This is good as a way to
>>>>>> have certain devices bypass the captive portal. But, it would
>>>>>> also be nice to use MAC authentication as a way to manage blocked
>>>>>> devices. I'm considering an option which will have chilli drop
>>>>>> all traffic from clients that get an access-reject during mac
>>>>>> authentication. When clients are in the 'drop' state, all traffic
>>>>>> from them is ignored.
>>>>>
>>>>>
>>>>> I think that would be a great feature! Or has this been already
>>>>> implemented? If not, here are my two cents:
>>>>>
>>>>> Why not (mis)use the Reply-Message attribute from RADIUS to
>>>>> achieve this? If the value of Reply-Message is a certain "code",
>>>>> like "chilli:drop", then Chilli knows it should ignore all further
>>>>> requests from this MAC address. Basically, there would be three
>>>>> ways to handle a response from an Access-Request request (apart
>>>>> from errors or the like):
>>>>>
>>>>> Access-Accept -> UAM "success"
>>>>> Access-Reject and Reply-Message is not "chilli:drop" -> UAM "failed"
>>>>> Access-Reject and Reply-Message is "chilli:drop" -> Drop request(s)
>>>>>
>>>>> This way, we would neither break the current behaviour nor the
>>>>> RFCs. No need to turn this feature on or off in chilli because the
>>>>> logic (maybe along with black-/white-lists) resides in the RADIUS
>>>>> server.
>>>>>
>>>>> Would there still be some sort of session handling? How long would
>>>>> chilli drop requests until it "asks" RADIUS again?
>>>>>
>>>>> JB
>>>>>
>>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: chilli-unsubscribe at coova.org
> For additional commands, e-mail: chilli-help at coova.org
> Wiki: http://coova.org/wiki/index.php/CoovaChilli
> Forum: http://coova.org/phpBB3/viewforum.php?f=4
>
>
More information about the Chilli
mailing list