Hi Guys
Wondered if someone has managed to get WPA Enterprise accounting working with vouchers? What I am trying to achieve is to have a voucher that is used to authenticate the client with the wireless SSID with a time limit. It's better this way as you don't have to have a captive portal (it's a pain with older phones). So essentially when the time limit runs out it boots you off the wifi ;)
The authentication is working fine (enter username and password to join the wireless), but the time limits I have set up in the voucher profiles are not applying. I think it has something to do with the accounting, as in MESHdesk there is no option to enable accounting, only authentication.
Any ideas?
Thanks
You need to set the following RADIUS attributes in the profile for the user:
- Session-Timeout = (time in seconds, e.g. 600)
- Termination-Action = "RADIUS-Request"
If you search for the terms above in your favourite search engine, you'll find a few examples, but it's documented in section 3.17 of RFC 3580.
https://tools.ietf.org/html/rfc3580
Note that this should work with RADIUS-compliant access points. Not all incarnations are full-featured, and I know for a fact that many captive portals (including CoovaChilli) ignore this functionality.
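To check whether the RADIUS server actually sends these two attributes to the AP, the following added example (not part of the original posts) decodes an Access-Accept and reports the time limit it carries, following the attribute layout of RFC 2865 and the Session-Timeout semantics of RFC 3580. The function names and the sample packet built by `build_accept` are constructed for illustration.

```python
import struct

# Codes and attribute numbers from RFC 2865.
ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27      # 32-bit integer, seconds
TERMINATION_ACTION = 29   # 32-bit integer: 0 = Default, 1 = RADIUS-Request

def parse_attributes(packet: bytes) -> dict:
    """Walk the type-length-value attributes that follow the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def session_limit(packet: bytes) -> dict:
    """Summarise what an Access-Accept tells the AP about the time limit."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    def integer(atype):
        values = attrs.get(atype)
        if not values:
            return None
        if len(values[0]) != 4:
            raise ValueError("integer attribute must carry 4 bytes")
        return struct.unpack("!I", values[0])[0]
    timeout, action = integer(SESSION_TIMEOUT), integer(TERMINATION_ACTION)
    if timeout is None:
        effect = "no time limit sent"
    elif action == 1:
        effect = "re-authenticate when the timer expires"
    else:
        effect = "terminate when the timer expires"
    return {"timeout": timeout, "action": action, "effect": effect}

def build_accept(attrs) -> bytes:
    """Constructed sample packet: zeroed authenticator, (type, integer) attributes."""
    body = b"".join(struct.pack("!BBI", t, 6, v) for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body
```

Feed it the raw UDP payload of an Access-Accept taken from a capture on the RADIUS server; a result of "no time limit sent" means the voucher profile's attributes never reached the AP.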
Oh, and on the accounting part of your question: you are aware that the captive portal login is a one-time thing if you choose to associate the user's MAC address with their permanent login, right?
That bit aside, if you're controlling the AP through MESHdesk and want AP-based RADIUS accounting, you may need to manually hack RADIUSdesk/MESHdesk into adding the /etc/config/wireless settings for accounting.
You'll need to amend /usr/share/nginx/html/cake2/rd_cake/Controller/NodesController.php by adding lines for "acct_server" and "acct_secret" wherever you find "auth_server". If you don't know the OpenWRT configuration parameters, refer to this: http://wiki.openwrt.org/doc/uci/wireless.
Also remember that you can still achieve what you want to do with a captive portal: CoovaChilli supports a sort of 802.1X portal "pre-auth" by configuring your RADIUS-compliant AP to authenticate through the CoovaChilli RADIUS proxy. You'll need to configure HS_RADPROXY_* in /etc/chilli/config (use /etc/chilli/defaults as a guide.)
There are a number of configuration examples around. This is one of them: http://coova.org/node/4170
Finally, on captive portals being a pain with older phones: have you tried doing WPA with EAP-TLS on a Nokia E-71, or perhaps an iMate SPJAS? I'll take a captive portal that prompts me to set it up once any day of the week over doing that on several devices.
Even though I consider the captive portal approach to be better than setting up phone-based 802.1X, my preference for low-touch or no-touch configuration would still be to pre-add the device's MAC address in BYOD manager for that user's permanent account.
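After changing how the wireless settings are generated, the resulting /etc/config/wireless on a node can be checked for interfaces that still authenticate over RADIUS without accounting. This is an added example, not part of the original posts or of RADIUSdesk/MESHdesk; it uses the option names mentioned above, and the function names, sample config, addresses and secrets are constructed placeholders.

```python
import shlex

def parse_uci(text: str) -> list:
    """Parse the 'config' and 'option' lines of a UCI file into sections."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)   # handles quotes and '#' comments
        if not words:
            continue
        if words[0] == "config" and len(words) >= 2:
            name = words[2] if len(words) > 2 else None
            sections.append({"type": words[1], "name": name, "options": {}})
        elif words[0] == "option" and len(words) == 3 and sections:
            sections[-1]["options"][words[1]] = words[2]
    return sections

def missing_accounting(text: str) -> list:
    """List wifi-iface sections that use RADIUS auth but lack accounting options."""
    findings = []
    for section in parse_uci(text):
        opts = section["options"]
        if section["type"] != "wifi-iface" or "auth_server" not in opts:
            continue
        missing = [k for k in ("acct_server", "acct_secret") if k not in opts]
        if missing:
            findings.append((opts.get("ssid", section["name"]), missing))
    return findings

# Constructed sample config; addresses and secrets are placeholders.
SAMPLE = """
config wifi-iface
    option ssid 'vouchers'
    option encryption 'wpa2'
    option auth_server '192.0.2.10'
    option auth_secret 'placeholder-secret'

config wifi-iface
    option ssid 'staff'
    option encryption 'wpa2'
    option auth_server '192.0.2.10'
    option auth_secret 'placeholder-secret'
    option acct_server '192.0.2.10'
    option acct_secret 'placeholder-secret'

config wifi-iface
    option ssid 'guest-psk'
    option encryption 'psk2'
"""
```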