-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 So those of you who have been following our RADIUS saga will be happy to know that with the latest 5.41 build of Steel Belted RADIUS from Funk/Juniper, all of our outstanding issues have gone away. Well, mostly, but the remaining one does not appear to be an SBR problem. Hopefully someone can tell us if we're on the right track.
We have 650+ Cisco IOS APs that all tunnel back to a WLSM. Now, due to a deficiency in the IOS and/or WLSM code, all 802.1X/WPA2 authentication requests are tunneled up from the APs through the WLSM to the RADIUS server, so as far as SBR is concerned, all authentication requests come from the WLSM, but the APs don't send accounting records up through the WLSM, so they send accounting records directly to SBR themselves. The last issue that we were trying to resolve with SBR was that accounting records only logged the outer identity for EAP-PEAP (and probably EAP-TTLS as well, but we're running PEAP), not the inner identity. SBR 5.41 includes a "FullName" attribute in accounting records, though, that has the inner identity. The problem manifests itself in that we are getting a ton of accounting records that have "Unknown" in the FullName field. I haven't done a conclusive correlation, but those records appear to be generated when a client roams from one AP to another. I am not exhaustively familiar with the 802.11 spec, but based on my knowledge of how things work, it seems to me that under the WLSM arrangement that we have, the inner identity will only be known on first authentication. When I roam to another AP, I don't have to go through a full reauthentication because again as far as SBR is concerned, my authentication came from the WLSM, not the AP. So the AP that I roam to is only going to send an accounting packet that SBR isn't going to know to associate with my inner identity, and thus "Unknown" gets logged in the accounting packet for the inner identity. The outer identity gets properly logged because the AP can see that just fine. Does it sound like I'm on the right track here? What we're planning on doing is starting to log both the FullName (inner) and User-Name (outer) attributes. At least in this case we have a chance of tracing a MAC address back to an accounting record that has an actual valid username associated with it. We're only seeing these unknown records from a little over 10% of our APs, and some of them are generating thousands of the records, so longer-term, of course, we need to exercise some better RF management so that users don't roam as often. But that's another exercise for another day. For now, I just need to see if my reasoning is sound. Thanks!!! -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.6 (Build 6060) Comment: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html> iQA/AwUBRQ9Mdg5UB5zJHgFjEQKybgCg6wFLCHWjmsco1RnHjJ0BMLPZqtAAn0fe JMB1v61lQ4KbfLP135Mp9TlG =EjiY -----END PGP SIGNATURE----- -- Julian Y. Koh <mailto:[EMAIL PROTECTED]> Network Engineer <phone:847-467-5780> Telecommunications and Network Services Northwestern University PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.