43 Messages

 • 

688 Points

Tue, Mar 4, 2014 9:10 AM

Client authentication state

Hi,

I want to know if a user is authenticated or not. It seems it is not possible via SNMP (I asked it before in this forum and I have had no response) as there is no OID. I am wondering if it would be possible by requesting it through the northbound interface. Has someone tried it?

Regards
Alberto.

Responses

368 Messages

 • 

5.6K Points

7 years ago

I doubt you'll get that via SNMP. It doesn't even make much sense to be able to get it that way. You can get that via syslog.

43 Messages

 • 

688 Points

7 years ago

Thanks,

Why not? With other vendors SNMP is one way.

Via syslog I am getting joins/disconnects but it is not the real authentication state. It would be easy to ask ZD the status instead of tracking it.

Regards
Alberto.

368 Messages

 • 

5.6K Points

7 years ago

Ah, OK. Misread your post a bit. I guess it makes some sense, but still not a whole lot.

I'd be interested in knowing why the state is important to you?

43 Messages

 • 

688 Points

7 years ago

I use FreeRADIUS to authenticate users and I have configured a unique session per user (Simultaneous-Use := 1). FreeRADIUS has its own variable to handle who is authenticated (or you can use a database, of course). But what happens? In some cases there is an inconsistency between what RADIUS thinks and the reality. For example, in some cases the user could be disconnected and the RADIUS server restart at the same time, so I have sticky sessions because RADIUS thinks the user is authenticated but he is not, so it keeps trying to log in until the RADIUS memory is cleaned. So, the only way to keep consistency is asking ZD the real state of the client.

368 Messages

 • 

5.6K Points

7 years ago

Which EAP method are you using?

43 Messages

 • 

688 Points

7 years ago

EAP-PEAP / EAP-TTLS. Why? Are you thinking about something?

368 Messages

 • 

5.6K Points

7 years ago

I'm just thinking you've got a strange problem. I'm actually not that involved in RADIUS but the whole idea is to basically derive keys. When those keys are made they are passed to the STA and some APs. So as long as those keys are valid the STA should be able to handshake and associate. What I don't know however is how restarting your FR affects clients and why what you say would affect them. So I'm actually thinking that this is something that can be solved within FR not Ruckus.

43 Messages

 • 

688 Points

7 years ago

Well, this inconsistency between FreeRADIUS and controllers is known. One workaround valid for other vendors is asking via SNMP (or even CLI commands) the state of the client. This is done by running a script called checkrad.pl (http://www.opensource.apple.com/sourc...) but I can't fit it to Ruckus because I have no method to get the auth state.
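
The sticky-session problem and the checkrad-style workaround described in the posts above, as an added example that is not part of the thread and not FreeRADIUS or Ruckus code. `SessionTable`, the `probe` callback and the sample events are hypothetical; the probe stands in for whatever query (SNMP, CLI) a given NAS supports, which the thread says is not available for Ruckus.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Hypothetical probe: (nas_ip, session_id) -> True if the NAS still has the session.
NasProbe = Callable[[str, str], bool]

@dataclass
class SessionTable:
    """Server-side record of open sessions, consulted for Simultaneous-Use."""
    limit: int = 1
    sessions: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def accounting(self, status: str, user: str, session_id: str, nas_ip: str) -> None:
        entries = self.sessions.setdefault(user, {})
        if status == "Start":
            entries[session_id] = nas_ip
        elif status == "Stop":
            entries.pop(session_id, None)

    def authorize(self, user: str, probe: Optional[NasProbe] = None) -> bool:
        entries = self.sessions.get(user, {})
        if len(entries) < self.limit:
            return True
        if probe is None:
            return False  # table is trusted blindly: a stale entry blocks the user
        # Limit reached: verify each recorded session against the NAS, drop dead ones.
        for session_id, nas_ip in list(entries.items()):
            if not probe(nas_ip, session_id):
                del entries[session_id]
        return len(entries) < self.limit

def demo() -> dict:
    # Constructed events: the Stop for session "s1" never arrives (server restarting).
    events = [("Start", "alice", "s1", "192.0.2.10")]
    live_on_nas: set = set()  # constructed NAS state: alice has already disconnected

    blind = SessionTable()
    checked = SessionTable()
    for ev in events:
        blind.accounting(*ev)
        checked.accounting(*ev)

    probe = lambda nas_ip, sid: (nas_ip, sid) in live_on_nas
    return {
        "without_probe": blind.authorize("alice"),        # sticky session: rejected
        "with_probe": checked.authorize("alice", probe),  # stale entry cleared: accepted
        "stale_left": len(checked.sessions["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```

The probe is only consulted once the limit is reached, so a healthy login costs no extra NAS query.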

368 Messages

 • 

5.6K Points

7 years ago

That's all news to me. Thanks for explaining.

43 Messages

 • 

688 Points

7 years ago

You are welcome. If you have any questions, don't hesitate to ask me. Don't you use 802.1x authentication for your clients? I think it is not so common in an enterprise heterogeneous environment with mobile clients (smartphones, tablets, laptops ...) but for the WISP side, it is the best choice if the CPE has capabilities.