Client authentication state

  • Question
  • Updated 4 years ago
Hi,

I want to know if a user is authenticated or not. It seems it is not possible via SNMP (I asked it before in this forum and I have had no response) as there is no OID. I am wondering if it would be possible by requesting it through the northbound interface. Has anyone tried it?

Regards
Alberto.

Alberto de la Cruz

Posted 4 years ago

Primož Marinšek, AlphaDog

I doubt you'll get that via SNMP. It doesn't even make much sense to be able to get it that way. You can get that via syslog.

Alberto de la Cruz

Thanks,

Why not? With other vendors, SNMP is one way.

Via syslog I am getting joins/disconnects, but it is not the real authentication state. It would be easy to ask ZD the status instead of tracking it.

Regards
Alberto.

Primož Marinšek, AlphaDog

Ah, OK. Misread your post a bit. I guess it makes some sense, but still not a whole lot.

I'd be interested in knowing why the state is important to you?

Alberto de la Cruz

I use FreeRADIUS to authenticate users and I have configured a unique session per user (Simultaneous-Use := 1). FreeRADIUS has its own variable to handle who is authenticated (or you can use a database, of course). But what happens? In some cases there is an inconsistency between what RADIUS thinks and the reality. For example, in some cases a user could be disconnected and the RADIUS server restart at the same time, so I have sticky sessions because RADIUS thinks the user is authenticated but he is not, so it keeps trying to log in until the RADIUS memory is cleaned. So, the only way to keep consistency is asking ZD the real state of the client.

Primož Marinšek, AlphaDog

Which EAP method are you using?

Alberto de la Cruz

EAP-PEAP / EAP-TTLS. Why? Are you thinking of something?

Primož Marinšek, AlphaDog

I'm just thinking you've got a strange problem. I'm actually not that involved in RADIUS but the whole idea is to basically derive keys. When those keys are made they are passed to the STA and some APs. So as long as those keys are valid the STA should be able to handshake and associate. What I don't know however is how restarting your FR affects clients and why what you say would affect them. So I'm actually thinking that this is something that can be solved within FR not Ruckus.

Alberto de la Cruz

Well, this inconsistency between FreeRADIUS and controllers is known. One workaround valid for other vendors is asking via SNMP (or even CLI commands) for the state of the client. This is done by running a script called checkrad.pl (http://www.opensource.apple.com/sourc...), but I can't fit it to Ruckus because I have no method to get the auth state.

Primož Marinšek, AlphaDog

That's all news to me. Thanks for explaining.

Alberto de la Cruz

You are welcome. If you have any questions, don't hesitate to ask me. Don't you use 802.1x authentication for your clients? I think it is not so common in an enterprise heterogeneous environment with mobile clients (smartphones, tablets, laptops ...) but for the WISP side, it is the best choice if the CPE has the capabilities.
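
The syslog-tracking fallback discussed in the thread, sketched as an added example (not code from any participant, from FreeRADIUS or from Ruckus): replay join/disconnect events, answer with checkrad's 0 = not logged in / 1 = logged in convention, and list the sessions RADIUS still holds for clients that have left. The event tuples, the session table, the function names and the 12-hour `max_age` cutoff are all assumptions made for illustration; the events are not in Ruckus syslog format.

```python
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, kind, client MAC).
EVENTS = [
    ("2024-01-01T10:00:00", "join", "aa:bb:cc:00:00:01"),
    ("2024-01-01T10:05:00", "join", "aa:bb:cc:00:00:02"),
    ("2024-01-01T10:20:00", "disconnect", "aa:bb:cc:00:00:01"),
]
# Constructed RADIUS-side view (what Simultaneous-Use counts): user -> MAC.
RADIUS_SESSIONS = {
    "alice": "aa:bb:cc:00:00:01",
    "bob": "aa:bb:cc:00:00:02",
}

def replay(events):
    """Return {mac: last join time} for clients whose latest event is a join."""
    online = {}
    # ISO timestamps sort chronologically; on a tie "disconnect" sorts
    # before "join", so an immediate reconnect leaves the client online.
    for ts, kind, mac in sorted(events):
        if kind == "join":
            online[mac.lower()] = datetime.fromisoformat(ts)
        elif kind == "disconnect":
            online.pop(mac.lower(), None)
    return online

def check_session(online, mac, now, max_age=timedelta(hours=12)):
    """checkrad-style result: 1 = still logged in, 0 = not logged in."""
    joined = online.get(mac.lower())
    if joined is None:
        return 0
    # A join with no later disconnect may be a lost syslog message, so a
    # join older than max_age (assumed cutoff) no longer counts as a login.
    return 1 if now - joined <= max_age else 0

def stale_sessions(radius_sessions, online, now):
    """Users RADIUS still counts as logged in but the event log says are gone."""
    return sorted(user for user, mac in radius_sessions.items()
                  if check_session(online, mac, now) == 0)

if __name__ == "__main__":
    state = replay(EVENTS)
    print(stale_sessions(RADIUS_SESSIONS, state, datetime(2024, 1, 1, 11, 0)))
```

Because the result is derived from tracked events rather than from the controller's own state, it inherits the limitation raised in the thread: a missed message leaves the table wrong until the age cutoff expires it.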