NoCatAuth Patches
IPFW2
This patch adds support for the FreeBSD IPFW2 (and possibly IPFW)
firewall software.
Features
- IP-from-original-MAC filter - Only passes a client's IP address when it arrives from that client's original MAC address. This helps stop spoofing of an IP to bypass the gateway: you would have to spoof both the MAC and the IP, which is possible but more technically challenging.
- Class-based resource limiting - Places all clients of a given class into dummynet queues and pipes, which can limit bandwidth or apply any other dummynet feature.
- Implementation of stats.fw - For use with the Accounting patch.
To Do
- NAT support.
- Firewall sets for easier enable/disable of NoCatAuth rules.
Files
- The patch against NoCatAuth 0.82. (Updated 7/14/2003)
- A patch for ipfw2 (against FreeBSD 4.8) for use with stats.fw (optional if you don't use Accounting). (Updated 6/16/2003)
NOTE: As of 7/12/2003 this patch was committed to FreeBSD-Current, so you may not need it today.
Accounting
This patch adds accounting support to NoCatAuth. Accounting can be sent to a file or to RADIUS. Additional modules can be added by implementing the Accounting interface. Plans for log, syslog and BDI accounting are in the works.
At this time all the accounting changes are tied into the RADIUS patches. If you are not going to use RADIUS it won't hurt to install the patch anyway. In the future I will try to split out the patches, but don't hold me to it. See RADIUS below for the patches.
Features
- InOctets and OutOctets - Number of bytes in and out during the session.
- Session-Id - A unique session identifier for recording per-session accounting.
- Start - Records the start of the session.
- Stop - Records the stop of the session, including Session-Time and In/OutOctets.
- Update - Timer-based update of In/OutOctets. Useful for graphing In/OutOctets over time.
- LastPacketTime - On supported firewalls (ipfw2 at the moment) gives the last time a packet has been seen from this client. Can be used to determine Session-Time more accurately when Session-Timeout occurs.
- stats.fw - A per-firewall implementation script for accounting.
  - IPFW - FreeBSD 4.8 (others untested but should work), see IPFW2.
  - IPTables - No LastPacketTime support.
To Do
- Acct-Terminate-Cause - Reason for termination (logout, timeout, kickoff, shutdown).
- stats.fw - Other firewalls.
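As an added example (not part of the NoCatAuth patch, which is Perl), here is a small Python model of the Start / Update / Stop accounting flow and of using LastPacketTime to report Session-Time when a session ends by Session-Timeout rather than by an explicit logout; it also carries the planned Acct-Terminate-Cause using the page's own cause names. The class name, the Timestamp field and the dict-based record shape are assumptions of this example; Acct-Status-Type is the RFC 2866 attribute name.

```python
# Added example, not NoCatAuth's own code: models the Start / Update / Stop
# accounting flow above. Attribute names beyond the page's list follow RFC 2866
# (Acct-Status-Type); cause strings are the page's own, not RFC 2866 codes.
import uuid


class AccountingSession:
    """One client's session on the gateway, emitting RADIUS-style records."""

    def __init__(self, nas_ip, start_time, session_id=None):
        # Session-Id must be unique per session; a random UUID is one simple choice.
        self.session_id = session_id or uuid.uuid4().hex
        self.nas_ip = nas_ip                  # NAS-IP-Address: the gateway's address
        self.start_time = start_time
        self.in_octets = self.out_octets = 0
        self.last_packet_time = None          # only reported by ipfw2 via stats.fw
        self.records = []
        self._emit("Start", start_time)

    def _emit(self, status, now, **extra):
        rec = {"Acct-Status-Type": status, "Session-Id": self.session_id,
               "NAS-IP-Address": self.nas_ip, "NAS-Port": 0, "Timestamp": now}
        rec.update(extra)
        self.records.append(rec)
        return rec

    def update(self, now, in_octets, out_octets, last_packet_time=None):
        """Periodic Update: firewall counters are cumulative, so store, don't add."""
        self.in_octets, self.out_octets = in_octets, out_octets
        if last_packet_time is not None:      # None on firewalls without it (IPTables)
            self.last_packet_time = last_packet_time
        return self._emit("Update", now, InOctets=in_octets, OutOctets=out_octets)

    def session_time(self, now, cause):
        """Seconds of real use. On a timeout the client may have gone silent long
        before the timer fired; if LastPacketTime is known, end the session there."""
        end = now
        if cause == "timeout" and self.last_packet_time is not None:
            end = self.last_packet_time
        return max(0, end - self.start_time)

    def stop(self, now, cause):
        """Stop record: final octets, Session-Time and Acct-Terminate-Cause."""
        return self._emit("Stop", now, InOctets=self.in_octets,
                          OutOctets=self.out_octets,
                          **{"Session-Time": self.session_time(now, cause),
                             "Acct-Terminate-Cause": cause})
```

With a timeout firing at 2800 but the last packet seen at 1290, the Stop record reports Session-Time 290 rather than 1800; a firewall without LastPacketTime falls back to the timer's own stop time.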
RADIUS
This patch is mostly accounting additions, but does include some
authentication changes.
Features
- Groups and group admins - For assigning clients to groups and designating them as admin. This feature uses a vendor-specific attribute in RADIUS. See etc/dictionary.nocat and import it into your RADIUS dictionary.
- Session timeout - Logs the user off after the timeout expires. Attribute Session-Timeout.
- Accounting - Start, Stop, and periodic Update. See Accounting above.
- NAS-IP-Address - Attribute set to the gateway's IP address. (Authentication, required for Simultaneous-Use)
- NAS-Port - Attribute set to 0. (Authentication, required for Simultaneous-Use)
- Authen::Radius - Now in the nocat/lib directory to avoid conflicts with the CPAN version.
- Simultaneous-Use - Script to detect unterminated sessions (works but untested). (FreeRADIUS)
To Do
Files
- The patch against NoCatAuth 0.82. (Updated 10/15/2003) This patch now includes Authen::Radius and dictionary.nocat.
SNMP
A module to add SNMP based monitoring and logging to the gateway and
authserv. You will be able to query a gateway for a table of
peers containing all the known stats. The authserv will maintain
counts of failed, successful and other authentication metrics.
Certain events within the gateway and authserv will trigger traps.
To Do
Contact
Please email any questions you have to nocat@lists.nocat.net so that
everyone can learn from it. If you have any patches to submit
please email them to jbarrett@amduat.net.