technical:ppsk-radius [2024/04/29 07:57] – system | technical:ppsk-radius [2024/04/29 09:03] (current) – [Advanced Private PSK Flow] system | ||
---|---|---|---|
====== PPSK support in FreeRADIUS ====== | ====== PPSK support in FreeRADIUS ====== | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | * FreeRADIUS offers support for Perl and Python | + | * FreeRADIUS offers support for loadable modules in Perl and Python. |
- | * RADIUSdesk includes a couple of Perl modules with FreeRADIUS to help where the use of Unlang | + | * RADIUSdesk includes a couple of Perl modules with its FreeRADIUS |
* The RADIUS protocol in its most traditional implementation does not allow communication back to the RADIUS client, e.g. to terminate a user's session with a NAS. | * The RADIUS protocol in its most traditional implementation does not allow communication back to the RADIUS client, e.g. to terminate a user's session with a NAS. | ||
- | * With the development of the RADIUS protocol, a mechanism was created over time to reach the client via Change Of Authority (COA) and Packet Of Disconnect (POD) requests from the RADIUS server to the RADIUS client. | + | * As new enhancements were added to the RADIUS protocol, a mechanism was added to reach the client via Change Of Authority (COA) and Packet Of Disconnect (POD) requests from the RADIUS server to the RADIUS client. |
- | * In a way, the RADIUS client took on features of the RADIUS server. | + | * We can say that the RADIUS client took on features of the RADIUS server. |
* This mechanism works well in an environment where the RADIUS server can reach the RADIUS client directly at IP level (no NAT firewalls in between) | * This mechanism works well in an environment where the RADIUS server can reach the RADIUS client directly at IP level (no NAT firewalls in between) | ||
- | * Unfortunately, | + | * Unfortunately, |
- | * Mikrotik generally uses the API that is part of RouterOS. | + | * In RADIUSdesk we use the API that is part of RouterOS |
* In MESHdesk and APdesk we use the MQTT system (or heartbeat fallback). | * In MESHdesk and APdesk we use the MQTT system (or heartbeat fallback). | ||
* With this in mind, let us look at the flow of a simple Private PSK implementation on RADIUSdesk as well as a more advanced Private PSK implementation with data restrictions. | * With this in mind, let us look at the flow of a simple Private PSK implementation on RADIUSdesk as well as a more advanced Private PSK implementation with data restrictions. | ||
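Review bot: "Change Of Authority (COA)" in the rewritten bullet should read "Change of Authorization (CoA)", the name the RADIUS Dynamic Authorization Extensions (RFC 5176) give the message, alongside the Disconnect-Request that this page calls Packet Of Disconnect (POD); the old wording carried the same error, so correct it while the line is being edited. The bullet "the RADIUS client took on features of the RADIUS server" would also be more useful if it said what that means in practice, namely that the NAS must accept and validate these requests from the server, because that is exactly why the unchanged bullet two lines down says the mechanism only works when the server can reach the client directly at IP level with no NAT in between; stating it once here makes the Mikrotik (RouterOS API) and MESHdesk/APdesk (MQTT or heartbeat) workarounds that follow read as alternatives to CoA/POD rather than as unrelated remarks.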
+ | * The **Intelligent VLAN Engine** runs on the RADIUSdesk server and is crucial if you want to implement Private PSK with data restrictions. | ||
+ | * It constantly monitors a user's usage and if it detects that a certain limit has been reached, it will act accordingly. | ||
+ | * This usually starts by sending a disconnect instruction to the AP or mesh node the user is currently connected to. | ||
+ | * The user's device will attempt to reconnect to the same SSID after it has been disconnected. | ||
+ | * The **Intelligent VLAN Engine** will now apply the new restrictions to the newly established connection, if there are any. | ||
+ | * The **Intelligent VLAN Engine** also removes restrictions by disconnecting and reconnecting a user when it detects that a restriction needs to be lifted, e.g. when a daily, weekly or monthly limit no longer applies | ||
---- | ---- | ||
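Review bot: the new bullets describe the disconnect/reconnect cycle but not how the disconnect instruction reaches the AP or mesh node, nor what happens when it cannot be delivered; since the introduction says MESHdesk and APdesk use MQTT with a heartbeat fallback and Mikrotik uses the RouterOS API, state here which path the Intelligent VLAN Engine uses and that enforcement is delayed until the next heartbeat if MQTT is unavailable. The qualifier "if there are any" in "will now apply the new restrictions to the newly established connection, if there are any" reads as if the reconnect may carry no restriction, yet the engine only disconnects once a limit has been reached, so either move the qualifier to the disconnect step or drop it. Finally, say whether the restriction is handed to the reconnecting device in the RADIUS reply or pushed afterwards: the device reconnects to the same SSID with the same Private PSK, so the reader needs to know at which point the limit is actually enforced, and the same applies to the lifting of daily, weekly or monthly limits in the last bullet.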