Running freeradius to handle WiFi access - session

I’m a computer science teacher in a secondary school. The school has a simple network composed of 8 Unifi WiFi AP + 1 controller that supports radius authentication and accounting . Everything is directly connected to a single router (there are also 30 PC connected via eth cable) .
The WiFi network “should be” used exclusively by teachers (around 70) but systematically, some “clever” students, using some sort of social engineering attack, are always able to retrieve the WPA2 WiFi passphrase and access the network. Hence after a couple of week the network is saturated (there are 700 students in school!). For that reason I would like to move to WPA2 enterprise auth.
I’ve installed on an old machine a lubuntu distro with freeradius + MySQL + DaloRadius and everything seems to work properly, at least locally!.
In freeradius I created a group called “teacher” and I associated all the teachers to that group. That group has also the attribute “Simultaneous-Use := 1 “ in the radgroupcheck table , obviously every user/teacher has its own “Cleartext-Password” in the radcheck table.
DESIRED REQUIREMENT: I do not want a bullet proof wifi network but a reliable solution at least for teachers. I can accept the fact that, after an account violation, some students can by able to use the network (eg. 3-4 contemporary sessions), but massive usage of the WiFi network shall be avoided.
Here are my dubts:
I’ve heard that ubiqui unifi hotspot are not so reliable in terms of accounting (sometime the session is not properly closed) so I could face some authentication problem also for the trusted user. According to the REQUIREMENT above, can I tune the freeradius attribute (Simultaneous-Use, Session Timeout, etc.) in order to avoid massive problem for teachers.
Other suggestions? Eg. A schell script in cron to unlock the leftopen session after some time. Lease time tuning on DHCP.

Related

How do I point the Windows Security prompt to a domain via batch script?

I provide technical support for students and staff at a college campus and I'm trying to write a batch script that will somewhat automate the process by which students on Windows machines connect to our (Windows) print server (I'd like to do this for Mac and Linux users eventually, but that's another post in and of itself).
Currently, in order to connect, students must run the following command:
\\deskprint.someuniversity.edu
(server and school name changed) either through the run command (XP and Vista), the start menu (7 and 10), or the start screen (8 and 8.1). Upon doing this, they must then enter their university login and password, as well as the domain for the university's network (we'll call it "taco"). Then, finally, they must click on the printer for their residence hall and install the driver.
Although we have tutorials for printing from all types of machines and devices, many students have issues connecting and must contact us to get connected. In order to simplify this process, I have written a simple batch script that prompts them for their university login without them having to remember the command to get to the prompt. All the student must do is run the script from their desktop and enter their login information. The current script is posted below.
#echo off
start \\deskprint.someuniversity.edu
For the most part, this solves the biggest issue students have, which is remembering the process for connecting to the server, as each version of Windows does it slightly differently (in addition, no one can ever seem to remember the address for the server and often type things such as 'www' instead of '\\' and the like).
Although this makes things somewhat easier, students still often forget to append '#taco' (the university's domain) to the end of their username. As a result, Windows will not accept their login information and will not connect them to the print server.
What should I do (if it can even be done) to tell Windows to point to the correct domain rather than using the computer's name as the domain?
Thanks!
Not sure it's possible to prefill the login so what about displaying the reminder in a message box:
#echo off
start \\deskprint.someuniversity.edu
msg "%username%" Don't forget to add #taco after your username, please!

updata download sizes at mikrotik

I have a PC as a mikrotik router at home, and also i have many power failures because the electricity network is undergoing maintenance ant this may last for months, and I noticed that what it's shown at the user profile is not updated instantly by the downloads(mega Bytes) at the active users, and after an electricity cut off, everything at the active user just resetted (I mean downloaded megabytes), and nothing is recorded.
How can I update it instantly or at least every hour, any ideas?
Several solutions to keep track of volatile data after a reboot:
Use a Radius server with accounting (data use will be automatically sent to the radius server and logged in database)
Use mikrotik API to query the "Mb used" from an external device and log it on a file.
Write a mikrotik script to query the data you need and log it into a file or on a non-volatile area (for example, comment on user)

Windows 7 freezes while uploading files via broadband service ( Both downloads & mobile data transfers work )

My windows 7 pc freezes when i try to upload something on the web, and it only happens when i use cable broadband connection.
Sometimes i can upload the file but most of time ( 8 out of 10 times ) it will freeze, to restart i need to switch off and on from main board.
Note:
When i connect my 3G phone to the PC it doesn't freeze, I am able to upload any file size.
Recently i formatted the computer and re-installed the windows 7, but it didn't solve the issue.
What could be wrong with the cable broadband, I am facing this ever since i get this connection ( 3 months ago ). Also, I would like to add that my pc does not freeze while downloading.
Please help!
Thank you.
Diagnose your broadband CPE-unit for any defective self-diagnostic warnings.
Check your Broadband service provider contract conditions vs. your real observations.
As you noted an 8/10 failure rate observation, namely check the (un)guaranteed ( real ) xDSL-Concentrator factor ( upStream grooming of 1:5, 1:10, 1:30, 1:50, ... make a big difference not only in PeakHour on upStream traffic shaping ( well, rather blocking...) )
Test your real achievable upStream speed against a few different speed test servers ( naturally do not opt to use your xDSL provider's own Speed Test Server, use rather another destination, outside of the control of the xDSL provider ).
Collect real achievable performance data -- several different Test Servers, a few dozens tests, round the 24/7 calendar to avoid objections on un-guarranteed performance and to be able to prove a reasonable and repetitive results for the non-compliance procedure in case the contracted terms & conditions are not fulfilled.

Is there a way asterisk reconnect calls when internet connection is missed

For being specific, I am using asterisk with a Heartbeat active/pasive cluster. There are 2 nodes in the cluster. Let's suppose Asterisk1 Asterisk2. Eveything is well configured in my cluster. When one of the nodes looses internet connection, asterisk service fails or the Asterisk1 is turned off, the asterisk service and the failover IP migrate to the surviving node (Asterisk2).
The problem is if we actually were processing a call when the Asterisk1 fell down asterisk stops the call and I can redial until asterisk service is up in asterisk2 (5 seconds, not a bad time).
But, my question is: Is there a way to make asterisk work like skype when it looses connection in a call? I mean, not stopping the call and try to reconnect the call, and reconnect it when asterisk service is up in Asterisk2?
There are some commercial systems that support such behavour.
If you want do it on non-comercial system there are 2 way:
1) Force call back to all phones with autoanswer flag. Requerment: Guru in asterisk.
2) Use xen and memory mapping/mirror system to maintain on other node vps with same memory state(same running asterisk). Requirment: guru in XEN. See for example this: http://adrianotto.com/2009/11/remus-project-full-memory-mirroring/
Sorry, both methods require guru knowledge level.
Note, if you do sip via openvpn tunnel, very likly you not loose calls inside tunnel if internet go down for upto 20 sec. That is not exactly what you asked, but can work.
Since there is no accepted answer after almost 2 years I'll provide one: NO. Here's why.
If you failover from one Asterisk server 1 to Asterisk server 2, then Asterisk server 2 has no idea what calls (i.e. endpoint to endpoing) were in progress. (Even if you share a database of called numbers, use asterisk realtime, etc). If asterisk tried to bring up both legs of the call to the same numbers, these might not be the same endpoints of the call.
Another server cannot resume the SIP TCP session of the other server since it closed with the last server.
The MAC source/destination ports may be identical and your firewall will not know you are trying to continue the same session.
etc.....
If you goal is high availability of phone services take a look at the VoIP Info web site. All the rest (network redundancy, disk redundancy, shared block storage devices, router failover protocol, etc) is a distraction...focus instead on early DETECTION of failures across all trunks/routes/devices involved with providing phone service, and then providing the highest degree of recovery without sharing ANY DEVICES. (Too many HA solutions share a disk, channel bank, etc. that create a single point of failure)
Your solution would require a shared database that is updated in realtime on both servers. The database would be managed by an event logger that would keep track of all calls in progress; flagged as LINEUP perhaps. In the event a failure was detected, then all calls that were on the failed server would be flagged as DROPPEDCALL. When your fail-over server spins up and takes over -- using heartbeat monitoring or somesuch -- then the first thing it would do is generate a set of call files of all database records flagged as DROPPPEDCALL. These calls can then be conferenced together.
The hardest part about it is the event monitor, ensuring that you don't miss any RING or HANGUP events, potentially leaving a "ghost" call in the system to be erroneously dialed in a recovery operation.
You likely should also have a mechanism to build your Asterisk config on a "management" machine that then pushes changes out to your farm of call-manager AST boxen. That way any node is replaceable with any other.
What you should likely have is 2 DB servers using replication techniques and Linux High-Availability (LHA) (1). Alternately, DNS round-robin or load-balancing with a "public" IP would do well, too. These machine will likely be light enough load to host your configuration manager as well, with the benefit of getting LHA for "free".
Then, at least N+1 AST Boxen for call handling. N is the number of calls you plan on handling per second divided by 300. The "+1" is your fail-over node. Using node-polling, you can then set up a mechanism where the fail-over node adopts the identity of the failed machine by pulling the correct configuration from the config manager.
If hardware is cheap/free, then 1:1 LHA node redundancy is always an option. However, generally speaking, your failure rate for PC hardware and Asterisk software is fairly lower; 3 or 4 "9s" out of the can. So, really, you're trying to get last bit of distance to the "5th 9".
I hope that gives you some ideas about which way to go. Let me know if you have any questions, and please take the time to "accept" which ever answer does what you need.
(1) http://www.linuxjournal.com/content/ahead-pack-pacemaker-high-availability-stack

Low latency/high performance network (ethernet) messaging

Background
I want to create a test application to test the network performance of different systems. To do this I plan to have that machine send out Ethernet frames over a private (otherwise non-busy) network to another machine (or device) that simply receives the message and sends it back. The sending application will record total roundtrip time (among other things).
The purpose of the tests is to see how a particular system (OS + components etc.) performs when it comes to networking traffic. This is illustrated as machine A in the picture below. Note that I'm not interested in the performance of the networking infrastructure (switches, cables etc) - I'm trying to test the performance of network traffic inside Machine A (i.e from when it hits the network card until it reaches user space)
We will (try to) measure all kind of things, one thing is the total roundtrip of the message but also things like interrupt latency of Machine A, general driver overhead etc. Machine A will be a real-time system. But to support these tests, I need a separate machine that can bounce back messages and in other ways add network stimuli to the tested system. This separate machine is Machine B in the picture below and is what this question is about.
My problem
I want to develop an application that can receive and return these messages with as consistent (and preferably low) latency as possible. I'm hoping to get latencies that are consistent within a few microseconds at least. For simplicity, I'd like to do this on a general purpose OS like Windows or Linux but I'm open for other suggestions. There will be no other load (CPU or otherwise) on the machine besides the operating system and my test application.
I've thought of the following approaches:
A normal application running in user space with a high priority
A thread running in kernel space to avoid the userspace/kernelspace transitions
An of-the-shelf device that already does this (I haven't found one though)
Questions
Are there any other approaches or perhaps frameworks that already does this? What else do I need to think of to gain a consistent and low latency? What approach is recommended?
You mentioned that you want to test the internal performance of Machine A, but "need a separate machine"; yet, you don't want to test network infrastructure performance.
You know much more about your requirements than I do; however, if I was testing network infrastructure in Machine A, I would set up my test like this:
There are couple of reasons for this:
You can use an Ethernet loopback cable to simulate the "pong" function performed by Machine B
Eliminating transit through infrastructure you don't care about is almost always a better solution when measuring performance
If you use this test method, be sure to note these points:
Ethernet performs a signal to noise test on the copper before it sets up a link. If you make your loopback bends too tight, you could introduce more latency if ethernet decides to fall back to a lower speed due to the kinks in the cable. There is no minimum length for copper ethernet cabling.
As you're probably aware, combinations of NICs / driver versions / OS can have a significant affect on intra-host latency. I work for a network equipment manufacturer, and one of the guys in the office used to work as an applications engineer for SolarFlare. He claims that many of the Wall Street trading systems use SolarFlare's NICs due to the low latency SolarFlare engineers their products for; he also said SolarFlare's drivers give you user-space access to the NIC buffers. Caveat: third-hand info, and I cannot verify myself.
If you loop the frames to Machine A, set the source and destination mac-address to the burned-in-address on the NIC
Even if you need to receive a modified "pong" frame from Machine B, you could still use this topology and simply rewrite packet fields on the receive-side of your code in Machine A. Put as many (or few) instrumentation points as you like in Machine A's "modules" to compare frame timestamps.
FYI:
The embedded systems I mentioned in my comments on your question are for measuring latency of network infrastructure, not end hosts. This is the best method I can think of for instrumenting host latency.
As an off the shelf solution, I would suggest taking a look at Solace, Tibco and AMQP. These are all enterprise messaging frameworks used extensively in trading applications. AMQP is open source and capable of handling throughputs of up to 100,000 messages per second. I am not sure of the latencies of other frameworks. There is a Java or C++ implementation of the AMQP message router. The C++ one of course returns higher performance.
Edit I've just heard of a new product called UltraMessaging which can provide 7,000,000 messages per second throughput with Java, C++ or C# clients. Crikey.
Best regards,

Resources