next message in archive
next message in thread
previous message in archive
previous message in thread
Index of Subjects
Index of Subjects On Thu, 25 May 2000, Ian White wrote: > And then theres issues around graphical stuff.. things like some sort of > standard for kicking off PPP users (again.. compatability.. need to > implement something that works for PM3s, portslaves, etc.).. perhaps > include a standard radius server. This is kind-of a difficult one from what I remember since there is no radius command which kills a user. The Radius daemon responds to requests from the remote access concentrator it does not initiate anything. The radius daemon can tell the remote access concentrator what "type" of session to setup for a user but once that user session has started radius has no way of communicating to the remote access unit that it would like the session to end. Often there are Radius extensions which allow you to mold the user session to how you would like. For example Ascend provides the "Ascend-Maximum-Call-Duration" attribute which basically tells an Ascend remote access concentrator, setup a user session which will not last longer than so many minutes. It doesn't work by the radius daemon sending a request to kill the account it just tells the RAC unit what type of session to setup when things are initially being setup. This probably won't help however because there is no standardized (non-proprietary) radius directive which does this so although it works for Ascend equipment it isn't going to work for everyone. There are a few ways to kill off sessions if you are willing to do some proprietary stuff. Most units will speak SNMP and will respond to SNMP requests. When I was playing around with this stuff the perl mods for dealing with SNMP requests were fairly complex and were taking me too much time to figure out so I droped it. The other thing to do which is much easier is to is to write an expect script. Expect is a Tcl extension language built for interfacing directly with the terminal. Basically you build the program to telnet into the command line interface of your RAC and input the appropriate keystrokes to kill off the user of your choice. Just a warning however, there are ways of slowing down keystrokes in expect. Use them. I had some serious problems with buffer overload on my Max 4000 which was causing it to crash because the expect script was sending info too fast. If you don't want to go proprietary however you can do things the way we do now. I have a script which runs once every 10 minutes and rewrites the radius users file. The script goes through the radius logs and figures out how much time each user has spend dialed in. If they have spent too much time dialed in already then I simply don't write an entry for them in the radius file. I rotate the logs once per week so they don't get too big to parse. This means that the time limits are weekly limits. ie) People are allowed 8 hours of dialup time per week on our system. We don't care how much time they spend telneting into our system. We have plenty of processor to spare but dialup is at a premium. To ensure that people don't simply dial in and then never hangup again you must however set a maximum session timelimit on your RAC. Anyways, it it helps I can try to revamp my radius users file rewriter code. ------------------------------------------------------------- System Administrator for the Vancouver Community Network Jason Currell | currell@vcn.bc.ca voice #: (604)257-3811 | modem #: (604) 638-0189
next message in archive
next message in thread
previous message in archive
previous message in thread
Index of Subjects