[c-nsp] Discussion list for RADIUS?

Tuc at T-B-O-H.NET ml at t-b-o-h.net
Sat May 24 09:29:32 EDT 2008


> 
> Hi,
> > Hi,
> > 
> > 	What it boils down to is that when you auth, you have the potential
> > for a "Session-Timeout" reply. Let's say it's 120 minutes. You get back that
> > you are authorized with that attribute.
> > 
> > 	You send the accounting start record and off the user goes. 10 minutes 
> > into the session, the operators/a process/whatever decides to change your Radius 
> > entry so that the new Session-Timeout would be 5 minutes. How, if at all, does
> > the NAS become aware of this? 
> 
> RFC 3576 - Change of Authorization - CoA
> 
> the NAS and the server have to support it.  with this, you can
> change many variables that are part of the AAA - eg Session-Timeout,
> their Address etc etc
> 
> Accounting packets are very different - just 'heres some data'
> and 'thankyou' responses really. Like many people I am very worried
> about DoS abilities due to lack of verification of this data.
> - I could spoof the NAS and send a 'they've been on for 7200 minutes'
> packet and et voilà, everyone gets disconnected :-(
> 
> alan
> 
Hi,

	I guess I guided this a bit into the wrong territory. I didn't realize
there was a CoA.

	The issue wasn't so much that the Session-Timeout would BE changed, it's
that with usage it DOES change. I basically was trying to avoid having to keep
track of time in my application. More of Radius telling me "Hey, it's time to
go" instead of my deciding it. There is a large section where a user may be
provisioned, and during the session the provisioning rejected (credit card
disallowed, fraud, TOS violation), but the main crux was trying not to keep
the "limits" locally. I guess the protocol doesn't allow for it, so I have to
keep track/time/count myself.

	Thanks, I think I have everything I need! (Well, except for how to
"use" a file in Perl that's a bareword (use $authorization_module;). Tried
to: eval "use authorization_module;" : but it's just not working. But not
a c-nsp issue. :) )

		Thanks, Tuc
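Added example, not part of the thread: the two packet types the replies above discuss, a NAS Accounting-Request carrying Acct-Session-Time and an RFC 3576 CoA-Request pushing a new Session-Timeout, built and verified the way the RFCs specify. Alan's worry is a spoofed "they've been on for 7200 minutes" accounting packet; RFC 2866 gives every Accounting-Request a Request Authenticator, MD5 over the packet with the shared secret appended, and RFC 3576 uses the same construction for CoA-Request and Disconnect-Request, so a server that actually recomputes it discards packets forged or altered without the secret. The shared secret, user name, NAS address, session id and timings are constructed values for the demo; the attribute type numbers and packet codes are the standard ones.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# Packet codes: Accounting-Request (RFC 2866), CoA-Request (RFC 3576)
ACCOUNTING_REQUEST = 4
COA_REQUEST = 43

# Attribute types (RFC 2865 / RFC 2866)
USER_NAME = 1
NAS_IP_ADDRESS = 4
SESSION_TIMEOUT = 27
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46

HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
Attr = Tuple[int, bytes]


def encode_attrs(attrs: List[Attr]) -> bytes:
    """Type/Length/Value encoding; Length counts the 2-byte TL header."""
    out = b""
    for atype, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(blob: bytes) -> List[Attr]:
    """Inverse of encode_attrs; rejects truncated or overlength attributes."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", blob[pos:pos + 2])
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def request_authenticator(code: int, identifier: int, attr_blob: bytes, secret: bytes) -> bytes:
    """RFC 2866 s.3 / RFC 3576 s.2.3:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    length = HEADER_LEN + len(attr_blob)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + b"\x00" * 16 + attr_blob + secret).digest()


def build_request(code: int, identifier: int, attrs: List[Attr], secret: bytes) -> bytes:
    """Client side (NAS for accounting, CoA server for CoA): sign and serialize."""
    blob = encode_attrs(attrs)
    auth = request_authenticator(code, identifier, blob, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(blob)) + auth + blob


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Receiver side: recompute the Request Authenticator and compare in constant time.
    Anything built or modified without the shared secret fails here."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = request_authenticator(code, identifier, packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def tamper_session_time(packet: bytes, seconds: int) -> bytes:
    """What a spoofer without the secret can do: rewrite Acct-Session-Time in a
    captured packet, keeping the original header and authenticator."""
    attrs = decode_attrs(packet[HEADER_LEN:])
    edited = [(t, struct.pack("!I", seconds) if t == ACCT_SESSION_TIME else v) for t, v in attrs]
    return packet[:HEADER_LEN] + encode_attrs(edited)


SECRET = b"example-shared-secret"  # constructed; never a real deployment value


def demo() -> Dict[str, bool]:
    # NAS reports an Interim-Update for a session 10 minutes old (constructed values)
    acct = build_request(ACCOUNTING_REQUEST, 7, [
        (USER_NAME, b"tuc@example.net"),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
        (ACCT_STATUS_TYPE, struct.pack("!I", 3)),        # 3 = Interim-Update
        (ACCT_SESSION_ID, b"0000A1B2"),
        (ACCT_SESSION_TIME, struct.pack("!I", 600)),
    ], SECRET)
    # Spoofer claims the user has been on for 7200 minutes
    forged = tamper_session_time(acct, 7200 * 60)
    # Operator cuts the session limit to 5 minutes mid-session via CoA
    coa = build_request(COA_REQUEST, 8, [
        (USER_NAME, b"tuc@example.net"),
        (ACCT_SESSION_ID, b"0000A1B2"),
        (SESSION_TIMEOUT, struct.pack("!I", 300)),
    ], SECRET)
    return {
        "genuine_acct": verify_request(acct, SECRET),
        "forged_acct": verify_request(forged, SECRET),
        "coa_wrong_secret": verify_request(coa, b"wrong-secret"),
        "coa": verify_request(coa, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. The check is only as good as the receiver: a server that accepts accounting without recomputing the authenticator is exactly as spoofable as Alan describes, and an attacker who holds the shared secret (or can guess a weak one offline from captured packets, since this is unsalted MD5) is not stopped. It also does nothing against straight replay of a captured genuine packet; pairing it with the HMAC-MD5 Message-Authenticator attribute of RFC 2869 and checking Identifier and Acct-Session-Id against live state is the usual hardening.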
