[c-nsp] Discussion list for RADIUS?
Patrick Muldoon
doon.bulk at inoc.net
Sat May 24 00:03:55 EDT 2008
On May 23, 2008, at 10:47 PM, Tuc at T-B-O-H.NET wrote:
> Hi,
>
> What it boils down to is that when you auth, you have the potential for a "Session-Timeout" reply. Let's say it's 120 minutes. You get back that you are authorized with that attribute.
>
> You send the accounting start record and off the user goes. 10 minutes into the session, the operators/a process/whatever decides to change your Radius entry so that the new Session-Timeout would be 5 minutes. How, if at all, does the NAS become aware of this?
Our in-house tools use Radius COA (change of authorization) to make changes to accounts while they are online if the NAS they are on supports it, so you might look into seeing if your NAS/Radius servers can support it (we use COA with Radiator against Cisco 7200s terminating PPPoE sessions all the time).

Basically our tools will update the user database with whatever account changes were requested, consult the sessions tables to see if they can locate the user online, and if so will issue the Radius COA with the updated attribute.

We normally use it to dynamically apply ACLs (Change-Filter-Request) or to kick them offline (Disconnect-Request). Not 100% sure if you can dynamically adjust the Session-Timeout, but you could build some intelligence into the tool to say: adjusting session timeout to 5 minutes, they have already been online greater than 5 minutes, so update their attributes and then send the Disconnect-Request. When they log back in they will now have the 5 minute session timeout.
HTH,
-Patrick
--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C
Meets quality standards: Compiles without errors.
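An added example, not code from the post or from INOC's tools: a Python encoder for the Disconnect-Request and CoA-Request packets the reply describes, including the RFC 5176 Request Authenticator that lets the NAS check the sender holds the shared secret. The shared secret, username, session id and filter name in the functions are constructed sample values; the "update attributes, then disconnect" workaround is the one the post suggests.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
# Attribute types from RFC 2865/2866
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11
ATTR_ACCT_SESSION_ID = 44

def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)  # integer attributes are 32-bit big-endian
    elif isinstance(value, str):
        value = value.encode("utf-8")
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_dynauth_request(code, identifier, attrs, secret):
    """Build a CoA-Request or Disconnect-Request with its Request Authenticator.

    RFC 5176: Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret),
    which is how the NAS checks that the sender holds the shared secret.
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def verify_request_authenticator(packet, secret):
    """The NAS-side check: recompute the authenticator and compare in constant time."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)

def disconnect_user(username, acct_session_id, secret, identifier=1):
    """The workaround from the post: after updating the user's stored attributes,
    kick the live session so the next login picks up the new Session-Timeout."""
    attrs = [(ATTR_USER_NAME, username), (ATTR_ACCT_SESSION_ID, acct_session_id)]
    return build_dynauth_request(DISCONNECT_REQUEST, identifier, attrs, secret)

def apply_filter(username, acct_session_id, filter_name, secret, identifier=2):
    """CoA-Request pushing a new Filter-Id to a session that stays up."""
    attrs = [(ATTR_USER_NAME, username), (ATTR_ACCT_SESSION_ID, acct_session_id),
             (ATTR_FILTER_ID, filter_name)]
    return build_dynauth_request(COA_REQUEST, identifier, attrs, secret)
```

Send the resulting bytes over UDP to the NAS's dynamic-authorization port (3799 by default per RFC 5176) and parse the Disconnect-ACK/NAK or CoA-ACK/NAK that comes back.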