[c-nsp] Discussion list for RADIUS?
A.L.M.Buxey at lboro.ac.uk
Sat May 24 03:36:41 EDT 2008
Hi,
> Hi,
>
> What it boils down to is that when you auth, you have the potential
> for a "Session-Timeout" reply. Let's say it's 120 minutes. You get back that
> you are authorized with that attribute.
>
> You send the accounting start record and off the user goes. 10 minutes
> into the session, the operators/a process/whatever decides to change your Radius
> entry so that the new Session-Timeout would be 5 minutes. How, if at all, does
> the NAS become aware of this?
RFC 3576 - Change of Authorization - CoA
the NAS and the server have to support it. With this, you can
change many variables that are part of the AAA - e.g. Session-Timeout,
their address etc. etc.

Accounting packets are very different - just 'here's some data'
and 'thank you' responses really. Like many people I am very worried
about DoS abilities due to lack of verification of this data.
- I could spoof the NAS and send a 'they've been on for 7200 minutes'
packet and et voila. Everyone gets disconnected :-(
alan
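As an added illustration (not part of the thread, nor any vendor's code), RFC 2866 binds an Accounting-Request to the NAS's shared secret through its Request Authenticator, so a server that recomputes and compares it drops an accounting packet built by a sender that does not hold that secret; the secret, user and session values below are constructed.

```python
import hashlib
import hmac
import struct

# Constructed example values (not from the thread).
SHARED_SECRET = b"example-secret"
ACCT_REQUEST = 4            # RADIUS Code for Accounting-Request (RFC 2866)
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40  # 1 = Start
ATTR_ACCT_SESSION_TIME = 46 # seconds

def attr(t, value):
    """Encode one RADIUS attribute as Type / Length / Value."""
    return struct.pack("!BB", t, 2 + len(value)) + value

def build_acct_request(identifier, attrs, secret):
    """Build an Accounting-Request whose Request Authenticator is, per RFC 2866,
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_acct_request(packet, secret):
    """Server-side check: recompute the authenticator with the secret configured
    for this NAS; a spoofed or tampered packet fails the comparison."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)

def demo():
    """Genuine record from a NAS holding the secret vs. a forged one without it."""
    attrs = [attr(ATTR_USER_NAME, b"alice"),
             attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),
             attr(ATTR_ACCT_SESSION_TIME, struct.pack("!I", 7200 * 60))]
    genuine = build_acct_request(7, attrs, SHARED_SECRET)
    forged = build_acct_request(7, attrs, b"guessed-secret")
    return (verify_acct_request(genuine, SHARED_SECRET),
            verify_acct_request(forged, SHARED_SECRET))

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check only proves the sender knows the secret configured for that client entry, so the server should also accept accounting traffic solely from the source addresses it has defined as NAS clients.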