[c-nsp] Discussion list for RADIUS?
Robert Blayzor
rblayzor.bulk at inoc.net
Sun May 25 08:28:39 EDT 2008
On May 24, 2008, at 9:29 AM, Tuc at T-B-O-H.NET wrote:
> The issue wasn't so much that the Session-Timeout would BE changed,
> it's that with usage it DOES change.
I'm confused, why does the Session-Timeout change? Do you mean you
have timed usage accounts and they're only allowed X amount of time
over a series of logins for a particular period?
> I basically was trying to avoid having to keep
> track of time in my application. More of Radius telling me "Hey, it's
> time to go" instead of my deciding it.
Ok, I think what I just mentioned is what you're trying to do. But
yes, the only way to do that is for you to account the time and
dynamically size the Session-Timeout; the only way to enforce that
change is either via a CoA or re-authorization after login.
> There is a large section where a user may be
> provisioned, and during the session the provisioning rejected
> (Credit card disallowed, fraud, TOS violation) but the main crux was
> trying not to keep the "limits" locally. I guess the protocol doesn't
> allow for it, so I have to keep track/time/count myself.
That's really the only way. But CoA is very handy for resetting
settings manually or changing ACLs and other attributes on the fly.
I don't see why you couldn't push a new Session-Timeout online... I
believe if you sent a Session-Timeout of (1) and the user has already
been online a while, that would probably drop the session. Never
tried that though! :-)
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/
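
Added example, not part of the original message or of any product discussed in it: a Python sketch of the approach described above, where the application accounts the time itself, sizes Session-Timeout from what is left, and carries the new value in a CoA-Request authenticated with the RFC 5176 Request Authenticator. The quota figures, user name, session id and shared secret are constructed, and whether a particular NAS applies a Session-Timeout received in a CoA is an assumption to test on your own equipment.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43        # RFC 5176 packet code
USER_NAME = 1           # RFC 2865 attribute types
SESSION_TIMEOUT = 27
ACCT_SESSION_ID = 44    # RFC 2866


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def remaining_seconds(quota: int, used_closed: int, current_elapsed: int) -> int:
    """Time left on a metered account, from totals the application keeps itself."""
    return max(quota - used_closed - current_elapsed, 0)


def build_coa(ident: int, secret: bytes, user: str, session_id: str, timeout: int) -> bytes:
    """Build a CoA-Request carrying a new Session-Timeout for one session."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(ACCT_SESSION_ID, session_id.encode())
             + attr(SESSION_TIMEOUT, struct.pack("!I", timeout)))
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_coa(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: recompute the authenticator before trusting the request."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed value
    left = remaining_seconds(36000, 30000, 2400)   # 10 h quota, constructed usage
    pkt = build_coa(7, secret, "user1", "0000A1B2", left)
    print(left, len(pkt), verify_coa(pkt, secret))
```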