On May 23, 2008, at 10:47 PM, Tuc at T-B-O-H.NET wrote:
> Hi,
>
> What it boils down to is that when you auth, you have the potential
> for a "Session-Timeout" reply. Let's say it's 120 minutes. You get
> back that you are authorized with that attribute.
>
> You send the accounting start record and off the user goes. 10 minutes
> into the session, the operators/a process/whatever decides to change
> your Radius entry so that the new Session-Timeout would be 5 minutes.
> How, if at all, does the NAS become aware of this?

Our in-house tools use Radius COA (Change of Authorization) to make changes to accounts while they are online if the NAS they are on supports it, so you might look into seeing if your NAS/Radius servers can support it. (We use COA with Radiator against Cisco 7200s terminating PPPoE sessions all the time.)

Basically our tools will update the user database with whatever account changes were requested, consult the sessions tables to see if they can locate the user online, and if so will issue the Radius COA with the updated attribute. We normally use it to dynamically apply ACLs (Change-Filter-Request) or to kick them offline (Disconnect-Request).

Not 100% sure if you can dynamically adjust the Session-Timeout, but you could build some intelligence into the tool to say: adjusting session timeout to 5 minutes, they have already been online greater than 5 minutes, so update their attributes and then send the Disconnect-Request. When they log back in they will now have the 5 minute session timeout.

HTH,
-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C

Meets quality standards: Compiles without errors.

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
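
The decision described in the reply above, sketched as an added example (not part of the original post and not the poster's tooling): it picks Disconnect-Request or CoA-Request and builds the packet with the RFC 5176 Request Authenticator that the NAS checks against the shared secret before acting. The function names, the sample user, session ID and secret are constructed, and whether a given NAS honours Session-Timeout in a CoA-Request is an assumption.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43  # RFC 5176 packet codes
USER_NAME, SESSION_TIMEOUT, ACCT_SESSION_ID = 1, 27, 44  # attribute types


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code: int, ident: int, secret: bytes, attrs: bytes) -> bytes:
    """Build a request whose authenticator is
    MD5(code + id + length + 16 zero octets + attributes + shared secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: recompute the authenticator, reject on mismatch."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def plan_change(user, session_id, elapsed_s, new_timeout_s, ident, secret):
    """Session already older than the new timeout: Disconnect-Request.
    Otherwise: CoA-Request carrying the new Session-Timeout (assumes the
    NAS accepts that attribute in a CoA-Request)."""
    ids = attr(USER_NAME, user.encode()) + attr(ACCT_SESSION_ID, session_id.encode())
    if elapsed_s >= new_timeout_s:
        return build_request(DISCONNECT_REQUEST, ident, secret, ids)
    timeout = attr(SESSION_TIMEOUT, struct.pack("!I", new_timeout_s))
    return build_request(COA_REQUEST, ident, secret, ids + timeout)


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample values throughout
    pkt = plan_change("alice", "0000A1", 600, 300, 7, secret)
    print(pkt[0], authenticator_ok(pkt, secret))
```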