Hi,
> Hi,
> 
>       What it boils down to is that when you auth, you have the potential
> for a "Session-Timeout" reply. Let's say it's 120 minutes. You get back that
> you are authorized with that attribute.
> 
>       You send the accounting start record and off the user goes. 10 minutes
> into the session, the operators/a process/whatever decides to change your
> Radius entry so that the new Session-Timeout would be 5 minutes. How, if at
> all, does the NAS become aware of this?

RFC 3576 - Change of Authorization - CoA

The NAS and the server have to support it. With this, you can
change many variables that are part of the AAA - e.g. Session-Timeout,
their Address etc. etc.

Accounting packets are very different - just 'here's some data'
and 'thank you' responses really. Like many people I am very worried
about DoS abilities due to lack of verification of this data.
- I could spoof the NAS and send a 'they've been on for 7200 minutes'
packet and et voila, everyone gets disconnected :-(

alan
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
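
The spoofed-accounting concern raised above is the case the RFC 2866 Request Authenticator covers: each Accounting-Request carries an MD5 over the packet and the shared secret, which the server can check before acting on the record. A minimal server-side check, as an added example that is not part of the original post; the NAS address, shared secret and attribute values are constructed.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS code, RFC 2866

# Constructed sample: shared secret per NAS source address (documentation range).
NAS_SECRETS = {"192.0.2.10": b"constructed-shared-secret"}

def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def request_authenticator(ident, attrs, secret):
    """RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(ident, attrs, secret):
    """What a NAS holding the secret would send."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator(ident, attrs, secret) + attrs

def accept(src_ip, packet):
    """Server side: drop records from unknown senders or with a bad authenticator."""
    secret = NAS_SECRETS.get(src_ip)
    if secret is None or len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding
    expected = request_authenticator(ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed Stop record: Acct-Status-Type=Stop, Acct-Session-Id, Acct-Session-Time.
STOP_ATTRS = (attr(40, struct.pack("!I", 2)) + attr(44, b"0000A1B2")
              + attr(46, struct.pack("!I", 600)))
GENUINE = build_request(7, STOP_ATTRS, NAS_SECRETS["192.0.2.10"])
# Same record with Acct-Session-Time rewritten to 7200 minutes, authenticator untouched.
TAMPERED = GENUINE[:-4] + struct.pack("!I", 7200 * 60)
# Record built by a sender that does not hold the NAS secret.
FORGED = build_request(8, STOP_ATTRS, b"wrong-secret")

if __name__ == "__main__":
    for name, pkt in (("genuine", GENUINE), ("tampered", TAMPERED), ("forged", FORGED)):
        print(name, accept("192.0.2.10", pkt))
```

The check is only as strong as the shared secret, so a guessable secret or one reused across every NAS leaves the concern above in place.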
