On Sat 14 Jul 2007, Arran Cudbard-Bell wrote:
> Peter Nixon wrote:
> > On Sat 14 Jul 2007, Arran Cudbard-Bell wrote:
> >> Peter Nixon wrote:
> >>> On Fri 13 Jul 2007, Arran Cudbard-Bell wrote:
> >>>> Alan DeKok wrote:
> >>>>> Arran Cudbard-Bell wrote:
> >>>>>> Seriously, I've actually gone to the trouble of ringing their
> >>>>>> support line and submitting bug reports, and absolutely nothing has
> >>>>>> happened ?! It's getting to the funny rotten egg smelling stuff in
> >>>>>> the aircon ducts, and petrol bombs stage :\
> >>>>>
> >>>>> I'll talk to them. :)
> >>>>>
> >>>>> Part of the problem is that if no RADIUS server supports it,
> >>>>> there's less of a need for them to support it.
> >>>>
> >>>> *poke* *poke*, the codes in radclient *poke* *poke*
> >>>>
> >>>> Actually isn't it just a matter of sending a standard RADIUS packet
> >>>> with a POD packet type to a specified UDP port on the NAS ...
> >>>
> >>> Yep. You will generally need to know the disconnect key, but you
> >>> will notice that I added a field titled "XAscendSessionSvrKey" to
> >>> radacct a while back.. A couple of lines of perl and it all just
> >>> works...
> >>
> >> Is that just the SessionId on most NASes ?
> >
> > No
> >
> >> Erg I'm going to have to read RFC 3576 :(
> >
> > I suggest you start with my summary here:
> > http://wiki.freeradius.org/Disconnect_Messages
> >
> > Cheers
>
> Ok
> X-Ascend-Session-Svr-Key isn't included in the standard list of
> identification attributes in RFC 3576...
> And seeing as it's a VSA for Ascend boxes, I don't see why it would be
> used in any other kit ?

Cisco's use it. Maybe we should call the DB column disconnect-key or
something similar...

> RFC just states that a packet with Code 40 should be sent, including a
> list of identification attributes, and an optional Service-Type attr
> with value Authorize Only, if only requesting termination of a session
> and not CoA, to avoid ambiguous meanings of attributes, and ease
> translation to Diameter.
> On NAK NAS is also supposed to send an Error-Cause attr, describing the
> reason for the NAK.
>
> The fact that the Request Authenticator matches, should be enough to
> ensure the Disconnect Message came from an authorised local RADIUS
> server, and the RFC describes a reverse proxying method to use for use
> when proxying...
>
> Just need HP kit to support POD and CoA now ... :-)

-- 
Peter Nixon
http://peternixon.net/