Re: (RADIATOR) signal to NAS

2001-10-22 Thread Mariano Absatz


Well... Radius is (or used to be) a strict client/server protocol where 
the server is passively waiting for requests from the client and 
reacting (or not) to them as it sees appropriate.

Now, the client is the NAS and the server (in our case) is Radiator. 
There should be no way for the server to asynchronously send anything to 
the client (the NAS).

But if you want to disconnect a user who dialed-in to the NAS from the 
server, you have to do just that.

RFC2822 (Extended RADIUS Practices) says:

> 6.4.  Authorization Changes:
>
> To implement an active changes to a running session, such as filter
> changes or timeout and disconnect, at least one vendor has added a
> RADIUS server to his NAS. This server accepts messages sent from an
> application in the network, and upon matching some session
> information, will perform such operations.
>
> Messages sent from Server to NAS
>
>  - Change Filter Request
>  - Change Filter Ack / Nak
>  - Disconnect Request
>  - Disconnect Response
>
> Filters are used to limit the access the user has to the network by
> restricting the systems and protocols he can send packets to.  Upon
> fulfilling some registration with an authorization server, the
> service provider may wish to remove those restrictions, or disconnect
> the user.

So, in fact, the NAS should have a minimal radius server inside and 
you should have a radius client... but Radiator has radpwtst which is 
precisely, a radius client...

Browsing a little bit among old docs, I found an Internet-Draft, 
draft-chiba-radius-dynamic-authorization-00.txt: Dynamic Authorization... 
browsing ftp.ietf.org I see it's expired and no longer on line... 
anyway, if you want it, I can send it by mail.

This draft is written by a couple of guys from Cisco, so I suspect there 
is at least a Cisco box with this behaviour... anyway, you MUST see your 
NAS documentation to check that this is available and how it works... I 
think I once saw a whitepaper about the Nortel CVX supporting this.

The draft says, the client's client (i.e. radpwtst) must send a Radius 
Disconnect Request packet with the username, or session-id, or IP 
address of the user to disconnect and the client turned into server 
(the NAS) should disconnect it and send a Disconnect ACK packet or not 
disconnect it and send a Disconnect NAK packet.

Also, you should see when and why you do disconnect it... maybe from a 
radwho.cgi... it shouldn't be hard to add a link to every line saying 
disconnect this guy and launching radpwtst with the appropriate 
options...

HTH.


El 20 Oct 2001 a las 16:13, lloyd dagoc escribió:

> hello,
>
> just wondering if RADIATOR can send a signal to NAS to disconnect a 
> particular user. can RADIATOR do that? if yes, how?
>
>
> = )
> thanks
> lloyd
> inter.net philippines incorporated
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

--
Mariano Absatz
El Baby
--
I wish for a world of peace, harmony,  nakedness.
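
The Disconnect Request / ACK / NAK exchange described in the message above, as an added example that is not part of the original post and is not Radiator or radpwtst code. It assumes the packet codes and authenticator calculation later standardised in RFC 5176 (which the thread does not cite), and the session table and function names are hypothetical; the point is that the NAS, now acting as a server, must check the shared-secret authenticator before dropping anyone.

```python
import hashlib
import hmac
import struct

# Codes and attribute types from RFC 2865/2866/5176 (not given in the thread).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ACCT_SESSION_ID = 1, 44

def packet(code, ident, seed, attrs, secret):
    """Header + MD5(code|id|length|seed|attrs|secret) + attributes."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + seed + attrs + secret).digest() + attrs

def build_disconnect_request(ident, secret, user=None, session_id=None):
    """Client side: the request authenticator is seeded with 16 zero octets."""
    attrs = b""
    for attr_type, value in ((USER_NAME, user), (ACCT_SESSION_ID, session_id)):
        if value is not None:
            attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return packet(DISCONNECT_REQUEST, ident, bytes(16), attrs, secret)

def parse_attrs(data):
    """Decode type-length-value attributes, rejecting malformed lengths."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out

def nas_handle(raw, secret, sessions):
    """NAS side; sessions is a hypothetical {Acct-Session-Id: User-Name} table."""
    try:
        code, ident, length = struct.unpack("!BBH", raw[:4])
        raw = raw[:length]               # octets past Length are padding
        expected = hashlib.md5(raw[:4] + bytes(16) + raw[20:] + secret).digest()
        if (code != DISCONNECT_REQUEST or len(raw) != length or length < 20
                or not hmac.compare_digest(expected, raw[4:20])):
            return None                  # drop silently: malformed or forged
        attrs = parse_attrs(raw[20:])
    except (struct.error, ValueError):
        return None
    user, sid = attrs.get(USER_NAME), attrs.get(ACCT_SESSION_ID)
    hits = [s for s, u in sessions.items()
            if (user or sid) and user in (None, u) and sid in (None, s)]
    for s in hits:
        del sessions[s]                  # stands in for dropping the line
    reply = DISCONNECT_ACK if hits else DISCONNECT_NAK
    return packet(reply, ident, raw[4:20], b"", secret)
```

A request built with the wrong secret, or altered in transit, gets no reply at all, so the sender cannot tell a silent drop from packet loss.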





Re: (RADIATOR) signal to NAS

2001-10-22 Thread moto kawasaki


Hi all,

I'd suggest SNMP and MIB on the NAS might be helpful to disconnect
a given user (or connection).



Thanks.

mek


From: Mariano Absatz [EMAIL PROTECTED]
Subject: Re: (RADIATOR) signal to NAS
Date: Mon, 22 Oct 2001 16:52:27 -0300
Message-ID: 3BD44ECB.26941.24CBA61C@localhost

radiator> Well... Radius is (or used to be) a strict client/server protocol where 
radiator> the server is passively waiting for requests from the client and 
radiator> reacting (or not) to them as it sees appropriate.
radiator> 
radiator> Now, the client is the NAS and the server (in our case) is Radiator. 
radiator> There should be no way for the server to asynchronously send anything to 
radiator> the client (the NAS).
radiator> 
radiator> But if you want to disconnect a user who dialed-in to the NAS from the 
radiator> server, you have to do just that.



Re: (RADIATOR) signal to NAS

2001-10-18 Thread Hugh Irvine


Hello Lloyd -

On Saturday 20 October 2001 18:13, lloyd dagoc wrote:
> hello,
>
> just wondering if RADIATOR can send a signal to NAS to disconnect a
> particular user. can RADIATOR do that? if yes, how?


Radiator cannot do it directly, however if your NAS software supports the new 
radius Disconnect-Request, you can use radpwtst to send it.

This subject has been discussed on the list previously, so do a search on the 
archive (www.open.com.au/archives/radiator).

regards

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.