Well... Radius is (or used to be) a strict client/server protocol where
the server is passively waiting for requests from the client and
reacting (or not) to them as it sees appropriate.
Now, the client is the NAS and the server (in our case) is Radiator.
There should be no way for the server to asynchronously send anything to
the client (the NAS).
But if you want to disconnect a user who dialed-in to the NAS from the
server, you have to do just that.
RFC2822 (Extended RADIUS Practices) says:
6.4. Authorization Changes:

To implement an active changes to a running session, such as filter
changes or timeout and disconnect, at least one vendor has added a
RADIUS server to his NAS. This server accepts messages sent from an
application in the network, and upon matching some session
information, will perform such operations.

Messages sent from Server to NAS
- Change Filter Request
- Change Filter Ack / Nak
- Disconnect Request
- Disconnect Response

Filters are used to limit the access the user has to the network by
restricting the systems and protocols he can send packets to. Upon
fulfilling some registration with an authorization server, the
service provider may wish to remove those restrictions, or disconnect
the user.
So, in fact, the NAS should have a minimal radius server inside and
you should have a radius client... but Radiator has radpwtst which is
precisely, a radius client...
Browsing a little bit among old docs, I found an Internet-Draft, draft-
chiba-radius-dynamic-authorization-00.txt: Dynamic Authorization...
browsing ftp.ietf.org I see it's expired and no longer on line...
anyway, if you want it, I can send it by mail.
This draft is written by a couple of guys from Cisco, so I suspect there
is at least a Cisco box with this behaviour... anyway, you MUST see your
NAS documentation to check that this is available and how it works... I
think I once saw a whitepaper about the Nortel CVX supporting this.
The draft says, the client's client (i.e. radpwtst) must send a Radius
Disconnect Request packet with the username, or session-id, or IP
address of the user to disconnect and the client turned into server
(the NAS) should disconnect it and send a Disconnect ACK packet or not
disconnect it and send a Disconnect NAK packet.
Also, you should see when and why you do disconnect it... maybe from a
radwho.cgi... it shouldn't be hard to add a link to every line saying
disconnect this guy and launching radpwtst with the appropriate
options...
HTH.
On 20 Oct 2001 at 16:13, lloyd dagoc wrote:
hello,
just wondering if RADIATOR can send a signal to NAS to disconnect a
particular user. can RADIATOR do that? if yes, how?
= )
thanks
lloyd
inter.net philippines incorporated
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
--
Mariano Absatz
El Baby
--
I wish for a world of peace, harmony, nakedness.
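
Added example (not part of the original message, and not Radiator or radpwtst code): the Disconnect Request / ACK / NAK exchange described in the message above, with the authenticator check that lets the NAS drop requests not made with the shared secret. It assumes the packet codes and authenticator rule later standardized in RFC 5176, which may differ from the expired draft; the secret, user name and session id are constructed sample values.

```python
import hashlib
import hmac
import struct

# Packet codes as standardized in RFC 5176; attribute types from RFC 2865/2866.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ACCT_SESSION_ID = 1, 44
ZERO16 = b"\x00" * 16
SECRET = b"constructed-shared-secret"  # constructed sample value

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def _auth(code, ident, length, seed, attrs, secret):
    # MD5(Code + Identifier + Length + seed + Attributes + Secret)
    head = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(head + seed + attrs + secret).digest()

def build_packet(code, ident, seed, attrs, secret):
    """seed is 16 zero octets for a request, the Request Authenticator for a reply."""
    length = 20 + len(attrs)
    auth = _auth(code, ident, length, seed, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs

def _verified_code(packet, seed, secret):
    """Return the packet code if the authenticator checks out, else None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = _auth(code, ident, length, seed, packet[20:], secret)
    return code if hmac.compare_digest(expected, packet[4:20]) else None

def nas_accepts_request(packet, secret):
    """NAS side: drop any Disconnect-Request not made with the shared secret."""
    return _verified_code(packet, ZERO16, secret) == DISCONNECT_REQUEST

def check_reply(reply, request, secret):
    """Sender side: 'ACK', 'NAK', or 'INVALID' for a forged or mismatched reply."""
    code = _verified_code(reply, request[4:20], secret)
    if code is None or reply[1] != request[1]:
        return "INVALID"
    return {DISCONNECT_ACK: "ACK", DISCONNECT_NAK: "NAK"}.get(code, "INVALID")

# Constructed sample: ask the NAS to drop one session of user "alice".
REQUEST = build_packet(DISCONNECT_REQUEST, 7, ZERO16,
                       attr(USER_NAME, b"alice") + attr(ACCT_SESSION_ID, b"0000A1"), SECRET)
```

The shared secret is the only thing authenticating a disconnect, so the NAS side should also restrict which source addresses may send these packets.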