|
All VopRadius users,
I'm working with Sylvain Savignac at Vircom on this
issue. The problem is that most wholesale ports providers do not provide
support for watchdog packets between the NAS and your radius which
means there is no process in place to reconcile the list of users actually
online. If the NAS restarts or otherwise is unable to send the stop packet
to radius the user ends up with a ghost record in radius. When the user
tries to log back on if you have port-limit = 1 the user is rejected based
on simultaneous login limit exceeded. This operational issue is not
going to go away unless a creative solution is implemented. In my opinion
just such a solution was suggested some time ago on this mail list. The
recommendation is as follows: " if the calling station-id was stored with the
rest of the users information in the online users table in radius, a ghost user
could be cleaned up when they try to reconnect from the same phone
number." The assumption is that it would not be impossible to be
simultaneous from the same originating number.
I would appreciate feedback from others on this
list with thoughts on this solution.
Thanks,
Steven Bastardi
The Home Town Network Inc.
----- Original Message -----
Sent: Thursday, May 20, 2004 7:02
AM
Subject: [VOPRadius] globalpops
Allowing multiple logins on our end seems to me to be opening the door
for abuse.
It
would seem to me that there has to be a way for radius to check say every
20 minutes if the customer is still there.????
Is that working OK for
you?
Thanks,
Ramsey
At 04:48 PM 5/19/2004, you wrote:
They have
a custom tweaked Radius. They suggested we put our GP users on a
profile allowing 2 logins or unlimited logins.
Keep our local users on a profile with 1 login per
user.
CF
- ----- Original Message -----
- From: Ramsey
Abu-Absi
- To: [EMAIL PROTECTED]
- Sent: Wednesday, May 19, 2004 3:47 PM
- Subject: [VOPRadius] globalpops
- Hi Cary,
- Thanks - you make a valid point; perhaps I was a bit harsh in my
earlier messages. Their ghosting policy is as you describe.
However, my frustration has been that although they are letting the
ghosted user log in, they are getting a reject from my server because my
server does not know that this is in fact happening. If they could
send a stop record first, then the problem would be solved.
- Now this brings up a question I hadn't thought of before: Can
VOP perform the same logic (i.e. check the called-from number, and if it
is the same as the active session, allow the user to log in)? This
would also provide us with a fix.
- Given that at least two of us are dealing with this, I'd be most
appreciative if someone from Vircom wouldn't mind weighing in on
this. Otherwise, I'll contact support.
- Thanks,
- Ramsey
- At 04:29 PM 5/19/2004, Cary Fitch wrote:
- I have dealt with their tech staff and their
"chief guru". They are a class operation. Two of them were
at our Peercon meeting.
- They have a "good" ghosting policy, verify
not only by your radius, but by the number the person is calling from,
and can knock off a ghosted user, to allow the same person back on from
the same number, but not a different number.
- They also give the user the benefit of the
doubt until it is shown he is an "ab-user".
- As to wrong passwords, unless that is
a caching issue, I don't know about that. (They do caching,
so if they can't reach you, they can still allow your users on
line.)
- Cary Fitch
- ----- Original Message -----
- From: Brad Johnson
- To: [EMAIL PROTECTED]
- Sent: Wednesday, May 19, 2004 3:05 PM
- Subject: [VOPRadius] globalpops
- Will Do! Thanks to all who
replied.
-
- Brad Johnson
- Systems
Administrator
- Local Link
Network Operations
- From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
Ramsey Abu-Absi
- Sent: Wednesday, May 19, 2004 2:57 PM
- To: [EMAIL PROTECTED]
- Subject: [VOPRadius] globalpops
-
- Let me know if you have any
luck!
- Ramsey
- At 03:46 PM 5/19/2004, you wrote:
- Well, if I find that I�m not
getting stop packets for users, I�ll be making their tech staff unhappy.
If they say �we sent it� and they don�t know why its not getting to us,
its still their problem in my opinion (their service model).
-
- Brad Johnson
- Systems Administrator
- Local Link Network Operations
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Gene DuCharme
- Sent: Wednesday, May 19, 2004 11:37 AM
- To: [EMAIL PROTECTED]
- Subject: [VOPRadius] globalpops
-
- We use them and set up as
(other-no security)
-
- And yes we have had some
problems with radius not receiving the stop packet. When I talked
directly with Corey Pops at Global Pops he explained if you try to stay
with their teir 1 system you will have less problems with
ghosting. Although I have come in in the morning and found several
customers ghosted who I know do not stay on 1000 or more minutes.
-
- I just checked my logs and
they customers are being logged.
-
- High Speed Internet at
it's Best
- Gene DuCharme
- Owner
- Inland North West
Internet
- 401
S. Park St.
- Chewelah, Wa.
- 99109
- [EMAIL PROTECTED]
- http://www.inwi.net
- tel:
- fax:
- mobile:
- 509-935-8923
- 509-935-8923
- 509-936-0633
-
-
- Signature powered by
Plaxo
- Want a signature like
this?
- Add
me to your address book...
- -----Original Message-----
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Brad Johnson
- Sent: Wednesday, May 19, 2004 9:00 AM
- To: [EMAIL PROTECTED]
- Subject: [VOPRadius] globalpops
- What client type is used with globalpops. I
have client definitions setup and have tried with �other� and �Radius
Server� and authentication is working however, I get no radius errors
when a bad login is used, nor do I get an entry in onlineusers when a
good login is used and gets connected.
-
- Also, does globalpops pass on stop packets
for users they detect as a ghost � or am I going to have ghost issues
with them?
-
- Brad Johnson
- Systems Administrator
- Local Link Network Operations
-
- * * * C O N F I D E N T I A L I
T Y S T A T E M E N T * * * This E-MAIL message and any accompanying
documents contain confidential information intended for a specific
individual and purpose. The information contained within is private and
protected by law. If you are not the intended recipient, you are hereby
notified that any disclosure, copying, distribution, or the taking of
any action in reliance on the contents of this message is strictly
prohibited. If you have received this communication in error, please
notify us by return e-mail or by telephone at 419-661-1233 so that we
can prevent a reoccurrence. Thank you in advance for your strict
compliance and assistance.
* * * C O N F
I D E N T I A L I T Y S T A T E M E N T * * * This E-MAIL message and any
accompanying documents contain confidential information intended for a
specific individual and purpose. The information contained within is private
and protected by law. If you are not the intended recipient, you are hereby
notified that any disclosure, copying, distribution, or the taking of any
action in reliance on the contents of this message is strictly prohibited.
If you have received this communication in error, please notify us by return
e-mail or by telephone at 419-661-1233 so that we can prevent a
reoccurrence. Thank you in advance for your strict compliance and
assistance.
* * * C O N F I D E N T I A L I T Y S T A T E M E
N T * * * This E-MAIL message and any accompanying documents contain
confidential information intended for a specific individual and purpose. The
information contained within is private and protected by law. If you are not
the intended recipient, you are hereby notified that any disclosure, copying,
distribution, or the taking of any action in reliance on the contents of this
message is strictly prohibited. If you have received this communication in
error, please notify us by return e-mail or by telephone at 419-661-1233 so
that we can prevent a reoccurrence. Thank you in advance for your strict
compliance and assistance.
|
