[VOPRadius] "Ghost users causing simultaneous login limit exceeded" (wholesale ports)

[Cary Fitch]

A less creative and faster solution is to give them a profile that allows multiple logons (2?) if you are renting ports, not by the account.    GlobalPops normal ghosting and dual user policy will handle them then.  You can tell GlobalPops to only allow one logon per user... and they will handle clearing ghosting   You may show some duplicate logins... but if you aren't keeping track of hours on your system, it won't make a difference.   CF ----- Original Message ----- From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, May 20, 2004 10:26 AM Subject: [VOPRadius] "Ghost users causing simultaneous login limit exceeded" (wholesale ports) HI,   I have the ghost issue now and then and it is a pain to clear.   Creative solution.  Works for me.   Thanks,  Andy ----- Original Message ----- From: Steven Bastardi To: [EMAIL PROTECTED] ; [EMAIL PROTECTED] ; [EMAIL PROTECTED] Sent: Thursday, May 20, 2004 11:19 AM Subject: [VOPRadius] "Ghost users causing simultaneous login limit exceeded" (wholesale ports) All VopRadius users,   I'm working with Sylvain Savignac at Vircom on this issue.  The problem is that most wholesale ports providers do not provide support for watchdog packets between the NAS and your radius which means there is no process in place to reconcile the list of users actually online.  If the NAS restarts or otherwise is unable to send the stop packet to radius the user ends up with a ghost record in radius.  When the user tries to log back on if you have port-limit = 1 the user is rejected based on simultaneous login limit exceeded.  This operational issue is not going to go away unless a creative solution is implemented.  In my opinion just such a solution was suggested some time ago on this mail list.  The recommendation is as follows: " if the calling station-id was stored with the rest of the users information in the online users table in radius, a ghost user could be cleaned up when they try to reconnect from the same phone number."  The assumption is that it would not be impossible to be simultaneous from the same originating number.    I would appreciate feedback from others on this list with thoughts on this solution.   Thanks, Steven Bastardi The Home Town Network Inc.     ----- Original Message ----- From: Gene DuCharme To: [EMAIL PROTECTED] Sent: Thursday, May 20, 2004 7:02 AM Subject: [VOPRadius] globalpops Allowing multiple logins on our end seems to me to be opening the door for abuse.    It would seem to me that there has to be a way for radius to check say every 20 minutes if the customer is still there.????   High Speed Internet at it's Best Gene DuCharme Owner Inland North West Internet 401 S. Park St. Chewelah, Wa. 99109 [EMAIL PROTECTED] http://www.inwi.net tel: fax: mobile: 509-935-8923 509-935-8923 509-936-0633 Signature powered by Plaxo Want a signature like this? Add me to your address book... -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Ramsey Abu-Absi Sent: Wednesday, May 19, 2004 2:11 PM To: [EMAIL PROTECTED] Subject: [VOPRadius] globalpops Is that working OK for you? Thanks, Ramsey At 04:48 PM 5/19/2004, you wrote: They have a custom tweaked Radius.  They suggested we put our GP users on a profile allowing 2 logins or unlimited logins.   Keep our local users on a profile with 1 login per user.   CF ----- Original Message ----- From: Ramsey Abu-Absi To: [EMAIL PROTECTED] Sent: Wednesday, May 19, 2004 3:47 PM Subject: [VOPRadius] globalpops Hi Cary, Thanks - you make a valid point; perhaps I was a bit harsh in my earlier messages.  Their ghosting policy is as you describe.  However, my frustration has been that although they are letting the ghosted user log in, they are getting a reject from my server because my server does not know that this is in fact happening.  If they could send a stop record first, then the problem would be solved. Now this brings up a question I hadn't thought of before:  Can VOP perform the same logic (i.e. check the called-from number, and if it is the same as the active session, allow the user to log in)?  This would also provide us with a fix. Given that at least two of us are dealing with this, I'd be most appreciative if someone from Vircom wouldn't mind weighing in on this.  Otherwise, I'll contact support. Thanks, Ramsey At 04:29 PM 5/19/2004, Cary Fitch wrote: I have dealt with their tech staff and their "chief guru".  They are a class operation.  Two of them were at our Peercon meeting.   They have a "good" ghosting policy, verify not only by your radius, but by the number the person is calling from, and can knock off a ghosted user, to allow the same person back on from the same number, but not a different number.   They also give the user the benefit of the doubt until it is shown he is an "ab-user".   As to wrong passwords, unless that is a  caching issue, I don't know about that.  (They do caching, so if they can't reach you, they can still allow your users on line.)   Cary Fitch ----- Original Message ----- From: Brad Johnson To: [EMAIL PROTECTED] Sent: Wednesday, May 19, 2004 3:05 PM Subject: [VOPRadius] globalpops Will Do! Thanks to all who replied. Brad Johnson   Systems Administrator     Local Link Network Operations From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramsey Abu-Absi Sent: Wednesday, May 19, 2004 2:57 PM To: [EMAIL PROTECTED] Subject: [VOPRadius] globalpops Let me know if you have any luck! Ramsey At 03:46 PM 5/19/2004, you wrote: Well, if I find that I�m not getting stop packets for users, I�ll be making their tech staff unhappy. If they say �we sent it� and they don�t know why its not getting to us, its still their problem in my opinion (their service model). Brad Johnson   Systems Administrator     Local Link Network Operations From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gene DuCharme Sent: Wednesday, May 19, 2004 11:37 AM To: [EMAIL PROTECTED] Subject: [VOPRadius] globalpops We use them and set up as (other-no security) And yes we have had some problems with radius not receiving the stop packet.  When I talked directly with Corey Pops at Global Pops he explained if you try to stay with their teir 1 system you will have less problems with ghosting.  Although I have come in in the morning and found several customers ghosted who I know do not stay on 1000 or more minutes. I just checked my logs and they customers are being logged.   High Speed Internet at it's Best Gene DuCharme Owner Inland North West Internet 401 S. Park St. Chewelah, Wa. 99109 [EMAIL PROTECTED] http://www.inwi.net tel: fax: mobile: 509-935-8923 509-935-8923 509-936-0633   Signature powered by Plaxo Want a signature like this? Add me to your address book... -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brad Johnson Sent: Wednesday, May 19, 2004 9:00 AM To: [EMAIL PROTECTED] Subject: [VOPRadius] globalpops What client type is used with globalpops. I have client definitions setup and have tried with �other� and �Radius Server� and authentication is working however, I get no radius errors when a bad login is used, nor do I get an entry in onlineusers when a good login is used and gets connected. Also, does globalpops pass on stop packets for users they detect as a ghost � or am I going to have ghost issues with them? Brad Johnson   Systems Administrator     Local Link Network Operations * * * C O N F I D E N T I A L I T Y S T A T E M E N T * * * This E-MAIL message and any accompanying documents contain confidential information intended for a specific individual and purpose. The information contained within is private and protected by law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this message is strictly prohibited. If you have received this communication in error, please notify us by return e-mail or by telephone at 419-661-1233 so that we can prevent a reoccurrence. Thank you in advance for your strict compliance and assistance. * * * C O N F I D E N T I A L I T Y S T A T E M E N T * * * This E-MAIL message and any accompanying documents contain confidential information intended for a specific individual and purpose. The information contained within is private and protected by law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this message is strictly prohibited. If you have received this communication in error, please notify us by return e-mail or by telephone at 419-661-1233 so that we can prevent a reoccurrence. Thank you in advance for your strict compliance and assistance. * * * C O N F I D E N T I A L I T Y S T A T E M E N T * * * This E-MAIL message and any accompanying documents contain confidential information intended for a specific individual and purpose. The information contained within is private and protected by law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this message is strictly prohibited. If you have received this communication in error, please notify us by return e-mail or by telephone at 419-661-1233 so that we can prevent a reoccurrence. Thank you in advance for your strict compliance and assistance.