Real Time Ascend Mailing List Archive

Re: (ASCEND) Radius: stop users from dialin two times (fwd)



Once upon a time Oliver J. Albrecht shaped the electrons to say...
>that, a radius-based solution (tracking of active accounts) across multiple
>units might be a possible solution. I just wonder how well this works in 

Not 'might be' - it is.  Some servers have done this for a long while.
Cistron is the only free server that does it truly effectively, but most
commercial servers do it as well.

>practice and how the radius daemon keeps track of active accounts. Surely
>it can't be the radacct records, which are (YMMV) bound to get lost from
>time to time.

That is only part of it.  It will use RADIUS Accounting to maintain a state
table.

However, if a login request comes in for a user who is:
1. Already in the state table.
and
2. Has reached their allotted limit in number of ports.

Then the server will use another protocol - SNMP is preferred when possible,
as with PortMasters, Ciscos, and 3Com HiPer ARCs.  With MAXen they tend to
have to use finger as the desired info isn't available via SNMP.  The server
checks to make sure the sessions are indeed still active.  

If they are then the new login is denied.  If one or more of the sessions
is actually gone then it presumes a lost or delayed STOP packet, updates
the state table, and allows the new login.

The trouble here is with multiple servers - a free server like Cistron doesn't
provide for a way to sync multiple servers.  A commercial server like Lucent
RADIUS ABM does however.

>With all due respect to the standard and Ascend's pollution of the
>radius attributes/dictionary, the "bogus crap" works just fine.

Yes it works.  But WHY?  Why NOT use the standard?  This is a headache for
anyone with a mixed environment, and for RADIUS server vendors who can
do one thing for everyone - EXCEPT Ascend.

That or Ascend users get the shaft when they can't use features in the
server.  Some servers have time of day limits and will automatically
generate things like Port-Limit, Session-Timeout, etc, based on current
data, configuration profiles, etc.  And many times Ascend users just get
left out in the cold - it works with compliant systems only.

-MZ
-- 
-=*X I'm going down...  under that is! <URL:http://www.aussie-isp.net/> X*=-
<URL:mailto:megazone@megazone.org> Gweep, Discordian, Author, Engineer, me..
Join ISP/C Internet Service Providers' Consortium <URL:http://www.ispc.org/>
"A little nonsense now and then, is relished by the wisest men" 781-788-0130
<URL:http://www.megazone.org/>  <URL:http://www.gweep.net/>  Hail Discordia!
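
The concurrent-login check described in the message above, as an added sketch that is not part of the original post and is not code from Cistron or any other server. The class, method names and the `probe` callback (a stand-in for the SNMP or finger query to the NAS) are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

Session = Tuple[str, int]  # (NAS address, NAS port); constructed key format


@dataclass
class SessionTable:
    # probe(nas, port, user) -> True if the NAS still reports that user on
    # that port. Hypothetical stand-in for the SNMP or finger lookup.
    probe: Callable[[str, int, str], bool]
    active: Dict[str, Set[Session]] = field(default_factory=dict)

    def accounting(self, status: str, user: str, nas: str, port: int) -> None:
        """Apply a RADIUS Accounting Start/Stop record to the state table."""
        sessions = self.active.setdefault(user, set())
        if status == "Start":
            sessions.add((nas, port))
        elif status == "Stop":
            sessions.discard((nas, port))
        if not sessions:
            self.active.pop(user, None)

    def authorize(self, user: str, port_limit: int) -> bool:
        """Decide a login request: True means accept, False means deny."""
        sessions = self.active.get(user, set())
        if len(sessions) < port_limit:
            return True  # under the limit, so the NAS is not queried
        # At the limit: confirm each recorded session with the NAS itself.
        stale = {s for s in sessions if not self.probe(s[0], s[1], user)}
        for s in stale:  # lost or delayed Stop packet, so repair the table
            sessions.discard(s)
        if not sessions:
            self.active.pop(user, None)
        return len(sessions) < port_limit


if __name__ == "__main__":
    # Constructed NAS state: alice is really connected on 10.0.0.1 port 3.
    live = {("10.0.0.1", 3, "alice")}
    table = SessionTable(probe=lambda n, p, u: (n, p, u) in live)
    table.accounting("Start", "alice", "10.0.0.1", 3)
    print(table.authorize("alice", 1))  # session confirmed live, so denied
    live.clear()                        # alice hangs up, Stop never arrives
    print(table.authorize("alice", 1))  # stale entry purged, so accepted
```

The table here lives in one process, which is the multi-server limitation the message points out: a second server would hold its own table unless the two are synchronized.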
