Date: Fri, 20 Jul 2001 13:01:16 +0300
From: Panagiotis Skoulikaritis <pskoul@egreta.gr>
To: FreeBSD Questions <questions@FreeBSD.ORG>
Subject: Re: need help configuring radius
Message-ID: <3B58016C.1BDFCA38@egreta.gr>
References: <003d01c110f9$46a368e0$1401a8c0@tedm.placo.com>
Hello Ted

I would like to thank you, you were very informative.

Thanks
Panagiotis

Ted Mittelstaedt wrote:

> First, you don't want to ask this here, instead you want to subscribe to
> the portmaster-radius mailing list at http://www.livingston.com/tech/archive/
>
> Secondly, what you're asking is not simple. For example there's a couple
> of Reply attributes out there that might work - Port-Limit and MultLink Flag,
> but these are not standard. You must check your NAS documentation to see
> if it recognizes them and applies them to ISDN multilink calls. Further
> they only work if you only have a single NAS.
>
> The usual method of doing what you're wanting to do is to use a RADIUS server
> such as cistron that has support for setting multiple login limits. The
> way these servers work is if you only permit a single session for a user
> they will authenticate the first session then deny all other auth attempts
> as long as that session is logged in. Therein is the difficulty, however,
> because RADIUS is a stateless protocol and as such there's no direct connection
> between the radius server and the NAS that the radius server can use to
> synchronize a database of who is logged in and who isn't.
>
> What some people do to track logins is to depend on the start and stop
> records, they increment a counter when they get a start record and
> decrement it when they get a stop record. This works OK for small NAS
> with just a few ports, there's a radius daemon at
>
> http://yardradius.on.openave.net/
>
> that works quite well for that.
>
> However, for anything significant (more than 20 ports or so) you run into
> synchronization problems. Some NAS have piss-poor accounting record control,
> Portmasters have been known under heavy load to not bother sending start
> accounting records or sending duplicates. Also RADIUS is UDP so you could
> lose the packet anyway. Then you get into a situation where the radius
> server thinks a user is logged on when they really aren't, thus the next time
> they call in the NAS won't let them logon.
>
> More sophisticated servers like cistron get around this problem by issuing
> an SNMP query to the NAS every time they see what they think is a simultaneous
> login attempt, to check and see if the first login is really there. This
> requires some fooling around with scripts and ucd-snmp. Also it's very
> NAS dependent - if you have a collection of NAS from different manufacturers
> then you're going to really be hosed and some NAS (USR for example) don't
> give out that data via SNMP so you have to do other scripting with Telnet
> scripts.
>
> At our site we started out with the free radius 2.01 daemon Livingston handed out
> then finally dumped it for YARD because of the simultaneous use thing. But
> I only lasted about 8 months with dealing with that because of the problems of
> keeping the radius daemon in sync with a big NAS with many T1's coming into it.
> I finally scrapped all that and went to ICradius
> (ftp://ftp.innercite.com/pub/icradius) which is a modified cistron
> that runs on a mysql server. It also has several web-based interfaces to
> it which helped greatly because we have admins that I don't trust with UNIX
> command line access. Also having all the accounting in a SQL server is extremely
> useful, beforehand we used to have to futz with all these icky perl scripts
> to attempt to get reporting off the monthly detail files which were huge. Now
> we can query usage on the fly which helps with troubleshooting as well as the
> customers that call up claiming they never used the service and why are we
> billing them. There's also some other tiered billing things that become
> possible with SQL queries that I won't get into. But I will warn you,
> although it's a great radius server it's very complicated and not simple to
> set up on FreeBSD. It's easy to see why the commercial radius servers like
> Steel Belted Radius are selling so well.
>
> Ted Mittelstaedt tedm@toybox.placo.com
> Author of: The FreeBSD Corporate Networker's Guide
> Book website: http://www.freebsd-corp-net-guide.com
>
> >-----Original Message-----
> >From: owner-freebsd-questions@FreeBSD.ORG
> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Panagiotis
> >Skoulikaritis
> >Sent: Friday, July 20, 2001 12:14 AM
> >To: FreeBSD Questions
> >Subject: need help configuring radius
> >
> >
> >Hello
> >
> >I need help with configuring my radius server.
> >I would like to distinguish on how my users log in depending on their
> >contract with either 64 kbps isdn or 128 kbps isdn. So far I'm using
> >the attribute NAS-Port-Type = ISDN, but this way every user that has
> >this attribute can use both channels of the isdn even though they
> >haven't subscribed for that. Any help would be appreciated.
> >
> >Thanks
> >
> >Panagiotis
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-questions" in the body of the message
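The start/stop counter approach Ted describes, together with the two failure modes he raises (a NAS re-sending or dropping accounting packets over UDP, leaving the server believing a user is still logged in), is easy to see in a small simulation. The following is an added example, not code from this thread or from any of the RADIUS daemons it names (YARD, cistron, ICradius). Instead of a bare per-user counter it keys sessions by NAS address plus Acct-Session-Id, so a duplicated Start is ignored rather than counted twice, and it exposes a reconcile step that takes the NAS's own list of live sessions (what the SNMP query in Ted's description would return) and drops anything the server still holds that the NAS no longer does. The attribute names follow standard RADIUS accounting; the policy table, the `SessionTracker` class and the sample records are constructed for illustration.

```python
"""Simultaneous-use tracking from RADIUS accounting records (added example).

Not code from the thread or from any RADIUS server it mentions. Sessions are
keyed by (NAS-IP-Address, Acct-Session-Id) so duplicated or lost Start/Stop
packets do not corrupt a per-user counter. Sample records are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SessionTracker:
    # user -> number of concurrent sessions allowed (assumed policy table,
    # e.g. 1 for a 64 kbps contract, 2 for a 128 kbps two-channel contract)
    simultaneous_use: dict
    # (nas_ip, acct_session_id) -> user currently tracked as logged in
    active: dict = field(default_factory=dict)

    def handle_accounting(self, record: dict) -> str:
        """Apply one accounting record.

        Returns 'start', 'stop', 'duplicate' (Start already seen for this
        session) or 'orphan-stop' (Stop for a session whose Start was lost).
        """
        key = (record["NAS-IP-Address"], record["Acct-Session-Id"])
        status = record["Acct-Status-Type"]
        if status == "Start":
            if key in self.active:
                return "duplicate"      # NAS re-sent the Start; do not count twice
            self.active[key] = record["User-Name"]
            return "start"
        if status == "Stop":
            if key not in self.active:
                return "orphan-stop"    # Start never arrived; nothing to release
            del self.active[key]
            return "stop"
        raise ValueError(f"unsupported Acct-Status-Type {status!r}")

    def active_sessions(self, user: str) -> int:
        return sum(1 for u in self.active.values() if u == user)

    def authorize(self, user: str) -> bool:
        """Deny a new login once the user holds their allowed number of sessions."""
        limit = self.simultaneous_use.get(user, 1)
        return self.active_sessions(user) < limit

    def reconcile(self, nas_ip: str, sessions_on_nas: set) -> list:
        """Drop tracked sessions the NAS no longer reports.

        sessions_on_nas is the set of Acct-Session-Ids the NAS says are live
        (what an SNMP or login-table query would return; passed in here).
        """
        stale = [k for k in self.active
                 if k[0] == nas_ip and k[1] not in sessions_on_nas]
        for k in stale:
            del self.active[k]
        return stale


# Constructed accounting stream: a duplicated Start for alice, a clean
# Start/Stop for bob, and a Stop for carol whose Start was never received.
NAS = "192.0.2.10"
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "A001", "User-Name": "alice", "NAS-IP-Address": NAS},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "A001", "User-Name": "alice", "NAS-IP-Address": NAS},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "B001", "User-Name": "bob", "NAS-IP-Address": NAS},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "B001", "User-Name": "bob", "NAS-IP-Address": NAS},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "C999", "User-Name": "carol", "NAS-IP-Address": NAS},
]


def run_sample():
    """Feed the constructed stream through the tracker and return what a caller sees."""
    tracker = SessionTracker(simultaneous_use={"alice": 1, "bob": 2})
    outcomes = [tracker.handle_accounting(r) for r in SAMPLE_RECORDS]
    # alice holds one session and her limit is 1, so a second login is refused
    alice_before = tracker.authorize("alice")
    # The NAS reports no live sessions (alice's Stop was lost in transit);
    # reconciling against that view frees her slot.
    stale = tracker.reconcile(NAS, set())
    alice_after = tracker.authorize("alice")
    return outcomes, alice_before, stale, alice_after


if __name__ == "__main__":
    print(run_sample())
```

Without the reconcile step the lost Stop for session A001 would lock alice out indefinitely, which is exactly the situation Ted describes; with it, the server's view is corrected from the NAS's own session table rather than from accounting packets it may never receive.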