(RADIATOR) signal to NAS
Mariano Absatz
radiator at lists.com.ar
Mon Oct 22 14:52:27 CDT 2001
Well... Radius is (or used to be) a strict client/server protocol where
the server is passively waiting for requests from the client and
reacting (or not) to them as it sees appropriate.
Now, the client is the NAS and the server (in our case) is Radiator.
There should be no way for the server to asynchronously send anything to
the client (the NAS).
But if you want to disconnect a user who dialed-in to the NAS from the
server, you have to do just that.
RFC2822 (Extended RADIUS Practices) says:
> 6.4. Authorization Changes:
>
> To implement an active changes to a running session, such as filter
> changes or timeout and disconnect, at least one vendor has added a
> RADIUS "server" to his NAS. This server accepts messages sent from an
> application in the network, and upon matching some session
> information, will perform such operations.
>
> Messages sent from Server to NAS
>
> - Change Filter Request
> - Change Filter Ack / Nak
> - Disconnect Request
> - Disconnect Response
>
> Filters are used to limit the access the user has to the network by
> restricting the systems and protocols he can send packets to. Upon
> fulfilling some registration with an authorization server, the
> service provider may wish to remove those restrictions, or disconnect
> the user.
>
So, in fact, the NAS should have a "minimal" radius server inside and
you should have a radius client... but Radiator has radpwtst which is
precisely, a radius client...
Browsing a little bit among old docs, I found an Internet-Draft,
draft-chiba-radius-dynamic-authorization-00.txt: "Dynamic Authorization"...
browsing ftp.ietf.org I see it's expired and no longer on line...
anyway, if you want it, I can send it by mail.
This draft is written by a couple of guys from Cisco, so I suspect there
is at least a Cisco box with this behaviour... anyway, you MUST see your
NAS documentation to check that this is available and how it works... I
think I once saw a whitepaper about the Nortel CVX supporting this.
The draft says, the "client's client" (i.e. radpwtst) must send a Radius
Disconnect Request packet with the username, or session-id, or IP
address of the user to disconnect and the "client turned into server"
(the NAS) should disconnect it and send a Disconnect ACK packet or not
disconnect it and send a Disconnect NAK packet.
Also, you should see when and why you do disconnect it... maybe from a
radwho.cgi... it shouldn't be hard to add a link to every line saying
"disconnect this guy" and launching radpwtst with the appropriate
options...
HTH.
On 20 Oct 2001 at 16:13, lloyd dagoc wrote:
> hello,
>
> just wondering if RADIATOR can send a signal to NAS to disconnect a
> particular user....can RADIATOR do that? if yes , how?
>
>
> = )
> thanks
> lloyd
> inter.net philippines incorporated
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mariano Absatz
El Baby
----------------------------------------------------------
I wish for a world of peace, harmony, & nakedness.
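
Added example, not part of the original message and not Radiator or radpwtst code: the Disconnect Request / ACK / NAK exchange described above, showing how the NAS side can reject requests that were not built with the shared secret. Packet codes, Error-Cause and the authenticator rule are taken from RFC 5176, the later published form of dynamic authorization; the secret, session id and function names are constructed for illustration, and your NAS documentation decides what it actually accepts.

```python
import hashlib
import hmac
import struct

# Codes, Error-Cause and the authenticator rule follow RFC 5176; attribute 44 is RFC 2866.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ACCT_SESSION_ID, ERROR_CAUSE = 44, 101
ZERO = bytes(16)  # the authenticator field is zeroed while hashing a request

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def packet(code, ident, seed, attrs, secret):
    """Authenticator = MD5(header + seed + attrs + secret); seed is ZERO for a request, else the request authenticator."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + seed + attrs + secret).digest() + attrs

def verify(pkt, seed, secret):
    """True only if the length field is consistent and the authenticator matches."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    want = hashlib.md5(pkt[:4] + seed + pkt[20:] + secret).digest()
    return hmac.compare_digest(want, pkt[4:20])

def parse_attrs(pkt):
    """Walk the TLVs after the 20-byte header, rejecting malformed lengths."""
    out, i = {}, 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute")
        out[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return out

def nas_handle(pkt, secret, sessions):
    """NAS side: discard unauthenticated packets, ACK a known session, else NAK with Error-Cause 503."""
    if not verify(pkt, ZERO, secret) or pkt[0] != DISCONNECT_REQUEST:
        return None
    sid = parse_attrs(pkt).get(ACCT_SESSION_ID)
    if sid in sessions:
        sessions.discard(sid)
        return packet(DISCONNECT_ACK, pkt[1], pkt[4:20], b"", secret)
    nak = attr(ERROR_CAUSE, (503).to_bytes(4, "big"))  # Session Context Not Found
    return packet(DISCONNECT_NAK, pkt[1], pkt[4:20], nak, secret)

# Constructed sample: the request a disconnect client would send for one session.
SECRET = b"constructed-shared-secret"
REQUEST = packet(DISCONNECT_REQUEST, 7, ZERO, attr(ACCT_SESSION_ID, b"0000A1B2"), SECRET)
```

The MD5 authenticator only proves knowledge of the shared secret; it does not stop a captured request from being replayed, which is why RFC 5176 recommends an Event-Timestamp attribute and restricting which source addresses the NAS listens to.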