[RADIATOR] Disconnect user via radpwtst or other method?

Hugh Irvine hugh at open.com.au
Fri Mar 27 15:40:08 CST 2009


Hello Andrew, Hello Tim -

It goes without saying that you should be very careful with your NAS  
access lists to strictly control this function.

regards

Hugh


On 28 Mar 2009, at 03:18, Andrew D. Clark wrote:

> On Friday 27 March 2009 10:49:42 Tim Dancer wrote:
> > Hi all,
> >
> > Is it possible to disconnect a user from the radius side using
> > radpwtst? How do people normally handle this function?
> >
> > Thanks,
> > Tim
> >
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
>
> This is usually accomplished through methods such as RADIUS dynamic  
> authorization (aka Packet of Disconnect or Change of Authorization).  
> See RFC3576. In general, there's a RADIUS server running on the NAS  
> that processes CoA messages, and then some RADIUS client sends a CoA  
> message (such as Disconnect-Request) with the attributes the NAS  
> requires to process the disconnect. radpwtst can generate such  
> messages, but be clear on what is the RADIUS server and what is the  
> RADIUS client in this case.
>
> Here's a sample showing a successful disconnect request with an ACK  
> (this is using a Trapeze NAS - note the NAS is the RADIUS server in  
> this case).
>
> adc at bastion-2:~$ radpwtst -trace 4 -bind_address 192.168.249.12 -auth_port 3799
> -noauth -noacct -s somenas -secret somesecret -time -code
> Disconnect-Request User-Name="adc" NAS-IP-Address="192.168.238.141"
> Event-Timestamp=1212606218
>
> Wed Jun 4 14:01:32 2008: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> sending Disconnect-Request...
> Wed Jun 4 14:01:32 2008: DEBUG: Packet dump:
> *** Sending to 192.168.238.141 port 3799 ....
> Code: Disconnect-Request
> Identifier: 2
> Authentic: <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Attributes:
> User-Name = "adc"
> NAS-IP-Address = 192.168.238.141
> Event-Timestamp = 1212606218
>
> Wed Jun 4 14:01:32 2008: DEBUG: Packet dump:
> *** Received from 192.168.238.141 port 3799 ....
> Code: Disconnect-Request-ACKed
> Identifier: 2
> Authentic: &<132>O<242><233>nB<188><206><8>Uk<137>Z<175><170>
> Attributes:
> Event-Timestamp = 1212606092
>
> OK
> time for 1 iterations: 0 s
>
>
> -- 
> Andrew D. Clark
> Network Operations Engineer
> University of Minnesota, Networking/Telecom Services
> 2218 University Ave SE
> Minneapolis, MN 55414-3029
> Phone: 612-626-4880
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
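
The checks a NAS can apply before honouring a Disconnect-Request like the one in the trace above, as an added example that is not part of the original messages or of Radiator: source access list, RFC 3576 Request Authenticator, and Event-Timestamp freshness. The `ALLOWED` list, the 300-second window and all function names are assumptions; the sample packet is constructed from the attribute values in the trace.

```python
import hashlib, hmac, ipaddress, socket, struct

DISCONNECT_REQUEST, EVENT_TIMESTAMP = 40, 55           # RFC 3576 code, attribute type
ALLOWED = [ipaddress.ip_network("192.168.249.12/32")]  # assumed NAS access list
MAX_SKEW = 300                                         # assumed replay window, seconds

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def sign(header, attrs, secret):
    """Request Authenticator: MD5(header + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(ident, attrs, secret):
    """Client side: assemble a signed Disconnect-Request."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + sign(header, attrs, secret) + attrs

def find_attr(attrs, wanted):
    """Walk the TLVs up to `wanted`; return its value or None. Raises on bad lengths."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        if attrs[i] == wanted:
            return attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return None

def check_request(packet, src_ip, secret, now):
    """NAS side: return (accepted, reason) for a packet received on port 3799."""
    if not any(ipaddress.ip_address(src_ip) in net for net in ALLOWED):
        return False, "source not in access list"
    if len(packet) < 20 or packet[0] != DISCONNECT_REQUEST:
        return False, "bad header"
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "bad header"
    if not hmac.compare_digest(sign(packet[:4], packet[20:], secret), packet[4:20]):
        return False, "bad authenticator"
    try:
        ts = find_attr(packet[20:], EVENT_TIMESTAMP)
    except ValueError:
        return False, "malformed attribute"
    if ts is None or len(ts) != 4 or abs(now - struct.unpack("!I", ts)[0]) > MAX_SKEW:
        return False, "stale or missing Event-Timestamp"
    return True, "ok"

# Constructed sample reusing the attribute values from the trace above.
SAMPLE_ATTRS = (attr(1, b"adc") + attr(4, socket.inet_aton("192.168.238.141"))
                + attr(EVENT_TIMESTAMP, struct.pack("!I", 1212606218)))
SAMPLE = build_request(2, SAMPLE_ATTRS, b"somesecret")
```

The access-list check runs first, so a packet from an unlisted source is dropped before any work is done on its contents.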



