[RADIATOR] how to terminate user session

Wed Feb 20 07:51:26 CST 2013

On 02/19/2013 02:50 PM, Thomas Kurian wrote:

> My radiator is currently handling only accounting function .But 
> authentication of users is done by another 3rd party AAA server. Both of 
> these AAA servers are integrated to the cisco ISG (NAS) . My requirement 
> is to further use my radiator to terminate/disconnect live user 
> sessions. Can you send me an example of the configuration lines to be 
> added in radius.cfg, explaining how it is done and where to place it in 
> my radiator config seen below?

How to disconnect users depends on your requirements. A general approach
might be using PostAuthHook that runs system("/path/to/radpwtst ...
options") where the options depend on what NAS the requires.

The radpwtst options would probably resemble what you have below but the
details depend on the NAS.

> Please explain both scenarios with COA configuration & packet of 
> disconnect configuration . Can this be done only with radpwtst command 
> (explain how) or is there another method?

radpwtst has everything you need to create and send requests. Other
method might be creating a request and passing it to AuthBy RADIUS
clause so that Radiator would send (and retransmit if needed) the
request. That would be more work and calling radpwtst is a quicker way
to get this tested.

> Also explain what entries are to be entered for the respective 
> attributes for the below command (saw this from old radiator archives 
> but its not properly explained):-

Please see the reference manual section 8 about radpwtst. It has all the
options listed.

> radpwtst -trace 4 -bind_address 192.168.249.12 -auth_port 3799 -noauth 
> -noacct -s somenas -secret somesecret -time -code Disconnect-Request 
> User-Name="adc" NAS-IP-Address="192.168.238.141" Event-Timestamp=1212606218
> 
> 
> 
> Following is my current config file: -
> 
> 
> AcctPort 1813
> AuthPort 1812
> 
> LogDir /var/log/radius
> DbDir /etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 4
> 
> # You will probably want to add other Clients to suit your work site,
> # one for each NAS you want to work with
> 
> 
> <Client DEFAULT>
> Secret ******
> DupInterval 0
> </Client>
> 
> 
> <Client 10.50.1.4>
> Secret *****
> DupInterval 0
> NasType Cisco
> IgnoreAcctSignature
> </Client>
> 
> # Accept processing of other accounting requests of the genre stop
> 
> 
> 
> <Realm>
> <AuthBy SQL>
> 
> DBSource dbi:ODBC:*****
> DBUsername *****
> DBAuth *****
> 
> 
> AccountingStopsOnly
> AccountingTable ACCOUNTING
> AcctColumnDef USERNAME, User-Name
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef TIME_STAMP,Event-Timestamp,integer-date
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> 
> 
> 
> AcctSQLStatement update quotasubscribers set monthlycounter = 
> monthlycounter + 0%{Acct-Output-Octets}, totalcounter = totalcounter + 
> 0%{Acct-Output-Octets}, timestamp = %{Event-Timestamp} \
> where username='%n' \
> And Type = 'Q'
> 
> 
> 
> </AuthBy>
> #Log accounting to a detail file
> AcctLogFileName %L/detail
> 
> 
> </Realm>
> 
> 

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.