[RADIATOR] how to terminate user session
Heikki Vatiainen
hvn at open.com.au
Wed Feb 20 07:51:26 CST 2013
On 02/19/2013 02:50 PM, Thomas Kurian wrote:
> My radiator is currently handling only accounting function .But
> authentication of users is done by another 3rd party AAA server. Both of
> these AAA servers are integrated to the cisco ISG (NAS) . My requirement
> is to further use my radiator to terminate/disconnect live user
> sessions. Can you send me an example of the configuration lines to be
> added in radius.cfg, explaining how it is done and where to place it in
> my radiator config seen below?
How to disconnect users depends on your requirements. A general approach
might be using PostAuthHook that runs system("/path/to/radpwtst ...
options") where the options depend on what NAS the requires.
The radpwtst options would probably resemble what you have below but the
details depend on the NAS.
> Please explain both scenarios with COA configuration & packet of
> disconnect configuration . Can this be done only with radpwtst command
> (explain how) or is there another method?
radpwtst has everything you need to create and send requests. Other
method might be creating a request and passing it to AuthBy RADIUS
clause so that Radiator would send (and retransmit if needed) the
request. That would be more work and calling radpwtst is a quicker way
to get this tested.
> Also explain what entries are to be entered for the respective
> attributes for the below command (saw this from old radiator archives
> but its not properly explained):-
Please see the reference manual section 8 about radpwtst. It has all the
options listed.
> radpwtst -trace 4 -bind_address 192.168.249.12 -auth_port 3799 -noauth
> -noacct -s somenas -secret somesecret -time -code Disconnect-Request
> User-Name="adc" NAS-IP-Address="192.168.238.141" Event-Timestamp=1212606218
>
>
>
> Following is my current config file: -
>
>
> AcctPort 1813
> AuthPort 1812
>
> LogDir /var/log/radius
> DbDir /etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 4
>
> # You will probably want to add other Clients to suit your work site,
> # one for each NAS you want to work with
>
>
> <Client DEFAULT>
> Secret ******
> DupInterval 0
> </Client>
>
>
> <Client 10.50.1.4>
> Secret *****
> DupInterval 0
> NasType Cisco
> IgnoreAcctSignature
> </Client>
>
> # Accept processing of other accounting requests of the genre stop
>
>
>
> <Realm>
> <AuthBy SQL>
>
> DBSource dbi:ODBC:*****
> DBUsername *****
> DBAuth *****
>
>
> AccountingStopsOnly
> AccountingTable ACCOUNTING
> AcctColumnDef USERNAME, User-Name
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef TIME_STAMP,Event-Timestamp,integer-date
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>
>
>
> AcctSQLStatement update quotasubscribers set monthlycounter =
> monthlycounter + 0%{Acct-Output-Octets}, totalcounter = totalcounter +
> 0%{Acct-Output-Octets}, timestamp = %{Event-Timestamp} \
> where username='%n' \
> And Type = 'Q'
>
>
>
> </AuthBy>
> #Log accounting to a detail file
> AcctLogFileName %L/detail
>
>
> </Realm>
>
>
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list