From owner-freebsd-questions Fri Jul 20 02:53:00 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from calypso.egreta.gr (calypso.egreta.gr [213.170.192.14]) by hub.freebsd.org (Postfix) with ESMTP id ACFF137B401 for ; Fri, 20 Jul 2001 02:52:54 -0700 (PDT) (envelope-from pskoul@egreta.gr)
Received: from egreta.gr (ntnms.egreta.gr [213.170.192.68]) by calypso.egreta.gr (8.9.2/8.9.1) with ESMTP id MAA17104 for ; Fri, 20 Jul 2001 12:48:42 +0300 (EET DST)
Message-ID: <3B58016C.1BDFCA38@egreta.gr>
Date: Fri, 20 Jul 2001 13:01:16 +0300
From: Panagiotis Skoulikaritis
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
X-Accept-Language: en,el
MIME-Version: 1.0
To: FreeBSD Questions
Subject: Re: need help configuring radius
References: <003d01c110f9$46a368e0$1401a8c0@tedm.placo.com>
Content-Type: text/plain; charset=iso-8859-7
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.ORG

Hello Ted

I would like to thank you, you were very informative.

Thanks
Panagiotis

Ted Mittelstaedt wrote:
> First, you don't want to ask this here, instead you want to subscribe to
> the portmaster-radius mailing list at http://www.livingston.com/tech/archive/
>
> Secondly, what you're asking is not simple. For example there's a couple
> of Reply attributes out there that might work - Port-Limit and MultLink Flag,
> but these are not standard. You must check your NAS documentation to see
> if it recognizes them and applies them to ISDN multilink calls. Further
> they only work if you only have a single NAS.
>
> The usual method of doing what you're wanting to do is to use a RADIUS server
> such as cistron that has support for setting multiple login limits. The
> way these servers work is if you only permit a single session for a user
> they will authenticate the first session then deny all other auth attempts
> as long as that session is logged in. Therein is the difficulty, however,
> because RADIUS is a stateless protocol and as such there's no direct
> connection between the radius server and the NAS that the radius server
> can use to synchronize a database of who is logged in and who isn't.
>
> What some people do to track logins is to depend on the start and stop
> records, they increment a counter when they get a start record and
> decrement it when they get a stop record. This works OK for small NAS
> with just a few ports, there's a radius daemon at
>
> http://yardradius.on.openave.net/
>
> that works quite well for that.
>
> However, for anything significant (more than 20 ports or so) you run into
> synchronization problems. Some NAS have piss-poor accounting record control,
> Portmasters have been known under heavy load to not bother sending start
> accounting records or sending duplicates. Also RADIUS is UDP so you could
> lose the packet anyway. Then you get into a situation where the radius
> server thinks a user is logged on when they really aren't, thus the next time
> they call in the NAS won't let them logon.
>
> More sophisticated servers like cistron get around this problem by issuing
> an SNMP query to the NAS every time they see what they think is a simultaneous
> login attempt, to check and see if the first login is really there. This
> requires some fooling around with scripts and ucd-snmp. Also it's very
> NAS dependent - if you have a collection of NAS from different manufacturers
> then you're going to really be hosed and some NAS (USR for example) don't
> give out that data via SNMP so you have to do other scripting with Telnet
> scripts.
>
> At our site we started out with the free radius 2.01 daemon Livingston handed
> out, then finally dumped it for YARD because of the simultaneous use thing. But
> I only lasted about 8 months with dealing with that because of the problems of
> keeping the radius daemon in sync with a big NAS with many T1's coming into
> it. I finally scrapped all that and went to ICradius
> (ftp://ftp.innercite.com/pub/icradius) which is a modified cistron
> that runs on a mysql server. It also has several web-based interfaces to
> it which helped greatly because we have admins that I don't trust with UNIX
> command line access. Also having all the accounting in a SQL server is
> extremely useful, beforehand we used to have to futz with all these icky perl
> scripts to attempt to get reporting off the monthly detail files which were
> huge. Now we can query usage on the fly which helps with troubleshooting as
> well as the customers that call up claiming they never used the service and
> why are we billing them. There's also some other tiered billing things that
> become possible with SQL queries that I won't get into. But I will warn you,
> although it's a great radius server it's very complicated and not simple to
> setup on FreeBSD. It's easy to see why the commercial radius servers like
> Steel Belted Radius are selling so well.
>
> Ted Mittelstaedt tedm@toybox.placo.com
> Author of: The FreeBSD Corporate Networker's Guide
> Book website: http://www.freebsd-corp-net-guide.com
>
> >-----Original Message-----
> >From: owner-freebsd-questions@FreeBSD.ORG
> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Panagiotis
> >Skoulikaritis
> >Sent: Friday, July 20, 2001 12:14 AM
> >To: FreeBSD Questions
> >Subject: need help configuring radius
> >
> >
> >Hello
> >
> >I need help with configuring my radius server.
> >I would like to distinguish on how my users log in depending on their
> >contract with either 64 kbps isdn or 128 kbps isdn. So far I'm using
> >the attribute NAS-Port-Type = ISDN, but this way every user that has
> >this attribute can use both channels of the isdn even though they
> >haven't subscribed for that. Any help would be appreciated.
> >
> >Thanks
> >
> >Panagiotis
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-questions" in the body of the message
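The start/stop counting scheme Ted describes, and the drift it suffers from duplicate Start records and Stop records lost over UDP, as an added illustration that is not part of the thread. The accounting records are constructed dicts, the `stale_after` timeout and the `Interim-Update` refresh are assumptions of this example (not something any of the servers named above is claimed to do):

```python
# Added example: a simultaneous-use tracker fed by RADIUS accounting
# records, contrasting the naive +1/-1 counter with one keyed on
# Acct-Session-Id plus a staleness timeout for sessions whose Stop got lost.
from dataclasses import dataclass, field


@dataclass
class SessionTracker:
    max_sessions: int = 1
    stale_after: float = 600.0        # assumed: seconds of silence before a session is dropped
    sessions: dict = field(default_factory=dict)     # user -> {Acct-Session-Id: last_seen}
    naive_count: dict = field(default_factory=dict)  # user -> raw Start/Stop counter

    def account(self, rec: dict, now: float) -> None:
        """Process one accounting record (constructed dict, not a parsed packet)."""
        user, sid, status = rec["User-Name"], rec["Acct-Session-Id"], rec["Acct-Status-Type"]
        # Naive scheme from the thread: +1 on Start, -1 on Stop, no deduplication,
        # so a NAS that resends a Start leaves a phantom login behind.
        if status == "Start":
            self.naive_count[user] = self.naive_count.get(user, 0) + 1
        elif status == "Stop":
            self.naive_count[user] = self.naive_count.get(user, 0) - 1
        # Keyed scheme: a repeated Start for the same session id is a no-op,
        # a Stop removes exactly that session, an Interim-Update refreshes it.
        live = self.sessions.setdefault(user, {})
        if status in ("Start", "Interim-Update"):
            live[sid] = now
        elif status == "Stop":
            live.pop(sid, None)

    def active(self, user: str, now: float) -> int:
        live = self.sessions.get(user, {})
        # A lost Stop would otherwise block the user forever; expire quiet sessions.
        for sid in [s for s, t in live.items() if now - t > self.stale_after]:
            del live[sid]
        return len(live)

    def allow_login(self, user: str, now: float) -> bool:
        return self.active(user, now) < self.max_sessions


SAMPLE = [  # constructed records: (record, arrival time in seconds)
    ({"User-Name": "alice", "Acct-Session-Id": "0001", "Acct-Status-Type": "Start"}, 0.0),
    ({"User-Name": "alice", "Acct-Session-Id": "0001", "Acct-Status-Type": "Start"}, 1.0),   # NAS resent Start
    ({"User-Name": "alice", "Acct-Session-Id": "0001", "Acct-Status-Type": "Stop"}, 300.0),
    ({"User-Name": "alice", "Acct-Session-Id": "0002", "Acct-Status-Type": "Start"}, 400.0),
    # the Stop for session 0002 is lost in transit and never arrives
]


def replay(records=SAMPLE) -> SessionTracker:
    tracker = SessionTracker()
    for rec, ts in records:
        tracker.account(rec, ts)
    return tracker
```

After the duplicate Start the naive counter already denies alice's next call even though she hung up; the keyed tracker denies her only while session 0002 is plausibly alive and frees the port once it has been silent longer than `stale_after`.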