Re: (PM) Radius (fwd)

Jon Lewis (jlewis@inorganic5.fdt.net)
Thu, 6 Nov 1997 20:10:31 -0500 (EST)

On Thu, 6 Nov 1997, Jacob Suter wrote:

> bought my Portmaster with the understanding that radius (or something
> else from livingston) would be controlling multi logins soon.. that was
> 21 months ago, and a lot of radiuses ago, and it still remains.

Get Cistron radiusd...it's got this feature and is free AFAIK.

> Why not a 'is this luser already logged in' system? Let's say you have
> pm1-pm8... luser logs into pm8, it checks the 'users' file, sees that
> he has a max-ports of 1... at that point calling all the portmasters and
> going "is this luser already logged in?"... A finger-like software with

This doesn't scale well. Imagine 8 pm30's. With 240 ports, you probably
have new connections coming in every few seconds, sometimes several a
second. I doubt the PM's would deal well with being "fingered" several
times a second.

A more reasonable method IMO is periodic probing of all the NAS's, and
then doing the right thing when a user is logged in more times than
allowed. That may be to run a command that boots them off, emails them,
logs it for billing purposes, etc.

> *sigh* it seems like such an easy thing to fix, and it's not.

IIRC, Cistron radiusd does it by keeping a utmp-like file on the server
that tracks who's logged in. Trouble is, I don't think (I've not looked
closely) it has any facility for keeping in sync with the secondary radius
server...so imagine user X logs into a NAS and his start record goes to
radiusd1. He then logs out, and for some reason, his stop record goes to
radiusd2. Now, assuming most radius auth/acct data goes to radiusd1, user
X is effectively locked out until you fix the radiusd1 utmp-like file,
which will probably be just to wipe the file, and then you lose
multi-login protection for everyone already logged in.

I wouldn't trust this sort of thing unless radiusd1 and radiusd2 could
somehow communicate every few minutes or less to keep the state info in
sync.

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/message.
Florida Digital Turnpike |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____

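The split-brain case Jon describes (Start record lands on radiusd1, the Stop on radiusd2, user X stays locked out on radiusd1), as an added Python model written for this archive page; it is not Cistron radiusd's code or anything posted to the list. The record layout, the MAX_LOGINS constant, and the journal-replay and NAS-probe helpers are assumptions that stand in for the "keep in sync" and "periodic probing" approaches discussed in the thread.

```python
from dataclasses import dataclass, field

MAX_LOGINS = 1  # per-user limit; assumed value standing in for the users-file max-ports


@dataclass
class RadiusServer:
    """One accounting server with a utmp-like table of live sessions (constructed model)."""
    name: str
    active: set = field(default_factory=set)     # (user, nas, port) believed logged in
    journal: list = field(default_factory=list)  # every accounting record this server saw

    def account(self, rec):
        """Apply an accounting record: Start adds a session, Stop removes it."""
        key = (rec["user"], rec["nas"], rec["port"])
        self.journal.append(rec)
        if rec["status"] == "Start":
            self.active.add(key)
        elif rec["status"] == "Stop":
            self.active.discard(key)

    def logins(self, user):
        return sum(1 for u, _, _ in self.active if u == user)

    def authorize(self, user):
        """Auth check: deny when the local table already shows MAX_LOGINS sessions."""
        return self.logins(user) < MAX_LOGINS

    def sync_from(self, peer):
        """The 'communicate every few minutes' fix: replay records the peer saw and we did not."""
        for rec in peer.journal:
            if rec not in self.journal:
                self.account(rec)

    def rebuild_from_probe(self, probe):
        """The 'periodic probing' fix: trust what the NASes report, not accumulated records."""
        self.active = set(probe)


def split_brain_demo():
    """Reproduce the mail's scenario and show the stale entry clearing after a sync."""
    r1, r2 = RadiusServer("radiusd1"), RadiusServer("radiusd2")
    start = {"user": "x", "nas": "pm8", "port": "S3", "status": "Start"}
    stop = {"user": "x", "nas": "pm8", "port": "S3", "status": "Stop"}
    r1.account(start)                   # login recorded on the primary
    r2.account(stop)                    # logout recorded on the secondary only
    locked_out = not r1.authorize("x")  # X is gone, but radiusd1 still denies the next call
    r1.sync_from(r2)                    # periodic state exchange clears the stale session
    return locked_out, r1.authorize("x")
```

Without `sync_from` the only recovery is wiping radiusd1's table, which is exactly the "lose multi-login protection for everyone" outcome the mail warns about.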