Re: (PM) Radius (fwd)

Karl Denninger (karl@Mcs.Net)
Thu, 6 Nov 1997 22:29:35 -0600

On Thu, Nov 06, 1997 at 11:17:15PM -0500, Chris Wilson wrote:
> On Thu, 6 Nov 1997, Jacob Suter wrote:
>
> > Why not an 'is this luser already logged in' system? Let's say you have
> > pm1-pm8... luser logs into pm8, it checks the 'users' file, sees that
> > he has a max-ports of 1... at that point calling all the portmasters and
> > going "is this luser already logged in?"... A finger-like software with
> > real security would work.
> >
> > *sigh* it seems like such an easy thing to fix, and it's not.
>
> Exactly, not that easy of a thing to fix. Yeah, you could write a hack to
> handle it on a small scale, but what about if you've got hundreds of PMs?
> Most of the simple solutions simply won't scale. If you've got multiple
> RADIUS servers geographically dispersed, you can't just keep a users
> "table" of who is logged in, since they could log in off any server. You
> could do an SNMP check, but what happens if you've got some backbone
> congestion and authentication takes years?

Oh, there's a way to do it :-)

As Megazone has pointed out, it's not 100% idiot-proof, but it's pretty damn
close. MCPPP-style checks for max channels don't do it - you could have
multiple clusters of units in different locations, and they can't "see" each
other in that way.

The real issue here is that Radius isn't deterministic on the accounting
side. There are reasons to think that sucks, but there are also reasons to
think that it's a good thing. Frankly, I go with the "sucks" theory most of
the time, on the premise that if things are screwed up badly enough that
accounting data is getting delayed or lost then you have bigger problems
and are better off not letting people in until they're fixed (lest you be
unable to bill the customer for their use).

-- 
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
			     | NEW! K56Flex modem support is now available
Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
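The max-ports check discussed in this thread, driven off RADIUS accounting rather than polling every PortMaster, as an added example that is not from any poster or from Livingston's software. It assumes a constructed accounting stream (Start/Stop records with a user, session id, NAS name and arrival time), that each NAS sends at least one accounting packet every STALE_AFTER seconds (interim updates or keepalives; a hypothetical requirement), and takes Karl's "fail closed" line: if accounting from any NAS has gone quiet, nobody is let in until it is fixed.

```python
from dataclasses import dataclass, field

# Constructed sample accounting stream (not real PortMaster output).
ACCOUNTING_LOG = [
    {"user": "jdoe",   "status": "Start", "session": "A1", "nas": "pm1", "t": 100},
    {"user": "jdoe",   "status": "Start", "session": "B7", "nas": "pm8", "t": 160},
    {"user": "jdoe",   "status": "Stop",  "session": "A1", "nas": "pm1", "t": 200},
    {"user": "asmith", "status": "Start", "session": "C3", "nas": "pm4", "t": 210},
]
# Per-user port limit, like the max-ports entry in the 'users' file.
MAX_PORTS = {"jdoe": 1, "asmith": 2}
# Assumption: every NAS sends some accounting packet at least this often.
STALE_AFTER = 300


@dataclass
class SessionTracker:
    active: dict = field(default_factory=dict)     # session id -> (user, nas)
    last_seen: dict = field(default_factory=dict)  # nas -> time of last packet

    def account(self, rec):
        """Apply one accounting record (Start opens, Stop closes a session)."""
        self.last_seen[rec["nas"]] = rec["t"]
        if rec["status"] == "Start":
            self.active[rec["session"]] = (rec["user"], rec["nas"])
        elif rec["status"] == "Stop":
            self.active.pop(rec["session"], None)

    def live_sessions(self, user):
        return [sid for sid, (u, _) in self.active.items() if u == user]

    def authorize(self, user, now):
        """Decide an Access-Request at time `now`: (accept, reason)."""
        # Fail closed: a quiet NAS means the login picture can't be trusted.
        stale = sorted(n for n, t in self.last_seen.items() if now - t > STALE_AFTER)
        if stale:
            return False, "accounting stale from " + ",".join(stale)
        if len(self.live_sessions(user)) >= MAX_PORTS.get(user, 1):
            return False, "max-ports reached"
        return True, "ok"


def build_tracker(records=ACCOUNTING_LOG):
    """Replay the accounting stream into a fresh tracker."""
    tracker = SessionTracker()
    for rec in records:
        tracker.account(rec)
    return tracker


if __name__ == "__main__":
    tr = build_tracker()
    print(tr.authorize("jdoe", 250), tr.authorize("asmith", 250), tr.authorize("asmith", 500))
```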