Re: Disconnect-Request packet
On Friday 29 July 2005 13:43, N White wrote:
> I understand this now, and why it would be... as you put it yuck. Ha Ha! Well thanks for answering my question and explaining it to me. Looks like some custom scripting for me then. :-)
>
> My only problem now is going to be figuring out how to send disconnect packets to different types of server. Thanks for your help!

Cisco call this a Packet of Disconnect (Death? =) and Ascend Max-TNT's have their own radius server running on the NAS to handle disconnect packets (though I've found the TNT to have several annoying bugs). Those are two devices I've used to send disconnect packets to.

Kevin Bonner

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Disconnect-Request packet
[EMAIL PROTECTED] (Paul Hampson) wrote:
> This last point seems trivial until you try to proxy backwards through a chain you have only the last hop of, and the last hop doesn't necessarily know what the previous hop was.

Exactly. Coupled with the problem that the server is *supposed* to validate the disconnect request by running it through the *proxying* code, to see if it came FROM the site an Access-Request would have been proxied TO.

Yuck.

Alan DeKok.
Re: Disconnect-Request packet
Alan DeKok wrote:
> [EMAIL PROTECTED] (Paul Hampson) wrote:
>> This last point seems trivial until you try to proxy backwards through a chain you have only the last hop of, and the last hop doesn't necessarily know what the previous hop was.
>
> Exactly. Coupled with the problem that the server is *supposed* to validate the disconnect request by running it through the *proxying* code, to see if it came FROM the site an Access-Request would have been proxied TO.
>
> Yuck.
>
> Alan DeKok.

I understand this now, and why it would be... as you put it yuck. Ha Ha! Well thanks for answering my question and explaining it to me. Looks like some custom scripting for me then. :-)

My only problem now is going to be figuring out how to send disconnect packets to different types of server. Thanks for your help!

--
Nick White
Network Administrator
Tele-NET Internet
http://www.tele-net.net
[EMAIL PROTECTED]
Re: Disconnect-Request packet
N White [EMAIL PROTECTED] wrote:
> Yes 192.168.1.1 is the NAS.

Then it's running FreeRADIUS. The error message you quoted above:

> ad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139, length=31
> Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED

Can ONLY be produced from FreeRADIUS.

Alan DeKok.
Re: Disconnect-Request packet
Alan DeKok wrote:
> N White [EMAIL PROTECTED] wrote:
>> Yes 192.168.1.1 is the NAS.
>
> Then it's running FreeRADIUS. The error message you quoted above:
>
>> ad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139, length=31
>> Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED
>
> Can ONLY be produced from FreeRADIUS.
>
> Alan DeKok.

That's correct. Read my second reply.

So other than writing custom scripts, is there a way for the RADIUS server (FreeRADIUS) to be told to send a disconnect packet to the NAS that a particular user is logged in to (NAS could vary - Portmaster, Cisco, PPPoE Server, VPN Server, etc.)?

Thanks!

--
Nick White
Network Administrator
Tele-NET Internet
http://www.tele-net.net
[EMAIL PROTECTED]
Re: Disconnect-Request packet
N White [EMAIL PROTECTED] wrote:
> That's correct. Read my second reply.
>
> So other than writing custom scripts, is there a way for the RADIUS server (FreeRADIUS) to be told to send a disconnect packet to the NAS that a particular user is logged in to (NAS could vary - Portmaster, Cisco, PPPoE Server, VPN Server, etc.)?

No. And I *still* don't understand your situation. You claim 192.18.1.1 is the NAS, and you also claim it's FreeRADIUS. That makes no sense.

Alan DeKok.
Re: Disconnect-Request packet
On Thu, Jul 28, 2005 at 06:20:35PM -0700, N White wrote:
> That's correct. Read my second reply.
>
> So other than writing custom scripts, is there a way for the RADIUS server (FreeRADIUS) to be told to send a disconnect packet to the NAS that a particular user is logged in to (NAS could vary - Portmaster, Cisco, PPPoE Server, VPN Server, etc.)?

Nope, you have to write custom scripts. FreeRADIUS has nothing to do with (and wants nothing to do with) the disconnect packets.

Usually, you would have a script that checks for whatever condition you're basing the disconnect on, and calls radclient (or telnet, or whatever the interface your NAS/downstream provides for this) to do the disconnect. (I've also seen SNMP and SOAP, and I really don't think FreeRADIUS is the right tool to automate a phone call to the NOC. ^_^)

While you _could_ integrate disconnect into FreeRADIUS using a mechanism similar to checkrad, it'd be pretty daft, since the authentication checks the wrong details (this is an administrative request, not a user request) and sends the wrong way (this is an unsolicited packet to a NAS, not to a RADIUS proxy).

This last point seems trivial until you try to proxy backwards through a chain you have only the last hop of, and the last hop doesn't necessarily know what the previous hop was. (I vaguely remember someone discussing a static reverse-NAS route config file at some point. Luckily, no one tried to turn that into code)

Bash and perl are both simpler and easier shells for this than FreeRADIUS. ^_^

--
Paul TBBle Hampson, on an alternate email client.
Disconnect-Request packet
Ok. I am trying to figure out how to disconnect a user, or to tell the radius server to send a disconnect packet to the NAS for a specific user. This is the command I am using:

    echo User-Name = nickwhite | radclient 192.168.1.1 disconnect mysecret -x

This is the debug output from the radius server:

    ad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139, length=31
    Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED

I also came across this: http://www.freeradius.org/faq/#4.3

But why then is there a command as part of radclient to disconnect, and what does that response exactly mean. Is there any way to accomplish this? (disconnecting a user via radclient?)

Thanks

--
Nick White
[EMAIL PROTECTED]
Re: Disconnect-Request packet
N White [EMAIL PROTECTED] wrote:
> Ok. I am trying to figure out how to disconnect a user, or to tell the radius server to send a disconnect packet to the NAS for a specific user. This is the command I am using:
>
>     echo User-Name = nickwhite | radclient 192.168.1.1 disconnect mysecret -x

Is 192.168.1.1 the IP address of the NAS?

> ad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139, length=31
> Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED

FreeRADIUS doesn't listen for disconnect packets. And, you're sending the disconnect packet to the authentication port. There's a special port for disconnects, but I forget what it is.

> But why then is there a command as part of radclient to disconnect, and what does that response exactly mean. Is there any way to accomplish this? (disconnecting a user via radclient?)

Send the disconnect packet to the NAS.

Alan DeKok.
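Added example, not part of the original posts and not FreeRADIUS code: the Disconnect-Request that the debug output above reports (code 40, id=139, length=31), built and checked in Python with the authenticator layout from RFC 5176. The function names are hypothetical; the user name and secret are the ones from the radclient command in the thread, and nothing is sent on the network.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40  # the "packet code 40" in the debug output
USER_NAME = 1            # RADIUS attribute type for User-Name


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, counts these 2 octets too), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _authenticator(ident: int, length: int, attrs: bytes, secret: bytes) -> bytes:
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, length)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_disconnect_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    length = 20 + len(attrs)  # 20-octet header, then the attributes
    if length > 4096:
        raise ValueError("RADIUS packets are limited to 4096 octets")
    auth = _authenticator(ident, length, attrs, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, length) + auth + attrs


def verify_disconnect_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: right code, sane length, authenticator matches."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or not 20 <= length <= len(packet):
        return False
    expected = _authenticator(ident, length, packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample: same user, id and secret as the command and log in the thread.
SAMPLE = build_disconnect_request(139, encode_attr(USER_NAME, b"nickwhite"), b"mysecret")

if __name__ == "__main__":
    print(len(SAMPLE), SAMPLE.hex())
    print(verify_disconnect_request(SAMPLE, b"mysecret"))
```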
Re: Disconnect-Request packet
Alan DeKok wrote:
> N White [EMAIL PROTECTED] wrote:
>> Ok. I am trying to figure out how to disconnect a user, or to tell the radius server to send a disconnect packet to the NAS for a specific user. This is the command I am using:
>>
>>     echo User-Name = nickwhite | radclient 192.168.1.1 disconnect mysecret -x
>
> Is 192.168.1.1 the IP address of the NAS?
>
>> ad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139, length=31
>> Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED
>
> FreeRADIUS doesn't listen for disconnect packets. And, you're sending the disconnect packet to the authentication port. There's a special port for disconnects, but I forget what it is.
>
>> But why then is there a command as part of radclient to disconnect, and what does that response exactly mean. Is there any way to accomplish this? (disconnecting a user via radclient?)
>
> Send the disconnect packet to the NAS.
>
> Alan DeKok.

Yes 192.168.1.1 is the NAS. I thought that's what radclient did - told the RADIUS server to send a disconnect to the NAS that the client (user) is connected to. I've tried sending the disconnect to the NAS (Portmaster). Any particular port?

Thanks.

--
Nick White
Network Administrator
Tele-NET Internet
http://www.tele-net.net
[EMAIL PROTECTED]
Re: Disconnect-Request packet
N White wrote:
> Alan DeKok wrote:
>> N White [EMAIL PROTECTED] wrote:
>>> Ok. I am trying to figure out how to disconnect a user, or to tell the radius server to send a disconnect packet to the NAS for a specific user. This is the command I am using:
>>>
>>>     echo User-Name = nickwhite | radclient 192.168.1.1 disconnect mysecret -x
>>
>> Is 192.168.1.1 the IP address of the NAS?
>>
>>> ad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139, length=31
>>> Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED
>>
>> FreeRADIUS doesn't listen for disconnect packets. And, you're sending the disconnect packet to the authentication port. There's a special port for disconnects, but I forget what it is.
>>
>>> But why then is there a command as part of radclient to disconnect, and what does that response exactly mean. Is there any way to accomplish this? (disconnecting a user via radclient?)
>>
>> Send the disconnect packet to the NAS.
>>
>> Alan DeKok.
>
> Yes 192.168.1.1 is the NAS. I thought that's what radclient did - told the RADIUS server to send a disconnect to the NAS that the client (user) is connected to. I've tried sending the disconnect to the NAS (Portmaster). Any particular port?
>
> Thanks.

My apology. 192.168.1.1 is the IP of the RADIUS server, NOT the NAS. Sorry about that.

--
Nick White
Network Administrator
Tele-NET Internet
http://www.tele-net.net
[EMAIL PROTECTED]
Re: Disconnect-Request packet
> Yes 192.168.1.1 is the NAS. I thought that's what radclient did - told the RADIUS server to send a disconnect to the NAS that the client (user) is connected to. I've tried sending the disconnect to the NAS (Portmaster). Any particular port?

Not sure about Portmaster, but the general default port for disconnect is 1700 I think.

cheers,
Mike.