On Monday 06 February 2006 16:25, Dennis Skinner wrote:
> Guy Fraser wrote:
> > there. I looked into it briefly for Cisco 5248 and determined
> > that by setting the interface administratively down would boot
> > the user, then setting it back to up would allow it to accept
> > access again. The tricky part was matching the user to the
> > interface so you would kick the right user.
>
> We have Ciscos here. You don't need to set the int to down. Just clear
> the tty. You can use bash and expect to write a script. You will need
> to find which tty to clear first (also doable via bash/expect/grep/awk).
>
> If you use tacacs, you can give a special user rights to only do very
> specific commands which should limit the liability of having the
> password in the script.
For Cisco devices, we use the PoD server and radclient to send disconnect packets. Example config and radclient call are below.

Kevin Bonner

== example cisco config ==
aaa pod server auth-type any server-key YOUR_KEY
!
ip radius source-interface Loopback0
!
access-list 101 remark Packet of Disconnect
access-list 101 permit udp host AAA.BBB.CCC.DDD any eq 1700
access-list 101 deny udp any any eq 1700 log
access-list 101 <other rules>
access-list 101 permit ip any any
!
interface Loopback0
 ip address EEE.FFF.GGG.HHH 255.255.255.255
 ip access-group 101 in
!
== end cisco config ==

== radclient call ==
echo "[EMAIL PROTECTED]" | /usr/bin/radclient EEE.FFF.GGG.HHH:1700 disconnect YOUR_KEY
== end radclient call ==
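Added example, not from the list post or from FreeRADIUS: it builds the RADIUS Disconnect-Request that radclient sends to the router's PoD port and checks the Disconnect-ACK/NAK that comes back, so you can see exactly what the server-key and the access-list are protecting, and why sending Acct-Session-Id along with User-Name matters for the "kick the right user" problem raised above. The user name, session id, identifier and simulated NAS reply are constructed values; YOUR_KEY stands in for the router's server-key.

```python
import hashlib
import hmac
import struct

# RADIUS codes for Dynamic Authorization (RFC 5176) and the attribute types used below.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ACCT_SESSION_ID = 1, 44  # RFC 2865 / RFC 2866

def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_disconnect_request(ident: int, secret: bytes, user: str, session_id: str) -> bytes:
    """Disconnect-Request (code 40) as radclient sends it to the NAS on UDP 1700.
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret),
    so a sender that does not know the server-key fails the NAS's check.
    Acct-Session-Id pins the request to one session; User-Name alone would drop
    every session of that user (the "kick the right user" problem above)."""
    attrs = attr(USER_NAME, user.encode()) + attr(ACCT_SESSION_ID, session_id.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def nas_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Simulated NAS reply (ACK/NAK), constructed here so the demo runs offline.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_reply(reply: bytes, request: bytes, secret: bytes) -> str:
    """Return "ACK" or "NAK" after checking the reply against our request and secret.
    Raises ValueError for a truncated, mismatched or wrongly keyed reply, so a
    spoofed UDP answer is never mistaken for a confirmed disconnect."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("malformed reply length")
    if reply[1] != request[1]:
        raise ValueError("identifier does not match the outstanding request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or spoofed reply")
    if reply[0] == DISCONNECT_ACK:
        return "ACK"
    if reply[0] == DISCONNECT_NAK:
        return "NAK"
    raise ValueError(f"unexpected RADIUS code {reply[0]}")

if __name__ == "__main__":
    # Constructed sample values; YOUR_KEY stands in for the router's server-key.
    req = build_disconnect_request(7, b"YOUR_KEY", "user@example.com", "00000123")
    print(verify_reply(nas_reply(DISCONNECT_ACK, req, b"YOUR_KEY"), req, b"YOUR_KEY"))
```

Note that the shared secret is the only cryptographic protection on this exchange, which is why the access-list in the config above restricts UDP 1700 to the one AAA host.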
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

