Re: (RADIATOR) Replay Check Items Q.

1999-07-27 Thread Hugh Irvine

At 1:22 AM 27/7/99, Ben-Nes Michael wrote:
> Hi All
> Sorry for asking so many Q.


No problem - we'll try to help.

> what is the best Framed-MTU for modems PPP ?


Well, this is a tricky question, and there is no single "good" answer. This
will depend on many factors including the NAS, modems in use, connect
speed, TCP/IP implementation in the client, etc., etc.

The theory says that larger packets will be better for things like file
transfers, while smaller packets will be better for "interactive" use (i.e.
keystrokes and such). This is because, once a packet transfer is started on
the wire, it will continue until completion. It is easy to see that at
56kbps, a 1500 byte packet will take approx. 1/3 of a second to transfer
(modulo compression and so forth). You would have to do a detailed packet
trace to profile the packet sizes against response times and do some
experiments.

Of course, in most real world situations, the packet sizes on the modem
links won't have too much effect on overall performance, due to the
vagaries of network congestion elsewhere.

> the standard Livingston radius have "Filter-Id" does cisco 2511 accept
> it ?


You will have to check the Cisco documentation.

> I used a samples from the goodies directory for building up a
> mysql/radius server, but when someone is logged I don't see him on
> RADONLINE :-(


Your config file will have to include the lines:

<SessionDatabase SQL>
        DBSource 
        DBUsername ...
        DBAuth 
</SessionDatabase>

The example in the goodies directory works correctly.

> How can I limit users for 20 hours (for example) ?


Again, this is NAS dependent, you will have to check your documentation.

hth

Hugh


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.






Re: (RADIATOR) Replay Check Items Q.

1999-07-27 Thread James Pickering

On Mon, 26 Jul 1999, Ben-Nes Michael wrote:

> the standard Livingston radius have "Filter-Id" does cisco 2511 accept
> it ?

The Cisco's do accept Filter-Id to choose ACL's but personally I prefer to
use per-user ACL's as the AS5300's I maintain for a client have many
different uses/users. The per-user ACL's also allow you to modify ACL's on
the fly in the radius server. One realm uses an applications LDAP
based security configuration to allow very restricted PPP connections
to that application, which I do using the per-user ACL's.

Something like the following works well for me: 

AddToReply \
cisco-avpair="ip:inacl#3=permit tcp any x.x.x.x 0.0.0.0 eq abcd",\
cisco-avpair="ip:inacl#4=deny icmp any any administratively-prohibited",\
cisco-avpair="ip:inacl#5=deny ip any any"

Trap: AddToReply isn't cumulative, you can use it only once.

You may need to add the following IOS configuration:
radius-server vsa send

--
   ++
  / James Pickering/
 / Email: [EMAIL PROTECTED]   /
++

