All VopRadius users,
I'm working with Sylvain Savignac at Vircom on this issue. The problem is that most wholesale ports providers do not provide support for watchdog packets between the NAS and your radius which means there is no process in place to reconcile the list of users actually online. If the NAS restarts or otherwise is unable to send the stop packet to radius the user ends up with a ghost record in radius. When the user tries to log back on if you have port-limit = 1 the user is rejected based on simultaneous login limit exceeded. This operational issue is not going to go away unless a creative solution is implemented. In my opinion just such a solution was suggested some time ago on this mail list. The recommendation is as follows: " if the calling station-id was stored with the rest of the users information in the online users table in radius, a ghost user could be cleaned up when they try to reconnect from the same phone number." The assumption is that it would not be impossible to be simultaneous from the same originating number.
I would appreciate feedback from others on this list with thoughts on this solution.
Thanks,
Steven Bastardi
The Home Town Network Inc.
Doesn't do any good for users who have their phone number blocked. At least 1/2 of our customers don't show any dialed from phone number.
Jim Craig
TDE Internet
* * * C O N F I D E N T I A L I T Y S T A T E M E N T * * * This E-MAIL message and any accompanying documents contain confidential information intended for a specific individual and purpose. The information contained within is private and protected by law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this message is strictly prohibited. If you have received this communication in error, please notify us by return e-mail or by telephone at 419-661-1233 so that we can prevent a reoccurrence. Thank you in advance for your strict compliance and assistance.
----- Original Message -----
* * * C O N F I D E N T I A L I T Y S T A T E M E N T * * * This E-MAIL message and any accompanying documents contain confidential information intended for a specific individual and purpose. The information contained within is private and protected by law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this message is strictly prohibited. If you have received this communication in error, please notify us by return e-mail or by telephone at 419-661-1233 so that we can prevent a reoccurrence. Thank you in advance for your strict compliance and assistance.
- From: Gene DuCharme
- To: [EMAIL PROTECTED]
- Sent: Thursday, May 20, 2004 7:02 AM
- Subject: [VOPRadius] globalpops
- Allowing multiple logins on our end seems to me to be opening the door for abuse.
- It would seem to me that there has to be a way for radius to check say every 20 minutes if the customer is still there.????
- High Speed Internet at it's Best
- Gene DuCharme
- Owner Inland North West Internet
- 401 S. Park St.
- Chewelah, Wa.
- 99109
- [EMAIL PROTECTED]
- http://www.inwi.net
- tel:
- fax:
- mobile: 509-935-8923
- 509-935-8923
- 509-936-0633
- Signature powered by Plaxo Want a signature like this?
- Add me to your address book...
- -----Original Message-----
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ramsey Abu-Absi
- Sent: Wednesday, May 19, 2004 2:11 PM
- To: [EMAIL PROTECTED]
- Subject: [VOPRadius] globalpops
- Is that working OK for you?
- Thanks,
- Ramsey
- At 04:48 PM 5/19/2004, you wrote:
- They have a custom tweaked Radius. They suggested we put our GP users on a profile allowing 2 logins or unlimited logins.
- Keep our local users on a profile with 1 login per user.
- CF
- ----- Original Message -----
- From: Ramsey Abu-Absi
- To: [EMAIL PROTECTED]
- Sent: Wednesday, May 19, 2004 3:47 PM
- Subject: [VOPRadius] globalpops
- Hi Cary,
- Thanks - you make a valid point; perhaps I was a bit harsh in my earlier messages. Their ghosting policy is as you describe. However, my frustration has been that although they are letting the ghosted user log in, they are getting a reject from my server because my server does not know that this is in fact happening. If they could send a stop record first, then the problem would be solved.
- Now this brings up a question I hadn't thought of before: Can VOP perform the same logic (i.e. check the called-from number, and if it is the same as the active session, allow the user to log in)? This would also provide us with a fix.
- Given that at least two of us are dealing with this, I'd be most appreciative if someone from Vircom wouldn't mind weighing in on this. Otherwise, I'll contact support.
- Thanks,
- Ramsey
- At 04:29 PM 5/19/2004, Cary Fitch wrote:
- I have dealt with their tech staff and their "chief guru". They are a class operation. Two of them were at our Peercon meeting.
- They have a "good" ghosting policy, verify not only by your radius, but by the number the person is calling from, and can knock off a ghosted user, to allow the same person back on from the same number, but not a different number.
- They also give the user the benefit of the doubt until it is shown he is an "ab-user".
- As to wrong passwords, unless that is a caching issue, I don't know about that. (They do caching, so if they can't reach you, they can still allow your users on line.)
- Cary Fitch
- ----- Original Message -----
- From: Brad Johnson
- To: [EMAIL PROTECTED]
- Sent: Wednesday, May 19, 2004 3:05 PM
- Subject: [VOPRadius] globalpops
- Will Do! Thanks to all who replied.
- Brad Johnson
- Systems Administrator
- Local Link Network Operations
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramsey Abu-Absi
- Sent: Wednesday, May 19, 2004 2:57 PM
- To: [EMAIL PROTECTED]
- Subject: [VOPRadius] globalpops
- Let me know if you have any luck!
- Ramsey
- At 03:46 PM 5/19/2004, you wrote:
- Well, if I find that I�m not getting stop packets for users, I�ll be making their tech staff unhappy. If they say �we sent it� and they don�t know why its not getting to us, its still their problem in my opinion (their service model).
- Brad Johnson
- Systems Administrator
- Local Link Network Operations
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gene DuCharme
- Sent: Wednesday, May 19, 2004 11:37 AM
- To: [EMAIL PROTECTED]
- Subject: [VOPRadius] globalpops
- We use them and set up as (other-no security)
- And yes we have had some problems with radius not receiving the stop packet. When I talked directly with Corey Pops at Global Pops he explained if you try to stay with their teir 1 system you will have less problems with ghosting. Although I have come in in the morning and found several customers ghosted who I know do not stay on 1000 or more minutes.
- I just checked my logs and they customers are being logged.
- High Speed Internet at it's Best
- Gene DuCharme
- Owner
- Inland North West Internet
- 401 S. Park St.
- Chewelah, Wa.
- 99109
- [EMAIL PROTECTED]
- http://www.inwi.net
- tel:
- fax:
- mobile:
- 509-935-8923
- 509-935-8923
- 509-936-0633
- Signature powered by Plaxo
- Want a signature like this?
- Add me to your address book...
- -----Original Message-----
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brad Johnson
- Sent: Wednesday, May 19, 2004 9:00 AM
- To: [EMAIL PROTECTED]
- Subject: [VOPRadius] globalpops
- What client type is used with globalpops. I have client definitions setup and have tried with �other� and �Radius Server� and authentication is working however, I get no radius errors when a bad login is used, nor do I get an entry in onlineusers when a good login is used and gets connected.
- Also, does globalpops pass on stop packets for users they detect as a ghost � or am I going to have ghost issues with them?
- Brad Johnson
- Systems Administrator
- Local Link Network Operations
- * * * C O N F I D E N T I A L I T Y S T A T E M E N T * * * This E-MAIL message and any accompanying documents contain confidential information intended for a specific individual and purpose. The information contained within is private and protected by law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this message is strictly prohibited. If you have received this communication in error, please notify us by return e-mail or by telephone at 419-661-1233 so that we can prevent a reoccurrence. Thank you in advance for your strict compliance and assistance.
