* This is the VOP Radius mailing list *
We will have to agree to disagree. I completely understand your point and
could get on board IF VOPRadius had some logic that found the real name of
the NAS and displayed it. It doesn't and on its best day will only display
the name you have configured in the client definitions. Since this is the
case ... I think it should do this always.
Thanks for the input and discussion. Debate is good!
Brad Johnson
Systems Administrator
Local Link Network Operations
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of WebWiz
Sent: Friday, May 21, 2004 8:15 PM
To: [EMAIL PROTECTED]
Subject: [VOPRadius] "Ghost users causing simultaneous login limit exceeded"
(wholesale ports)
Brad, I still think you're misunderstanding what I'm trying to say.
I understand that you have several NASes, but each NAS is set up as a
client in your Radius Config. In that scenario, the client *is* the
NAS, and VOP Radius can easily assign a name to the NAS in its Online
Users display. Look at it this way: Client == NAS in this scenario.
But for GlobalPops, you set up TWO clients (rad01... and rad02...).
Those are "aggregator" Radius servers that accept AUTH requests from
multiple NASes and forward the requests on to you. You accept the AUTH
request from the GlobalPops Radius server because you know it. But
because it's passing on a request that came from a NAS that you DON'T
know, there's no way to assign a name to the NAS. In this situation
Client != NAS.
You're getting a request from 4.3.2.1 (hypothetically the IP of GP's
RADIUS server) that was originated on a NAS 4.3.80.33 (hypothetically
the IP of the NAS that took the call). VOP Radius *knows* what name
you've assigned to 4.3.2.1, but it doesn't know 4.3.80.33 from Adam.
In neither scenario does VOP Radius know or care what the "real" name of
the NAS is.
It sounds like you want VOP Radius to display the name of the CLIENT
through which the request was passed, rather than the name of the NAS
from which the request originated. That would be an enhancement request
for the folks at Vircom. My point is that this is an ENHANCEMENT
request. It's not a bug or a problem or an "issue".
And if we still disagree, that's cool. I'll agree to disagree amicably
and we can let these good people get back to whatever they were doing
before. ;)
Regards,
Eric Longman
Atl-Connect Internet Services
+-------------------------------------------------------+
| Atl-Connect Internet Services http://www.atlcon.net |
| 3600 Dallas Hwy Ste 230-288 770 590-0888 |
| Marietta, GA 30064-1685 [EMAIL PROTECTED] |
+-------------------------------------------------------+
Brad Johnson wrote:
> I would argue that point. I have several NAS that each have real names. I
> specify the "NAS Name" in the client definition descriptively for the
> benefit of our support dept and in all cases the name used is the name in
> the client definition. Therefore I feel fairly confident in saying the real
> NAS name has nothing to do with it at all.
>
> This being the case, the issue here is simply this ... When the NAS ip and
> the Radius IP match, it uses the "NAS Name" configured in the client
> definitions. When the NAS ip and the Radius IP do not match, it ignores the
> "NAS Name" configured in the client definitions and uses N/A.
>
> I see no logical reason for this since the real NAS name never plays into
> the equation. Therefore I would call this an "issue with VOP Radius".
>
> I'm sure my support dept. is well more than bright enough to know that N/A
> means "NOT APPLICABLE" (hehe). As for the rest, I'm trying to avoid
> potential questions as I don't believe "OH, that must be a NAS outside of
> NOC's control" is the first reaction anyone's support staff would have.
> Secondly, it just plain bugs me.
>
> Brad Johnson
> Systems Administrator
> Local Link Network Operations
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WebWiz
> Sent: Friday, May 21, 2004 3:06 PM
> To: [EMAIL PROTECTED]
> Subject: [VOPRadius] "Ghost users causing simultaneous login limit exceeded"
> (wholesale ports)
>
> Yes, it knows what CLIENT it goes with, but there's no associated name
> configured for the NAS (remember NAS does not equal CLIENT in this
> case). The display in VOP Radius just happens to display the name of
> the NAS rather than the name of the Client definition. In the case of a
> NAS that passed through a "remote" Radius Server before it got to your
> Radius server, how the heck could it possibly know the name of the NAS?
>
> Your support techs should be bright enough to comprehend that "N/A" for
> the name of the NAS means "Not Available" because it's a remote NAS
> that's out of your control.
>
> Regards,
> Eric Longman
> Atl-Connect Internet Services
>
>
>
>
> Brad Johnson wrote:
>
>>Right .... I just don't see why it would use N/A. If I have a NAS without a
>>client definition at all, radius won't allow authentication. This is
>>allowing it so it knows what client definition the connections are for ....
>>and so I think it should use the NAS name.
>>
>>The name does me no good, but my support techs will question it.
>>
>>Brad Johnson
>> Systems Administrator
>> Local Link Network Operations
>>
>>
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WebWiz
>>Sent: Friday, May 21, 2004 2:38 PM
>>To: [EMAIL PROTECTED]
>>Subject: [VOPRadius] "Ghost users causing simultaneous login limit exceeded"
>>(wholesale ports)
>>
>>Actually, I think this is due to the fact that you probably DON'T have
>>the NAS set up in your client definitions. You've got a RadiusServer
>>between you and the NAS, but the accounting packets actually define for
>>you the NAS into which the user is calling.
>>
>>The scenario is this:
>>
>>[Caller] -> [NAS] -> [GP Radius] -> [Your Radius]
>>
>>The [GP Radius] is reporting to you the IP of the NAS that's actually
>>handling the call. You've defined [GP Radius] to your Radius server,
>>since it's the one sending you packets, but you haven't defined the
>>actual [NAS] since you don't have a list of those. Even if you did,
>>what benefit would you get from giving the NAS a name? You've got the
>>IP address in case you need to track down a problem.
>>
>>Regards,
>>Eric Longman
>>Atl-Connect Internet Services
>>
>>
>>
>>
>>Brad Johnson wrote:
>>
>>
>>>Hmmm, got to be a VopRadius issue then ... wouldn't you think?
>>>
>>>
>>>
>>>Brad Johnson
>>>
>>> Systems Administrator
>>>
>>> Local Link Network Operations
>>>
>>>
>>>
>>>
>>>
>>>------------------------------------------------------------------------
>>>
>>>*From:* [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED] *On Behalf Of *Ramsey Abu-Absi
>>>*Sent:* Friday, May 21, 2004 1:53 PM
>>>*To:* [EMAIL PROTECTED]
>>>*Subject:* [VOPRadius] "Ghost users causing simultaneous login limit
>>>exceeded" (wholesale ports)
>>>
>>>
>>>
>>>Yes - I get N/A too. On the END records, though, the NAS name shows up
>>>as the client name as it's set up in the client definitions.
>>>
>>>Thanks,
>>>Ramsey
>>>
>>>At 12:30 PM 5/21/2004, you wrote:
>>>
>>>Do you get "N/A" rather than your configured NAS Name in your online
>>>users listing for GP user? I'm getting that now .. Can't see why.
>>>
>>>Brad Johnson
>>> Systems Administrator
>>> Local Link Network Operations
>>>
>>>
>>>
>>>
>>>
>>>*From:* [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED] *On Behalf Of *Cary Fitch
>>>*Sent:* Friday, May 21, 2004 11:19 AM
>>>*To:* [EMAIL PROTECTED]
>>>*Subject:* [VOPRadius] "Ghost users causing simultaneous login limit
>>>exceeded" (wholesale ports)
>>>
>>>We use a different user name for "national customers"
>>>
>>>[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> vs. just XXXXX for local users.
>>>
>>>We don't list Global Pops numbers where we have our own.
>>>We buy ports, not accounts.
>>>
>>>BTW GP also does total time limits over a rolling 30 day period for you
>>>if you like.
>>>
>>>CF
>>>
>>>Cary
>>>
>>>
>>>----- Original Message -----
>>>
>>>From: Brad Johnson <mailto:[EMAIL PROTECTED]>
>>>
>>>To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>>>
>>>Sent: Friday, May 21, 2004 10:52 AM
>>>
>>>Subject: [VOPRadius] "Ghost users causing simultaneous login limit
>>>exceeded" (wholesale ports)
>>>
>>>
>>>
>>>And ... ?
>>>
>>>Your NAS users have a different profile and can't travel ... or can, but
>>>not to a GP number?
>>>
>>>Your GP users can't use your NAS ... or can but can login several times?
>>>
>>>
>>>
>>>I'm trying to understand in what scenario this would be a solution.
>>>
>>>
>>>
>>>Brad Johnson
>>>
>>> Systems Administrator
>>>
>>> Local Link Network Operations
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>From: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>>>[mailto:[EMAIL PROTECTED] On Behalf Of Cary Fitch
>>>
>>>Sent: Friday, May 21, 2004 10:43 AM
>>>
>>>To: [EMAIL PROTECTED]
>>>
>>>Subject: [VOPRadius] "Ghost users causing simultaneous login limit
>>>exceeded" (wholesale ports)
>>>
>>>
>>>
>>>Yes, we do.
>>>
>>>
>>>
>>>Cary
>>>
>>>----- Original Message -----
>>>
>>>From: Brad Johnson <mailto:[EMAIL PROTECTED]>
>>>
>>>To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>>>
>>>Sent: Friday, May 21, 2004 10:38 AM
>>>
>>>Subject: [VOPRadius] "Ghost users causing simultaneous login limit
>>>exceeded" (wholesale ports)
>>>
>>>
>>>
>>>Heh, do you even have any of your own NAS? If so, do you allow multiple
>>>logins on those too, or do you restrict your users from traveling with
>>>their account?
>>>
>>>
>>>
>>>If your suggestion was any kind of solution for me (or most of us for
>>>that matter) this thread wouldn't have lived as long as it has.
>>>
>>>
>>>
>>>Brad Johnson
>>>
>>> Systems Administrator
>>>
>>> Local Link Network Operations
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>>>On Behalf Of Cary Fitch
>>>
>>>Sent: Friday, May 21, 2004 9:40 AM
>>>
>>>To: [EMAIL PROTECTED]
>>>
>>>Subject: [VOPRadius] "Ghost users causing simultaneous login limit
>>>exceeded" (wholesale ports)
>>>
>>>
>>>
>>>Give them a profile that allows multiple logins and let Global Pops
>>>handle limits.
>>>
>>>
>>>
>>>("I keep saying this, over, and over and over.")
>>>
>>>
>>>
>>>Cary Fitch
>>>
>>>----- Original Message -----
>>>
>>>From: Gene DuCharme <mailto:[EMAIL PROTECTED]>
>>>
>>>To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>>>
>>>Sent: Friday, May 21, 2004 9:30 AM
>>>
>>>Subject: [VOPRadius] "Ghost users causing simultaneous login limit
>>>exceeded" (wholesale ports)
>>>
>>>
>>>
>>>The exact scenario that we get from GP is this:
>>>
>>>
>>>
>>>User connects, everything is just fine.
>>>
>>>They disconnect gracefully.
>>>
>>>I look in my radius and they are still there, so the next time they try
>>>to log on they get invalid user and or pass.
>>>
>>>
>>>
>>>Until I actually delete them from VOP Radius they cannot log back on.
>>>
>>>
>>>
>>>This really makes it hard to sustain a nationwide presence or to
>>>recommend to our customers leaving the area to stay with us on our
>>>outside dial-ups.
>>>
>>>
>>>
>>>There has to be a cure somewhere, somehow. LOL
>>>
>>>
>>>
>>>
>>>
>>>High Speed Internet at it's Best
>>>
>>>
>>>
>>>Gene DuCharme
>>>
>>>Owner
>>>
>>>Inland North West Internet
>>>
>>>401 S. Park St.
>>>Chewelah, Wa. 99109
>>>http://www.inwi.net
>>>tel: 509-935-8923
>>>fax: 509-935-8923
>>>mobile: 509-936-0633
>>>
>>>-----Original Message-----
>>>
>>>From: [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED] Behalf Of Gary Carr
>>>
>>>Sent: Friday, May 21, 2004 6:57 AM
>>>
>>>To: [EMAIL PROTECTED]
>>>
>>>Subject: [VOPRadius] "Ghost users causing simultaneous login limit
>>>exceeded" (wholesale ports)
>>>
>>>
>>>
>>>>GlobalPops position on all the watchdog/stop packet info is that they
>>>>are UDP and there can be losses with no notification.
>>>
>>>
>>>
>>>
>>>
>>>That is true but I see watchdog packets as another way to limit abuse,
>>>not a 100% sure method.
>>>
>>>
>>>
>>>
>>>
>>>>Their ultimate ghosting and over use protection is from the logon caller
>>>>ID. But not the caller ID that consumers get, the one internal to
>>>>Telecom Companies. It can't be blocked.
>>>
>>>
>>>
>>>Hmm, where does that internal caller ID come from that, and does it get
>>>passed to the NAS and onto the radius. That sounds very close to the
>>>port method that Aleron uses.
>>>
>>>
>>>
>>>
>>>
>>>>If there are logons from the same number simultaneously, that is a ghost
>>>>and the old one is "killed". If they are from different numbers that is
>>>>"abuse" and it is allowed to a limit... with abusers duplicate (trust)
>>>>privileges removed once they are a demonstrated abuser. (So many
>>>>occurrences, for instance.)
>>>
>>>>GP doesn't believe in Watchdog packets or for that matter Stop packets
>>>>as "the truth". Logons from the same or different numbers are proof
>>>>positive.
>>>
>>>
>>>
>>>
>>>
>>>Does GP have a per user cap on the amount of hours? If so what happens
>>>if a user disconnects and doesn't reconnect until the next day or later.
>>>In that case the caller-id method would fail to remove the user in a
>>>timely manner.
>>>
>>>
>>>
>>>
>>>
>>>That's pretty interesting. Will they give any more details about that.
>>>We were considering adding GlobalPOPs until this thread started. Still
>>>may if they have a way to pass the disconnected user information to our
>>>radius servers.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>Gary
>>>
>>>
>>>
>>
>>
>>**
>>To leave this list, send an email to [EMAIL PROTECTED]
>>and put the word "LEAVE" in the BODY of the email.
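
The caller-ID rule quoted earlier in this thread (a new logon from the same number means the old record is a ghost and is killed; logons from different numbers are allowed up to a limit, and repeat offenders lose that privilege), as an added example that is not part of the original thread and is not GlobalPops or VOP Radius code. The class and parameter names, the limit values, the phone number and the second NAS IP are constructed assumptions.

```python
from collections import defaultdict

class SessionTable:
    """Online-user table keyed by user and caller number (constructed example)."""

    def __init__(self, dup_limit=1, abuse_threshold=3, ghost_aware=True):
        self.dup_limit = dup_limit              # sessions allowed at once (assumed value)
        self.abuse_threshold = abuse_threshold  # events before trust is removed (assumed)
        self.ghost_aware = ghost_aware
        self.active = defaultdict(dict)         # user -> {caller_id: nas_ip}
        self.abuse = defaultdict(int)           # user -> concurrent-use events

    def limit_for(self, user):
        # A demonstrated abuser loses the duplicate privilege.
        return 1 if self.abuse[user] >= self.abuse_threshold else self.dup_limit

    def login(self, user, caller_id, nas_ip):
        """Return (decision, ghost_nas_ip_or_None) for a new logon."""
        sessions = self.active[user]
        ghost = None
        if self.ghost_aware:
            # One number cannot be on two calls: the old record is a ghost
            # whose Stop packet never arrived, so drop it.
            ghost = sessions.pop(caller_id, None)
        if len(sessions) >= self.limit_for(user):
            return ("reject", ghost)
        if sessions:
            self.abuse[user] += 1               # different number while still online
        sessions[caller_id] = nas_ip
        return ("accept", ghost)

    def stop(self, user, caller_id):
        """Accounting Stop received: True if a session was removed."""
        return self.active[user].pop(caller_id, None) is not None

def replay(table, events):
    """Apply constructed (user, caller_id, nas_ip) logons; return the decisions."""
    return [table.login(*e)[0] for e in events]

# Constructed events: the Stop after the first call is lost, then the user redials.
LOST_STOP = [("gene", "5095550100", "4.3.80.33"),
             ("gene", "5095550100", "4.3.80.34")]
```

With `ghost_aware=False` the second logon in `LOST_STOP` is rejected, which is the stuck-user symptom reported in the thread; with the default it is accepted and the stale record is returned as the ghost.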