Re: (ASCEND) RADIUS - Blocking multiple logins by same user (fwd)

To: ascend-users@max.bungi.com
Subject: Re: (ASCEND) RADIUS - Blocking multiple logins by same user (fwd)
From: MegaZone <megazone@livingston.com>
Date: Sun, 10 Aug 1997 11:25:25 -0700 (PDT)
Organization: WPI Discordian Society, Undocumented Cabal of the Accursed Saint Shiranto Joe
Sender: owner-ascend-users@max.bungi.com

Once upon a time Dan Merillat shaped the electrons to say...
>Don't worry about multiple logins at the AUTH level... but, when the
>second "start" packet comes in at the Accounting level, SNMP (or RADIUS)
>nuke the _FIRST_ login.

This works for one case.

But what about those who wish to sell 4 login business accounts?  You can't
just go nuke things.  We get a lot of requests for that kind of thing - 
allowing 'X' numnber of logins, no more.

There is also, as you bring up, the multiple server case.

Our nextgen RADIUS server handles these cases by:
1. Being backended by a distributed database.  Records are kept in the DB
and can be accessed by multiple servers, and/or synced to multiple databases
for full redundancy.
2. If an auth-req comes in, AND the account is at it's limit, the server
makes an SNMP query to determine if the current logins are really there.
ie, the NAS hasn't crashed, the stop record didn't get lost/delayed, etc.
If they are still active, the new login is denied.  If not, the old record
is closed and marked so you know it was closed by the server, and the new
login is permitted.

>Result? log of a mess of people all multiply dialed in.  You might even
>tweak accounting to notice the max reboot based on something (I think some
>packets go to acct on reboot, dunno though)

Livingston's do send a 'happy birthday' packet as I like to call it when
they reboot.

>I dunno... I think doing it via the accounting works fairly well, for this
>_SPECIFIC_ resource management.  resource management is needed for other
>things as well, so a good protocol is needed for that.

It is being hit from different sides.  There are SNMP client and server
MIBs for auth and accounting being worked on.  

But there is nothing standard for something like filter distribution.
Livingston has ChoiceNet, but that's the only product of its kind I know
of.  And it is only Livingston products.

-MZ
--
Livingston Enterprises - Chair, Department of Interstitial Affairs
Phone: 800-458-9966 510-737-2100 FAX: 510-737-2110 megazone@livingston.com
For support requests: support@livingston.com  <http://www.livingston.com/> 
Snail mail: 4464 Willow Road, Pleasanton, CA 94588

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

Follow-Ups:

Re: (ASCEND) RADIUS - Blocking multiple logins by same user (fwd)

From: "Dale E. Reed Jr." <daler@iea.com>

Prev by Date: Re: (ASCEND) Pipeline 75: single address NAT in version 5.0B?
Next by Date: Re: (ASCEND) junk username in RADIUS stop packets
Prev by thread: Re: (ASCEND) RADIUS - Blocking multiple logins by same user (fwd)
Next by thread: Re: (ASCEND) RADIUS - Blocking multiple logins by same user (fwd)
Index(es):
- Main
- Thread