Ascend Archive

Re: (ASCEND) RADIUS - Blocking multiple logins by same user (fwd)



MegaZone wrote:
> 
> There is also, as you bring up, the multiple server case.
> 
> Our nextgen RADIUS server handles these cases by:
> 1. Being backended by a distributed database.  Records are kept in the DB
> and can be accessed by multiple servers, and/or synced to multiple databases
> for full redundancy.

Very interesting idea... Hopefully Livingston will put a little more
thought and effort into it than they did their RADIUS for NT DB
implementation. :)

> 2. If an auth-req comes in, AND the account is at its limit, the server
> makes an SNMP query to determine if the current logins are really there.
> ie, the NAS hasn't crashed, the stop record didn't get lost/delayed, etc.
> If they are still active, the new login is denied.  If not, the old record
> is closed and marked so you know it was closed by the server, and the new
> login is permitted.

Ascend has allowed variable length timeouts since the beginning.
Is Livingston going to ever catch up?  The above model could introduce
some pretty high latency and force servers to go well over their
hard coded ComOS 3 second limit.  Especially in situations like you
outlined as being popular where someone is allowed multiple logins 
and the RADIUS server is checking on five or more people on five
or more NASes in five or more pops.

-- 
Dale E. Reed Jr.  (daler@iea.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
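
The check from item 2 of the quoted message, with the latency concern from the reply handled by probing all of the user's recorded sessions in parallel under one shared deadline. This is an added example, not code from either vendor's RADIUS server; `authorize`, `demo_probe`, the 2.5-second budget and the choice to count an unanswered probe as still active are assumptions, and the probe function stands in for the SNMP query.

```python
import time
from concurrent.futures import ThreadPoolExecutor, wait

BUDGET = 2.5  # assumed server-side budget, kept under the 3 second NAS limit cited above

def authorize(user, limit, sessions, probe, budget=BUDGET):
    """Return (decision, detail) for a new login by `user`.

    sessions: list of dicts {user, nas, port, closed_by}; closed_by None means open.
    probe(nas, port) -> True if that port still carries the session.
    """
    open_recs = [s for s in sessions
                 if s["user"] == user and s["closed_by"] is None]
    if len(open_recs) < limit:
        return "accept", "under limit, no probe needed"
    pool = ThreadPoolExecutor(max_workers=len(open_recs))
    futures = {pool.submit(probe, s["nas"], s["port"]): s for s in open_recs}
    done, pending = wait(futures, timeout=budget)  # one deadline for all NASes
    pool.shutdown(wait=False)                      # do not block on slow NASes
    active = len(pending)                          # no answer: assume still online
    for f in done:
        if f.exception() is not None or f.result():
            active += 1                            # a probe error also counts as active
        else:
            futures[f]["closed_by"] = "server"     # stale record, closed by the server
    if active < limit:
        return "accept", f"{len(open_recs) - active} stale record(s) closed"
    return "reject", f"{active} session(s) active or unverified"

def demo_probe(nas, port):
    # Constructed stand-in for the SNMP query:
    # nas-b answers too slowly, nas-c no longer has the session.
    if nas == "nas-b":
        time.sleep(0.5)
    return nas != "nas-c"

def demo_sessions():
    # Constructed accounting records: three open sessions for one user.
    return [{"user": "alice", "nas": n, "port": p, "closed_by": None}
            for n, p in [("nas-a", 3), ("nas-b", 7), ("nas-c", 1)]]

if __name__ == "__main__":
    print(authorize("alice", 3, demo_sessions(), demo_probe, budget=0.1))
```

The worst-case delay added to an Access-Request is the budget itself, regardless of how many NASes hold records for the user; a NAS that does not answer in time keeps its session counted rather than being closed.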

