Real Time Ascend Mailing List Archive
Re: (ASCEND) Radius: stop users from dialin two times (fwd)
For a RADIUS server, we use the Shiva Access Manager. So long as the NAS
fully supports all RADIUS attributes, we are able to limit users to a
single login as well as restrict login to specific times of day for
specific users and so on. We use the MAX TNT and two other products
(legacy LANA boxes by Digi and Bay Networks 5399 terminal servers). The
only NAS that supports RADIUS sufficiently to apply security limitations
properly is the TNT. The others support RADIUS in varying degrees, both of
which are not acceptable.
Mitch
-------------
Original Text
From: "MegaZone" <megazone@megazone.org>, on 3/30/99 6:36 PM:
To: SMTP@DC2@OCC["Ascend Users" <ascend-users@bungi.com>]
Once upon a time Oliver J. Albrecht shaped the electrons to say...
>that, a radius-based solution (tracking of active accounts) across multiple
>units might be a possible solution. I just wonder how well this works in
Not 'might be' - it is. Some servers have done this for a long while.
Cistron is the only free server that does it truly effectively, but most
commercial servers do it as well.
>practice and how the radius daemon keeps track of active accounts. Surely
>it can't be the radacct records, which are (YMMV) bound to get lost from
>time to time.
That is only part of it. It will use RADIUS Accounting to maintain a state
table.
However, if a login request comes in for a user who is:
1. Already in the state table.
and
2. Has reached their allotted limit in number of ports.
Then the server will use another protocol - SNMP is preferred when possible,
as with PortMasters, Ciscos, and 3Com HiPer ARCs. With MAXen they tend to
have to use finger as the desired info isn't available via SNMP. The server
checks to make sure the sessions are indeed still active.
If they are then the new login is denied. If one or more of the sessions
is actually gone then it presumes a lost or delayed STOP packet, updates
the state table, and allows the new login.
The trouble here is with multiple servers - a free server like Cistron doesn't
provide for a way to sync multiple servers. A commercial server like Lucent
RADIUS ABM does however.
>With all due respect to the standard and Ascends pollution of the
>radius attributes/dictionary, the "bogus crap" works just fine.
Yes it works. But WHY? Why NOT use the standard? This is a headache for
anyone with a mixed environment, and for RADIUS server vendors who can
do one thing for everyone - EXCEPT Ascend.
That or Ascend users get the shaft when they can't use features in the
server. Some servers have time of day limits and will automatically
generate things like Port-Limit, Session-Timeout, etc, based on current
data, configuration profiles, etc. And many times Ascend users just get
left out in the cold - it works with compliant systems only.
-MZ
--
-=*X I'm going down... under that is! <URL:http://www.aussie-isp.net/> X*=-
<URL:mailto:megazone@megazone.org> Gweep, Discordian, Author, Engineer,
me..
Join ISP/C Internet Service Providers' Consortium
<URL:http://www.ispc.org/>
"A little nonsense now and then, is relished by the wisest men"
781-788-0130
<URL:http://www.megazone.org/> <URL:http://www.gweep.net/> Hail Discordia!
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
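The simultaneous-use logic MegaZone describes (accounting Start/Stop records feed a state table; only when a user is already at their Port-Limit does the server probe the NAS to confirm the sessions are really up, pruning any that are gone and then allowing the login) as an added Python example. This is not code from the thread or from Cistron, Lucent RADIUS ABM or any other server named in it. The `is_alive` callback stands in for the SNMP or finger check a real server would make, and the live-session table and accounting records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Session:
    nas: str          # NAS-IP-Address of the box carrying the call
    port: int         # NAS-Port the user is on
    session_id: str   # Acct-Session-Id, the key a Stop record carries


class SimultaneousUseChecker:
    """State table driven by RADIUS Accounting, verified against the NAS
    only when a user has reached their port limit (hypothetical class)."""

    def __init__(self, port_limits: Dict[str, int],
                 is_alive: Callable[[Session], bool]) -> None:
        self.port_limits = port_limits      # user -> allowed simultaneous ports
        self.is_alive = is_alive            # SNMP/finger stand-in
        self.state: Dict[str, List[Session]] = {}
        self.probes = 0                     # how often the NAS was asked

    def accounting(self, rec: Dict[str, str]) -> None:
        """Apply one Acct-Status-Type Start or Stop record to the table."""
        user = rec["User-Name"]
        sess = Session(rec["NAS-IP-Address"], int(rec["NAS-Port"]),
                       rec["Acct-Session-Id"])
        sessions = self.state.setdefault(user, [])
        if rec["Acct-Status-Type"] == "Start":
            if sess not in sessions:
                sessions.append(sess)
        elif rec["Acct-Status-Type"] == "Stop":
            # A Stop record may be lost; the table is corrected in authorize()
            self.state[user] = [s for s in sessions
                                if s.session_id != sess.session_id]

    def authorize(self, user: str) -> Tuple[bool, str]:
        """Decide a new Access-Request for `user` against the state table."""
        limit = self.port_limits.get(user, 1)
        sessions = self.state.get(user, [])
        if len(sessions) < limit:
            return True, "below Port-Limit, no NAS probe needed"
        # At limit: ask the NAS whether each recorded session is still up.
        still_up = []
        for s in sessions:
            self.probes += 1
            if self.is_alive(s):
                still_up.append(s)
        self.state[user] = still_up
        if len(still_up) < limit:
            return True, "stale session pruned; lost or delayed Stop assumed"
        return False, "Port-Limit reached, sessions confirmed active"


def demo() -> Tuple[List[Tuple[bool, str]], int]:
    """Walk through the lost-Stop scenario with constructed data."""
    # Constructed view of what the NAS would report as live sessions.
    nas_live: Dict[str, Set[str]] = {"10.0.0.1": {"8f00a1"}}

    def probe(sess: Session) -> bool:
        return sess.session_id in nas_live.get(sess.nas, set())

    checker = SimultaneousUseChecker({"alice": 1, "bob": 2}, probe)
    checker.accounting({"User-Name": "alice", "Acct-Status-Type": "Start",
                        "NAS-IP-Address": "10.0.0.1", "NAS-Port": "3",
                        "Acct-Session-Id": "8f00a1"})
    results = []
    results.append(checker.authorize("alice"))   # at limit, still up: denied
    nas_live["10.0.0.1"].discard("8f00a1")       # call dropped, Stop never arrived
    results.append(checker.authorize("alice"))   # probe finds it gone: allowed
    results.append(checker.authorize("bob"))     # not in table: allowed, no probe
    return results, checker.probes


if __name__ == "__main__":
    for allowed, reason in demo()[0]:
        print("ACCEPT" if allowed else "REJECT", "-", reason)
```

The probe is deliberately only run when the table already says the user is at their limit, which is why a lost Stop record costs one extra NAS query rather than a permanent lockout; a real server would issue the SNMP or finger request to the `nas` address recorded in the session.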