Disconnecting Wireless Clients
shadowx
12-18-2003, 09:11 PM
If we are using radius to authenticate our clients and we need to get the radius server to poll the router and disconnect a client how can we do this?
Or do we have to wait until the client reauthenticates and then refuse authentication?
Regards
Andrew
jlawrence
12-19-2003, 02:29 AM
As far as I know you have to wait for the client to reauthenticate then refuse them.
shadowx
12-19-2003, 01:44 PM
I wonder if there is a way to assign the reauthentication time on a per-user basis? If the user has 5 mins of time left then you just reauth in 5 mins, if they only have 30 seconds of time left then they reauth in 30 seconds.
I think the default auth time is 60 seconds.
However the reason I asked my original question is that in New Zealand internet users are charged on a Mb basis and not a time basis (we must be the only country in the world). It comes from the top-level gateways fleecing providers with high bandwidth rates. Something that is not going to change in a hurry.
With the hotspots if you reauth every 60 seconds a user could go way over their limit within that 60 seconds. If we reduce the auth time to every 10 seconds then we are just generating a huge amount of auth queries for nothing.
There must be a way to trigger a call to the star-os box that kicks the user back to the login screen.
Regards
Andrew
lonnie
12-19-2003, 03:26 PM
This is a function of your accounting server. Radius Authentication has no concept of accumulating time nor traffic.
The process would be that your financial accounting determines that the user has consumed their quota and it updates the authentication server to disallow further logins and then it sends a message to the AP to disconnect a client. We can make the last part happen but the process has to begin with your accounting server.
CompuTron
12-19-2003, 06:03 PM
Could a script poll the user's bandwidth statistics and then tarpit them if they go over their limit?
Does this sort of "script adjusting Star-OS" ability exist? If it did/does, then a lot of additional things could happen like having an IDS system automatically enter firewall rules for a single infected user at various points of the network depending on how close to the user a StarOS (server / router / cpe) is located.
Travis
shadowx
12-19-2003, 08:01 PM
Lonnie
Great stuff. I believe that the accounting side already exists and all that is really required is a way to poll the AP side and tell it to disconnect XYZ user so they are then kicked back to the authentication page.
I think the existing system was some kind of expect script that connected via telnet and issued a disconnect command for the relevant user, but I'm not totally sure on that one.
Certainly would be handy to be able to kick users either manually or by sending a formatted packet with the relevant commands/codes.
The one thing i have to however confirm is that the traffic/data count is being sent to the accounting server.
Regards
Andrew
CompuTron
12-19-2003, 08:24 PM
Certinly would be handy to be able to dick users either manually...
"Say what?!" LMAO
shadowx
12-19-2003, 09:11 PM
Hmm.. Now was that a typo or a Freudian slip :twisted:
jlawrence
12-22-2003, 10:44 AM
It certainly could be useful to be able to kick users off manually - if you become aware that they are breaking your AUP for example.
Steve
12-22-2003, 06:45 PM
Remove their entry from your radius server, change the acl on the AP to disabled, file/activate changes, change the acl back to radius, file/activate changes. Not exactly elegant but it works.
shadowx
12-22-2003, 08:24 PM
Steve,
Hehe.. A little long winded, and would that not also kick the other users? However if that was an automated task it may just work.
Regards
Andrew
georgew
12-23-2003, 07:39 AM
Remove their entry from your radius server, change the acl on the AP to disabled, file/activate changes, change the acl back to radius, file/activate changes. Not exactly elegant but it works.
This will work, but everyone will have to log in again.
Another way to do it is to assign static IPs with radius, then null-route the IP address when you want to turn the user off. You can null-route the user at any convenient router, it does not have to be the AP... you can do it at the router facing the Internet. That way the user is not on the Internet, but can still get to the "make a payment" web page.
By the way, this thread was discussed about a month or so ago... You can get your answers faster if you do a search before you post... :wink:
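Lonnie's point above (the accounting server, not RADIUS authentication, decides when a quota is used up) and georgew's null-route suggestion, put together as an added Python example. This is not code from the thread or from StarOS; it assumes the accounting server keeps FreeRADIUS-style "detail" records, that each user is handed a static Framed-IP-Address by RADIUS, and that the Internet-facing router is a Linux box with iproute2. The accounting records and the 3 MB allowance are constructed for the example.

```python
"""Accounting-driven quota enforcement (added example, not StarOS or forum code)."""
from collections import defaultdict

# Constructed sample in the style of a FreeRADIUS "detail" accounting log
# (an assumption about what the accounting server stores). Interim-Update and
# Stop records carry CUMULATIVE per-session byte counters, not deltas.
SAMPLE_DETAIL = """\
Fri Dec 19 20:01:00 2003
\tUser-Name = "andrew"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "a001"
\tFramed-IP-Address = 10.0.0.5
\tAcct-Input-Octets = 0
\tAcct-Output-Octets = 0

Fri Dec 19 20:02:00 2003
\tUser-Name = "andrew"
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "a001"
\tFramed-IP-Address = 10.0.0.5
\tAcct-Input-Octets = 400000
\tAcct-Output-Octets = 600000

Fri Dec 19 20:03:00 2003
\tUser-Name = "andrew"
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "a001"
\tFramed-IP-Address = 10.0.0.5
\tAcct-Input-Octets = 900000
\tAcct-Output-Octets = 1600000

Fri Dec 19 20:02:30 2003
\tUser-Name = "travis"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "b001"
\tFramed-IP-Address = 10.0.0.6
\tAcct-Input-Octets = 1000000
\tAcct-Output-Octets = 2200000
"""

QUOTA_BYTES = 3_000_000  # assumed prepaid allowance for the sample


def parse_detail(text):
    """Split a detail-style log into a list of {attribute: value} dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines()[1:]:  # first line is the timestamp
            if " = " not in line:
                continue
            key, value = line.strip().split(" = ", 1)
            attrs[key] = value.strip('"')
        if attrs:
            records.append(attrs)
    return records


def record_octets(rec):
    """Bytes on one record; Gigawords (RFC 2869) carry the high 32 bits."""
    total = 0
    for direction in ("Input", "Output"):
        total += int(rec.get(f"Acct-{direction}-Octets", 0))
        total += int(rec.get(f"Acct-{direction}-Gigawords", 0)) << 32
    return total


def usage_per_user(records):
    """Bytes used per user. Keep only the highest counter seen per
    Acct-Session-Id, then sum sessions per user; summing every record
    would count each interim update again (andrew would show 3.5 MB)."""
    latest = {}  # session id -> (user, cumulative octets)
    for rec in records:
        sid, user = rec.get("Acct-Session-Id"), rec.get("User-Name")
        if not sid or not user:
            continue
        octets = record_octets(rec)
        if sid not in latest or octets >= latest[sid][1]:
            latest[sid] = (user, octets)
    usage = defaultdict(int)
    for user, octets in latest.values():
        usage[user] += octets
    return dict(usage)


def framed_ip_per_user(records):
    """Last Framed-IP-Address seen for each user (static per RADIUS policy)."""
    return {r["User-Name"]: r["Framed-IP-Address"]
            for r in records if "User-Name" in r and "Framed-IP-Address" in r}


def over_quota(usage, quota_bytes):
    return sorted(u for u, used in usage.items() if used > quota_bytes)


def null_route_commands(users, ip_by_user):
    """iproute2 blackhole routes for the edge router; returned, not executed."""
    return [f"ip route add blackhole {ip_by_user[u]}/32"
            for u in users if u in ip_by_user]


def enforce(detail_text, quota_bytes=QUOTA_BYTES):
    """Usage table, users over quota, and the null-route commands for them."""
    records = parse_detail(detail_text)
    usage = usage_per_user(records)
    offenders = over_quota(usage, quota_bytes)
    return usage, offenders, null_route_commands(offenders, framed_ip_per_user(records))


if __name__ == "__main__":
    usage, offenders, cmds = enforce(SAMPLE_DETAIL)
    print(usage, offenders, cmds)
```

The script only builds the commands; in a real deployment the accounting job would run them on the edge router and, as lonnie describes, also flag the account so the next authentication is refused. Removing the blackhole again after payment is the reverse `ip route del blackhole` on the same router.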
lonnie
12-23-2003, 08:50 AM
We will have a hotspot disconnect in starutil, with the same sort of syntax that we have for PPPoE users. Expect it soon. That means your accounting server simply has to script a command line to the AP and the user is gone.
Steve
12-23-2003, 09:51 AM
Well, we're not using hotspot, just Radius ACL so it works for us. No login required, just reauths to the radius server.