There is indeed a function in RADIUS:

How RADIUS-Initiated Disconnect Works

For the disconnect feature, the router is the disconnect server and the RADIUS server is the disconnect client.

Disconnect Messages

To centrally control the disconnection of remote access users, RADIUS clients must be able to receive and process unsolicited disconnect requests from RADIUS servers. The RADIUS disconnect feature uses the existing format of RADIUS disconnect request and response messages. The code field used in disconnect messages has three codes:

  Disconnect-Request (40)
  Disconnect-ACK (41)
  Disconnect-NAK (42)

Message Exchange

The RADIUS server (the disconnect client) and the RADIUS client (the disconnect server) exchange messages using UDP. The Disconnect-Request sent from the disconnect client is a RADIUS-formatted packet with the Disconnect-Request code and one or more attributes. The disconnect response is either a Disconnect-ACK or a Disconnect-NAK:

  If AAA is successful in disconnecting the user, the response is a RADIUS-formatted packet with a Disconnect-ACK.
  If AAA is unsuccessful in disconnecting the user, the request is malformed, or the request is missing attributes, the response is a RADIUS-formatted packet with a Disconnect-NAK.

Qualifications for Disconnect

To disconnect a user, the Disconnect-Request must contain an attribute with a session ID. The Disconnect-Request can contain an Acct-Session-Id (44) attribute and/or a Multi-Session-Id (50) attribute for the session ID. If both the Acct-Session-Id and Multi-Session-Id attributes are present in the request, the router uses both attributes. If the User-Name (1) attribute is also present in the request, the username and session ID are used to perform the disconnection. AAA services handle the actual request.

Security/Authentication

The RADIUS server (the disconnect client) must calculate the Authenticator as specified for an Account-Request in RFC 2866. The RADIUS client verifies the request using the Authenticator calculation as specified for an Accounting-Request in RFC 2866. A secret, as specified in RFC 2865, must be configured and used in the calculation of the Authenticator. The disconnect response Authenticator is calculated as specified for an Account-Response in RFC 2866.

-----Original message-----
From: Manuel Kasper [mailto:mk at neon1 dot net]
Sent: Thursday 9 June 2005 18:32
To: Jonathan De Graeve
CC: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] RE: Captive Portal/Radius Prepaid

On 09.06.05 18:25 +0200, Jonathan De Graeve wrote:

> I have the same problem here. I know there's a RADIUS logout feature
> (some sort of disconnect) which tells the NAS to disconnect a
> certain user.

Is there? That wouldn't work for m0n0wall anyway as there's no program running that listens to RADIUS packets all the time.

> I will be implementing this feature in m0n0wall as soon as I have time
> (or if somebody could help me doing it)

I've already done that (optional feature where the captive portal reauthenticates all connected users once every minute and disconnects those for whom the RADIUS server returns an Access-Reject). Accounting can also be handled with RADIUS interim updates (code 3) if desired. This was paid work for a Swiss company; I think they agree to this code being released in public versions, but I'll have to ask again to make sure.

- Manuel

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
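An added worked example of the message exchange quoted in the thread, written here for illustration; it is not code from the thread, from m0n0wall, or from the vendor documentation quoted above. Both sides are shown: the disconnect client (the RADIUS server) builds a Disconnect-Request (code 40) whose Authenticator is computed the way RFC 2866 specifies for an Accounting-Request (MD5 over the header, sixteen zero octets, the attributes and the shared secret), and the disconnect server (the NAS) verifies that Authenticator against the shared secret before it looks at any attribute, then answers Disconnect-ACK (41) or Disconnect-NAK (42) with the Accounting-Response style Authenticator. The shared secret, the NAS session table and the session IDs are constructed sample values; the matching rule used here (every identifier the request supplies must match one session, with Acct-Session-Id or Multi-Session-Id required) is an assumption that follows the "Qualifications for Disconnect" text rather than any particular vendor's implementation.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types named in the thread (RFC 2866 / Disconnect Messages numbering)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ACCT_SESSION_ID, MULTI_SESSION_ID = 1, 44, 50
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RADIUS type/length/value attributes."""
    out = b""
    for t, v in attrs:
        if not 0 < len(v) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse RADIUS attributes; raise ValueError on a truncated or over-long attribute."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def request_authenticator(code, ident, attrs_bytes, secret):
    """Accounting-Request style (RFC 2866): MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    head = HEADER.pack(code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(head + b"\x00" * 16 + attrs_bytes + secret).digest()


def response_authenticator(code, ident, req_auth, attrs_bytes, secret):
    """Accounting-Response style (RFC 2866): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = HEADER.pack(code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(head + req_auth + attrs_bytes + secret).digest()


def build_disconnect_request(ident, secret, attrs):
    """Disconnect client (the RADIUS server) side: build a Disconnect-Request packet."""
    ab = encode_attrs(attrs)
    auth = request_authenticator(DISCONNECT_REQUEST, ident, ab, secret)
    return HEADER.pack(DISCONNECT_REQUEST, ident, 20 + len(ab)) + auth + ab


def handle_disconnect_request(packet, secret, sessions):
    """Disconnect server (the NAS) side.

    sessions is a constructed in-memory table: a list of dicts keyed by attribute type.
    Returns (response_packet_or_None, reason). A request whose Authenticator does not
    verify is dropped without any reply, so an unauthenticated sender learns nothing.
    """
    if len(packet) < 20:
        return None, "discarded: shorter than a RADIUS header"
    code, ident, length = HEADER.unpack(packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None, "discarded: not a well-formed Disconnect-Request"
    req_auth, attrs_bytes = packet[4:20], packet[20:]
    expected = request_authenticator(code, ident, attrs_bytes, secret)
    if not hmac.compare_digest(expected, req_auth):
        return None, "discarded: Authenticator does not verify against the shared secret"

    def reply(resp_code, reason):
        auth = response_authenticator(resp_code, ident, req_auth, b"", secret)
        return HEADER.pack(resp_code, ident, 20) + auth, reason

    try:
        attrs = dict(decode_attrs(attrs_bytes))
    except ValueError as e:
        return reply(DISCONNECT_NAK, f"malformed attributes: {e}")
    # Assumed matching rule: a session ID is mandatory; every supplied identifier must match.
    wanted = {k: attrs[k] for k in (ACCT_SESSION_ID, MULTI_SESSION_ID, USER_NAME) if k in attrs}
    if ACCT_SESSION_ID not in wanted and MULTI_SESSION_ID not in wanted:
        return reply(DISCONNECT_NAK, "missing Acct-Session-Id / Multi-Session-Id")
    for s in sessions:
        if all(s.get(k) == v for k, v in wanted.items()):
            sessions.remove(s)  # AAA tears the session down here
            return reply(DISCONNECT_ACK, "session terminated")
    return reply(DISCONNECT_NAK, "no matching session")


def verify_response(response, request, secret):
    """Disconnect client side: check the ACK/NAK Authenticator; return its code or None."""
    if len(response) < 20:
        return None
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed sample value
    nas_sessions = [{ACCT_SESSION_ID: b"0000A1B2", USER_NAME: b"alice"}]
    req = build_disconnect_request(7, SECRET, [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"0000A1B2")])
    resp, why = handle_disconnect_request(req, SECRET, nas_sessions)
    print(verify_response(resp, req, SECRET), why)  # 41 session terminated
```

The order of checks on the NAS side is the point worth keeping: the Authenticator is verified before any attribute is parsed, and a failed verification produces no packet at all, whereas a malformed or incomplete request that does carry a valid Authenticator gets a Disconnect-NAK, exactly the two outcomes the quoted text distinguishes.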