freeradius+openvpn disconnect user from radius

Alexandre Chapellon a.chapellon at horoa.net
Thu Jan 5 17:34:38 CET 2012


First we should know if openvpn is able to create a vpn session for a 
certain amount of time and then disconnect the user once the time has expired... 
I am not sure openvpn has such a feature... If it doesn't, that means that 
the openvpn code would also need to be hacked.

This thread is slightly becoming off-topic, maybe people interested in 
it should continue the discussion elsewhere or via direct mail exchanges?

On 05/01/2012 14:45, Azfar Hashmi wrote:
> Thanks for the clarification. So nobody has been able to change the code and
> create any patch so far? And can we do it via a vendor specific
> attributes trick?
>
> On 1/5/2012 6:30 PM, Alexandre Chapellon wrote:
>>  From the ./UserAuth.cpp file in the radiusplugin code:
>>
>> /**The method send an authentication packet to the radius server and
>>   * calls the method parseResponsePacket(). The following attributes
>>   * are in the packet:
>>   * - User_Name,
>>   * - User_Password
>>   * - NAS_PortCalling_Station_Id,
>>   * - NAS_Identifier,
>>   * - NAS_IP_Address,
>>   * - NAS_Port_Type
>>   * - Service_Type.
>>   * @param context The context of the background process.
>>   * @return An integer, 0 if the authentication succeded, else 1.*/
>>
>> Nothing about processing timeout...
>>
>> On 05/01/2012 14:00, Azfar Hashmi wrote:
>>> pptp and l2tp are working fine. If I look at the radiusplugin source code,
>>> these things are defined there, e.g. session-timeout and idle-timeout, but
>>> since I am not good at programming I have no idea why they are there. Can
>>> anyone confirm why they are in the code if not supported? I am on v2.1a b1
>>>
>>> On 1/5/2012 11:17 AM, Azfar Hashmi wrote:
>>>> I am gonna try it now.
>>>>
>>>> On 1/4/2012 5:49 PM, Alexandre Chapellon wrote:
>>>>> pptp does it very well (at least poptop does). Never tried with L2TP
>>>>> itself but I know ppp sessions inside L2TP tunnels work as
>>>>> expected... but that only pppd works ok with session-timeout.
>>>>>
>>>>> Regards.
>>>>>
>>>>> On 04/01/2012 12:19, Azfar Hashmi wrote:
>>>>>> One more related question. I have to test this with pptp and l2tp
>>>>>> also, do they support it?
>>>>>>
>>>>>> On 1/4/2012 4:14 PM, Azfar Hashmi wrote:
>>>>>>> Hi Alexandre,
>>>>>>>
>>>>>>> Thanks for sharing your experience.
>>>>>>>
>>>>>>> On 1/4/2012 4:02 PM, Alexandre Chapellon wrote:
>>>>>>>> I tried to set up exactly the same thing a while ago using the
>>>>>>>> radiusplugin for openvpn.
>>>>>>>> It just doesn't work! Looking at the code of the radiusplugin I could
>>>>>>>> not find anything that handles the Sessiontimeout attribute (I didn't
>>>>>>>> try with Acc-Session-Timeout but didn't see anything either).
>>>>>>>> Even if you try to hack the plugin (which looks quite simple), I'm
>>>>>>>> not sure openvpn has any mechanism that would allow it to terminate a
>>>>>>>> connection after a specified duration (except monitoring connection
>>>>>>>> duration with the telnet interface.... a real pain).
>>>>>>>> I asked on the mailing list of radiusplugin, which is even lower
>>>>>>>> traffic, and gave up. Maybe asking about openvpn being able to
>>>>>>>> disconnect based on time could be a question to start a thread on the
>>>>>>>> openvpn general ML.
>>>>>>>>
>>>>>>>> regards.
>>>>>>>>
>>>>>>>> P.S: I'd be glad to hear about if you succeed in doing that! ;)
>>>>>>>>
>>>>>>>> On 04/01/2012 10:41, Azfar Hashmi wrote:
>>>>>>>>> I did but the list has very low activity. Only a few posts in
>>>>>>>>> numerous days there.
>>>>>>>>>
>>>>>>>>> On 1/4/2012 1:32 PM, Fajar A. Nugraha wrote:
>>>>>>>>>> On Wed, Jan 4, 2012 at 3:18 PM, Azfar Hashmi<azfar.hashmi at cloudways.com> wrote:
>>>>>>>>>>> Can anyone confirm that openvpn supports
>>>>>>>>>>> session-timeout/acct-session-timeout? I want radius to tell my
>>>>>>>>>>> NAS to disconnect users if they reached their expiration.
>>>>>>>>>>> Currently it's not working.
>>>>>>>>>> Did you ask on the openvpn list? It should be a more suitable
>>>>>>>>>> place for this question, and AFAIK the answer is no.
>>>>>>>>>>
>>>>>>>>> -
>>>>>>>>> List info/subscribe/unsubscribe? See
>>>>>>>>> http://www.freeradius.org/list/users.html

-- 
<http://www.horoa.net>

Alexandre Chapellon

Open source systems and network engineering.
Follow me on twitter: @alxgomz <http://www.twitter.com/alxgomz>
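
The workaround mentioned in the thread, tracking connection duration through the OpenVPN management (telnet) interface, sketched here as an added example; it is not part of the original messages and not radiusplugin code. It relies on the management interface's `status 2` and `kill` commands; the status text is a constructed sample, and the `TIMEOUTS` table and function names are hypothetical stand-ins for Session-Timeout values that would come from the RADIUS Access-Accept.

```python
import time

# Constructed sample of `status 2` output from the OpenVPN management interface.
SAMPLE_STATUS = """\
TITLE,OpenVPN (constructed sample)
TIME,Thu Jan  5 17:00:00 2012,1325779200
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)
CLIENT_LIST,alice,198.51.100.7:51000,10.8.0.6,10240,20480,Thu Jan  5 15:00:00 2012,1325772000
CLIENT_LIST,bob,198.51.100.9:51001,10.8.0.10,512,1024,Thu Jan  5 16:50:00 2012,1325778600
END
"""

# Hypothetical per-user Session-Timeout values in seconds (assumption:
# recorded elsewhere when the RADIUS server accepted the user).
TIMEOUTS = {"alice": 3600, "bob": 3600}


def parse_client_list(status_text):
    """Return {common_name: connected_since_epoch} from `status 2` output."""
    sessions = {}
    for line in status_text.splitlines():
        fields = line.split(",")
        # Only CLIENT_LIST rows carry sessions; HEADER/TITLE/TIME rows are skipped.
        if fields[0] != "CLIENT_LIST" or len(fields) < 8:
            continue
        try:
            sessions[fields[1]] = int(fields[7])  # "Connected Since (time_t)"
        except ValueError:
            continue  # malformed timestamp: ignore the row rather than guess
    return sessions


def expired_sessions(status_text, timeouts, now=None):
    """Common names whose session age has reached their Session-Timeout."""
    now = time.time() if now is None else now
    expired = []
    for cn, since in parse_client_list(status_text).items():
        limit = timeouts.get(cn)  # users without a timeout are never expired
        if limit is not None and now - since >= limit:
            expired.append(cn)
    return sorted(expired)


def kill_commands(status_text, timeouts, now=None):
    """Management-interface commands that would disconnect expired users."""
    return ["kill %s" % cn for cn in expired_sessions(status_text, timeouts, now)]
```

Run periodically, the returned lines are what a script would write to the management socket; `kill <cn>` disconnects every client instance using that common name.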



