On Monday 06 February 2006 16:25, Dennis Skinner wrote:
Guy Fraser wrote:
there. I looked into it briefly for Cisco 5248 and determined that by setting the interface administratively down would boot the user, then setting it back to up would allow it to accept access again. The tricky part was matching the user to the interface so you would kick the right user.
We have Ciscos here. You don't need to set the int to down. Just clear the tty. You can use bash and expect to write a script. You will need to find which tty to clear first (also doable via bash/expect/grep/awk).
If you use tacacs, you can give a special user rights to only do very specific commands which should limit the liability of having the password in the script.
For cisco devices, we use the PoD server and radclient to send disconnect packets. Example config and radclient call are below. Kevin Bonner == example cisco config == aaa pod server auth-type any server-key YOUR_KEY ! ip radius source-interface Loopback0 ! access-list 101 remark Packet of Disconnect access-list 101 permit udp host AAA.BBB.CCC.DDD any eq 1700 access-list 101 deny udp any any eq 1700 log access-list 101 <other rules> access-list 101 permit ip any any ! interface Loopback0 ip address EEE.FFF.GGG.HHH 255.255.255.255 ip access-group 101 in ! == end cisco config == == radclient call == echo "User-Name=test@realm.tld" | /usr/bin/radclient EEE.FFF.GGG.HHH:1700 disconnect YOUR_KEY == end radclient call ==