How to kick a logged user
Hi, I´ve been searching a while about how to kick a logged user or force terminate it´s session. It seems that this has been asked before on the list, but I didn´t find an answer different from "radius can´t do that". The only answer that I´ve found is that it´s required an external script for this. Section 4.3 of the Freeradius FAQ mentions a radkill program, but the link included is dead. And also says "try using SNMP". I haven´t also been able to find information on how to use SNMP for this, so I ask the list: Can anyone post a link to download radkill? Or Can anyone explain me how to do this with SNMP? Or perhaps, Can anyone post a procedure to kick a logged user? Thanks for your replies, Edo
On Mon, 2006-06-02 at 11:47 -0500, Eduardo Bejar wrote:
Hi,
I´ve been searching a while about how to kick a logged user or force terminate it´s session. It seems that this has been asked before on the list, but I didn´t find an answer different from "radius can´t do that". The only answer that I´ve found is that it´s required an external script for this.
Section 4.3 of the Freeradius FAQ mentions a radkill program, but the link included is dead. And also says "try using SNMP". I haven´t also been able to find information on how to use SNMP for this, so I ask the list:
Can anyone post a link to download radkill?
Or
Can anyone explain me how to do this with SNMP?
Or perhaps,
Can anyone post a procedure to kick a logged user?
Thanks for your replies,
Edo
It depends entirely on your NAS. Radius is not designed to kick off users. Check the documentation for your NAS. The radkill script was designed to work with Livingston Portmasters and does not work with many other products, but may be a good place to start to build your own. We rarely needed to kick users off, and when we did we just logged into the NAS and booted them from there. I looked into it briefly for Cisco 5248 and determined that by setting the interface administratively down would boot the user, then setting it back to up would allow it to accept access again. The tricky part was matching the user to the interface so you would kick the right user.
Guy Fraser wrote:
there. I looked into it briefly for Cisco 5248 and determined that by setting the interface administratively down would boot the user, then setting it back to up would allow it to accept access again. The tricky part was matching the user to the interface so you would kick the right user.
We have Ciscos here. You don't need to set the int to down. Just clear the tty. You can use bash and expect to write a script. You will need to find which tty to clear first (also doable via bash/expect/grep/awk). If you use tacacs, you can give a special user rights to only do very specific commands which should limit the liability of having the password in the script. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com
Hi, Thanks for the answers. Well after testing a while and checking the dusty radkill script, I´d like to comment, for the mailing list archive, about what I tested/found: - For the record: Freeradius can´t kick a logged user. There's no configuration option on radiusd.conf or something to kick a connected user. - To kick a user you should access the NAS and reset the port where the user is connected to. - To create a script for this task, you can: 1.- Get the port where the user is logged with the radwho command. i.e.: radwho | grep 'username' | awk '{print $3 $6}' (this should give you a string with the port and the NAS where username is connected) 2.- Telnet to the NAS and reset the port. i.e.: you can use the PHPTelnet.php class (http://www.geckotribe.com/php-telnet/) Then you can do something like this: require_once "PHPTelnet.php"; $telnet = new PHPTelnet(); $result = $telnet->Connect('Nas_IP','Nas_root_user','Nas_root_pwd'); $command_to_send="reset ".$port; $telnet->DoCommand($command_to_send); $telnet->Disconnect(); or adjust it with the commands that your NAS uses. HTH someone in the future. Edo
On Monday 06 February 2006 16:25, Dennis Skinner wrote:
Guy Fraser wrote:
there. I looked into it briefly for Cisco 5248 and determined that by setting the interface administratively down would boot the user, then setting it back to up would allow it to accept access again. The tricky part was matching the user to the interface so you would kick the right user.
We have Ciscos here. You don't need to set the int to down. Just clear the tty. You can use bash and expect to write a script. You will need to find which tty to clear first (also doable via bash/expect/grep/awk).
If you use tacacs, you can give a special user rights to only do very specific commands which should limit the liability of having the password in the script.
For cisco devices, we use the PoD server and radclient to send disconnect packets. Example config and radclient call are below. Kevin Bonner == example cisco config == aaa pod server auth-type any server-key YOUR_KEY ! ip radius source-interface Loopback0 ! access-list 101 remark Packet of Disconnect access-list 101 permit udp host AAA.BBB.CCC.DDD any eq 1700 access-list 101 deny udp any any eq 1700 log access-list 101 <other rules> access-list 101 permit ip any any ! interface Loopback0 ip address EEE.FFF.GGG.HHH 255.255.255.255 ip access-group 101 in ! == end cisco config == == radclient call == echo "User-Name=test@realm.tld" | /usr/bin/radclient EEE.FFF.GGG.HHH:1700 disconnect YOUR_KEY == end radclient call ==
participants (4)
-
Dennis Skinner -
Eduardo Bejar -
Guy Fraser -
Kevin Bonner