How to kick a logged user

Kevin Bonner keb at
Wed Feb 8 17:36:29 CET 2006

On Monday 06 February 2006 16:25, Dennis Skinner wrote:
> Guy Fraser wrote:
> > there. I looked into it briefly for Cisco 5248 and determined
> > that by setting the interface administratively down would boot
> > the user, then setting it back to up would allow it to accept
> > access again. The tricky part was matching the user to the
> > interface so you would kick the right user.
> We have Ciscos here.  You don't need to set the int to down.  Just clear
> the tty.  You can use bash and expect to write a script.  You will need
> to find which tty to clear first (also doable via bash/expect/grep/awk).
> If you use tacacs, you can give a special user rights to only do very
> specific commands which should limit the liability of having the
> password in the script.

For cisco devices, we use the PoD server and radclient to send disconnect 
packets.  Example config and radclient call are below.

Kevin Bonner

== example cisco config ==
aaa pod server auth-type any server-key YOUR_KEY
ip radius source-interface Loopback0
access-list 101 remark Packet of Disconnect
access-list 101 permit udp host AAA.BBB.CCC.DDD any eq 1700
access-list 101 deny   udp any any eq 1700 log
access-list 101 <other rules>
access-list 101 permit ip any any
interface Loopback0
 ip address EEE.FFF.GGG.HHH
 ip access-group 101 in
== end cisco config ==

== radclient call ==
echo "User-Name=test at realm.tld" | /usr/bin/radclient EEE.FFF.GGG.HHH:1700 
disconnect YOUR_KEY
== end radclient call ==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <>

More information about the Freeradius-Users mailing list