How to kick a logged user
Kevin Bonner
keb at pa.net
Wed Feb 8 17:36:29 CET 2006
On Monday 06 February 2006 16:25, Dennis Skinner wrote:
> Guy Fraser wrote:
> > there. I looked into it briefly for Cisco 5248 and determined
> > that by setting the interface administratively down would boot
> > the user, then setting it back to up would allow it to accept
> > access again. The tricky part was matching the user to the
> > interface so you would kick the right user.
>
> We have Ciscos here. You don't need to set the int to down. Just clear
> the tty. You can use bash and expect to write a script. You will need
> to find which tty to clear first (also doable via bash/expect/grep/awk).
>
> If you use tacacs, you can give a special user rights to only do very
> specific commands which should limit the liability of having the
> password in the script.
For cisco devices, we use the PoD server and radclient to send disconnect
packets. Example config and radclient call are below.
Kevin Bonner
== example cisco config ==
aaa pod server auth-type any server-key YOUR_KEY
!
ip radius source-interface Loopback0
!
access-list 101 remark Packet of Disconnect
access-list 101 permit udp host AAA.BBB.CCC.DDD any eq 1700
access-list 101 deny udp any any eq 1700 log
access-list 101 <other rules>
access-list 101 permit ip any any
!
interface Loopback0
ip address EEE.FFF.GGG.HHH 255.255.255.255
ip access-group 101 in
!
== end cisco config ==
== radclient call ==
echo "User-Name=test at realm.tld" | /usr/bin/radclient EEE.FFF.GGG.HHH:1700
disconnect YOUR_KEY
== end radclient call ==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060208/627368b7/attachment.pgp>
More information about the Freeradius-Users
mailing list