Recommended switches for dynamic vlans
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Sat Jul 14 00:30:29 CEST 2007
Peter Nixon wrote:
> On Sat 14 Jul 2007, Arran Cudbard-Bell wrote:
>
>> Peter Nixon wrote:
>>
>>> On Fri 13 Jul 2007, Arran Cudbard-Bell wrote:
>>>
>>>> Alan DeKok wrote:
>>>>
>>>>> Arran Cudbard-Bell wrote:
>>>>>
>>>>>> Seriously, I've actually gone to the trouble of ringing their support
>>>>>> line and submitting bug reports, and absolutely nothing has happened
>>>>>> ?! It's getting to the funny rotten egg smelling stuff in the aircon
>>>>>> ducts, and petrol bombs stage :\
>>>>>>
>>>>> I'll talk to them. :)
>>>>>
>>>>> Part of the problem is that if no RADIUS server supports it, there's
>>>>> less of a need for them to support it.
>>>>>
>>>> *poke* *poke*, the codes in radclient *poke* *poke*
>>>>
>>>> Actually isn't it just a matter of sending a standard RADIUS packet
>>>> with a POD packet type to a specified UDP port on the NAS ...
>>>>
>>> Yep. You will generally need to know the disconnect key, but you
>>> will notice that I added a field titled "XAscendSessionSvrKey" to
>>> radacct a while back.. A couple of lines of perl and it all just
>>> works...
>>>
>> Is that just the SessionId on most NASes ?
>>
>
> No
>
>
>> Erg I'm going to have to read RFC 3576 :(
>>
>
> I suggest you start with my summary here:
> http://wiki.freeradius.org/Disconnect_Messages
>
> Cheers
>
Ok
X-Ascend-Session-Svr-Key isn't included in the standard list of
identification attributes in RFC 3576...
And seeing as it's a VSA for Ascend boxes, I don't see why it would be
used in any other kit ?
RFC just states that a packet with Code 40 should be sent, including a
list of identification attributes, and an optional Service-Type attr
with value Authorize Only, if only requesting termination of a session
and not CoA, to avoid ambiguous meanings of attributes, and ease
translation to Diameter.
On NAK NAS is also supposed to send an Error-Cause attr, describing the
reason for the NAK.
The fact that the Request Authenticator matches, should be enough to
ensure the Disconnect Message came from an authorised local RADIUS
server, and the RFC describes a reverse proxying method for use
when proxying...
Just need HP kit to support POD and CoA now ...