Recommended switches for dynamic vlans

Peter Nixon listuser at peternixon.net
Sat Jul 14 13:29:03 CEST 2007


On Sat 14 Jul 2007, Arran Cudbard-Bell wrote:
> Peter Nixon wrote:
> > On Sat 14 Jul 2007, Arran Cudbard-Bell wrote:
> >> Peter Nixon wrote:
> >>> On Fri 13 Jul 2007, Arran Cudbard-Bell wrote:
> >>>> Alan DeKok wrote:
> >>>>> Arran Cudbard-Bell wrote:
> >>>>>> Seriously, I've actually gone to the trouble of ringing their
> >>>>>> support line and submitting bug reports, and absolutely nothing has
> >>>>>> happened ?! It's getting to the funny rotten egg smelling stuff in
> >>>>>> the aircon ducts, and petrol bombs stage :\
> >>>>>
> >>>>>   I'll talk to them. :)
> >>>>>
> >>>>>   Part of the problem is that if no RADIUS server supports it,
> >>>>> there's less of a need for them to support it.
> >>>>
> >>>> *poke* *poke*, the codes in radclient *poke* *poke*
> >>>>
> >>>> Actually isn't it just a matter of sending a standard RADIUS packet
> >>>> with a POD packet type to a specified UDP port on the NAS ...
> >>>
> >>> Yep. You will generally need to know the disconnect key, but you
> >>> will notice that I added a field titled "XAscendSessionSvrKey" to
> >>> radacct a while back.. A couple of lines of perl and it all just
> >>> works...
> >>
> >> Is that just the SessionId on most NASes ?
> >
> > No
> >
> >> Erg I'm going to have to read RFC 3576 :(
> >
> > I suggest you start with my summary here:
> > http://wiki.freeradius.org/Disconnect_Messages
> >
> > Cheers
>
> Ok
> X-Ascend-Session-Svr-Key isn't included in the standard list of
> identification attributes in RFC 3576...
> And seeing as it's a VSA for Ascend boxes, I don't see why it would be
> used in any other kit ?

Cisco's use it.

Maybe we should call the DB column disconnect-key or something similar...

> RFC just states that a packet with Code 40 should be sent, including a
> list of identification attributes, and an optional Service-Type attr
> with value Authorize Only, if only requesting termination of a session
> and not CoA, to avoid ambiguous meanings of attributes, and ease
> translation to Diameter.
> On NAK NAS is also supposed to send an Error-Cause attr, describing the
> reason for the NAK.
>
> The fact that the Request Authenticator matches, should be enough to
> ensure the Disconnect Message came from an authorised local RADIUS
> server, and the RFC describes a reverse proxying method to use
> when proxying...
>
> Just need HP kit to support POD and CoA now ...

:-)


-- 

Peter Nixon
http://peternixon.net/
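
The Request Authenticator check discussed in the quoted text, as an added example that is not part of the original thread or of FreeRADIUS code: a NAS-side handler that recomputes the RFC 3576 authenticator for a Disconnect-Request (Code 40), discards packets that fail it, and answers with Disconnect-ACK or a Disconnect-NAK carrying Error-Cause. The function names, shared secret and session IDs are constructed for illustration, and identifying the session by Acct-Session-Id alone with a strict length check is a simplifying assumption.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 3576 codes
ACCT_SESSION_ID, ERROR_CAUSE = 44, 101                           # attribute types
SESSION_CONTEXT_NOT_FOUND = 503                                  # Error-Cause value


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code, ident, seed, attrs, secret):
    """Authenticator = MD5(header + seed + attrs + secret). The seed is 16 zero
    octets for a request and the Request Authenticator for a reply."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + seed + attrs + secret).digest() + attrs


def build_disconnect_request(ident, session_id, secret):
    """RADIUS server side (hypothetical helper): Code 40 plus Acct-Session-Id."""
    return packet(DISCONNECT_REQUEST, ident, b"\x00" * 16,
                  attr(ACCT_SESSION_ID, session_id), secret)


def nas_handle(data, secret, active_sessions):
    """NAS side: return the reply packet, or None to discard the request."""
    if len(data) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", data[:4])
    if code != DISCONNECT_REQUEST or length != len(data):
        return None
    attrs = data[20:]
    expected = packet(code, ident, b"\x00" * 16, attrs, secret)[4:20]
    if not hmac.compare_digest(expected, data[4:20]):
        return None  # wrong shared secret or packet modified in transit
    session_id, pos = None, 0
    while pos + 2 <= len(attrs):  # walk the TLV list
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            return None  # malformed attribute
        if a_type == ACCT_SESSION_ID:
            session_id = attrs[pos + 2:pos + a_len]
        pos += a_len
    if session_id in active_sessions:
        return packet(DISCONNECT_ACK, ident, data[4:20], b"", secret)
    nak = attr(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    return packet(DISCONNECT_NAK, ident, data[4:20], nak, secret)
```

The authenticator only proves knowledge of the shared secret; it does not stop a captured request from being replayed, which is why RFC 3576 also discusses Event-Timestamp.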



More information about the Freeradius-Users mailing list