help-gnu-radius
Re: [Help-gnu-radius] Couple of initial questions


From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] Couple of initial questions
Date: Wed, 04 Jun 2003 11:44:33 +0300

Hello,

A couple of additions to Gerald's reply.

> This going to be a free service or are we just doing the work for your
> company?

That's not relevant, Gerald. I guess most of the list subscribers run
their radius servers for their respective companies, not out of pure
altruism. They are all equally welcome.

> A) Is there any such concept of a timed account to Radius?  We want our
> accounts to be valid for 2 hours of network time, and expire 24 hours after
> the initial login.

Usually it is done via one of the extension mechanisms. The idea is to
write an extension that is invoked on each logout to calculate the
overall active time and on each login to determine the session timeout
value. Of course, provided that your RAS honors Session-Timeout attribute.

> > B) Is there any logging to see how long an account has been logged in
> > totally (between all the sessions)?
>
> Again here you are only limited by what your RAS equipment can log.

Yes. Provided that the RAS sends enough information in accounting
requests, the following holds true:

If radiusd is configured with SQL accounting, it is trivial to obtain
such summary information by running `SELECT sum(acct_session_time)...'
query.

If it is configured to run the usual unix/detailed accounting, you'll
have to write some scripts to extract this information from the
accounting files.

> > C) If using sql auth, does the service have to be restarted when new users
> > are added, or removed from the sql database?
> 
> No. Each authentication is a query into the database which acts upon
> whatever information is current in the DB at the time of the query. Even
> changes to the config files of gnu-radius can be read without stopping the
> radius server entirely. (Does anything _require_ a full restart, Sergey?)

No, nothing. Except if you find some kind of a bug that makes it
necessary :^)

> > D) Is there any such concept of an account that exists, but logins are
> > denied

There exists a special authentication type `Reject', that does it.

> > (and can we specify a reason)?

Yes, you can do it by sending back the text in Reply-Message
attribute. However, it is up to RAS to display or ignore it.

Regards,
Sergey
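
The timed-account logic described in the reply (total the active time from accounting records, then derive Session-Timeout at login), sketched in Python as an added example that is not part of the original message and is not GNU Radius extension code. The record layout, function names and sample data are constructed; the 2-hour and 24-hour limits come from the question.

```python
from datetime import datetime, timedelta

QUOTA = timedelta(hours=2)      # network time allowed per account
LIFETIME = timedelta(hours=24)  # account expires this long after first login

# Constructed accounting Stop records:
# (user name, session start, Acct-Session-Time in seconds)
STOP_RECORDS = [
    ("alice", datetime(2003, 6, 4, 9, 0), 1800),
    ("alice", datetime(2003, 6, 4, 13, 0), 2700),
    ("bob", datetime(2003, 6, 3, 8, 0), 600),
]


def used_time(records, user):
    """Total Acct-Session-Time over all finished sessions of a user."""
    return timedelta(seconds=sum(t for u, _, t in records if u == user))


def first_login(records, user):
    """Start of the user's earliest recorded session, or None."""
    starts = [start for u, start, _ in records if u == user]
    return min(starts) if starts else None


def session_timeout(records, user, now):
    """Session-Timeout (seconds) to return at login, or None to reject.

    The value is the smaller of the unused quota and the time left
    before the 24-hour expiry, so a session can never outlive either
    limit. It only works if the RAS honors Session-Timeout.
    Caveat: a session still in progress has no Stop record yet, so
    simultaneous logins must be prevented separately.
    """
    first = first_login(records, user)
    if first is None:
        # First login ever: full quota, lifetime clock starts now.
        return int(QUOTA.total_seconds())
    remaining = QUOTA - used_time(records, user)
    until_expiry = first + LIFETIME - now
    allowed = min(remaining, until_expiry)
    if allowed <= timedelta(0):
        return None  # quota exhausted or account expired
    return int(allowed.total_seconds())
```
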






