help-gnu-radius

Re: [Help-gnu-radius] Couple of initial questions


From: Gerald
Subject: Re: [Help-gnu-radius] Couple of initial questions
Date: Tue, 3 Jun 2003 17:57:43 -0400 (EDT)

On Tue, 3 Jun 2003, Jesse Keating wrote:

> Hello all.  I've been tasked with setting up a central management point for
> short term wireless access accounts in a coffee store, and I thought that
> Radius server might serve this purpose.  A couple of questions spring to mind
> though.

Is this going to be a free service or are we just doing the work for your
company?

> A) Is there any such concept of a timed account to Radius?  We want our
> accounts to be valid for 2 hours of network time, and expire 24 hours after
> the initial login.

That depends on if your RAS equipment, whatever it is, supports timeout
strings. (I use RAS to mean any equipment that talks to a Radius
server.) When the user authenticates, the radius server can tell it that
the account should only stay connected for 2 hrs. A common misconception
is that the radius server can go back later and tell the RAS to disconnect
the user. The RAS initiates conversations with the radius server; the
radius server can then pass back whatever options the RAS supports.

You might want to check your wireless equipment to see what it supports
first. Some options may need to be added to a dictionary file for your
equipment if it isn't already supported. The maintainer always appreciates
new dictionary files though. :-)

> B) Is there any logging to see how long an account has been logged in totally
> (between all the sessions)?

Again here you are only limited by what your RAS equipment can log.

> C) If using sql auth, does the service have to be restarted when new users are
> added, or removed from the sql database?

No. Each authentication is a query into the database which acts upon
whatever information is current in the DB at the time of the query. Even
changes to the config files of gnu-radius can be read without stopping the
radius server entirely. (Does anything _require_ a full restart, Sergey?)

> D) Is there any such concept of an account that exists, but logins are denied

Yes. Change your sql query to say:
select user from table where active = 'Y';
If the user is supposed to be suspended flip active = 'N' or anything
other than 'Y' and the radius server will send back a deny.

> (and can we specify a reason)?

In your logs you can. I'm not familiar with trying to pass a message all
the way back to the client equipment. I'd say not likely due to the
nature of wireless networking.

> Jesse Keating RHCE MCSE

DeadRat and Micro$loth certified. :-) Good luck.

Gerald
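
An added example, not part of the original message and not GNU Radius code: a Python/sqlite3 model of answers C and D, with the 2-hour limit from question A returned as a Session-Timeout reply value. The table, column and function names are hypothetical and the sample accounts are constructed.

```python
import hmac
import sqlite3

SESSION_TIMEOUT = 2 * 60 * 60  # seconds; the 2-hour limit from question A


def make_db():
    # Hypothetical schema and constructed sample accounts (assumptions).
    # Passwords are stored in clear text only to keep the model short.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " username TEXT PRIMARY KEY,"
        " password TEXT NOT NULL,"
        " active   TEXT NOT NULL DEFAULT 'Y')"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "latte-4821", "Y"), ("bob", "mocha-7733", "N")],
    )
    conn.commit()
    return conn


def authenticate(conn, username, password):
    """Model one Access-Request: query the DB now and build the reply."""
    # The user name comes from the network, so it is bound as a parameter
    # and never concatenated into the SQL text.
    row = conn.execute(
        "SELECT password FROM accounts WHERE username = ? AND active = 'Y'",
        (username,),
    ).fetchone()
    if row is None:
        # Unknown user, or active is anything other than 'Y' (answer D).
        return "Access-Reject", {}
    if not hmac.compare_digest(row[0].encode(), password.encode()):
        return "Access-Reject", {}
    # The limit is handed to the RAS at login; the RAS enforces it.
    return "Access-Accept", {"Session-Timeout": SESSION_TIMEOUT}


def set_active(conn, username, active):
    """Suspend or re-enable an account; no server restart is involved."""
    conn.execute(
        "UPDATE accounts SET active = ? WHERE username = ?",
        ("Y" if active else "N", username),
    )
    conn.commit()
```

Because every call to authenticate() runs a fresh query, a set_active() change takes effect on the very next login attempt, which is the behaviour answer C describes.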



