RE: User Restrictions

Robert F. O'Connor ( (no email) )
Mon, 31 Aug 1998 00:11:48 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Previous message: radiusnt-digest-request@iea-software.com: "[RadiusNT Digest]"
Next message: Danny Sinang: "Cisco Idle-TimeOut / Session-TimeOut"

> From: radiusnt-request@iea-software.com
> [mailto:radiusnt-request@iea-software.com]On Behalf Of Dale E. Reed Jr.
>
> Robert F. O'Connor wrote:
> >
> > As is the default now, if a user wants to stupidly have three
> versions of
> > the same attribute with different values, nothing is stopping him.
>
> But, he can see that in the SAME list. Having the same value in the
> RadConfigs and RadATConfigs would not be evident if they were both
> combined. What we will be adding to Emerald is the ability to pull the
> default attributes from the RadATConfigs when you are editing the
> specifics. Therefore one click would get you all the basics and you
> can add the rest you want (or change/remove one of the defaults).
> A better UI would solve the problem w/out making radical changes to
> RadiusNT.
>
> > Similarly, you could (by default) just let the user make the mistake and
> > figure out what's wrong. You could then add the explicit alternatives to
> > that of 1: Custom attributes override defaults; and 2) Defaults always
> > prevail.
>
> But WE have to listen to them complain when THEY make the mistake. Being
> pro-active and trying to NOT let the customer hang themselves is
> a better approach than "yep, you hung yourself and its your fault".
>
> We are looking into the option of combing the two. For now, you could
> easily update the RadGetConfigs stored procedure to do whatever you
> want. Many people have done this and it works fine. The main reason
> why we have been moving to stored procs is that that you can do whatever
> you want to RadiusNT.
>
>
> For example (and this is off the top of my head):
>
> CREATE PROCEDURE RadGetConfigs @AccountID int AS
>
> Select ra.RadAttributeID, Name, Data, Value, Type, rc.RadVendorID,
> rc.RadVendorType, rc.RadCheck
> From RadConfigs rc, RadAttributes ra
> Where ra.RadAttributeID=rc.RadAttributeID
> AND ra.RadVendorID = rc.RadVendorID
> AND ra.RadVendorType = ra.RadVendorType
> AND rc.AccountID=@AccountID
>
> UNION
>
> Select ra.RadAttributeID, Name, Data, Value, Type, rc.RadVendorID,
> rc.RadVendorType, rc.RadCheck
> From RadATConfigs rc, RadAttributes ra, SubAccounts sa
> Where ra.RadAttributeID=rc.RadAttributeID
> AND ra.RadVendorID = rc.RadVendorID
> AND ra.RadVendorType = ra.RadVendorType
> AND sa.AccountID = @AccountID
> AND sa.AccountType = rc.AccountType
>
> Order By RadAttributeID
> GO
>

Very interesting--I will check this out.

>
> > Actually a default of "custom overrides" would allow those who already
> > duplicate default RadATConfigs to turn on a "RadATConfigs
> applies to all"
> > option without breaking anything, and might be a little more
> forgiving to
> > the bonehead user who doesn't get it. And come to think of it,
> would allow
> > exceptions to policies to be easier to implement (e.g., for user
> > "bigdownload", Session-Timeout=8 instead of 6, but everything else the
> > same).
>
> But in some cases you might have a filter in the default and another
> filter in the specific and want BOTH filters to be sent. Therefore,
> it can't be a global setting, it has to be a local or per-attribute
> setting. The "RadATConfigs applies to all" won't ever be an option,
> since it doesn't make much sense. :(

I see the point--but (cheerfully ignoring the customer-support issues since
I don't have to deal with them :) the end-user could always choose a
configuration that represented the larger number of their users and stick
the rest in to a different account-type.

However, I see that command line settings (or system registry) wouldn't
work, you'd need to make "cumulative | exclusive(default)" a per-AccountType
option as well as "accumulate-all-records(default) |
accumulate-but-RadConfigs-wins | accumulate-but-RadATConfigs-wins" switch if
you wanted to implement it at all, which is admittedly getting a little more
messy than I first contemplated. I will definitely explore the
stored-procedure option for now.
>
> --
> Dale E. Reed Jr. (daler@iea-software.com)
> _________________________________________________________________
> IEA Software, Inc. | RadiusNT, Emerald, and NT FAQs
> Internet Solutions for Today | http://www.iea-software.com
>

-Robert F. O'Connor
System Administrator, Metro.Net
sysadmin@metro.net

Previous message: radiusnt-digest-request@iea-software.com: "[RadiusNT Digest]"
Next message: Danny Sinang: "Cisco Idle-TimeOut / Session-TimeOut"