Re: [RadiusNT] Loging Limit.

Dale E. Reed Jr. ( (no email) )
Thu, 17 Dec 1998 16:19:47 -0800

Matthew Bailey wrote:
>
> Dale, I am not sure you answered his question correctly. I JUST ran into
> this same problem this afternoon and I don't see how adding a port limit
> is going to fix things.
>
> If it will can you give a little more detail on this..

This is a fairly common problem, and has lots of posts in the mailing
list archive.

> > In the configuration for the Account Type defaults (RadATConfigs
> > table) add the Port-Limit=1 attribute. This is a known issue because
> > newer ISDN equipment does simultaneous dialout and both channels
> > connect before RadiusNT knows about the other.

There are two things to look at here. 1) Concurrency control of a second
authentication request after the first session has started and RadiusNT
has received the Accounting Start record for that session. 2) Bonding
of multiple channels. The Port-Limit RADIUS attribute ONLY affects a
session that has or is about to bond two or more channels together (ie,
only #2).

There are two ways to deal with these. The first case is where the
sessions are not related (ie, not bonding or MPP). The concurrency
control of RadiusNT handles this really well and will reject the second
login. It's important to realize that the rejection is happening at
the RadiusNT/RADIUS server step NOT the NAS. Having a Port-Limit=1
attribute has no effect on different sessions with the same username.

The second case is where an MPP session initiates two or more channels
simultaneously. As I noted earlier, this is becoming more common with
ISDN equipment, since ISDN is very fast at connecting (unlike modems that
can take 30+ seconds). If the ISDN equipment dials two separate channels
simultaneously to bond, RadiusNT may receive both authentication requests
BEFORE either of the accounting requests. Therefore, the concurrency
control of RadiusNT is vulnerable to this type of abuse. However, most
terminal servers support the Port-Limit attribute, which enforces a max
number of bonded channels at the NAS level, not at the RadiusNT level.
Therefore, even though RadiusNT authenticated both requests, the second
connection is dropped by the NAS, since it knows the user can not bond
more than one channel (Port-Limit = 1).

Therefore, to have the most effectiveness with concurrency control,
you should use both the concurrency control of RadiusNT and the
Port-Limit attribute.

To add the Port-Limit for Emerald, just add the Port-Limit Attribute
to each service type with a value of 1. For RadiusNT, you need to
add an entry for each account type in the RadATConfigs table with the
Port-Limit as the RadAttributeID and 1 as the value.

Remember, if you set someone up with their own set of RADIUS attributes
(like a static IP) you need to include this attribute for them as well.

-- 
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com

For more information about this list, including removal, please see this URL: http://www.iea-software.com/maillist.html
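The two cases Dale describes (a second login that arrives after the first session's Accounting-Start, versus two ISDN channels that both authenticate before either Accounting-Start) can be replayed in a small model. The following is an added example and not RadiusNT, Emerald or NAS code; `ToyRadiusServer`, `ToyNas`, the event tuples, the user `alice` and the session ids `s1`/`s2` are all invented for the illustration. The server side rejects an Access-Request only when its accounting table already shows an active session, which is why it loses the race, while the NAS side enforces Port-Limit locally against its own channel bundle.

```python
"""Toy model of RADIUS concurrency control versus NAS-side Port-Limit.

Added example, not RadiusNT/Emerald code. The class names, event format,
user name and session ids below are constructed for this illustration.
"""


class ToyRadiusServer:
    """Learns about sessions only from Accounting-Start, and rejects a
    second Access-Request once a user already has an active session."""

    def __init__(self, port_limit=None):
        self.port_limit = port_limit  # value handed back as Port-Limit, or None
        self.active = {}              # user -> set of session ids seen in Acct-Start

    def access_request(self, user):
        # Concurrency control: the check can only see sessions already accounted.
        if self.active.get(user):
            return "Access-Reject", {}
        attrs = {} if self.port_limit is None else {"Port-Limit": self.port_limit}
        return "Access-Accept", attrs

    def acct_start(self, user, sid):
        self.active.setdefault(user, set()).add(sid)

    def acct_stop(self, user, sid):
        self.active.get(user, set()).discard(sid)


class ToyNas:
    """Authenticates each channel against the server, then bonds accepted
    channels into one bundle per user, enforcing any Port-Limit returned."""

    def __init__(self, server):
        self.server = server
        self.pending = {}  # sid -> (user, attrs): accepted, not yet brought up
        self.bundles = {}  # user -> list of session ids currently up

    def authenticate(self, user, sid):
        code, attrs = self.server.access_request(user)
        if code == "Access-Accept":
            self.pending[sid] = (user, attrs)
        return code

    def bring_up(self, sid):
        if sid not in self.pending:
            return "not-authenticated"
        user, attrs = self.pending.pop(sid)
        bundle = self.bundles.setdefault(user, [])
        limit = attrs.get("Port-Limit")
        if limit is not None and len(bundle) >= limit:
            return "dropped-by-nas"  # Port-Limit enforced at the NAS, not the server
        bundle.append(sid)
        self.server.acct_start(user, sid)  # Acct-Start reaches the server only now
        return "up"


def run(events, port_limit=None):
    """Replay ('auth', user, sid) and ('up', sid) events; return each outcome."""
    server = ToyRadiusServer(port_limit)
    nas = ToyNas(server)
    outcomes = []
    for event in events:
        if event[0] == "auth":
            outcomes.append(nas.authenticate(event[1], event[2]))
        else:
            outcomes.append(nas.bring_up(event[1]))
    return outcomes


# Case 1: two unrelated logins (constructed). The second Access-Request
# arrives after the first session's Acct-Start, so the server rejects it.
SEQUENTIAL = [("auth", "alice", "s1"), ("up", "s1"), ("auth", "alice", "s2")]

# Case 2: ISDN bonding (constructed). Both channels authenticate before
# either Acct-Start, so the server's concurrency check accepts both.
RACE = [("auth", "alice", "s1"), ("auth", "alice", "s2"), ("up", "s1"), ("up", "s2")]

if __name__ == "__main__":
    print(run(SEQUENTIAL))          # ['Access-Accept', 'up', 'Access-Reject']
    print(run(RACE))                # ['Access-Accept', 'Access-Accept', 'up', 'up']
    print(run(RACE, port_limit=1))  # ['Access-Accept', 'Access-Accept', 'up', 'dropped-by-nas']
```

Running the three replays shows the point of the thread: without Port-Limit the bonding race leaves both channels up even though the server's concurrency control is working as designed, and with Port-Limit=1 the second channel is dropped by the NAS regardless of the order in which the RADIUS packets arrived.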