> Of course we cannot prevent a user from logging out. But I think about a
> possible situation that: I connect to the server and then fake a logout
> message to the RADIUS server. Then what happens? I can still be on-line
> and the program handling user billing, using the accounting logs generated
> by RADIUS, thinks I am off-line. So, chances are the users can get cheaper
> service. Also, I think that's why TACACS and ERPC treat logout as another
> auth request.
Well...that's why there is a radius secret. Unless you leave
/etc/raddeb/clients world readable, and someone can pretend to be one of
the client IP addresses, they'll have a hard time "faking a logout".
> Am I worried too much?
Probably.
------------------------------------------------------------------
Jon Lewis | Mime attachments are OK
jlewis@inorganic5.fdt.net | But please ask before sending
http://inorganic5.fdt.net | unsolicited huge files.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
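
The check the reply relies on, as an added example that is not part of the original thread: following RFC 2866, a server recomputes the Accounting-Request authenticator from the packet and the shared secret, so a logout (Acct-Status-Type Stop) record from a sender without the secret is rejected. It assumes the server enforces this check; the secret, user name and session id are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4          # RADIUS code for Accounting-Request
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44
STATUS_STOP = 2                 # Acct-Status-Type value sent at logout

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def authenticator(code, ident, attrs, secret):
    """MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_accounting_request(ident, attrs, secret):
    """What a NAS holding the shared secret sends."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + authenticator(ACCOUNTING_REQUEST, ident, attrs, secret) + attrs

def verify_accounting_request(packet, secret):
    """Server side: accept the record only if the authenticator matches."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]    # ignore padding past the stated length
    expected = authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values, not taken from the thread.
SECRET = b"sample-shared-secret"
STOP_ATTRS = (attr(USER_NAME, b"alice")
              + attr(ACCT_STATUS_TYPE, struct.pack("!I", STATUS_STOP))
              + attr(ACCT_SESSION_ID, b"0001"))
GENUINE = build_accounting_request(7, STOP_ATTRS, SECRET)
# The same Stop record from a sender that does not hold the secret.
UNSIGNED = GENUINE[:4] + b"\x00" * 16 + GENUINE[20:]

if __name__ == "__main__":
    print("genuine stop accepted:", verify_accounting_request(GENUINE, SECRET))
    print("unsigned stop accepted:", verify_accounting_request(UNSIGNED, SECRET))
```

The authenticator covers every attribute, so altering the session id or user name in a captured record also fails the check.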