RadiusNT allows you to do this with Portmasters using the new Session-Limit
feature. It simply takes the lowest of the configured port session-limit
or the user's time left. This gets around the time limit bug on the PM,
and offers very flexible control. We call it time banking. You can
also set up time limits per time periods in the same fashion (user x
can only be on for y mins in any z time period).
> This works because our users file is created from the server every
> 10 minutes. If the user is still within allotted time the server builds
> the radius entry and exports it, as long as it is exported they log in.
We bypass this issue since RadiusNT authenticates directly from
the ODBC database. It's just simple rules, and everything is always
up to date and there is nothing to synchronize or update. Really
makes things a lot simpler.
> The worst "miss" we have had was a user stayed logged in for about
> 6 hours solid and went over time.
But if you had included the session-limit attribute, the PM would have
kicked him off and it wouldn't have happened. :)
> Trying to hack RADIUS to add these "features" is simply asking for
> a bulky, sluggish and unwieldy system. As it stands RADIUS is efficient,
I disagree. I would consider your method of re-building the users
file bulky and possibly problem-causing. What if you try to authenticate
during the write of the file?
> straightforward to use and offers a VERY wide range of configuration
> options IF you plan your system ahead of time rather than adding on more
> and more.
RADIUS is simply an authentication protocol. Most people bring the
authentication server (which doesn't have to be a Radius server,
just talks the RADIUS protocol) into the protocol and try to
make it one big thing. Just because we are adding to someone
else's Radius server, DOES NOT mean that we are adding to the
Radius protocol. You added functionality to your radius server
by coming up with a non-in-the-server solution, but you STILL
added something. I prefer the in-the-server solution and fail
to see where you "plan"ed and didn't add.
-- Dale E. Reed Jr. (daler@iea.com)
_____________________________________________________________________
Internet Engineering Associates | RadiusNT, Emerald, and NT FAQs
Internet Solutions for Today    | http://www.iea.com/~daler
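
The rule described in the message above (grant the lowest of the port session-limit and the user's time left, plus the "y mins in any z time period" limit), as an added example that is not RadiusNT code and not part of the original post. All names (Session, used_in_window, session_limit) are hypothetical and the accounting records are constructed; in a live system they would come from the accounting database at authentication time.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Session:
    """One closed accounting record, times in epoch seconds (constructed data)."""
    start: int
    stop: int


def used_in_window(sessions: Iterable[Session], now: int, window: int) -> int:
    """Seconds of past usage that fall inside the trailing window (now - window, now]."""
    lo = now - window
    # Clip each session to the window; sessions entirely outside contribute 0.
    return sum(max(0, min(s.stop, now) - max(s.start, lo)) for s in sessions)


def session_limit(port_limit: Optional[int], bank_left: int,
                  sessions: Iterable[Session], now: int,
                  period_allow: int, period_len: int) -> int:
    """Seconds to hand the NAS as the session limit; 0 means reject the login.

    port_limit   - configured per-port limit, None if the port has none
    bank_left    - seconds remaining in the user's time bank
    period_allow - the 'y' in "y mins in any z time period", in seconds
    period_len   - the 'z', in seconds
    """
    window_left = period_allow - used_in_window(sessions, now, period_len)
    candidates = [bank_left, window_left]
    if port_limit is not None:
        candidates.append(port_limit)
    # Lowest limit wins. Old usage ageing out of the window during the new
    # session is ignored, so this errs on the side of a shorter grant.
    return max(0, min(candidates))


if __name__ == "__main__":
    history = [Session(0, 1800), Session(5000, 6800)]  # constructed sample
    # 1 hour allowed in any 1 hour window, 2 hours banked, 4 hour port limit
    print(session_limit(14400, 7200, history, now=7200,
                        period_allow=3600, period_len=3600))
```

Because the value is computed at each login from current records, there is no exported file that can lag behind usage, and the NAS itself ends the session when the limit expires.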