The other option is to make a utility that scans the radius devices,
xtacacs or other terminal servers, make a list of who's on, check for
concurrent logins, boot the abusers off, log the attempt and then check
for how many attempts in a period this happened, if over the
limit--disable the account.
The problem with Livingston or Merit radius is they can only check one
portmaster, not the whole chain. Providing they ever get port limit=1 to
work.... =)
Using harsh language will only make the abuser laugh...ditto for talking
nicely...pmmon only works with radius device---what about non radius
devices?
Posting silly messages is good only for relieving tension..=) That doesn't
pay the bills. Or prevent the loss of utilities.
The only real solution is to use existing utilities to code a program to
check all of the terminal servers...Truthfully if one were able to hack a
function into the radius source code I suspect that for larger providers
the function would cause latency errors forcing the radius device to use
the secondary authentication...
We're a system with over 4000 customers. 7pm at night and the
authentication server as well as the mail server float between 50% to 90%
cpu utilization. With that much load we didn't want the process to run
whenever radiusd was called. Since the program relies on system utilities
we set it up so it can only be called once. If it's still running when it's
called again the newly called process exits. We ran into this problem when
during busy hours the program would not finish because of the number of
users online. Radius whether Livingston or Merit will have the same
problem. I strongly doubt we'll ever see a radius code that prevents
multiple logins.
Ok...having said that here's the sales pitch....
I've designed and implemented such a program. To date it has trapped over
a 1000 abusers-- I think the exact is 2673 which at 20$/account translates
to $53,460 worth of services protected. It's 500$ and it has already paid
for itself several times over. You need expect and perl on your system for
this program to work. NT users... I make no promises as to
compatibility... There's a reason why unix/linux are the number 1
operating systems for isps...Expect and Perl do exist for nt but they
don't work like their unix based counterparts. Nothing is the same for
nt..=(
Rob
On Fri, 30 May 1997, Doug Ingraham wrote:
> On Thu, 29 May 1997, Luther Keal wrote:
>
> > We currently have several alternatives:
> >
> > 1: Use harsh language when our customers do this
> > 2: Ask them nicely not to do it
> > 3: Ask Livingston nicely to implement it in RADIUS
> > 4: Use pmmon utility
> > 5: Post silly messages like this one and live with it
>
> You forgot one other option. Bill them for two accounts. This works
> really well as a deterrent.
>
> Doug Ingraham
> Rapid City, SD
> USA
>
> Question your beliefs. Remember that just because you believe something
> to be true doesn't make it so. Practice tolerance in all things and the
> world can be a better place.
>
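The sweep described in the message above, sketched as an added example (not part of the original thread and not Rob's program): it merges session lists from every terminal server, flags accounts over the limit, counts strikes within a period, and exits if a previous run still holds the lock. The `(server, port, user)` tuple format, the thresholds, the policy of keeping the first session seen, and the lock path are all assumptions.

```python
import fcntl
from collections import defaultdict

LIMIT = 1            # allowed simultaneous sessions per account (assumed)
WINDOW = 7 * 86400   # strike window in seconds (assumed)
MAX_STRIKES = 3      # strikes inside WINDOW before disabling (assumed)

def acquire_lock(path):
    """Return an open, locked file, or None if another run holds the lock."""
    fh = open(path, "w")
    try:
        fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        fh.close()
        return None
    return fh

def find_concurrent(sessions, limit=LIMIT):
    """sessions: (server, port, user) tuples merged from every terminal server."""
    by_user = defaultdict(list)
    for server, port, user in sessions:
        by_user[user].append((server, port))
    return {u: s for u, s in by_user.items() if len(s) > limit}

def sweep(sessions, strikes, now):
    """Return (to_boot, to_disable); strikes maps user -> strike timestamps."""
    to_boot, to_disable = [], []
    for user, held in sorted(find_concurrent(sessions).items()):
        # Assumed policy: keep the first session seen, boot the extras.
        to_boot.extend((user, srv, port) for srv, port in held[LIMIT:])
        recent = [t for t in strikes.get(user, []) if now - t < WINDOW]
        strikes[user] = recent + [now]
        if len(strikes[user]) >= MAX_STRIKES:
            to_disable.append(user)
    return to_boot, to_disable

# Constructed sample: "who's on" listings already collected from two servers.
SAMPLE = [("pm1", 3, "alice"), ("pm1", 7, "bob"),
          ("pm2", 1, "alice"), ("pm2", 4, "carol")]

if __name__ == "__main__":
    lock = acquire_lock("/tmp/dupcheck.lock")  # hypothetical lock path
    if lock is None:
        raise SystemExit("previous sweep still running")
    print(sweep(SAMPLE, {"alice": [0, 86400]}, now=2 * 86400))
```

Collecting the listings from each server and actually disconnecting a port are left out, since they depend on the terminal server in use.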