Disconnect-Request packet

Disconnect-Request packet

N White
Ok. I am trying to figure out how to disconnect a user, or to tell the
radius server to send a disconnect packet to the NAS for a specific
user. This is the command I am using:

echo "User-Name = nickwhite" | radclient 192.168.1.1 disconnect mysecret -x

This is the debug output from the radius server:

ad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139,
length=31
Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED

I also came across this:
http://www.freeradius.org/faq/#4.3

But why then is there a command as part of radclient to disconnect, and
what does that response exactly mean. Is there any way to accomplish
this?(disconnecting a user via radclient?)

Thanks

--
---------------------------
| Nick White              |
| [hidden email]     |
---------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Disconnect-Request packet

Alan DeKok
N White <[hidden email]> wrote:
> Ok. I am trying to figure out how to disconnect a user, or to tell the
> radius server to send a disconnect packet to the NAS for a specific
> user. This is the command I am using:
>
> echo "User-Name = nickwhite" | radclient 192.168.1.1 disconnect mysecret -x

  Is 192.168.1.1 the IP address of the NAS?

> ad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139,
> length=31
> Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED

  FreeRADIUS doesn't listen for disconnect packets.  And, you're
sending the disconnect packet to the authentication port.  There's a
special port for disconnects, but I forget what it is.

> But why then is there a command as part of radclient to disconnect, and
> what does that response exactly mean. Is there any way to accomplish
> this?(disconnecting a user via radclient?)

  Send the disconnect packet to the NAS.

  Alan DeKok.
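
An added example, not code from any poster in this thread or from FreeRADIUS: it builds the Disconnect-Request that the radclient command above produces (code 40, and 20 header octets plus an 11-octet User-Name gives the `length=31` seen in the debug output), then shows the authenticator checks the receiving NAS and the sender each perform. The authenticator formulas follow RFC 3576; the function names are hypothetical and nothing is sent on the network.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME = 1  # RADIUS attribute type for User-Name

def build_disconnect_request(ident, secret, user_name):
    value = user_name.encode()
    attrs = struct.pack("!BB", USER_NAME, len(value) + 2) + value
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator: MD5(code, id, length, 16 zero octets, attrs, secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        # Each attribute is type, length (covering itself), value.
        if len(data) - pos < 2 or not 2 <= data[pos + 1] <= len(data) - pos:
            raise ValueError("malformed attribute")
        attr_len = data[pos + 1]
        attrs.append((data[pos], data[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs

def check_request(packet, secret):
    # Receiver (NAS) side: check framing first, then the authenticator.
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Disconnect-Request")
    packet = packet[:length]  # octets past the Length field are padding
    want = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("authenticator mismatch")
    return ident, parse_attrs(packet[20:])

def check_reply(reply, request, secret):
    # Sender side: accept only a reply bound to our own request's authenticator.
    if len(reply) < 20 or reply[1] != request[1]:
        return None
    length = struct.unpack("!H", reply[2:4])[0]
    body = reply[:4] + request[4:20] + reply[20:length] + secret
    ok = 20 <= length <= len(reply) and hmac.compare_digest(
        hashlib.md5(body).digest(), reply[4:20])
    return {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(reply[0]) if ok else None
```

RFC 3576 assigns UDP port 3799 to these packets; individual NAS products may listen elsewhere, so check the device's own configuration.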


Re: Disconnect-Request packet

N White
Alan DeKok wrote:

>N White <[hidden email]> wrote:
>  
>
>>Ok. I am trying to figure out how to disconnect a user, or to tell the
>>radius server to send a disconnect packet to the NAS for a specific
>>user. This is the command I am using:
>>
>>echo "User-Name = nickwhite" | radclient 192.168.1.1 disconnect mysecret -x
>>    
>>
>
>  Is 192.168.1.1 the IP address of the NAS?
>
>  
>
>>ad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139,
>>length=31
>>Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED
>>    
>>
>
>  FreeRADIUS doesn't listen for disconnect packets.  And, you're
>sending the disconnect packet to the authentication port.  There's a
>special port for disconnects, but I forget what it is.
>
>  
>
>>But why then is there a command as part of radclient to disconnect, and
>>what does that response exactly mean. Is there any way to accomplish
>>this?(disconnecting a user via radclient?)
>>    
>>
>
>  Send the disconnect packet to the NAS.
>
>  Alan DeKok.
>
>
>
>  
>
Yes 192.168.1.1 is the NAS. I thought that's what radclient did - told
the RADIUS server to send a disconnect to the NAS that the client(user)
is connected to. I've tried sending the disconnect to the
NAS(Portmaster). Any particular port?

Thanks.

--
---------------------------
| Nick White              |
| Network Administrator   |
| Tele-NET Internet       |
| http://www.tele-net.net |
| [hidden email]     |
---------------------------


Re: Disconnect-Request packet

N White
N White wrote:

> Alan DeKok wrote:
>
>> N White <[hidden email]> wrote:
>>  
>>
>>> Ok. I am trying to figure out how to disconnect a user, or to tell
>>> the radius server to send a disconnect packet to the NAS for a
>>> specific user. This is the command I am using:
>>>
>>> echo "User-Name = nickwhite" | radclient 192.168.1.1 disconnect
>>> mysecret -x
>>>  
>>
>>
>>  Is 192.168.1.1 the IP address of the NAS?
>>
>>  
>>
>>> ad_recv: Disconnect-Request packet from host 192.168.1.2:47874,
>>> id=139, length=31
>>> Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED
>>>  
>>
>>
>>  FreeRADIUS doesn't listen for disconnect packets.  And, you're
>> sending the disconnect packet to the authentication port.  There's a
>> special port for disconnects, but I forget what it is.
>>
>>  
>>
>>> But why then is there a command as part of radclient to disconnect,
>>> and what does that response exactly mean. Is there any way to
>>> accomplish this?(disconnecting a user via radclient?)
>>>  
>>
>>
>>  Send the disconnect packet to the NAS.
>>
>>  Alan DeKok.
>>
>>
>>
>>  
>>
> Yes 192.168.1.1 is the NAS. I thought that's what radclient did - told
> the RADIUS server to send a disconnect to the NAS that the
> client(user) is connected to. I've tried sending the disconnect to the
> NAS(Portmaster). Any particular port?
>
> Thanks.
>
My apology. 192.168.1.1 is the IP of the RADIUS server, NOT the NAS.
Sorry about that.

--
---------------------------
| Nick White              |
| Network Administrator   |
| Tele-NET Internet       |
| http://www.tele-net.net |
| [hidden email]     |
---------------------------


Re: Disconnect-Request packet

Michael Mitchell
In reply to this post by N White

>>
> Yes 192.168.1.1 is the NAS. I thought that's what radclient did - told
> the RADIUS server to send a disconnect to the NAS that the client(user)
> is connected to. I've tried sending the disconnect to the
> NAS(Portmaster). Any particular port?
>

Not sure about Portmaster, but the general default port for disconnect
is 1700 I think.

cheers,
Mike.


Re: Disconnect-Request packet

Alan DeKok
In reply to this post by N White
N White <[hidden email]> wrote:
> Yes 192.168.1.1 is the NAS.

  Then it's running FreeRADIUS.  The error message you quoted above:

> >>ad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139,
> >>length=31
> >>Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED

  Can ONLY be produced from FreeRADIUS.

  Alan DeKok.

Re: Disconnect-Request packet

N White
Alan DeKok wrote:

>N White <[hidden email]> wrote:
>  
>
>>Yes 192.168.1.1 is the NAS.
>>    
>>
>
>  Then it's running FreeRADIUS.  The error message you quoted above:
>
>  
>
>>>>ad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139,
>>>>length=31
>>>>Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED
>>>>        
>>>>
>
>  Can ONLY be produced from FreeRADIUS.
>
>  Alan DeKok.
>
>
>  
>
That's correct. Read my second reply. So other than writing custom
scripts, is there a way for the RADIUS server(FreeRADIUS) to be told to
send a disconnect packet to the NAS that a particular user is logged in
to(NAS could vary - Portmaster, Cisco, PPPoE Server, VPN Server, etc))?

Thanks!

--
---------------------------
| Nick White              |
| Network Administrator   |
| Tele-NET Internet       |
| http://www.tele-net.net |
| [hidden email]     |
---------------------------


Re: Disconnect-Request packet

Alan DeKok
N White <[hidden email]> wrote:
> That's correct. Read my second reply. So other than writing custom
> scripts, is there a way for the RADIUS server(FreeRADIUS) to be told to
> send a disconnect packet to the NAS that a particular user is logged in
> to(NAS could vary - Portmaster, Cisco, PPPoE Server, VPN Server, etc))?

  No.

  And I *still* don't understand your situation.  You claim 192.18.1.1
is the NAS, and you also claim it's FreeRADIUS.  That makes no sense.

  Alan DeKok.

Re: Disconnect-Request packet

Paul "TBBle" Hampson
In reply to this post by N White
On Thu, Jul 28, 2005 at 06:20:35PM -0700, N White wrote:
> That's correct. Read my second reply. So other than writing custom
> scripts, is there a way for the RADIUS server(FreeRADIUS) to be told to
> send a disconnect packet to the NAS that a particular user is logged in
> to(NAS could vary - Portmaster, Cisco, PPPoE Server, VPN Server, etc))?

Nope, you have to write custom scripts. FreeRADIUS has nothing to do
with (and wants nothing to do with) the disconnect packets.

Usually, you would have a script that checks for whatever condition
you're basing the disconnect on, and calls radclient (or telnet, or
whatever the interface your NAS/downstream provides for this) to do
the disconnect. (I've also seen SNMP and SOAP, and I really don't think
FreeRADIUS is the right tool to automate a phone call to the NOC. ^_^)

While you _could_ integrate disconnect into FreeRADIUS using a mechanism
similar to checkrad, it'd be pretty daft, since the authentication
checks the wrong details (this is an administrative request, not a user
request) and sends the wrong way (this is an unsolicited packet to a
NAS, not to a RADIUS proxy). This last point seems trivial until you try
to proxy backwards through a chain you have only the last hop of, and
the last hop doesn't necessarily know what the previous hop was.  (I
vaguely remember someone discussing a static reverse-NAS route config
file at some point. Luckily, no one tried to turn that into code)

Bash and perl are both simpler and easier shells for this than
FreeRADIUS. ^_^

--
Paul "TBBle" Hampson, on an alternate email client.

Re: Disconnect-Request packet

Alan DeKok
[hidden email] (Paul Hampson) wrote:
> This last point seems trivial until you try to proxy backwards
> through a chain you have only the last hop of, and the last hop
> doesn't necessarily know what the previous hop was.

  Exactly.  Coupled with the problem that the server is *supposed* to
validate the disconnect request by running it through the *proxying*
code, to see if it came FROM the site an Access-Request would have
been proxied TO.

  Yuck.

  Alan DeKok.


Re: Disconnect-Request packet

N White
Alan DeKok wrote:

>[hidden email] (Paul Hampson) wrote:
>  
>
>>This last point seems trivial until you try to proxy backwards
>>through a chain you have only the last hop of, and the last hop
>>doesn't necessarily know what the previous hop was.
>>    
>>
>
>  Exactly.  Coupled with the problem that the server is *supposed* to
>validate the disconnect request by running it through the *proxying*
>code, to see if it came FROM the site an Access-Request would have
>been proxied TO.
>
>  Yuck.
>
>  Alan DeKok.
>
>
>
>  
>
I understand this now, and why it would be... as you put it "yuck". Ha
Ha! Well thanks for answering my question and explaining it to me. Looks
like some custom scripting for me then. :-) My only problem now is going
to be figuring out how to send disconnect packets to different types of
server. Thanks for your help!

--
---------------------------
| Nick White              |
| Network Administrator   |
| Tele-NET Internet       |
| http://www.tele-net.net |
| [hidden email]     |
---------------------------


Re: Disconnect-Request packet

Kevin Bonner
On Friday 29 July 2005 13:43, N White wrote:
> I understand this now, and why it would be... as you put it "yuck". Ha
> Ha! Well thanks for answering my question and explaining it to me. Looks
> like some custom scripting for me then. :-) My only problem now is going
> to be figuring out how to send disconnect packets to different types of
> server. Thanks for your help!

Cisco call this a Packet of Disconnect (Death? =) and Ascend Max-TNT's have
their own radius server running on the NAS to handle disconnect packets
(though I've found the TNT to have several annoying bugs).  Those are two
devices I've used to send disconnect packets to.

Kevin Bonner
