Internet.com ISP-Planet

 


Best of the ISP-Lists

The Limits of RADIUS

Members of the ISP-Tech list find that a simple discussion about denying concurrency evolves into a complex evaluation of the benefits and quirks of the various RADIUS products.

[June 6, 2002]

On the ISP-Tech list in May, DC queried,

"I need to restrict all users to just one session. I'm using Livingston RADIUS 2.1. Does anyone know how to deny simultaneous sessions?"

DD noted that it's likely to require some extra work with Livingston:

"Livingston RADIUS doesn't support this, except through the port limit statement for ISDN connections. It doesn't work for modem connections. We use MaxStat to accomplish this, and it works very well. It also gives you an easy way to monitor who is online. It can automatically export this data to a web page, which makes it easy for your techs to check out customer connections without having access to your PortMasters."

AC suggested that, for a number of other products, it shouldn't be a problem:

"Cistron, Free RADIUS, IC-RADIUS, Radiator, and Steel-Belted RADIUS servers all support that functionality. To the best of my knowledge, Lucent RADIUS does not support the simultaneous-use parameter, though it has been some time since I used their products."

Others offered some specific ideas on how to control users:

[TY offered] "We use a program called TSMON to watch all our systems for multiple users. It even has a nice exempt file that it reads in so that you can allow certain users the ability to connect more than once, i.e. ISDN, offsite support staff, etc. If two people connect to the same account, it waits about 2-3 minutes and kicks either the first connect, the second connect, or both, and e-mails the offending user as to why they were kicked. It can also be used to watch line campers, though this feature does take a bit of tuning."

[TM advised] "Try this: port-limit=1."

[DW added] "In our default profile we have: Ascend:Ascend-Maximum-Channels=1. Unless you're using an Ascend NAS, you may need to alter that slightly."
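
The external-monitor approach described above (a tool that watches who is online and honors an exempt list) can be approximated from RADIUS accounting Start/Stop records. This is an added example, not code from the article, MaxStat or TSMON; the record layout follows the FreeRADIUS detail-file style, and the function names, exempt set and sample records are constructed for illustration.

```python
# Added example: count concurrent sessions per user from RADIUS accounting
# records. Function names, the exempt set and the sample data are hypothetical.
import re
from collections import defaultdict

ATTR = re.compile(r'^\s+([\w-]+) = "?([^"\n]*)"?$', re.M)

def rec(status, nas, user="", sid=""):
    """Build one constructed record in the style of a FreeRADIUS detail file."""
    return (f'Thu Jun  6 10:00:00 2002\n\tUser-Name = "{user}"\n'
            f'\tAcct-Session-Id = "{sid}"\n\tAcct-Status-Type = {status}\n'
            f'\tNAS-IP-Address = {nas}\n\n')

SAMPLE = "".join([                              # constructed sample input
    rec("Start", "192.0.2.10", "alice", "a1"),
    rec("Start", "192.0.2.10", "bob", "b1"),
    rec("Start", "192.0.2.11", "alice", "a2"),  # second login: over the limit
    rec("Stop", "192.0.2.10", "bob", "b1"),
    rec("Start", "192.0.2.10", "bob", "b2"),    # fine, b1 already closed
    rec("Start", "192.0.2.11", "isdn1", "i1"),
    rec("Start", "192.0.2.11", "isdn1", "i2"),  # exempt account
    rec("Accounting-On", "192.0.2.10"),         # NAS rebooted, Stops were lost
    rec("Start", "192.0.2.10", "bob", "b3"),    # fine, b2 died with the NAS
])

def parse(text):
    """Yield one attribute dict per blank-line-separated record."""
    for block in text.strip().split("\n\n"):
        yield dict(ATTR.findall(block))

def find_violations(records, limit=1, exempt=frozenset()):
    """Return (user, open session ids) each time a Start exceeds the limit."""
    active = defaultdict(set)           # user -> {(nas, session id)}
    hits = []
    for r in records:
        status, nas = r["Acct-Status-Type"], r["NAS-IP-Address"]
        user, key = r.get("User-Name", ""), (nas, r.get("Acct-Session-Id", ""))
        if status == "Start":
            active[user].add(key)       # session ids are only unique per NAS
            if user not in exempt and len(active[user]) > limit:
                hits.append((user, sorted(sid for _, sid in active[user])))
        elif status == "Stop":
            active[user].discard(key)
        elif status in ("Accounting-On", "Accounting-Off"):
            # A lost Stop leaves a stale session; a NAS restart clears them all.
            for sessions in active.values():
                sessions.difference_update({k for k in sessions if k[0] == nas})
    return hits
```

Calling `find_violations(parse(SAMPLE), exempt={"isdn1"})` reports only the second `alice` login; without the Accounting-On handling, the final `bob` login would be flagged against a session that no longer exists.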

—End

Related articles:
  [March 6, 2002] CERT Warns of Two RADIUS Flaws
  [Feb. 8, 2002] The Diameter of Security is Twice the RADIUS
  [April 11, 2001] Defying Double Dippers: Funk Concurrency Server

 

 
