
FreeRadius

Packet Of Disconnect

Netexpertise ( contact ). Last updated September 26th 2006.

Introduction

Our goal here is to automatically reset a customer's session when his Radius settings have changed. This is useful after putting him on restriction or cutting him off because of excessive usage. We were surprised to find very little information about "Packet Of Disconnect" when typing Radius into a search engine. We first wrote a script in the Expect language that logged in to the router and reset the connection based on the username.
Even though it does the job, we don't think that method is appropriate. It feels like emulating a robot doing something that should be done by hand, and error handling is hard because you have to know in advance what output to expect. Here is our solution instead: the "Packet Of Disconnect".


Packet Of Disconnect

We shouldn't have to go into much detail: all the information is right here on the Freeradius wiki. We just found that it wasn't obvious to locate on the wiki.
A few comments on this:

  • You don't have to send all fields to reset a connection. The username is sufficient, but I find it more secure to add the session id as well, since the request then matches only that one session.

  • You need to make your Network Access Server (NAS) listen on port 1700. See the next section to enable it on Cisco.


Configuring the NAS

The NAS needs to listen for requests on UDP port 1700. The port can be changed of course, but this is the standard one. Again, this example is specific to Cisco; check your documentation if you have other kinds of devices on your network. You need to run the aaa pod command to enable the packet of disconnect port:

aaa pod server clients your-server auth-type any server-key your-shared-secret

Replace your-server with the IP address of the server that will host the reset script, and your-shared-secret with the key that script will use.
We have set 'auth-type' to 'any' as we only send the username and session id parameters; not all of them are needed for security. You can get more information about this in the Cisco documentation.


Script

The documentation on the Freeradius wiki should be sufficient, but we wanted to mention a quick way to retrieve the NAS and session id. A single SQL query does the job if you have configured a database such as MySQL or PostgreSQL to store accounting data (we highly recommend it, searching the data is so much easier!):

-- Most recent open session for one user: NAS to send the request to and session id to match.
-- acctstoptime = 0 selects open sessions in the old FreeRADIUS MySQL schema; newer schemas
-- store NULL there, in which case use "AND acctstoptime IS NULL".
SELECT Username, AcctSessionId, NASIPAddress
FROM radacct
WHERE username='username'
AND acctstoptime = 0
ORDER BY acctstarttime DESC LIMIT 1;

If no record is returned, the user is not connected and there is nothing to reset.
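As an added example that is not part of the original article, here is what the reset script has to do once the query above has returned the NAS address and session id: build an RFC 5176 Disconnect-Request carrying only User-Name and Acct-Session-Id, send it to UDP port 1700, and accept the Disconnect-ACK or NAK only if its Response Authenticator matches the shared secret from the aaa pod server line. It is plain Python 3 with no dependency on radclient or the FreeRADIUS libraries; the NAS address, secret (passed as bytes), username and session id are assumed to come from the query and the router configuration.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 5176 (RADIUS Dynamic Authorization) packet codes and attribute types used here.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID = 1, 44

def _attr(attr_type, value):
    """Encode one attribute as Type (1 octet), Length (1 octet), Value (<= 253 octets)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_disconnect_request(secret, username, session_id, identifier):
    """Build a Disconnect-Request carrying only User-Name and Acct-Session-Id (secret is bytes)."""
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_ACCT_SESSION_ID, session_id.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def response_authenticator(secret, request_authenticator, response_header, response_attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(response_header + request_authenticator + response_attrs + secret).digest()

def verify_response(secret, request, response):
    """Return 41 (ACK) or 42 (NAK) only if `response` is a genuine reply to `request`."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    expected = response_authenticator(secret, request[4:20], response[:4], response[20:])
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # wrong secret or forged reply: treat it as no answer at all
    return code

def send_disconnect(nas_ip, secret, username, session_id, port=1700, timeout=3.0):
    """Send one Disconnect-Request to the NAS; returns 41, 42 or None when no valid reply came back."""
    request = build_disconnect_request(secret, username, session_id, identifier=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_ip, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_response(secret, request, reply)
```

Call it as send_disconnect(nas_ip_from_radacct, b"your-shared-secret", "username", session_id_from_radacct); a NAK means the NAS refused (for example, no matching session), and None means it never answered with a valid reply.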