Sep 26 2006

Disconnect Radius Users with the Packet of Disconnect

Published by at 12:00 am under Freeradius

Our goal here is to automatically reset a customer's session when that customer's Radius settings have changed, for example after putting him on restriction or cutting him off for excessive usage. We were surprised to find very little information about the “Packet Of Disconnect” when typing Radius into a search engine. We had written a script in the Expect language that logged in to the router and reset the connection based on the username.
Even though it does the job, we don't think the method is appropriate. We get the feeling we are emulating a robot doing a task meant for a human, and it is hard to deal with errors because the script has to know exactly what output to expect. Anyway, here is a much better solution: the Radius “Packet Of Disconnect”, which we are going to use with a Freeradius user database.


Packet Of Disconnect

We shouldn't have to detail this too much.

All the information is on the Freeradius wiki; we just thought it wasn't obvious to find it there, even once you know what to look for.
A few comments on this:

  • You don't have to send all fields to reset a connection. The username is sufficient, but I find it more secure to add the session id as well.
  • Your Network Access Server (NAS) needs to listen on port 1700. Check out the next section to enable it on Cisco.


Configuring the Router / NAS

The NAS needs to listen for requests on UDP port 1700. The port can be changed, of course, but 1700 is the standard. Again, this example is specific to Cisco; check your documentation if you have other kinds of devices on your network. Run the aaa pod command to enable the packet of disconnect server:

aaa pod server clients your-server auth-type any server-key your-shared-secret

Replace your-server with the IP of the server that will host the reset script, and your-shared-secret with the secret that script will use.
We have set ‘auth-type’ to ‘any’ as I am only sending the username and session id parameters; not all of them are needed security-wise. You can get more information about this in the Cisco command reference.


Disconnection Script

The documentation on the Freeradius wiki should be sufficient, but we wanted to mention a quick way to retrieve the NAS and session id. A single line of SQL will do if you have configured a database such as MySQL or PostgreSQL to store accounting data (we highly recommend it; it is so much easier to search the data!):

-- Most recent session of this user that has no stop time, i.e. is still open.
-- acctstoptime = 0 matches the zero-date default of the MySQL schema of the time;
-- newer Freeradius schemas leave the column NULL, so use "acctstoptime IS NULL" there.
SELECT Username, AcctSessionId, NASIPAddress
FROM radacct
WHERE username='username'
AND acctstoptime = 0
ORDER BY acctstarttime DESC limit 1;


If no record is returned, the user is not connected and does not need to be reset.
With all the information in hand, you can reset the Radius connection like this:

$ echo "Acct-Session-Id=D91XXXXXXXXX097" > packet.txt
$ echo "User-Name=username" >> packet.txt
$ echo "NAS-IP-Address=nasIPaddress" >> packet.txt

$ radclient -x nasIPaddress:1700 disconnect secret < packet.txt
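As an added example (not code from the original post or from Freeradius), here is what radclient does under the hood: a Disconnect-Request built to RFC 5176 carrying the three attributes above, authenticated with the shared secret, and a check that the NAS's ACK or NAK is a genuine reply and not a forged or corrupted one. The NAS address, secret and session values are constructed placeholders, and build_response simulates the NAS side so the exchange can be exercised offline.

```python
import hashlib, os, socket, struct

# RADIUS Dynamic Authorization codes (RFC 5176) and the attribute types used in packet.txt.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_TYPE = {"User-Name": 1, "NAS-IP-Address": 4, "Acct-Session-Id": 44}

def encode_attrs(attrs):
    """Serialise {name: value} into RADIUS Type/Length/Value attributes."""
    out = b""
    for name, value in attrs.items():
        data = socket.inet_aton(value) if name == "NAS-IP-Address" else value.encode()
        out += struct.pack("!BB", ATTR_TYPE[name], len(data) + 2) + data
    return out

def build_disconnect_request(secret, attrs, ident):
    """Build a Disconnect-Request; the authenticator is what proves we hold the secret."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body

def build_response(code, request, secret, body=b""):
    """The NAS side (simulated here): ACK/NAK bound to the request's authenticator."""
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + attributes + secret)
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def verify_response(secret, request, response):
    """Return the response code only if it is a genuine, untampered reply to `request`."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if expected == response[4:20] else None

def send_disconnect(nas_ip, secret, attrs, port=1700, timeout=3.0):
    """Send the request to the NAS (constructed values) and return the verified reply code.
    Raises socket.timeout if the NAS never answers, e.g. when aaa pod is not enabled."""
    request = build_disconnect_request(secret, attrs, os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_ip, port))
        reply, _ = sock.recvfrom(4096)
    return verify_response(secret, request, reply)
```

send_disconnect() returns 41 for a Disconnect-ACK, 42 for a Disconnect-NAK (for instance when the session from the radacct lookup has already ended) and None when the reply's authenticator does not match the shared secret.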


2 Responses to “Disconnect Radius Users with the Packet of Disconnect”

  1. Shailendra on 28 May 2014 at 2:22 pm

    Hello

    We are using Cisco as a NAS and freeradius 3.0.3 and mysql.
    We are facing a challenge in terms of disconnecting the session when it reaches to assigned download and upload data limit.
    Can you help us with the Cisco attribute to pass the same to the NAS and how to disconnect the session, as we are not able to find any such attributes for data limit.

  2. dave on 04 Jul 2014 at 3:28 pm

    Check your Cisco documentation, but I know there wasn't any at the time, or the other way around, Freeradius did not implement that option.
    If that's still true, you can run a script that checks users' upload and download and disconnects them if they're over quota.
    It is more flexible since you can set your limits for the week, month, last 30 days or whatever you wish.
    If you stick to the first option (in case it's possible), you'll have to re-enable accounts at some stage, and run a script as well…
