{"id":50,"date":"2006-09-26T00:00:00","date_gmt":"2006-09-26T00:00:00","guid":{"rendered":"http:\/\/netexpertise\/en\/?p=50"},"modified":"2021-10-20T23:00:45","modified_gmt":"2021-10-20T21:00:45","slug":"packet-of-disconnect","status":"publish","type":"post","link":"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html","title":{"rendered":"Disconnect Radius Users with the Packet of Disconnect"},"content":{"rendered":"\n<p>Our goal here is to automatically reset a customer whose Radius settings have changed. This is useful after putting him on restriction or cutting him off in case of extensive usage. We are surprised to find very little information about &#8220;Packet Of Disconnect&#8221; when we type Radius in a search engine. We wrote a script in the Expect language that would log in to the router and reset the connection based on the username.<br>Even though it does the job, we don&#8217;t think the method is appropriate. We get the feeling we are emulating a robot that does something that should be done manually. It&#8217;s hard to deal with errors because you&#8217;re supposed to know what to expect. Anyway, here&#8217;s a much better solution: the Radius &#8220;Packet Of Disconnect&#8221; we are going to use with a <a href=\"\/en\/category\/networking\/freeradius\">Freeradius<\/a> user database.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><br>Packet Of Disconnect<\/h3>\n\n\n\n<p>We shouldn&#8217;t have to go into too much detail. <\/p>\n\n\n\n<p>All information is on the <a href=\"http:\/\/wiki.freeradius.org\/index.php\/Packet_of_Disconnect\" target=\"_blank\" rel=\"noreferrer noopener\">Freeradius wiki<\/a>. We just thought it wasn&#8217;t easy to find, even once you are on the wiki.<br>A few comments on this:<\/p>\n\n\n\n<ul><li> <span style=\"font-size: inherit;\">You don&#8217;t have to send all fields to reset a connection. 
The username is sufficient, but I find it more secure to add the session id.<\/span> <\/li><li> <span style=\"font-size: inherit;\">You need to let your Network Access Server (NAS) listen on port 1700. Check out the next section to activate it on Cisco. <\/span><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><br>Configuring the Router \/ NAS<\/h3>\n\n\n\n<p>The NAS needs to listen for requests on UDP port 1700. It can be changed, of course, but this is the standard. Again, this example is specific to Cisco; check your documentation if you have other kinds of devices on your network. You need to run the <i>aaa pod<\/i> command to enable the packet of disconnect port.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"vim\" class=\"language-vim\">aaa pod server clients <i>your-server<\/i> auth-type any server-key <i>your-shared-secret<\/i><\/code><\/pre>\n\n\n\n<p>Replace <i>your-server<\/i> with the IP of the server that will host the reset script.<br>We have set &#8216;auth-type&#8217; to &#8216;any&#8217; as I am only sending username and session id parameters. Not all of them are needed security-wise. You can get more information about this in the <a href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios-xml\/ios\/security\/a1\/sec-a1-cr-book\/sec-cr-a2.html#wp4280613990\" target=\"_blank\" rel=\"noreferrer noopener\">Cisco command reference<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><br>Disconnection Script<\/h3>\n\n\n\n<p>The documentation on the <a href=\"https:\/\/wiki.freeradius.org\/protocol\/disconnect-messages\" target=\"_blank\" rel=\"noreferrer noopener\">Freeradius wiki<\/a> should be sufficient, but we wanted to mention a quick way to retrieve the NAS and session id. 
A simple line of SQL should do if you have configured a database such as <a href=\"\/en\/category\/database\/mysql\">MySQL<\/a> or <a href=\"\/en\/category\/database\/postgresql-database\">PostgreSQL<\/a> to store accounting data (I highly recommend it, it&#8217;s so much easier to search for data!)<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"sql\" class=\"language-sql\">-- Most recent open session (no stop time recorded) for the user\nSELECT Username, AcctSessionId, NASIPAddress\nFROM radacct\nWHERE username='username'\nAND acctstoptime = 0\nORDER BY acctstarttime DESC LIMIT 1;<\/code><\/pre>\n\n\n\n<p><br>If no record is returned, the user is not connected and doesn&#8217;t need to be reset.<br>Having all the information needed, you can simply reset the Radius connection like this:<br><br><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\"># Write the attributes to a file, then send them to the NAS as a disconnect request\n$ echo \"Acct-Session-Id=D91XXXXXXXXX097\" > packet.txt\n$ echo \"User-Name=username\" >> packet.txt\n$ echo \"NAS-IP-Address=nasIPaddress\" >> packet.txt\n\n$ cat packet.txt | radclient -x nasIPaddress:1700 disconnect 'secret'<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Our goal here is to automatically reset a customer whose Radius settings have changed. This is useful after putting him on restriction or cutting him off in case of extensive usage. We are surprised to find very little information about &#8220;Packet Of Disconnect&#8221; when we type Radius in a search engine. 
We wrote a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[3],"tags":[388,384,386,10],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.8.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Netexpertise - Disconnect Radius Users with the Packet of Disconnect<\/title>\n<meta name=\"description\" content=\"Disconnect users authenticated on Freeradius from a router or a NAS with the Radius &quot;Packet of disconnect&quot;\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Netexpertise - Disconnect Radius Users with the Packet of Disconnect\" \/>\n<meta property=\"og:description\" content=\"Disconnect users authenticated on Freeradius from a router or a NAS with the Radius &quot;Packet of disconnect&quot;\" \/>\n<meta property=\"og:url\" content=\"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html\" \/>\n<meta property=\"og:site_name\" content=\"Netexpertise\" \/>\n<meta property=\"article:published_time\" content=\"2006-09-26T00:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-10-20T21:00:45+00:00\" \/>\n<meta name=\"author\" content=\"dave\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@netexpertise\" \/>\n<meta name=\"twitter:site\" content=\"@netexpertise\" \/>\n<script 
type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html\",\"url\":\"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html\",\"name\":\"Netexpertise - Disconnect Radius Users with the Packet of Disconnect\",\"isPartOf\":{\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#website\"},\"datePublished\":\"2006-09-26T00:00:00+00:00\",\"dateModified\":\"2021-10-20T21:00:45+00:00\",\"author\":{\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa\"},\"description\":\"Disconnect users authenticated on Freeradius from a router or a NAS with the Radius \\\"Packet of disconnect\\\"\",\"breadcrumb\":{\"@id\":\"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.netexpertise.eu\/en\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Disconnect Radius Users with the Packet of Disconnect\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#website\",\"url\":\"https:\/\/www.netexpertise.eu\/en\/\",\"name\":\"Netexpertise\",\"description\":\"Systems \/ Networks \/ DevOps\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.netexpertise.eu\/en\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa\",\"name\":\"dave\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/image\/\",\"url\":\"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g\",\"contentUrl\":\"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g\",\"caption\":\"dave\"},\"sameAs\":[\"http:\/\/www.netexpertise.eu\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Netexpertise - Disconnect Radius Users with the Packet of Disconnect","description":"Disconnect users authenticated on Freeradius from a router or a NAS with the Radius \"Packet of disconnect\"","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html","og_locale":"en_US","og_type":"article","og_title":"Netexpertise - Disconnect Radius Users with the Packet of Disconnect","og_description":"Disconnect users authenticated on Freeradius from a router or a NAS with the Radius \"Packet of disconnect\"","og_url":"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html","og_site_name":"Netexpertise","article_published_time":"2006-09-26T00:00:00+00:00","article_modified_time":"2021-10-20T21:00:45+00:00","author":"dave","twitter_card":"summary_large_image","twitter_creator":"@netexpertise","twitter_site":"@netexpertise","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html","url":"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html","name":"Netexpertise - 
Disconnect Radius Users with the Packet of Disconnect","isPartOf":{"@id":"https:\/\/www.netexpertise.eu\/en\/#website"},"datePublished":"2006-09-26T00:00:00+00:00","dateModified":"2021-10-20T21:00:45+00:00","author":{"@id":"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa"},"description":"Disconnect users authenticated on Freeradius from a router or a NAS with the Radius \"Packet of disconnect\"","breadcrumb":{"@id":"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/www.netexpertise.eu\/en\/networking\/freeradius\/packet-of-disconnect.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.netexpertise.eu\/en"},{"@type":"ListItem","position":2,"name":"Disconnect Radius Users with the Packet of Disconnect"}]},{"@type":"WebSite","@id":"https:\/\/www.netexpertise.eu\/en\/#website","url":"https:\/\/www.netexpertise.eu\/en\/","name":"Netexpertise","description":"Systems \/ Networks \/ DevOps","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.netexpertise.eu\/en\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa","name":"dave","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/image\/","url":"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g","contentUrl":"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g","caption":"dave"},"sameAs":["http:\/\/www.netexpertise.eu"]}]}},"_links":{"self":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts\/50"}],"collection":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/comments?post=50"}],"version-history":[{"count":0,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts\/50\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/media?parent=50"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/categories?post=50"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/tags?post=50"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}