Mailing List Archive

[nsp] Time limiting ISDN connections
Cisco 800 and 1000 series connecting to AS5300 access server.

Would like to limit some ISDN clients to "business hours" only, or "off peak"
hours.

With RADIUS we can determine the time of the login request and validate against
the hours that client is allowed to be connected and auth or not auth based on
that.

Can we send an AVpair down to the router to instruct it (or the NAS) to
disconnect the ISDN call(s) at the appointed time... Say a user is allowed to log
in from 6am to 6pm... instruct a dialup request at 5pm to disconnect in 1
hour.

Would prefer to initiate from the RADIUS server, and avoid having to kick
accounts via SNMP or manual login to the NAS (messy).

thanks

Dave

Re: [nsp] Time limiting ISDN connections
You're opening a huge can of worms here. Customers are going to end up
redialing and racking up huge phone bills. ISDN redials awfully fast,
and that nickel per call can add up amazingly quick.

I'd recommend putting a relay inline at the remote end and opening the
pairs when you don't want them calling ;)


--
nicholas harteau
nrh@ikami.com

Re: [nsp] Time limiting ISDN connections
Let's close the "can of worms"... just remember "time based ddr" when
searching CCO for this:
http://www.cisco.com/warp/public/793/access_dial/10.html

joshd.

Re: [nsp] Time limiting ISDN connections
Dial on demand is great, but if you're denying auth on the receiving
end, you're still running too high a risk if you ask me. Simple
configuration mistakes and desynchronized clocks become very expensive
mistakes.

Though it seems all this has been mitigated in this particular case, so
hurrah!

--
nicholas harteau
nrh@ikami.com

Re: [nsp] Time limiting ISDN connections
Dave [Hawk-Systems] wrote:
>
> Would like to limit some ISDN clients to "business hours" only, or "off peak"
> hours.
>
> With RADIUS we can determine the time of the login request and validate against
> the hours that client is allowed to be connected and auth or not auth based on
> that.
>
> Can we send an AVpair down to the router to instruct it (or the NAS) to

Some RADIUS servers support the Login-Time check item, e.g. Cistron:

Login-Time defines the time span a user may login to the system. The
format of a so-called time string is like the format used by UUCP.

[dd]

Radiusd calculates the number of seconds left in the time span, and
sets the Session-Timeout to that number of seconds. So if someone's
Login-Time is "Al0800-1800" and she logs in at 17:30, Session-Timeout
is set to 1800 seconds so that she is kicked off at 18:00.

Hope this helps.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
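
The calculation described in the message above, as an added example that is not part of the original thread and is not Cistron's code. It assumes a simplified time-string subset (day tokens Mo..Su plus the group tokens Wk, Al and Any, an optional HHMM-HHMM span, comma-separated entries); the function names are hypothetical.

```python
# Added example: simplified Login-Time -> Session-Timeout logic (not Cistron's source).
import re
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # index matches datetime.weekday()
GROUPS = {"Wk": DAYS[:5], "Al": DAYS, "Any": DAYS}  # assumed UUCP-style group tokens
TOKEN = r"Mo|Tu|We|Th|Fr|Sa|Su|Wk|Al|Any"
ENTRY = re.compile(rf"^((?:{TOKEN})+)(?:(\d{{4}})-(\d{{4}}))?$")


def _seconds(hhmm):
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"bad time of day: {hhmm!r}")
    return hours * 3600 + minutes * 60


def seconds_left(login_time, now):
    """Seconds remaining in the allowed span at `now`; 0 means outside it."""
    today = DAYS[now.weekday()]
    now_s = now.hour * 3600 + now.minute * 60 + now.second
    best = 0
    for entry in login_time.split(","):
        match = ENTRY.match(entry.strip())
        if not match:  # fail closed on anything this subset cannot parse
            raise ValueError(f"unparseable Login-Time entry: {entry!r}")
        days = set()
        for token in re.findall(TOKEN, match.group(1)):
            days.update(GROUPS.get(token, [token]))
        start = _seconds(match.group(2)) if match.group(2) else 0
        end = _seconds(match.group(3)) if match.group(3) else 86400
        if end <= start:
            raise ValueError(f"span wrapping midnight not supported: {entry!r}")
        if today in days and start <= now_s < end:
            best = max(best, end - now_s)
    return best


def authorize(login_time, now):
    """Return (reply type, reply attributes) for a login evaluated at `now`."""
    left = seconds_left(login_time, now)
    if left == 0:
        return ("Access-Reject", {})
    return ("Access-Accept", {"Session-Timeout": left})


if __name__ == "__main__":
    # Constructed sample: the thread's "Al0800-1800" login at 17:30.
    print(authorize("Al0800-1800", datetime(2002, 10, 10, 17, 30)))
```

Here `now` is the RADIUS server's own clock, so the result is only as accurate as that host's time synchronization.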

RE: [nsp] Time limiting ISDN connections
We had just gotten that far on the Cisco NAS list... though they didn't come up
with that resource.

Here is a question though. The Cisco 800 series apparently doesn't have a
battery backup for the system clock. When you power the router, the clock resets
to 1900 Sun Feb 28, 1993.

If this happens during a weekday (power outage, user playing with switches) this
could result in denied service for a significant period of time.

My guess would be a solution that would set an additional auth time for the
period that the clock reads on bootup, to allow the router to connect and update
its clock via sntp.

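! Permit traffic during business hours, or during the hour after a cold boot
access-list 100 permit ip any any time-range BusHours
access-list 100 permit ip any any time-range RebootHours
access-list 100 deny ip any any
!
time-range BusHours
 periodic weekdays 6:00 to 18:00
!
! Window matching the clock value the router shows right after power-up
time-range RebootHours
 absolute start 19:00 28 February 1993 end 20:00 28 February 1993
!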

Thanks

Dave
