On Wed, Jan 6, 2016 at 10:10 AM, Yick Xie <yick.xie at gmail.com> wrote:

> Hi Nikos,
>
> #B. BTW a tricky way I try to implement to avoid acct-stop-time
> problems, is to modify the count query in freeradius to count distinct
> framedipaddress, because a device typically will launch a new session
> using the same local IP even with stale sessions before. However there
> are two defects: #1. the ocserv doesn't seem to send framedipaddress to
> the radius server in the initial connection.

That's because the address is assigned after authentication (e.g., the
address may be assigned by radius itself).

> #2. A device might have more than one IP, especially when it can connect
> with different ocserv instances on one server, such as
> ocserv1(office)(192.168.1.0/24), ocserv2(R&D)(10.10.0.0/24). My idea to
> deal with the #2 defect is to assign them one IP pool with the ip-lease
> option. Are there going to be some unexpected risks?

Not sure I understand the scenario or defect that you are describing.

> #C. Is it possible to invalidate cookies when the admin disconnects
> manually certain IP/ID via occtl? Because when I checked the problem
> with specified clients, their mobile devices may still try to connect
> to the server using cookies automatically. Then I have to block that IP
> for a moment from iptables.

Not really, you cannot clear cookies, although that's something I'd like
to add. However, there is a ban IP command in occtl. It bans the IP for
the time configured in ocserv.

regards,
Nikos
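The thread above discusses replacing FreeRADIUS's simultaneous-use count (which counts every radacct row without an Acct-Stop) with a count of distinct framedipaddress values, and names two defects of that idea. The following is an added example, not code from the thread or from the ocserv or FreeRADIUS projects: it models the radacct table in an in-memory SQLite database with a constructed set of accounting rows and runs both queries side by side, so the effect of stale sessions and of both defects (#1: the initial Access-Request carries no address, so that row is silently dropped by COUNT(DISTINCT); #2: one device reaching two ocserv instances gets two addresses and counts twice) can be seen on data. The column names follow the stock FreeRADIUS radacct schema, but the rows, session ids and addresses are invented for this example, and the query text is a simplified stand-in for the simul_count_query in the module configuration.

```python
import sqlite3

# Constructed accounting rows modelled on FreeRADIUS's radacct table.
# Column names match the stock schema; the values are made up for this example.
SAMPLE_ROWS = [
    # username, acctsessionid, framedipaddress, acctstoptime
    ("alice", "s1", "192.168.1.10", "2016-01-05 09:00:00"),  # closed normally
    ("alice", "s2", "192.168.1.10", None),  # stale: Acct-Stop never arrived
    ("alice", "s3", "192.168.1.10", None),  # live session, same local IP as s2
    ("alice", "s4", "10.10.0.9", None),     # same device on a second ocserv instance (defect #2)
    ("alice", "s5", None, None),            # fresh connection, no address assigned yet (defect #1)
    ("bob", "s6", "10.10.0.7", None),
]

# Stock behaviour: every open row counts, so stale sessions inflate the total.
STOCK_COUNT = (
    "SELECT COUNT(*) FROM radacct "
    "WHERE username = ? AND acctstoptime IS NULL"
)

# Variant from the thread: count distinct addresses instead of rows.
# Note that SQL COUNT(DISTINCT col) ignores NULL, which is defect #1.
DISTINCT_COUNT = (
    "SELECT COUNT(DISTINCT framedipaddress) FROM radacct "
    "WHERE username = ? AND acctstoptime IS NULL"
)

# Rows the distinct variant never sees: open sessions with no address yet.
UNADDRESSED_COUNT = (
    "SELECT COUNT(*) FROM radacct "
    "WHERE username = ? AND acctstoptime IS NULL AND framedipaddress IS NULL"
)


def build_db():
    """Create an in-memory radacct table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct ("
        "username TEXT, acctsessionid TEXT, "
        "framedipaddress TEXT, acctstoptime TEXT)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def run_count(conn, username, query):
    """Run one of the count queries for a user and return the integer result."""
    return conn.execute(query, (username,)).fetchone()[0]


def compare_counts(conn, username):
    """Return (stock count, distinct-address count, open rows without an address)."""
    return (
        run_count(conn, username, STOCK_COUNT),
        run_count(conn, username, DISTINCT_COUNT),
        run_count(conn, username, UNADDRESSED_COUNT),
    )


def over_limit(count, simultaneous_use):
    """Decision a Simultaneous-Use check would make for a given count."""
    return count >= simultaneous_use


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob"):
        stock, distinct, unaddressed = compare_counts(db, user)
        print(f"{user}: stock={stock} distinct={distinct} "
              f"unaddressed_open_rows={unaddressed} "
              f"reject_at_limit_2={over_limit(distinct, 2)}")
```

For alice the stock query reports four open sessions (two of them the same stale/live pair on one address), the distinct variant reports two (the second one coming from the second ocserv instance, i.e. defect #2), and one open row with no address at all is dropped from the distinct count (defect #1). Whichever query is used, the result only stays meaningful while Acct-Stop records actually arrive, which is the underlying problem the thread is working around.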