fail to send close messages to the radius server

Nikos Mavrogiannopoulos n.mavrogiannopoulos at
Mon Jan 11 04:01:26 PST 2016

On Wed, Jan 6, 2016 at 10:10 AM, Yick Xie <yick.xie at> wrote:
> Hi Nikos,

> #B. BTW a tricky way I try to implement to avoid acct-stop-time
> problems, is to modify the count query in freeradius to count distinct
> frameipaddress, because a device typically will launch a new session
> using the same local IP even with stall sessions before. However there
> are two defects: #1. the ocserv doesn't seem to send frameipaddress to
> the radius server in the initial connection.

That's because the address is assigned after authentication (e.g., the
address may be assigned by radius itself).

> #2. A device might have
> more than one IP especially when it can connect with different ocserv
> instances in one server, such as ocserv1(office)(,
> ocserv2(R&D)( My idea to deal with #2 defect is to
> assign them with one IP pool with ip-lease option. Is there going to
> be some unexpected risks?

Not sure I understand the scenario or defect that you are describing.

> #C. Is it possible to invalidate cookies when the admin disconnects
> manually certain IP/ID via occtl? Because when I checked the problem
> with specified clients, they mobile devices may still try to connect
> the server using cookies automatically. Then I have to block that IP
> for a moment from iptables.

Not really, you cannot clear cookies, although that's something I'd
like to add. However,
there is a ban IP command in occtl.  It bans the IP for the configured
in ocserv time.


More information about the openconnect-devel mailing list