fail to send close messages to the radius server
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Mon Jan 11 04:01:26 PST 2016
On Wed, Jan 6, 2016 at 10:10 AM, Yick Xie <yick.xie at gmail.com> wrote:
> Hi Nikos,
> #B. BTW a tricky way I try to implement to avoid acct-stop-time
> problems, is to modify the count query in freeradius to count distinct
> frameipaddress, because a device typically will launch a new session
> using the same local IP even with stale sessions before. However there
> are two defects: #1. the ocserv doesn't seem to send frameipaddress to
> the radius server in the initial connection.
That's because the address is assigned after authentication (e.g., the
address may be assigned by radius itself).
> #2. A device might have
> more than one IP especially when it can connect with different ocserv
> instances in one server, such as ocserv1(office)(192.168.1.0/24),
> ocserv2(R&D)(10.10.0.0/24). My idea to deal with #2 defect is to
> assign them with one IP pool with ip-lease option. Are there going to
> be any unexpected risks?
Not sure I understand the scenario or defect that you are describing.
> #C. Is it possible to invalidate cookies when the admin disconnects
> manually certain IP/ID via occtl? Because when I checked the problem
> with specified clients, their mobile devices may still try to connect
> to the server using cookies automatically. Then I have to block that IP
> for a moment from iptables.
Not really, you cannot clear cookies, although that's something I'd
like to add. However, there is a ban IP command in occtl. It bans the IP
for the time configured in ocserv.
regards,
Nikos
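As an added illustration (not part of the thread, and not ocserv's or FreeRADIUS's own configuration), the stock-style simultaneous-use count beside the distinct-address variant Yick describes above. It assumes a standard FreeRADIUS 3 `radacct` table (columns `username`, `framedipaddress`, `acctstoptime`) and a constructed user name `alice`:

```sql
-- Stock-style simultaneous-use count: every accounting row without an
-- Acct-Stop counts, so a session whose stop record never arrived keeps
-- counting against Simultaneous-Use until it is cleaned up.
SELECT COUNT(*)
FROM radacct
WHERE username = 'alice'
  AND acctstoptime IS NULL;

-- Distinct-address variant: a device that reconnects with the same
-- framed IP is counted once even if an older row is still open.
-- Caveat: COUNT(DISTINCT ...) ignores NULLs, so an open row recorded
-- without a Framed-IP-Address is silently not counted at all.
SELECT COUNT(DISTINCT framedipaddress)
FROM radacct
WHERE username = 'alice'
  AND acctstoptime IS NULL;
```

In FreeRADIUS 3 the first query is the shape of `simul_count_query` in the SQL module's `queries.conf`; the second is the local modification discussed in the thread, with the NULL behaviour being the reason defect #1 matters.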