fail to send close messages to the radius server

Nikos Mavrogiannopoulos n.mavrogiannopoulos at
Thu Jan 14 08:25:26 PST 2016

On Wed, 2016-01-13 at 04:16 +0800, Yick Xie wrote:
> Hi Nikos,
> > That's because the address is assigned after authentication (e.g., 
> > the
> > address may be assigned by radius itself).
> I just thought the ocserv would send update messages to the radius
> server immediately after authentication. Whatever it's not a big
> trouble.

 I've done that in the master branch.

> Sorry I haven't realized that before, because I misunderstood the
> ocserv is supposed to maintain sorts of cookie-IP related entries.
> Anyway it still makes sense to use IP ban cmd to deal with it, yet
> that cmd seems not available now in occtl.

It is available in the latest 0.10.x releases and in 0.11.x.

> At last, I want to share another idea. I glanced the freeradius wiki
> and found the default SQL-schema includes ConnectInfo_start and
> ConnectInfo_stop attributes, the former of which in my opinion can be
> utilized to record the User-agent via "Connect-Info". Sometimes the
> admin cannot check the log punctually and totally got no clues of
> what's the client's application or platform, considering AnyConnect
> covers so many OS and versions even as well as BlackBerry. Then UA
> attribute must be helpful to collect more info about whether a 
> problem
> come from one specific APP/version or our server, meanwhile such
> extension will be harmless to the freeradius infrastructure. What do
> you think about it ? Perhaps I missed something about the protocol?

Please open an issue/feature request in and
place all that information there. It looks indeed useful.


More information about the openconnect-devel mailing list