اين هم براي kill صفحه 29 راهنماي NTTac
Configuring NTTacPlus and the NAS for forced disconnection
There are two cases in which is useful to have a procedure that allows to terminate the session of one or more users.
The first case concerns the manual disconnection on behalf of the administrator, when he decides to kill a session from the NTTacPlus remote console, without having to telnet, for example, to the NAS and issue the disconnection command.
The second case concerns the automatic forced disconnection by NTTacPlus, when a user is going to exhaust his connection credits during a running session.
NTTacPlus, in fact, can assign to each user profile connection time credits or periodical time quotas (daily, weekly, etc.). The system administrator can decide the behavior of NTTacPlus to the users that, during a session in process, are going to exhaust their credits or quota (let the session goes on till the end or stop it when the credit reaches the zero).
Unfortunately neither RADIUS nor TACACS+ protocols provide commands or extensions to ask the NAS to terminate active sessions. So NTTacPlus exploits two methods for the disconnection: an implicit method through the RADIUS Session-Timeout attribute, and an explicit method by means of external utilities/scripts which allow to send to the NAS the suitable command to end the sessions.
The use of external applications or scripts is due to the fact that each NAS brand (and even each model or each software release for a specific model) provides different commands or ways to accomplish the task, because there is not a standard command for the disconnection.
Use of session-timeout
When you check the Session-Timeout option, as mentioned above, NTTacPlus computes during a user login the maximum length of the session for that user, sending to the NAS the result in the Session-Timeout attribute. After this time it’s up to the NAS to end the session. No command is explicitly sent by NTTacPlus.
The value transmitted in the Session Timeout attribute will be computed as the minimum value among the following ones: (see the chapter Account Management if you need further information about individual parameters):
• Maximum length of a single session (MaxConnectionTime)
• Residual time quota for the current period (QuotaLeft)
• Residual time credit for the account (TimeLeft)
Each of these parameters will be evaluated only if the account is configured to have a limitation on that parameter and only if the account is configured to be disconnected forcibly when this parameter is going to exhaust.
Otherwise, the Session-Timeout attribute won’t be sent to the NAS, and no implicit restrictions will be placed for the session.
NOTE: This method works correctly only with the RADIUS authentication and if the NAS supports the Session-Timeout attribute. Through this method it is not possible to kill manually a user session from the Edit/Kill command of the Remote Console.
