X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/726ce371316da1c37f061d09f985b01858ba61e0..75ba8921cf932ef11ccac40e5f7bf9627f9697e0:/Docs/manual.html?ds=sidebyside

diff --git a/Docs/manual.html b/Docs/manual.html
index 08d9408..65d7f4c 100644
--- a/Docs/manual.html
+++ b/Docs/manual.html
@@ -52,9 +52,11 @@ H3 {
     <LI><A HREF="#Interception">Interception</A></LI>
     <LI><A HREF="#Authentication">Authentication</A></LI>
     <LI><A HREF="#Plugins">Plugins</A></LI>
-    <LI><A HREF="#Walled Garden">Walled Garden</A></LI>
+    <LI><A HREF="#WalledGarden">Walled Garden</A></LI>
+    <LI><A HREF="#Filtering">Filtering</A></LI>
     <LI><A HREF="#Clustering">Clustering</A></LI>
     <LI><A HREF="#Routing">Routing</A></LI>
+    <LI><A HREF="#AvoidingFragmentation">Avoiding Fragmentation</A></LI>
     <LI><A HREF="#Performance">Performance</A></LI>
 </OL>
 
@@ -183,6 +185,13 @@ the same as the LAC, or authentication will fail.  Only actually be
 used if the LAC requests authentication.
 </LI>
 
+<LI><B>ppp_restart_time</B> (int)<BR>
+<B>ppp_max_configure</B> (int)<BR>
+<B>ppp_max_failure</B> (int)<BR>
+PPP counter and timer values, as described in &sect;4.1 of
+<a href="ftp://ftp.rfc-editor.org/in-notes/rfc1661.txt">RFC1661</a>.
+</LI>
+
 <LI><B>primary_dns</B> (ip address)
 <LI><B>secondary_dns</B> (ip address)<BR>
 Whenever a PPP connection is established, DNS servers will be sent to the
@@ -190,39 +199,52 @@ user, both a primary and a secondary.  If either is set to 0.0.0.0, then that
 one will not be sent.
 </LI>
 
-<LI><B>save_state</B> (boolean)<BR>
-When l2tpns receives a STGTERM it will write out its current
-ip_address_pool, session and tunnel tables to disk prior to exiting to
-be re-loaded at startup.  The validity of this data is obviously quite
-short and the intent is to allow an sessions to be retained over a
-software upgrade.
-</LI>
-
 <LI><B>primary_radius</B> (ip address)
 <LI><B>secondary_radius</B> (ip address)<BR>
-Sets the radius servers used for both authentication and accounting. 
-If the primary server does not respond, then the secondary radius
-server will be tried.
+Sets the RADIUS servers used for both authentication and accounting. 
+If the primary server does not respond, then the secondary RADIUS
+server will be tried.<br>
+<strong>Note:</strong> in addition to the source IP address and
+identifier, the RADIUS server <strong>must</strong> include the source
+port when detecting duplicates to supress (in order to cope with a
+large number of sessions comming on-line simultaneously l2tpns uses a
+set of udp sockets, each with a seperate identifier).
 </LI>
 
 <LI><B>primary_radius_port</B> (short)
 <LI><B>secondary_radius_port</B> (short)<BR>
-Sets the authentication ports for the primary and secondary radius
+Sets the authentication ports for the primary and secondary RADIUS
 servers.  The accounting port is one more than the authentication
-port.  If no radius ports are given, the authentication port defaults
+port.  If no RADIUS ports are given, the authentication port defaults
 to 1645, and the accounting port to 1646.
 </LI>
 
 <LI><B>radius_accounting</B> (boolean)<BR>
-If set to true, then radius accounting packets will be sent.  This
+If set to true, then RADIUS accounting packets will be sent.  This
 means that a Start record will be sent when the session is
 successfully authenticated, and a Stop record will be sent when the
 session is closed.
 </LI>
 
 <LI><B>radius_secret</B> (string)<BR>
-This secret will be used in all radius queries.  If this is not set then
-radius queries will fail.
+This secret will be used in all RADIUS queries.  If this is not set then
+RADIUS queries will fail.
+</LI>
+
+<LI><B>radius_authtypes</B> (string)</BR>
+A comma separated list of supported RADIUS authentication methods
+(<B>pap</B> or <B>chap</B>), in order of preference (default <B>pap</B>).
+</LI>
+
+<LI><B>radius_dae_port</B> (short)<BR>
+Port for DAE RADIUS (Packet of Death/Disconnect, Change of Authorization)
+requests (default: <B>3799</B>).
+</LI>
+
+<LI><B>allow_duplicate_users</B> (boolean)</BR>
+Allow multiple logins with the same username.  If false (the default),
+any prior session with the same username will be dropped when a new
+session is established.
 </LI>
 
 <LI><B>bind_address</B> (ip address)<BR>
@@ -276,10 +298,6 @@ second.  Even if this is disabled, you can see this information by running
 the <EM>uptime</EM> command on the CLI.
 </LI>
 
-<LI><B>cleanup_interval</B> (int)<BR>
-Interval between regular cleanups (in seconds).
-</LI>
-
 <LI><B>multi_read_count</B> (int)<BR>
 Number of packets to read off each of the UDP and TUN fds when
 returned as readable by select (default:  10).  Avoids incurring the
@@ -301,6 +319,13 @@ Keep all pages mapped by the l2tpns process in memory.
 Maximum number of host unreachable ICMP packets to send per second.
 </LI>
 
+<LI><B>packet_limit</B> (int><BR>
+Maximum number of packets of downstream traffic to be handled each
+tenth of a second per session.  If zero, no limit is applied (default: 
+0).  Intended as a DoS prevention mechanism and not a general
+throttling control (packets are dropped, not queued).
+</LI>
+
 <LI><B>cluster_address</B> (ip address)<BR>
 Multicast cluster address (default:  239.192.13.13).  See the section
 on <A HREF="#Clustering">Clustering</A> for more information.
@@ -319,6 +344,11 @@ Cluster heartbeat timeout in tenths of a second.  A new master will be
 elected when this interval has been passed without seeing a heartbeat
 from the master.
 </LI>
+
+<LI><B>cluster_master_min_adv</B> (int)<BR>
+Determines the minumum number of up to date slaves required before the
+master will drop routes (default: 1).
+</LI>
 </UL>
 
 <P>BGP routing configuration is entered by the command:
@@ -338,6 +368,42 @@ Where <I>peer</I> specifies the BGP neighbour as either a hostname or
 IP address, <I>as</I> is the remote AS number and <I>keepalive</I>,
 <I>hold</I> are the timer values in seconds.
 
+<P>Named access-lists are configured using one of the commands:
+<DL>
+  <DD><B>ip access-list standard</B> <I>name</I>
+  <DD><B>ip access-list extended</B> <I>name</I>
+</DL>
+
+<P>Subsequent lines prefixed with <B>permit</B> or <B>deny</B>
+define the body of the access-list.  Standard access-list syntax:
+<DL>
+  <DD>{<B>permit</B>|<B>deny</B>}
+    {<I>host</I>|<I>source source-wildcard</I>|<B>any</B>}
+    [{<I>host</I>|<I>destination destination-wildcard</I>|<B>any</B>}]
+</DL>
+
+Extended access-lists:
+
+<DIV STYLE="margin-left: 4em; text-indent: -2em">
+  <P>{<B>permit</B>|<B>deny</B>} <B>ip</B>
+    {<I>host</I>|<I>source source-wildcard</I>|<B>any</B>}
+    {<I>host</I>|<I>destination destination-wildcard</I>|<B>any</B>} [<B>fragments</B>]
+  <P>{<B>permit</B>|<B>deny</B>} <B>udp</B>
+    {<I>host</I>|<I>source source-wildcard</I>|<B>any</B>}
+	[{<B>eq</B>|<B>neq</B>|<B>gt</B>|<B>lt</B>} <I>port</I>|<B>range</B> <I>from</I> <I>to</I>]
+    {<I>host</I>|<I>destination destination-wildcard</I>|<B>any</B>}
+	[{<B>eq</B>|<B>neq</B>|<B>gt</B>|<B>lt</B>} <I>port</I>|<B>range</B> <I>from</I> <I>to</I>]
+	[<B>fragments</B>]
+  <P>{<B>permit</B>|<B>deny</B>} <B>tcp</B>
+    {<I>host</I>|<I>source source-wildcard</I>|<B>any</B>}
+	[{<B>eq</B>|<B>neq</B>|<B>gt</B>|<B>lt</B>} <I>port</I>|<B>range</B> <I>from</I> <I>to</I>]
+    {<I>host</I>|<I>destination destination-wildcard</I>|<B>any</B>}
+	[{<B>eq</B>|<B>neq</B>|<B>gt</B>|<B>lt</B>} <I>port</I>|<B>range</B> <I>from</I> <I>to</I>]
+	[{<B>established</B>|{<B>match-any</B>|<B>match-all</B>}
+	    {<B>+</B>|<B>-</B>}{<B>fin</B>|<B>syn</B>|<B>rst</B>|<B>psh</B>|<B>ack</B>|<B>urg</B>}
+	    ...|<B>fragments</B>]
+</DIV>
+
 <H3 ID="users">users</H3>
 
 Usernames and passwords for the command-line interface are stored in
@@ -500,19 +566,19 @@ IP Address      Used  Session User
 </LI>
 
 <LI><B>show radius</B><BR>
-Show a summary of the in-use radius sessions.  This list should not be very
-long, as radius sessions should be cleaned up as soon as they are used.  The
+Show a summary of the in-use RADIUS sessions.  This list should not be very
+long, as RADIUS sessions should be cleaned up as soon as they are used.  The
 columns listed are:
 <TABLE>
-	<TR><TD><B>Radius</B></TD><TD>The ID of the radius request.  This is
-	sent in the packet to the radius server for identification.</TD></TR>
+	<TR><TD><B>Radius</B></TD><TD>The ID of the RADIUS request.  This is
+	sent in the packet to the RADIUS server for identification.</TD></TR>
 	<TR><TD><B>State</B></TD><TD>The state of the request - WAIT, CHAP,
 	AUTH, IPCP, START, STOP, NULL.</TD></TR>
-	<TR><TD><B>Session</B></TD><TD>The session ID that this radius
+	<TR><TD><B>Session</B></TD><TD>The session ID that this RADIUS
 	request is associated with</TD></TR>
 	<TR><TD><B>Retry</B></TD><TD>If a response does not appear to the
 	request, it will retry at this time.  This is a unix timestamp.</TD></TR>
-	<TR><TD><B>Try</B></TD><TD>Retry count.  The radius request is
+	<TR><TD><B>Try</B></TD><TD>Retry count.  The RADIUS request is
 	discarded after 3 retries.</TD></TR>
 </TABLE>
 <P>
@@ -553,7 +619,7 @@ current session for that username will be forwarded to the given
 host/port.  Specify <EM>no snoop username</EM> to disable interception
 for the session.<P>
 
-If you want interception to be permanent, you will have to modify the radius
+If you want interception to be permanent, you will have to modify the RADIUS
 response for the user.  See <A HREF="#Interception">Interception</A>.
 <P>
 </LI>
@@ -564,7 +630,7 @@ session.  Specify <EM>no throttle username</EM> to disable throttling
 for the current session.<P>
 
 If you want throttling to be permanent, you will have to modify the
-radius response for the user.  See <A HREF="#THrottling">Throttling</A>.
+RADIUS response for the user.  See <A HREF="#Throttling">Throttling</A>.
 <P>
 </LI>
 
@@ -642,16 +708,15 @@ killall -HUP l2tpns
 </PRE>
 
 The signals understood are:
-<UL>
-<LI>SIGHUP - Reload the config from disk and re-open log file<P></LI>
-<LI>SIGTERM / SIGINT - Shut down for a restart.  This will dump the current
-state to disk (if <EM>save_state</EM> is set to true).  Upon restart, the
-process will read this saved state to resume active sessions.<P>
-<LI>SIGQUIT - Shut down cleanly.  This will send a disconnect message for
-every active session and tunnel before shutting down.  This is a good idea
-when upgrading the code, as no sessions will be left with the remote end
-thinking they are open.</LI>
-</UL>
+<DL>
+<DT>SIGHUP</DT><DD>Reload the config from disk and re-open log file.</DD>
+<DT>SIGTERM, SIGINT</DT><DD>Stop process.  Tunnels and sessions are not
+terminated.  This signal should be used to stop l2tpns on a
+<A HREF="#Clustering">cluster node</A> where there are other machines to
+continue handling traffic.</DD>
+<DT>SIGQUIT</DT><DD>Shut down tunnels and sessions, exit process when
+complete.</DD>
+</DL>
 
 <H2 ID="Throttling">Throttling</H2>
 
@@ -660,7 +725,7 @@ desire.  You must first enable the global setting <EM>throttle_speed</EM>
 before this will be activated.<P>
 
 If you wish a session to be throttled permanently, you should set the
-Vendor-Specific radius value <B>Cisco-Avpair="throttle=yes"</B>, which
+Vendor-Specific RADIUS value <B>Cisco-Avpair="throttle=yes"</B>, which
 will be handled by the <EM>autothrottle</EM> module.<P>
 
 Otherwise, you can enable and disable throttling an active session using
@@ -684,7 +749,7 @@ and <EM>no snoop username</EM> CLI commands.  These will enable interception
 immediately.<P>
 
 If you wish the user to be intercepted whenever they reconnect, you will
-need to modify the radius response to include the Vendor-Specific value
+need to modify the RADIUS response to include the Vendor-Specific value
 <B>Cisco-Avpair="intercept=yes"</B>.  For this feature to be enabled,
 you need to have the <EM>autosnoop</EM> module loaded.<P>
 
@@ -694,11 +759,11 @@ Whenever a session connects, it is not fully set up until authentication is
 completed.  The remote end must send a PPP CHAP or PPP PAP authentication
 request to l2tpns.<P>
 
-This request is sent to the radius server, which will hopefully respond with
+This request is sent to the RADIUS server, which will hopefully respond with
 Auth-Accept or Auth-Reject.<P>
 
 If Auth-Accept is received, the session is set up and an IP address is
-assigned.  The radius server can include a Framed-IP-Address field in the
+assigned.  The RADIUS server can include a Framed-IP-Address field in the
 reply, and that address will be assigned to the client.  It can also include
 specific DNS servers, and a Framed-Route if that is required.<P>
 
@@ -708,7 +773,7 @@ walled garden module is loaded, in which case the user still receives the
 PPP AUTHACK, but their session is flagged as being a garden'd user, and they
 should not receive any service.<P>
 
-The radius reply can also contain a Vendor-Specific attribute called
+The RADIUS reply can also contain a Vendor-Specific attribute called
 Cisco-Avpair.  This field is a freeform text field that most Cisco
 devices understand to contain configuration instructions for the session.  In
 the case of l2tpns it is expected to be of the form
@@ -758,39 +823,39 @@ supplied structure:
 <TABLE CELLSPACING=1 CELLPADDING=3>
 	<TR BGCOLOR=LIGHTGREEN><TH><B>Event</B></TH><TH><B>Description</B></TH><TH><B>Parameters</B></TH></TR>
 	<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>pre_auth</B></TD>
-		<TD>This is called after a radius response has been
+		<TD>This is called after a RADIUS response has been
 		received, but before it has been processed by the
 		code.  This will allow you to modify the response in
 		some way.
 		</TD>
 		<TD>
-		<UL>
-			<LI>t - Tunnel ID</LI>
-			<LI>s - Session ID</LI>
-			<LI>username</LI>
-			<LI>password</LI>
-			<LI>protocol (0xC023 for PAP, 0xC223 for CHAP)</LI>
-			<LI>continue_auth - Set to 0 to stop processing authentication modules</LI>
-		</UL>
+		<DL>
+			<DT>t<DD>Tunnel
+			<DT>s<DD>Session
+			<DT>username
+			<DT>password
+			<DT>protocol<DD>0xC023 for PAP, 0xC223 for CHAP
+			<DT>continue_auth<DD>Set to 0 to stop processing authentication modules
+		</DL>
 		</TD>
 	</TR>
 	<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>post_auth</B></TD>
-		<TD>This is called after a radius response has been
+		<TD>This is called after a RADIUS response has been
 		received, and the basic checks have been performed.  This
 		is what the garden module uses to force authentication
 		to be accepted.
 		</TD>
 		<TD>
-		<UL>
-			<LI>t - Tunnel ID</LI>
-			<LI>s - Session ID</LI>
-			<LI>username</LI>
-			<LI>auth_allowed - This is already set to true or
+		<DL>
+			<DT>t<DD>Tunnel
+			<DT>s<DD>Session
+			<DT>username
+			<DT>auth_allowed<DD>This is already set to true or
 			false depending on whether authentication has been
 			allowed so far.  You can set this to 1 or 0 to force
-			allow or disallow authentication</LI>
-			<LI>protocol (0xC023 for PAP, 0xC223 for CHAP)</LI>
-		</UL>
+			allow or disallow authentication
+			<DT>protocol<DD>0xC023 for PAP, 0xC223 for CHAP
+		</DL>
 		</TD>
 	</TR>
 	<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>packet_rx</B></TD>
@@ -799,12 +864,12 @@ supplied structure:
 		seriously slow down the system.</FONT>
 		</TD>
 		<TD>
-		<UL>
-			<LI>t - Tunnel ID</LI>
-			<LI>s - Session ID</LI>
-			<LI>buf - The raw packet data</LI>
-			<LI>len - The length of buf</LI>
-		</UL>
+		<DL>
+			<DT>t<DD>Tunnel
+			<DT>s<DD>Session
+			<DT>buf<DD>The raw packet data
+			<DT>len<DD>The length of buf
+		</DL>
 		</TD>
 	</TR>
 	<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>packet_tx</B></TD>
@@ -813,12 +878,12 @@ supplied structure:
 		seriously slow down the system.</FONT>
 		</TD>
 		<TD>
-		<UL>
-			<LI>t - Tunnel ID</LI>
-			<LI>s - Session ID</LI>
-			<LI>buf - The raw packet data</LI>
-			<LI>len - The length of buf</LI>
-		</UL>
+		<DL>
+			<DT>t<DD>Tunnel
+			<DT>s<DD>Session
+			<DT>buf<DD>The raw packet data
+			<DT>len<DD>The length of buf
+		</DL>
 		</TD>
 	</TR>
 	<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>timer</B></TD>
@@ -827,9 +892,9 @@ supplied structure:
 		you do is reentrant.
 		</TD>
 		<TD>
-		<UL>
-			<LI>time_now - The current unix timestamp</LI>
-		</UL>
+		<DL>
+			<DT>time_now<DD>The current unix timestamp
+		</DL>
 		</TD>
 	</TR>
 	<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>new_session</B></TD>
@@ -837,10 +902,10 @@ supplied structure:
 		session is now ready to handle traffic.
 		</TD>
 		<TD>
-		<UL>
-			<LI>t - Tunnel ID</LI>
-			<LI>s - Session ID</LI>
-		</UL>
+		<DL>
+			<DT>t<DD>Tunnel
+			<DT>s<DD>Session
+		</DL>
 		</TD>
 	</TR>
 	<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>kill_session</B></TD>
@@ -848,25 +913,37 @@ supplied structure:
 		This may be called multiple times for the same session.
 		</TD>
 		<TD>
-		<UL>
-			<LI>t - Tunnel ID</LI>
-			<LI>s - Session ID</LI>
-		</UL>
+		<DL>
+			<DT>t<DD>Tunnel
+			<DT>s<DD>Session
+		</DL>
 		</TD>
 	</TR>
 	<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>radius_response</B></TD>
-		<TD>This is called whenever a radius response includes a
+		<TD>This is called whenever a RADIUS response includes a
 		Cisco-Avpair value.  The value is split up into
 		<EM>key=value</EM> pairs, and each is processed through all
 		modules.
 		</TD>
 		<TD>
-		<UL>
-			<LI>t - Tunnel ID</LI>
-			<LI>s - Session ID</LI>
-			<LI>key</LI>
-			<LI>value</LI>
-		</UL>
+		<DL>
+			<DT>t<DD>Tunnel
+			<DT>s<DD>Session
+			<DT>key
+			<DT>value
+		</DL>
+		</TD>
+	</TR>
+	<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>radius_reset</B></TD>
+		<TD>This is called whenever a RADIUS CoA request is
+		received to reset any options to default values before
+		the new values are applied.
+		</TD>
+		<TD>
+		<DL>
+			<DT>t<DD>Tunnel
+			<DT>s<DD>Session
+		</DL>
 		</TD>
 	</TR>
 	<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>control</B></TD>
@@ -875,21 +952,13 @@ supplied structure:
 		required.
 		</TD>
 		<TD>
-		<UL>
-			<LI>buf - The raw packet data</LI>
-			<LI>l - The raw packet data length</LI>
-			<LI>source_ip - Where the request came from</LI>
-			<LI>source_port - Where the request came from</LI>
-			<LI>response - Allocate a buffer and put your response in here</LI>
-			<LI>response_length - Length of response</LI>
-			<LI>send_response - true or false whether a response
-			should be sent.  If you set this to true, you must
-			allocate a response buffer.</LI>
-			<LI>type - Type of request (see nsctl.c)</LI>
-			<LI>id - ID of request</LI>
-			<LI>data - I'm really not sure</LI>
-			<LI>data_length - Length of data</LI>
-		</UL>
+		<DL>
+			<DT>iam_master<DD>Cluster master status
+			<DT>argc<DD>The number of arguments
+			<DT>argv<DD>Arguments
+			<DT>response<DD>Return value: NSCTL_RES_OK or NSCTL_RES_ERR
+			<DT>additional<DD>Extended response text
+		</DL>
 		</TD>
 	</TR>
 </TABLE>
@@ -901,7 +970,7 @@ Walled Garden is implemented so that you can provide perhaps limited service
 to sessions that incorrectly authenticate.<P>
 
 Whenever a session provides incorrect authentication, and the
-radius server responds with Auth-Reject, the walled garden module
+RADIUS server responds with Auth-Reject, the walled garden module
 (if loaded) will force authentication to succeed, but set the flag
 <EM>garden</EM> in the session structure, and adds an iptables rule to
 the <B>garden_users</B> chain to force all packets for the session's IP
@@ -926,6 +995,14 @@ command:
 iptables -t nat -L garden -nvx
 </PRE>
 
+<H2 ID="Filtering">Filtering</H2>
+
+Sessions may be filtered by specifying <B>Filter-Id</B> attributes in
+the RADIUS reply.  <I>filter</I>.<B>in</B> specifies that the named
+access-list <I>filter</I> should be applied to traffic from the
+customer, <I>filter</I>.<B>out</B> specifies a list for traffic to the
+customer.
+
 <H2 ID="Clustering">Clustering</H2>
 
 An l2tpns cluster consists of of one* or more servers configured with
@@ -973,6 +1050,22 @@ ibgp" for IBGP.  If this is not supported by your IOS revision, you
 can use "maximum-paths" (which works for EBGP) and set
 <B>as_number</B> to a private value such as 64512.<P>
 
+<H2 ID="AvoidingFragmentation">Avoiding Fragmentation</H2>
+
+Fragmentation of encapsulated return packets to the LAC may be avoided
+for TCP sessions by adding a firewall rule to clamps the MSS on
+outgoing SYN packets.
+
+The following is appropriate for interfaces with a typical MTU of
+1500:
+
+<pre>
+iptables -A FORWARD -i tun+ -o eth0 	\
+    -p tcp --tcp-flags SYN,RST SYN	\
+    -m tcpmss --mss 1413:1600		\
+    -j TCPMSS --set-mss 1412
+</pre>
+
 <H2 ID="Performance">Performance</H2>
 
 Performance is great.<P>

Radius	The ID of the radius request. This is - sent in the packet to the radius server for identification.
Radius	The ID of the RADIUS request. This is + sent in the packet to the RADIUS server for identification.
State	The state of the request - WAIT, CHAP, AUTH, IPCP, START, STOP, NULL.
Session	The session ID that this radius +
Session	The session ID that this RADIUS request is associated with
Retry	If a response does not appear to the request, it will retry at this time. This is a unix timestamp.
Try	Retry count. The radius request is +
Try	Retry count. The RADIUS request is discarded after 3 retries.
Event	Description	Parameters
pre_auth	This is called after a radius response has been +	This is called after a RADIUS response has been received, but before it has been processed by the code. This will allow you to modify the response in some way.	- - t - Tunnel ID - s - Session ID - username - password - protocol (0xC023 for PAP, 0xC223 for CHAP) - continue_auth - Set to 0 to stop processing authentication modules - + + t Tunnel + s Session + username + password + protocol 0xC023 for PAP, 0xC223 for CHAP + continue_auth Set to 0 to stop processing authentication modules +
post_auth	This is called after a radius response has been +	This is called after a RADIUS response has been received, and the basic checks have been performed. This is what the garden module uses to force authentication to be accepted.	- - t - Tunnel ID - s - Session ID - username - auth_allowed - This is already set to true or + + t Tunnel + s Session + username + auth_allowed This is already set to true or false depending on whether authentication has been allowed so far. You can set this to 1 or 0 to force - allow or disallow authentication - protocol (0xC023 for PAP, 0xC223 for CHAP) - + allow or disallow authentication + protocol 0xC023 for PAP, 0xC223 for CHAP +
packet_rx	- - t - Tunnel ID - s - Session ID - buf - The raw packet data - len - The length of buf - + + t Tunnel + s Session + buf The raw packet data + len The length of buf +
packet_tx	- - t - Tunnel ID - s - Session ID - buf - The raw packet data - len - The length of buf - + + t Tunnel + s Session + buf The raw packet data + len The length of buf +
timer	- - time_now - The current unix timestamp - + + time_now The current unix timestamp +
new_session	- - t - Tunnel ID - s - Session ID - + + t Tunnel + s Session +
kill_session	- - t - Tunnel ID - s - Session ID - + + t Tunnel + s Session +
radius_response	This is called whenever a radius response includes a +	This is called whenever a RADIUS response includes a Cisco-Avpair value. The value is split up into key=value pairs, and each is processed through all modules.	- - t - Tunnel ID - s - Session ID - key - value - + + t Tunnel + s Session + key + value + +
radius_reset	This is called whenever a RADIUS CoA request is + received to reset any options to default values before + the new values are applied. +	+ + t Tunnel + s Session +
control	- - buf - The raw packet data - l - The raw packet data length - source_ip - Where the request came from - source_port - Where the request came from - response - Allocate a buffer and put your response in here - response_length - Length of response - send_response - true or false whether a response - should be sent. If you set this to true, you must - allocate a response buffer. - type - Type of request (see nsctl.c) - id - ID of request - data - I'm really not sure - data_length - Length of data - + + iam_master Cluster master status + argc The number of arguments + argv Arguments + response Return value: NSCTL_RES_OK or NSCTL_RES_ERR + additional Extended response text +