[isf-wifidog] immediate user disconnect feature

Benoit Grégoire benoitg at coeus.ca
Mon Apr 21 13:39:30 EDT 2008


On 21 April 2008, Wichert Akkerman wrote:
> I'm looking at implementing an immediate disconnect feature in the
> gateway. The basic flow I'm using is:
>
> - auth server sends a disconnect command to the gateway, specifying
>   enough information to find the client and authenticate the request
> - gateway removes client from the client list
> - gateway sends counters to auth server
> - gateway sends logout to auth server

That's exactly what will happen (but not in that order) if the auth server 
replies with a DENY to a counter update.

Note that it is always assumed that the auth server cannot reach the gateway 
directly; that is a fundamental feature of wifidog and its protocol.

> The last try could share code with the wdctl reset feature and the
> manual logout option. It could even replace logout feature as it
> currently exists.
>
> My current code uses /wifidog/disconnect as entry point for the callback
> and requires the auth server to send both the mac and token. This means
> that the token has to be secure to prevent abuse. Specifically: if you
> know someone's ip address and mac address you must not be able to
> calculate the token. I have no idea if that is true for the standard
> auth server.

It is, and that feature already exists.  See 
http://dev.wifidog.org/wiki/doc/developer/WiFiDogProtocol_V1, bottom of the 
page.

-- 
Benoit Grégoire
Technologies Coeus inc.
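
The token property discussed in this message (knowing a client's IP and MAC address must not be enough to compute its token), as an added example that is not part of the original message or of the WiFiDog code. The names `derived_token`, `random_token` and `ClientList` are hypothetical, the addresses are constructed, and how the standard auth server actually generates tokens is not shown here.

```python
import hashlib
import hmac
import secrets


def derived_token(ip: str, mac: str) -> str:
    """Weak scheme (hypothetical): the token is a pure function of public values."""
    return hashlib.sha256(f"{ip}|{mac}".encode()).hexdigest()


def random_token() -> str:
    """Token drawn from the OS CSPRNG, unrelated to ip or mac."""
    return secrets.token_hex(16)


class ClientList:
    """Hypothetical gateway-side client table keyed by MAC address."""

    def __init__(self):
        self._clients = {}  # mac -> (ip, token)

    def add(self, ip: str, mac: str, token: str) -> None:
        self._clients[mac.lower()] = (ip, token)

    def disconnect(self, mac: str, token: str) -> bool:
        """Remove the client only if the presented token matches the stored one."""
        entry = self._clients.get(mac.lower())
        if entry is None:
            return False
        # Constant-time comparison so the check does not leak how much matched.
        if not hmac.compare_digest(entry[1].encode(), token.encode()):
            return False
        del self._clients[mac.lower()]
        return True

    def __contains__(self, mac: str) -> bool:
        return mac.lower() in self._clients


def demo():
    ip, mac = "192.0.2.10", "02:00:00:AA:BB:CC"  # constructed sample values
    weak, strong = ClientList(), ClientList()
    weak.add(ip, mac, derived_token(ip, mac))
    strong.add(ip, mac, random_token())
    # What anyone who knows only the ip and mac can compute:
    guess = derived_token(ip, mac)
    return weak.disconnect(mac, guess), strong.disconnect(mac, guess)
```

With the derived token, a disconnect request built from the IP and MAC alone is accepted; with the random token the same request is rejected and the client stays in the list.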

