Access Control based on IP address for CAN-8 server

Technical information about CAN-8 software.

Post by Richard » Wed Jan 23, 2013 12:35 pm

To provide control over where licensed connections to CAN-8 servers
originate from, an access control system has been implemented. The
access controls allow the server administrator to allocate a specific
number of licenses to a range of IP addresses. In this way, the server
administrator may reserve a number of licenses for use in a classroom
thus preventing others from outside the classroom from using them.

To set up the access controls, the server administrator must create a
text file called ACCESS.CFG in the SVSYS\ID directory on the server.

The contents of this file are as follows. The first line defines the
number of licensed connections the server may support. This number
must match exactly with the number of licenses that have been purchased
from Sounds Virtual. If this number does not agree, the server will
either allocate licenses that will not connect, or never connect licenses
that do exist. The form of this line is below:

license 40

In this case the server was licensed for 40 connections. There is one
space between the word "license" and the number.

The remaining lines all take the same form. There may be up to 200 such
lines in the file. The form is as follows:

<starting IP address><whitespace><ending IP address><whitespace><number>

The fields are as follows:

<whitespace> - One or more space characters
<starting IP address> - First IP address (inclusive) of the range
<ending IP address> - Last IP address (inclusive) of the range
<number> - Number of licenses to allocate to the range

A typical line would look like this:

10.0.0.1 10.0.0.250 10

The above line allocates 10 possible connections to the range of addresses
starting at 10.0.0.1 and up to and including 10.0.0.250.

The access control list works on a "pool" basis. The starting pool is
the number of licenses specified in the "license nn" line. Each allocation
line reserves licenses from this pool. When all the allocation lines
have been read, any remaining licenses may be used from any location.

Going back to our simple example file:

license 40
10.0.0.1 10.0.0.250 10

In this case, the server is capable of 40 licensed connections. Ten of
those addresses are reserved for the range of IP address 10.0.0.1 to
10.0.0.250. You will note that there are a possible 250 IP addresses
that may use up to 10 connections. This does not mean that only 10
users may sign on from those addresses, but that a MINIMUM of 10 users
may ALWAYS sign on from those addresses. If users attempt to sign on
from a reserved range that has exceeded its allocation of addresses,
then remaining licenses are allocated from the unreserved pool (in this
case 40 - 10 = 30 licenses). Thus users are not prevented from signing
on in the reserved range, only that a minimum are guaranteed to sign on.

Let's consider a more realistic and complex example:

license 35
10.0.0.1 10.0.0.250 10
10.0.1.0 10.0.1.250 10
172.16.32.1 172.16.32.250 10

In this case, three ranges are reserved, each having ten licenses
allocated to them. So this means that a minimum of 10 users may sign
on to the server from each of the ranges. The remaining number of licenses
from the total is five. These five may be used from any IP address
including addresses within the range of allocated addresses.


GENERAL NOTES
The addresses must be specified with the lower numbered address first
and the higher number second. If the order is reversed, the line will
be ignored.

Ranges may overlap with each other. In the case of the overlap, the
first matching range has its allocated licenses assigned first, and
then the next matching range in order as they appear in the file. When
all overlapped ranges have their allocation exceeded, the remaining free
pool will be used.

Errors in the file are reported in the SERVER.LOG that is created when the
server is started.

The file is only read once during server startup, so in order to have
changes to the ACCESS.CFG file take effect, the NTSERVE program must be
stopped and then re-started.
Richard
 
Posts: 16
Joined: Mon Jan 21, 2013 2:03 pm
Location: Toronto
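
The pool rules described in the post above can be checked offline before NTSERVE is restarted. The following is an added example, not CAN-8 code or anything from the original post: it parses text in the ACCESS.CFG format and models which pool a sign-on would draw from. The names parse_access_cfg, LicensePool and SAMPLE_CFG are hypothetical, and two behaviours are assumptions the post does not state: lines past the 200-line limit are skipped, and reservations larger than the license count are flagged.

```python
import ipaddress

MAX_RANGE_LINES = 200  # limit stated in the post

SAMPLE_CFG = """license 4
10.0.0.1 10.0.0.250 1
10.0.0.100 10.0.0.200 1
10.0.1.250 10.0.1.0 1
"""  # constructed sample: two overlapping ranges and one reversed line

def parse_access_cfg(text):
    """Return (total, ranges, notes); ranges is [[start, end, reserved], ...]."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    keyword, _, count = lines[0].partition(" ")
    if keyword != "license" or not count.isdigit():
        raise ValueError("first line must be 'license <number>'")
    total, ranges, notes = int(count), [], []
    for ln in lines[1:1 + MAX_RANGE_LINES]:  # assumption: extra lines skipped
        try:
            first, last, n = ln.split()
            start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
            n = int(n)
        except ValueError:
            notes.append(f"malformed line: {ln}")
            continue
        if start > end:  # reversed order: the post says the line is ignored
            notes.append(f"ignored (reversed range): {ln}")
            continue
        ranges.append([start, end, n])
    if sum(r[2] for r in ranges) > total:  # assumed check, not from the post
        notes.append("reservations exceed the license count")
    return total, ranges, notes

class LicensePool:
    """Model of the reserved ranges plus the unreserved pool."""
    def __init__(self, total, ranges):
        self.ranges = [list(r) for r in ranges]
        self.free = total - sum(r[2] for r in self.ranges)

    def connect(self, ip):
        """Return the pool that supplied a license, or None if none is left."""
        addr = ipaddress.IPv4Address(ip)
        for i, (start, end, left) in enumerate(self.ranges):  # file order
            if start <= addr <= end and left > 0:
                self.ranges[i][2] -= 1
                return f"range {i + 1}"
        if self.free > 0:
            self.free -= 1
            return "free pool"
        return None
```

With the sample, three sign-ons from 10.0.0.150 draw from range 1, then range 2, then the free pool, which shows the file-order rule for overlapping ranges. The model does not return licenses on sign-off.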
