Restrict to initial NAS used to logon

Tuc at T-B-O-H.NET ml at t-b-o-h.net
Sat Apr 12 01:12:15 CEST 2008 

Hi,

	I will have to consider the NAS-Identifier replacing NAS-IP-Address.
This is not for our use, this is at a customer site. I'm leary about using
a field for something other than its intention (Or adding a field that is
unexpected) due to the possibility of them installing a package later on
that has certainly expectations of the data being a certain way). 

	I later realized that SOMETHING would need to be set in the
radcheck , but was hoping for it to be a bit "self contained". I
see things like the Simultaneous use, and the ability to check max
access-period, and was hoping I could somehow tell the system
to SELECT the nasname (if that field existed) from radacct, and
compare against the current nasname from the record. If there was
no current, go ahead. If there was a current, if it matched go
ahead. Maybe even something with the COUNT of unique nasname,
and if it was 0 , its ok. If its 1, better match the current one.
> 
> NAS-Identifier is not stored in radacct by default. But you can add it to
> or replace NAS-IP-Address with it in radacct table and accounting
> queries.
> 
> radacct is used for - accounting. You need to put NAS-Identifier check in
> radcheck to stop users from connecting from other APs. You can a script
> at logon to insert it or run outside script at certain intervals that
> will set it up for you. Anyway you need to:
> 
> - check radacct if user has logged on before
> - if not insert NAS-Identifier check into radcheck table with the value
> of the current request
> 
> If you add NAS-Identifier field into radacct table you don't need to add
> anything into radcheck. Just run a script at logon that will:
> 
> - check radacct to see if user had logged on before
> - if he had check that value of NAS-Identifier in the request matches the
> one in radacct table
>
	I was trying to avoid as much outside stuff as possible. I guess I
could perl it if it means that much to me. I was just hopinf after seeing
some of the "sqlcounter" stuff, if there was some way to accomplish it 
that way.

		Thanks, Tuc 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> 
> Dana 10/4/2008, "Tuc at T-B-O-H.NET" <ml at t-b-o-h.net> pi¹e:
> 
> >> > 	Is anyone doing anything like this already?
> >>
> >>   They usually use equipment that sends a NAS identifier.
> >>
> >Hi,
> >
> >	Sorry for a second followup, but I just looked over
> >the radacct file and don't see anywhere that NAS-Identifier would
> >be stored. Or are you saying that I need to still use the
> >%{NAS-Identifier} in some sort of check-name?
> >
> >		Thanks, Tuc
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
>

More information about the Freeradius-Users mailing list