Simultaneous-use check but don't reject

Fajar A. Nugraha list at fajar.net
Tue Dec 20 23:29:47 CET 2011


On Wed, Dec 21, 2011 at 4:18 AM, Alexander Kosykh <avkosykh at gmail.com> wrote:
> I tried to do this in my config
>
> session {
> # radutmp
>
> #
> # See "Simultaneous Use Checking Queries" in sql.conf
> sql
> if (Post-Auth-Type == reject) {
> ok
> block_auth_error # my own policy
> }
>
> }
>
> but the radius answer is reject regardless, and pppoe didn't come up

You need to learn some concepts first.
What radius can do:
- it tells the NAS whether to accept or reject a user
- if the user is accepted, it can tell the NAS how to treat that user.
e.g. what VLAN he should be on, what speed he can have, etc. However
it's up to the NAS whether to actually apply the info sent by radius.

What radius can NOT do:
- be a captive portal
- be a magic box that solves all your problems

From your description, it looks like you should NOT use the default
simultaneous-use code. Rather, you should:
(1) make sure your NAS supports vlan assignment based on radius reply
(2) set up different vlans based on whether a user is currently logged
in elsewhere or not
(3) set up a captive portal on a vlan
(4) configure freeradius to tell the NAS to allocate that vlan when a
user tries to log in more than once

I can tell you how to do (4) (or you can just read
raddb/sql/mysql/dialup.conf), but before you do that you need to have
a NAS that supports (1), and you must be able to do (2) and (3). If
you don't know how to do that, get an expert to help you.

-- 
Fajar
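
An added example, not part of the original thread and not the poster's or the FreeRADIUS project's own configuration: one way step (4) can look in the virtual server's post-auth section, using the same open-session count as the stock simul_count_query in raddb/sql/mysql/dialup.conf. The `radacct` table name assumes the stock SQL schema, and PORTAL_VLAN_ID is a placeholder for whatever VLAN the captive portal from steps (2) and (3) lives on.

```unlang
# Added example (assumptions: the sql module is configured with the stock
# schema, accounting is written to radacct, and the NAS honours the
# tunnel attributes from step (1)).
#
# Do not list "sql" in session {} and do not set Simultaneous-Use for
# these users; otherwise the second login is still rejected before
# post-auth runs.
post-auth {
	# Count accounting rows for this user that have no stop time,
	# i.e. sessions the server believes are still open.
	if ("%{sql:SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL}" > 0) {
		# Accept the user, but ask the NAS to place this session
		# on the captive-portal VLAN instead of the normal one.
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "PORTAL_VLAN_ID"
		}
	}
}
```

A session whose Accounting-Stop never arrived leaves an open row in radacct, so that user is sent to the portal VLAN on every login until the stale row is closed.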


