Simultaneous-use check but don't reject

Fajar A. Nugraha list at
Wed Dec 21 04:33:21 CET 2011

On Wed, Dec 21, 2011 at 5:29 AM, Fajar A. Nugraha <list at> wrote:
> On Wed, Dec 21, 2011 at 4:18 AM, Alexander Kosykh <avkosykh at> wrote:

>> I tried to do this in my config

>> but radius answer is reject whatever and pppoe didn't up

You know what, since you say it's pppoe, I can share a setup on my
environment that might be adaptable for you.

The situation:
- pppoe
- IP address is (normally) allocated by nas, dynamically, using public
IP address
- AAA using freeradius

The problem:
- we want disabled users to still be able to login, but they'd be
placed on a special network where they'd only be able to access an
info page (or, in your terms, "error page")

The solution:
- set up a private IP pool on the NAS (e.g. 10.x.x.x)
- put disabled users in a special group (e.g. "disabled-users")
- set up sqlippool for that IP address pool (e.g. "disabled-users-pool")
- set up a special DNS server (any authoritative DNS server supporting
wildcards will do) that will resolve all DNS records to a special web
- set up routing on the NAS so that the private IP pool can access the
DNS server and the web server, but it can't access public IP addresses
- add a radgroupcheck entry for that group which points to the pool
(e.g. Pool-Name := "disabled-users-pool")
- add a radgroupreply entry which will tell users to use the special DNS
server (e.g. MS-Primary-DNS-Server := "")

That way, when a user in "disabled-users" group logs in, he'd get a
private IP address, and whatever address he typed in browser will
bring him to the info page.

You might be able to adapt it to your needs by adding Pool-Name and
MS-Primary-DNS-Server attribute dynamically using unlang, based on an
sql query which checks whether a user is already logged in or not.
Somewhat complicated, but should work.

If you're still having trouble understanding the example, better ask
an expert to help you.
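
The group rows described in the message above, as an added example that is not part of the original post. It assumes the table and column names of the stock FreeRADIUS SQL schema (radusergroup, radgroupcheck, radgroupreply, radacct); the username 'alice' is constructed and 192.0.2.53 is a placeholder for the special DNS server's address, which the post does not give.

```sql
-- Added example; assumes the stock FreeRADIUS SQL schema is in use.
-- 'alice' is a constructed username; 192.0.2.53 is a placeholder DNS
-- server address (documentation range), not a value from the post.

-- 1. Put the disabled user in the special group. priority orders group
--    processing when a user belongs to more than one group.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('alice', 'disabled-users', 1);

-- 2. Group check item: allocate the address from the restricted pool.
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('disabled-users', 'Pool-Name', ':=', 'disabled-users-pool');

-- 3. Group reply item: hand out the wildcard DNS server.
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('disabled-users', 'MS-Primary-DNS-Server', ':=', '192.0.2.53');

-- 4. Review query: who lands on the restricted network, and with which
--    pool and DNS server. Run it after changes so that nobody is placed
--    there (or left off it) by mistake.
SELECT ug.username,
       gc.value AS pool_name,
       gr.value AS dns_server
FROM radusergroup ug
JOIN radgroupcheck gc
  ON gc.groupname = ug.groupname AND gc.attribute = 'Pool-Name'
JOIN radgroupreply gr
  ON gr.groupname = ug.groupname AND gr.attribute = 'MS-Primary-DNS-Server'
WHERE ug.groupname = 'disabled-users';

-- 5. For the dynamic variant: the "already logged in?" test is a count
--    of accounting rows with no stop time. Stale rows left behind by a
--    lost Accounting-Stop also count as open sessions, so clean those
--    up before relying on this number.
SELECT COUNT(*) AS open_sessions
FROM radacct
WHERE username = 'alice'
  AND acctstoptime IS NULL;
```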


More information about the Freeradius-Users mailing list