Simultaneous-use check but don't reject
Fajar A. Nugraha
list at fajar.net
Wed Dec 21 04:33:21 CET 2011
On Wed, Dec 21, 2011 at 5:29 AM, Fajar A. Nugraha <list at fajar.net> wrote:
> On Wed, Dec 21, 2011 at 4:18 AM, Alexander Kosykh <avkosykh at gmail.com> wrote:
>> I tried to do this in my config
>> but radius answer is reject whatever and pppoe didn't up
You know what, since you say it's pppoe, I can share a setup on my
environment that might be adaptable for you.
- IP address is (normally) allocated by the NAS, dynamically, using public
- AAA using freeradius
- we want disabled users to still be able to login, but they'd be
placed on a special network where they'd only be able to access an
info page (or, in your terms, "error page")
- setup a private IP pool on the NAS (e.g. 10.x.x.x)
- put disabled users in a special group (e.g. "disabled-users")
- setup sqlippool for that IP address pool (e.g. "disabled-users-pool")
- setup a special DNS server (any authoritative DNS server supporting
wildcard will do) that will resolve all DNS records to a special web
- setup routing on the NAS so that the private IP pool can access the
DNS server and the web server, but it can't access public IP address
- add radgroupcheck entry for that group which points to the pool
(e.g. Pool-Name := "disabled-users-pool")
- add radgroupreply entry which will tell users to use the special DNS
server (e.g. MS-Primary-DNS-Server := "10.0.0.10")
That way, when a user in the "disabled-users" group logs in, he'd get a
private IP address, and whatever address he types in the browser will
bring him to the info page.
You might be able to adapt it to your needs by adding Pool-Name and
MS-Primary-DNS-Server attribute dynamically using unlang, based on an
sql query which checks whether a user is already logged in or not.
Somewhat complicated, but should work.
If you're still having trouble understanding the example, better ask
an expert to help you.
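Editor's added example (not part of the post above or of the FreeRADIUS project): the SQL rows that implement the "disabled-users" group described in the post, written against the stock FreeRADIUS MySQL schema (tables radusergroup, radgroupcheck, radgroupreply and radippool, as created by the default schema.sql). The group name, pool name, 10.200.0.x address range, username "alice" and the 10.0.0.10 DNS address are illustrative assumptions. Note what is deliberately absent: nothing here touches Auth-Type or the user's radcheck password row, which is the whole point of "check but don't reject"; the user still has to authenticate normally and only the pool and DNS server change. The NAS routing and the wildcard DNS zone are outside RADIUS and are not shown.

```sql
-- Added example, not from the original post. Assumes the default FreeRADIUS
-- MySQL schema (schema.sql). Group/pool names and addresses are assumptions.

-- 1. Private pool for sqlippool: one row per assignable address. A real
--    range would be generated by a script; three constructed rows shown.
INSERT INTO radippool (pool_name, framedipaddress) VALUES
  ('disabled-users-pool', '10.200.0.2'),
  ('disabled-users-pool', '10.200.0.3'),
  ('disabled-users-pool', '10.200.0.4');

-- 2. Check item for the group: steer sqlippool to the private pool.
--    Pool-Name is a control attribute, so ':=' (set/override) is the operator.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('disabled-users', 'Pool-Name', ':=', 'disabled-users-pool');

-- 3. Reply items for the group: hand out the wildcard DNS server so every
--    hostname resolves to the info page. Both MS VSAs point at the same host
--    so a client that prefers its secondary resolver cannot escape the redirect.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('disabled-users', 'MS-Primary-DNS-Server',   ':=', '10.0.0.10'),
  ('disabled-users', 'MS-Secondary-DNS-Server', ':=', '10.0.0.10');

-- 4. Put a disabled subscriber into the group. Do NOT delete or alter the
--    user's radcheck password row: authentication must still succeed.
--    rlm_sql walks a user's groups in ascending priority and stops at the
--    first matching group unless it replies Fall-Through, so give this row
--    the lowest priority number the user has; its Pool-Name then wins over
--    the user's normal group.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('alice', 'disabled-users', 1);

-- Reactivating the user is just removing the group membership:
-- DELETE FROM radusergroup
--   WHERE username = 'alice' AND groupname = 'disabled-users';
```

Before relying on it, check that the sql module instance has read_groups enabled and that sqlippool is listed in the post-auth and accounting sections, otherwise the Pool-Name check item is set but never acted on and the user silently falls back to the NAS's own (public) address assignment.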