Return Access-Accept/-Reject depending on other active sessions during post-authentication

Alan DeKok aland at deployingradius.com
Sun Dec 16 17:07:53 CET 2012


Matthias Nagel wrote:
> Now, I would like to write some kind of RADIUS policy to prevent this behaviour.

  (a) store information in a database
  (b) use "unlang" to query the database

> This policy is supposed to do the following during the post-authentication phase:
> 
> 1) If there is no active session on the NAS port, just return Access-Accept

  You may need to create a new table which stores active sessions.
INSERT data into it on authentication / accounting start.  DELETE data
on accounting stop.

> 2) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session equals the 'Tunnel-Private-Group-ID' of the new request, return Access-Accept.

  Store the Tunnel-Private-Group-ID of a session on INSERT.  Query it on
the next session authentication.

> 3) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session DOES NOT equal the 'Tunnel-Private-Group-ID' of the new request, return Access-Reject.

  Query the DB.  If it doesn't match, reject.

> Is this possible to do? I have the accounting information in a SQL database, hence I know if there are active sessions on some port. But I do not know which would be the correct RADIUS configuration section, and I do not know if "unlang" or some other configuration directive can perform such a check.

  "unlang" is just a way to write policies.  It does NOT store data.
SQL databases store data.

  The two together can solve this problem.

  Alan DeKok.
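One way to wire the three rules together, written as an added example rather than anything posted in this thread: a table of active sessions is filled from `post-auth` (where the assigned VLAN is known) and emptied on accounting Stop, and a single SQL count decides accept or reject. The table name `active_sessions`, its columns, and the assumption that the new session's group sits in the reply list as `Tunnel-Private-Group-ID` are all hypothetical.

```unlang
# Assumed table (hypothetical):
#   active_sessions(username, nas_ip, nas_port, tunnel_group, started_at)
# rlm_sql applies its SQL escape function to attribute expansions inside
# %{sql:...}, so the NAS-supplied values below are not interpolated raw.

post-auth {
    # Rule 3: an active session on this NAS port with a different group
    # means reject.  Rules 1 and 2 fall through, because the count is 0
    # when the port is free or when every existing session has the same group.
    # If the database is unreachable the xlat expands to "", which is != "0",
    # so the policy fails closed; change the comparison if you prefer fail-open.
    if ("%{sql:SELECT COUNT(*) FROM active_sessions WHERE nas_ip = '%{NAS-IP-Address}' AND nas_port = '%{NAS-Port}' AND tunnel_group <> '%{reply:Tunnel-Private-Group-ID}'}" != "0") {
        reject
    }

    # Record the accepted session so later requests on the same port see it.
    # A non-SELECT query in the sql xlat returns the number of affected rows.
    update request {
        Tmp-Integer-0 := "%{sql:INSERT INTO active_sessions (username, nas_ip, nas_port, tunnel_group, started_at) VALUES ('%{User-Name}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{reply:Tunnel-Private-Group-ID}', NOW())}"
    }
}

accounting {
    # Remove the session when the NAS reports it finished.  Lost Stop packets
    # leave stale rows behind, so a periodic cleanup on started_at is advisable.
    if (Acct-Status-Type == Stop) {
        update request {
            Tmp-Integer-0 := "%{sql:DELETE FROM active_sessions WHERE username = '%{User-Name}' AND nas_ip = '%{NAS-IP-Address}' AND nas_port = '%{NAS-Port}'}"
        }
    }

    # existing accounting modules (e.g. sql) follow here
}
```

Check the decision with `radiusd -X` while sending two Access-Requests for the same NAS port with differing groups; the debug output shows the expanded COUNT(*) query and the resulting reject.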


More information about the Freeradius-Users mailing list