Not sure what "max access-period" would be? If it relates to single session then use Session-Timeout to fix max length. If it relates to total time allowed then use sqlcounter (which will set Session-Timeout dinamically). If you are setting a Session-Timeout that will be the same for lagre number of users use groups and set it (once) in radgroupcheck. You don't have access to nasname (from clients.conf) and it is not logged in radacct anyway. What you are describing would work if you add NAS-Identifier to the schema. If you don't want to alter sql schema you will have to add NAS-Identifier check into radcheck at first logon. Every other time script will run without doing anything - not very efficient but ... Ivan Kalik Kalik Informatika ISP Dana 11/4/2008, "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net> piše:
Hi,
I will have to consider the NAS-Identifier replacing NAS-IP-Address. This is not for our use, this is at a customer site. I'm leary about using a field for something other than its intention (Or adding a field that is unexpected) due to the possibility of them installing a package later on that has certainly expectations of the data being a certain way).
I later realized that SOMETHING would need to be set in the radcheck , but was hoping for it to be a bit "self contained". I see things like the Simultaneous use, and the ability to check max access-period, and was hoping I could somehow tell the system to SELECT the nasname (if that field existed) from radacct, and compare against the current nasname from the record. If there was no current, go ahead. If there was a current, if it matched go ahead. Maybe even something with the COUNT of unique nasname, and if it was 0 , its ok. If its 1, better match the current one.
NAS-Identifier is not stored in radacct by default. But you can add it to or replace NAS-IP-Address with it in radacct table and accounting queries.
radacct is used for - accounting. You need to put NAS-Identifier check in radcheck to stop users from connecting from other APs. You can a script at logon to insert it or run outside script at certain intervals that will set it up for you. Anyway you need to:
- check radacct if user has logged on before - if not insert NAS-Identifier check into radcheck table with the value of the current request
If you add NAS-Identifier field into radacct table you don't need to add anything into radcheck. Just run a script at logon that will:
- check radacct to see if user had logged on before - if he had check that value of NAS-Identifier in the request matches the one in radacct table
I was trying to avoid as much outside stuff as possible. I guess I could perl it if it means that much to me. I was just hopinf after seeing some of the "sqlcounter" stuff, if there was some way to accomplish it that way.
Thanks, Tuc
Ivan Kalik Kalik Informatika ISP
Dana 10/4/2008, "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net> piše:
Is anyone doing anything like this already?
They usually use equipment that sends a NAS identifier.
Hi,
Sorry for a second followup, but I just looked over the radacct file and don't see anywhere that NAS-Identifier would be stored. Or are you saying that I need to still use the %{NAS-Identifier} in some sort of check-name?
Thanks, Tuc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html