On Sep 6, 2018, at 9:41 PM, Jon Battista <jonbattista@gmail.com> wrote:
I am currently attempting to set up FreeRadius 3.x to limit simultaneous connection based on a User's LDAP Group. For example, people in the Employee LDAP Group get 2 connections.
After extensive research, I have surmised the best way to do so is to use a SQL DB for Accounting, which I currently have all set up. Unless LDAP can be used for Accounting?
No.
As it stands, I can query how many active connections a User has (simul_count_query) from the radacct table of my local MySQL radius DB, so now I am trying to figure out how to *set* and *enforce* the Simultaneous-Use attribute.
You set the Simultaneous-Use attribute, and the server does the enforcement. https://wiki.freeradius.org/guide/SQL%20HOWTO Look for "Simultaneous-Use"
Where I am caught up is the LDAP x SQL interfacing regarding the Simultaneous-Use attribute.
How and where does FreeRadius look for this attribute?
You set it when the user is logging in. e.g. when the server receives an Access-Request packet. You can set it just like any other attribute.
Does this have to be in LDAP for the Group/User and FreeRadius queries for it
That can work.
or can I define within my FreeRadius configs somewhere?
That can work, too. It all depends what you want.
Most examples say to enforce it on a per-user basis by using the Users file, but what about SQL on a large scale?
It can be set in SQL, too. Are you using SQL for other authorization? If not, don't set it there. Set it in LDAP, or set it in another place.
I've been scouring over the documentation with no luck. Again, LDAP is enabled and working. SQL Accounting is enabled and logging activity. Something I did notice was that radacct is NOT getting the groupname column when I run: *simul_count_query*
The groupname column in radacct isn't used. Alan DeKok.