On Feb 22, 2023, at 1:47 PM, Steven Walters <steven.walters1@gmail.com> wrote:
Our fixed line customers authenticate with username and password. Our fixed line customers can have a mobile VAS linked to fixed line. Customer can have single SIM or multiple SIM linked to fixed line username on LDAP.
In the case of mobile service, we receive the MSISDN in the radius access request. We then lookup the username which has the MSISDN linked on LDAP. If subscriber name has this MSISDN linked, the radius will respond with the username in the access-accept. If no match is found it will respond with access-reject.
OK. So "if not found in LDAP, reject". Luckily, the ldap module will return "notfound", which is a bit better indication than "!ok" or "!updated". ldap if (notfound) { reject }
When the radius receives the accounting start for this session it will have the username of the fixed line service returned in the access-accept and not the MSISDN which was original in the access request.
That makes sense.
So basically, in the case of the mobile VAS, the authentication finds the username on LDAP which has the MSISDN linked as a VAS and if no username has the MSISDN (for example customer cancelled the VAS but is still trying to use the SIM) it will send an access reject. No password checks are done for mobile service.
This mobile VAS was implemented before I joined so there might be better alternative to provide the same result.
The "notfound' return code is the best indication of "not found" . Alan DeKok.