Matthias Nagel wrote:
Now, I would like to write some kind of RADIUS policy to prevent this behaviour.
(a) store information in a database (b) use "unlang" to query the database
This policy is supposed to do the following during the post-authentication phase:
1) If there is no active session on the NAS port, just return Access-Accept
You may need to create a new table which stores active sessions. INSERT data into it on authentication / accounting start. DELETE data on accounting stop.
2) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session equals the 'Tunnel-Private-Group-ID' of the new request, return Access-Accept.
Store the Tunnel-Private-Group-ID of a session on INSERT. Query it on the next session authentication.
3) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session DOES NOT equal the 'Tunnel-Private-Group-ID' of the new request, return Access-Reject.
Query the DB. If it doesn't match, reject.
Is this possible to do? I have the accounting information in a SQL database, hence I know, if there are active sessions on some port. But I do not know, which would be the correct RADIUS configuration section and I do not know if "unlang" or some other configuration directive can perform such a check.
"unlang" is just a way to write policies. It does NOT store data. SQL databases store data. The two together can solve this problem. Alan DeKok.