Thanks Jan, I'll consider this as well. Kinda impossible to do it from the hardware based NAS, so I'm writing a script for this. Thanks. On 10/16/06, Jan Mulders <lastchancehotel@gmail.com> wrote:
I've been through exactly the same hell authenticating a bunch of VPN users.
The fundamental problem is that FreeRADIUS is event-driven: ie, it can only do anything when someone sends a RADIUS request to it. This means, for our purposes, that freeradius needs to be *asked* if a user can continue to be connected.
I did this by making VPN users be re-authenticated every 30 minutes by the VPN NAS - if the nas recieves an Access-Accept packet, then all is well, it continues to provide service (I also bundle on some max-upload and max-download attributes, so the user's speed can be changed on their gigabyte total, but this is an aside) - however, if it recieves and access-deny, the user is booted from the nas.
What you need to do is get your NAS box to re-authenticate the users every n minutes (or hours or whatever you prefer). Depending on how you're authenticating in the first place, this could be done in any number of ways... However, unless your current solution is either software-based or has the functions in it already, it's probably going to be expensive to implement.
If your NAS has a 'status list' function and a 'kick user' function (eg, telnet administration interface), you could write a script that connects to the status list, compares the usernames with the MySQL database, and then connects via telnet to the admin interface to issue a 'kill $user' command. I've seen this done before, and in some cases it can be less resource-intensive than the increased amount of RADIUS auth packets. However it's only really any good for 1 or 2 NAS'es - if you want your system to scale to 30-40 nases then you'll probably want to keep it simple to manage and debug, and get radius to handle periodic reauthentication.
Hope this helps,
Jan
On 16/10/06, Guilherme Franco <guilhermefranco@gmail.com> wrote:
Hi,
Does anyone already have a program to block freeradius on-the-fly?
ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user.
Is there any other means to do that?
Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Guilherme de Oliveira Franco Damovo - Brasil