Thanks for the replies,
As it stands, I can query how many active connections a User has
(simul_count_query) from the radacct table of my local MySQL radius DB, so now I am trying to figure out how to *set* and *enforce* the Simultaneous-Use attribute. You set the Simultaneous-Use attribute, and the server does the enforcement. https://wiki.freeradius.org/guide/SQL%20HOWTO Look for "Simultaneous-Use"
All that doc says to do is have SQL in the Session section. It doesn't say where to define the Simultaneous-Use attribute.
Where I am caught up is the LDAP x SQL interfacing regarding the
Simultaneous-Use attribute.
How and where does FreeRadius look for this attribute? You set it when the user is logging in. e.g. when the server receives an Access-Request packet. You can set it just like any other attribute.
I have defined the Simultaneous-Use attribute in my Users file like so: DEFAULT LDAP-Group == "Squad" Auth-Type := Accept, Simultaneous-Use := 1
Does this have to be in LDAP for the Group/User and FreeRadius queries for it That can work.
or can I define within my FreeRadius configs somewhere? That can work, too. It all depends what you want.
If I can define it in the FreeRadius configs, such as the Users file, that is fine.
Most examples say to enforce it on
a per-user basis by using the Users file, but what about SQL on a large scale? It can be set in SQL, too. Are you using SQL for other authorization? If not, don't set it there. Set it in LDAP, or set it in another place.
I am not using SQL for Authorization, just Accounting and Session. With the Simultaneous-Use attribute set in my User file, shouldn't FreeRadius check the auth from my User against the list of rules? Flagging positive for LDAP Group == "Squad" and then setting the Simultaneous-Use := 1. That is not working. How would I check to see if Simultaneous-Use was set properly? On Fri, Sep 7, 2018 at 4:06 AM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 6, 2018, at 9:41 PM, Jon Battista <jonbattista@gmail.com> wrote:
I am currently attempting to set up FreeRadius 3.x to limit simultaneous connection based on a User's LDAP Group. For example, people in the Employee LDAP Group get 2 connections.
After extensive research, I have surmised the best way to do so is to use a SQL DB for Accounting, which I currently have all set up. Unless LDAP can be used for Accounting?
No.
As it stands, I can query how many active connections a User has (simul_count_query) from the radacct table of my local MySQL radius DB, so now I am trying to figure out how to *set* and *enforce* the Simultaneous-Use attribute.
You set the Simultaneous-Use attribute, and the server does the enforcement.
https://wiki.freeradius.org/guide/SQL%20HOWTO
Look for "Simultaneous-Use"
Where I am caught up is the LDAP x SQL interfacing regarding the Simultaneous-Use attribute.
How and where does FreeRadius look for this attribute?
You set it when the user is logging in. e.g. when the server receives an Access-Request packet.
You can set it just like any other attribute.
Does this have to be in LDAP for the Group/User and FreeRadius queries for it
That can work.
or can I define within my FreeRadius configs somewhere?
That can work, too. It all depends what you want.
Most examples say to enforce it on a per-user basis by using the Users file, but what about SQL on a large scale?
It can be set in SQL, too.
Are you using SQL for other authorization? If not, don't set it there. Set it in LDAP, or set it in another place.
I've been scouring over the documentation with no luck. Again, LDAP is enabled and working. SQL Accounting is enabled and logging activity. Something I did notice was that radacct is NOT getting the groupname column when I run: *simul_count_query*
The groupname column in radacct isn't used.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Jon