Good morning!! I would like to authorize connection to the users to one time period stored in Ldap base. Example: The user Steeve can be connecting between 8h and 12h. So at the time of the request for connection, freeradius will have to check if the time of connection is between this time period. If its true freeradius send accept but if it is wrong he send reject. Does freedius manage that? Because I be not found information in connection with that. Thanks Ludovic Cailleau --------------------------------- Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services préférés : vérifiez vos nouveaux mails, lancez vos recherches et suivez l'actualité en temps réel. Cliquez ici.
On Tue, 16 May 2006, ludovic cailleau wrote:
Good morning!!
I would like to authorize connection to the users to one time period stored in Ldap base.
Example: The user Steeve can be connecting between 8h and 12h. So at the time of the request for connection, freeradius will have to check if the time of connection is between this time period. If its true freeradius send accept but if it is wrong he send reject.
Does freedius manage that? Because I be not found information in connection with that.
Thanks
See the Login-Time attribute (radiusLoginTime ldap attribute) Also read doc/README for an explanation of Login-Time
Ludovic Cailleau
--------------------------------- Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services pr?f?r?s : v?rifiez vos nouveaux mails, lancez vos recherches et suivez l'actualit? en temps r?el. Cliquez ici.
-- Kostas Kalevras Network Operations Center kkalev@noc.ntua.gr National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Hi ! YUP !! It does ! radiusLoginTime is the attribute in LDAP that u r looking for. Simply set it to Al0800-1200 and you'll have ur time period. Depending on your NAS the user will be kicked off at 12 AM. Regards, Edvin _____ From: freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.or g] On Behalf Of ludovic cailleau Sent: Dienstag, 16. Mai 2006 15:18 To: freeradius freeradius-users Subject: How to use time period Good morning!! I would like to authorize connection to the users to one time period stored in Ldap base. Example: The user Steeve can be connecting between 8h and 12h. So at the time of the request for connection, freeradius will have to check if the time of connection is between this time period. If its true freeradius send accept but if it is wrong he send reject. Does freedius manage that? Because I be not found information in connection with that. Thanks Ludovic Cailleau _____ Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services préférés : vérifiez vos nouveaux mails, lancez vos recherches et suivez l'actualité en temps réel. Cliquez ici <http://us.rd.yahoo.com/mail/mail_taglines/yahoofr/*http:/fr.yahoo.com/set> .
Hi Ok, but my NAS does not manage radiusLoginTime. Is there another solution for that? Example: to recover the hour system and to compare it with the Ldap attributes (new check-items)? Regards Seferovic Edvin <edvin.seferovic@kolp.at> a écrit : v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} st1\:*{behavior:url(#default#ieooui) } Hi ! YUP !! It does ! radiusLoginTime is the attribute in LDAP that u r looking for. Simply set it to Al0800-1200 and youll have ur time period. Depending on your NAS the user will be kicked off at 12 AM. Regards, Edvin Ludovic Cailleau --------------------------------- Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services préférés : vérifiez vos nouveaux mails, lancez vos recherches et suivez l'actualité en temps réel. Cliquez ici.
It is not about your NAS.. FreeRADIUS manages this. Every Access-Request has a timestamp. If the Access-Request comes at 7.50 AM, FreeRadius will compare the time with the "Login-Time" attribute ( if set ) and then reject the request. If the access-request comes at 8.50 AM.. the user will be able to log in. FreeRadius will also send ( AFAIK ) the Session-Time attribute as reply. This attribute contains the allowed duration for the session. If your NAS supports this attribute, the user will be authorized and then - kicked off of the system at 12.00 AM. I hope this was clear enough. Please read the NAS documentation first.. the mailing list members must not be familiar with your NAS ! Regards, Edvin _____ From: freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.or g] On Behalf Of ludovic cailleau Sent: Dienstag, 16. Mai 2006 17:15 To: edvin.seferovic@kolp.at; FreeRadius users mailing list Subject: RE: How to use time period Hi Ok, but my NAS does not manage radiusLoginTime. Is there another solution for that? Example: to recover the hour system and to compare it with the Ldap attributes (new check-items)? Regards Seferovic Edvin <edvin.seferovic@kolp.at> a écrit : Hi ! YUP !! It does ! radiusLoginTime is the attribute in LDAP that u r looking for. Simply set it to Al0800-1200 and you'll have ur time period. Depending on your NAS the user will be kicked off at 12 AM. Regards, Edvin Ludovic Cailleau _____ Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services préférés : vérifiez vos nouveaux mails, lancez vos recherches et suivez l'actualité en temps réel. Cliquez ici <http://us.rd.yahoo.com/mail/mail_taglines/yahoofr/*http:/fr.yahoo.com/set> .
Hi, I need to separate the users in the machines that they have access to, i read about the huntgroups file, but is not working, it seems that the radius is not checking the huntgroup file to give the access. I have a freeradius on a Redhat machine, running with the MySQL database for the users and groups information. I have the information on the radcheck, the radgroupcheck, and the radgroup repply tables, all the connections and the authentication works ok, the problem is that the users have access to all of the machines, even the ones that they shouldn´t. This is what i have in my radgroup reply table.. GroupName Attribute op Value test Cisco-AVPair = shell:cmd* test Cisco-AVPair = shell:priv-lvl=15 test Service-Type = Shell-User test Huntgroup-Name = name the hunt group is like this. #name huntgroup name NAS-IP-Address == 10.0.2.244 name NAS-IP-Address == 10.0.2.246 name NAS-IP-Address == 10.0.2.248 Group = test It suppose that the user with that huntgroup name in their attribute should only be able to connect to those IP addresess.. or that´s what i expect.. ;) Thank you.. in advance.. Carlos
participants (4)
-
Carlos Mauricio Reyes Sanmiguel -
Kostas Kalevras -
ludovic cailleau -
Seferovic Edvin