Temporary accounts
Hi all! Can I set up users accounts in v3.x which expire after some specified time after login? (If yes, how?)
On Nov 15, 2016, at 4:20 PM, Zsolt <dqeswn@gmail.com> wrote:
Can I set up users accounts in v3.x which expire after some specified time after login? (If yes, how?)
FreeRADIUS does not have the concept of accounts, and it does not automatically manage accounts for you. I would suggest creating a custom SQL table with account information and expiration time. Then, use that table from FreeRADIUS to check account name, password, and expiration time. Alan DeKok.
Alan DeKok wrote:
On Nov 15, 2016, at 4:20 PM, Zsolt <dqeswn@gmail.com> wrote:
Can I set up users accounts in v3.x which expire after some specified time after login? (If yes, how?)
FreeRADIUS does not have the concept of accounts, and it does not automatically manage accounts for you.
I would suggest creating a custom SQL table [..]
Another option if you have an LDAP server which supports RFC 2589 is to create LDAP entries with auxiliary object class 'dynamicObject'. Compliant servers will remove these entries after TTL expiry. I've tested this with Active Directory and OpenLDAP (with slapo-dds). https://tools.ietf.org/html/rfc2589 Ciao, Michael.
2016-11-15 22:25 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
I would suggest creating a custom SQL table with account information and expiration time. Then, use that table from FreeRADIUS to check account name, password, and expiration time.
Does the radius-protocol/FreeRADIUS provide TTL functionality? (Meaning can authenticated people be automatically blocked after some specified time?) Or do I need to set/implement that elsewhere?
On Nov 16, 2016, at 9:24 AM, Zsolt <dqeswn@gmail.com> wrote:
Does the radius-protocol/FreeRADIUS provide TTL functionality? (Meaning can authenticated people be automatically blocked after some specified time?)
No.
Or do I need to set/implement that elsewhere?
You need to implement custom rules yourself. When I said that FreeRADIUS doesn't implement account management, I meant that it doesn't implement account management. This includes automatic adding of users, deleting of users, expiration, etc. You MUST decide what to do, and then implement it yourself. Alan DeKok.
2016-11-16 15:41 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
You need to implement custom rules yourself.
When I said that FreeRADIUS doesn't implement account management, I meant that it doesn't implement account management. This includes automatic adding of users, deleting of users, expiration, etc.
You MUST decide what to do, and then implement it yourself.
I see. Though, thinking about it, even if I do, I think it wouldn't work for what I want. If I understand RADIUS correctly (?), the server only responds to requests by the clients (eg:my wifi router) and doesn't act by itself (eg: by sending a revoke access message or such). So if I implement custom rules to expire user accounts then that won't come into play until the client tries to authenticate it again, so if someone is connected the person would stay connected indefinitely(untill log-off or a break in the connection).
On Nov 16, 2016, at 12:06 PM, Zsolt <dqeswn@gmail.com> wrote:
2016-11-16 15:41 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
You need to implement custom rules yourself.
When I said that FreeRADIUS doesn't implement account management, I meant that it doesn't implement account management. This includes automatic adding of users, deleting of users, expiration, etc.
You MUST decide what to do, and then implement it yourself.
I see. Though, thinking about it, even if I do, I think it wouldn't work for what I want. If I understand RADIUS correctly (?), the server only responds to requests by the clients (eg:my wifi router) and doesn't act by itself (eg: by sending a revoke access message or such). So if I implement custom rules to expire user accounts then that won't come into play until the client tries to authenticate it again, so if someone is connected the person would stay connected indefinitely(untill log-off or a break in the connection).
You can trigger that asynchronously using CoA/DM packets. Or you can setup polling by including a Session-Timeout value. -Arran
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Michael Ströder -
Zsolt