Excluding non-NAS from simultaneous-use checks
I'm looking for a way to exclude some sources of RADIUS authentication requests from being subjected to the simultaneous-use checks. Basically we use RADIUS for more than just dialin, simultaneous-use is not applicable to these services. I found the following thread on the Cistron mailing list which would solve my problem if I were still running Cistron. http://lists.cistron.nl/pipermail/cistron-radius/2002-June/003861.html Setting the RAS type to none appears to have no effect for FreeRADIUS. Is there another way to accomplish this with FreeRADIUS?
Dan Siemon <dsiemon@cyg.net> wrote:
I'm looking for a way to exclude some sources of RADIUS authentication requests from being subjected to the simultaneous-use checks.
Don't set Simultaneous-Use.
Setting the RAS type to none appears to have no effect for FreeRADIUS.
Is there another way to accomplish this with FreeRADIUS?
Set it to "other". See "clients.conf" Alan DeKok.
Alan DeKok wrote:
Dan Siemon <dsiemon@cyg.net> wrote:
Setting the RAS type to none appears to have no effect for FreeRADIUS.
Is there another way to accomplish this with FreeRADIUS?
Set it to "other". See "clients.conf"
I should have mentioned I tried using 'other' and did not get the desired behavior.
Alan DeKok wrote:
Dan Siemon <dsiemon@cyg.net> wrote:
I should have mentioned I tried using 'other' and did not get the desired behavior.
Please explain, then, what he desired behavior is. Include examples.
I have a bunch of RASs and PPPoE concentrators. When authenticating against these clients I want the simultaneous-use enforced. The same FreeRADIUS server also authenticates other services such as NNTP. When auth requests come from these other RADIUS clients I don't want any simultaneous-use checking to happen at all. For example, a user "bob", with simultaneous-use=1 should be able to authenticate for PPPoE and then start his NNTP client without the first authentication blocking the NNTP login because of the simultaneous-use=1 check.
Dan Siemon <dsiemon@cyg.net> wrote:
For example, a user "bob", with simultaneous-use=1 should be able to authenticate for PPPoE and then start his NNTP client without the first authentication blocking the NNTP login because of the simultaneous-use=1 check.
To do that, you have to: a) configure Simulteneous-Use for the user ONLY when you want to enforce it b) not track logins in radutmp, from places where you don't want those logins to affect Simultaneous-Use Alan DeKok.
participants (2)
-
Alan DeKok -
Dan Siemon