block users on-the-fly

Jan Mulders lastchancehotel at
Mon Oct 16 16:27:13 CEST 2006

I've been through exactly the same hell authenticating a bunch of VPN users.

The fundamental problem is that FreeRADIUS is event-driven: ie, it can
only do anything when someone sends a RADIUS request to it. This
means, for our purposes, that freeradius needs to be *asked* if a user
can continue to be connected.

I did this by making VPN users be re-authenticated every 30 minutes by
the VPN NAS - if the nas recieves an Access-Accept packet, then all is
well, it continues to provide service (I also bundle on some
max-upload and max-download attributes, so the user's speed can be
changed on their gigabyte total, but this is an aside) - however, if
it recieves and access-deny, the user is booted from the nas.

What you need to do is get your NAS box to re-authenticate the users
every n minutes (or hours or whatever you prefer). Depending on how
you're authenticating in the first place, this could be done in any
number of ways... However, unless your current solution is either
software-based or has the functions in it already, it's probably going
to be expensive to implement.

If your NAS has a 'status list' function and a 'kick user' function
(eg, telnet administration interface), you could write a script that
connects to the status list, compares the usernames with the MySQL
database, and then connects via telnet to the admin interface to issue
a 'kill $user' command. I've seen this done before, and in some cases
it can be less resource-intensive than the increased amount of RADIUS
auth packets. However it's only really any good for 1 or 2 NAS'es - if
you want your system to scale to 30-40 nases then you'll probably want
to keep it simple to manage and debug, and get radius to handle
periodic reauthentication.

Hope this helps,


On 16/10/06, Guilherme Franco <guilhermefranco at> wrote:
> Hi,
> Does anyone already have a program to block freeradius on-the-fly?
> ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO,
> the user would no longer authenticate the next time he/ she logs in.
> OK, this works, but, if the user is already loged in, even if I set
> PAID = NO, the user would not be rejected (for obvious reasons). This
> is important because the grand number of Router mode ADSL users, that
> never logs out. I'm building a program to verify every x minutes the
> database and if PAID = NO, return a flag to freeradius and then reject
> the user.
> Is there any other means to do that?
> Thanks.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list