block users on-the-fly

Guilherme Franco guilhermefranco at gmail.com
Mon Oct 16 18:01:27 CEST 2006


Thanks Jan, I'll consider this as well.

Kinda impossible to do it from the hardware based NAS, so I'm writing
a script for this.

Thanks.

On 10/16/06, Jan Mulders <lastchancehotel at gmail.com> wrote:
> I've been through exactly the same hell authenticating a bunch of VPN users.
>
> The fundamental problem is that FreeRADIUS is event-driven: ie, it can
> only do anything when someone sends a RADIUS request to it. This
> means, for our purposes, that freeradius needs to be *asked* if a user
> can continue to be connected.
>
> I did this by making VPN users be re-authenticated every 30 minutes by
> the VPN NAS - if the nas receives an Access-Accept packet, then all is
> well, it continues to provide service (I also bundle on some
> max-upload and max-download attributes, so the user's speed can be
> changed on their gigabyte total, but this is an aside) - however, if
> it receives an access-deny, the user is booted from the nas.
>
> What you need to do is get your NAS box to re-authenticate the users
> every n minutes (or hours or whatever you prefer). Depending on how
> you're authenticating in the first place, this could be done in any
> number of ways... However, unless your current solution is either
> software-based or has the functions in it already, it's probably going
> to be expensive to implement.
>
> If your NAS has a 'status list' function and a 'kick user' function
> (eg, telnet administration interface), you could write a script that
> connects to the status list, compares the usernames with the MySQL
> database, and then connects via telnet to the admin interface to issue
> a 'kill $user' command. I've seen this done before, and in some cases
> it can be less resource-intensive than the increased amount of RADIUS
> auth packets. However it's only really any good for 1 or 2 NAS'es - if
> you want your system to scale to 30-40 nases then you'll probably want
> to keep it simple to manage and debug, and get radius to handle
> periodic reauthentication.
>
> Hope this helps,
>
> Jan
>
> On 16/10/06, Guilherme Franco <guilhermefranco at gmail.com> wrote:
> > Hi,
> >
> > Does anyone already have a program to block freeradius on-the-fly?
> >
> > ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO,
> > the user would no longer authenticate the next time he/ she logs in.
> > OK, this works, but, if the user is already logged in, even if I set
> > PAID = NO, the user would not be rejected (for obvious reasons). This
> > is important because of the grand number of Router mode ADSL users, that
> > never log out. I'm building a program to verify every x minutes the
> > database and if PAID = NO, return a flag to freeradius and then reject
> > the user.
> >
> > Is there any other means to do that?
> >
> > Thanks.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >


-- 
Guilherme de Oliveira Franco
Damovo - Brasil
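The script Jan sketches in the quoted reply (pull the NAS status list, compare it with the PAID flag in radcheck, issue 'kill $user' for anyone who no longer qualifies) is shown below as an added example; it is not code from either poster. It assumes a whitespace-separated status list with the session id in the first column and the username in the second (a constructed format; real NAS output differs), uses an in-memory sqlite3 table in place of the MySQL radcheck table so it runs offline, and takes the actual kick action as a callable so the telnet/admin-interface part stays out of the example. It also refuses to build an admin command from a username containing characters outside a conservative charset, since the username comes from a database and ends up inside a command string sent to the NAS.

```python
import re
import sqlite3
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample of a NAS "status list" as a telnet admin interface
# might print it. Hypothetical format: session id, username, IP, uptime.
SAMPLE_STATUS_LIST = """\
Session  User         IP            Uptime
1        alice        10.0.0.11     02:13:44
2        bob          10.0.0.12     11:02:01
3        carol        10.0.0.13     00:05:59
4        evil;reboot  10.0.0.14     00:00:10
"""

# Only usernames matching this may be interpolated into a NAS admin command.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._@-]+$")


def parse_status_list(text: str) -> Dict[str, str]:
    """Return {username: session_id} from the NAS status list text.

    Skips the header row and blank lines; assumes whitespace-separated
    columns with the session id first and the username second.
    """
    sessions: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "Session":
            continue
        sessions[parts[1]] = parts[0]
    return sessions


def open_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL radcheck table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
        "attribute TEXT, op TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [
            ("alice", "PAID", ":=", "YES"),
            ("bob", "PAID", ":=", "NO"),
            ("carol", "PAID", ":=", "YES"),
            ("dave", "PAID", ":=", "NO"),        # not logged in: nothing to kick
            ("evil;reboot", "PAID", ":=", "NO"),  # unsafe name: must be skipped
        ],
    )
    return conn


def unpaid_users(conn: sqlite3.Connection) -> Set[str]:
    """Usernames whose radcheck PAID attribute is NO (parameterised query)."""
    rows = conn.execute(
        "SELECT username FROM radcheck WHERE attribute = ? AND value = ?",
        ("PAID", "NO"),
    )
    return {row[0] for row in rows}


def kill_command(user: str) -> str:
    """Build the 'kill $user' admin command, refusing unsafe usernames."""
    if not SAFE_USERNAME.match(user):
        raise ValueError("refusing to build admin command for username %r" % user)
    return "kill %s" % user


def enforce(status_text: str, conn: sqlite3.Connection,
            kick: Callable[[str], None]) -> Tuple[List[str], List[str]]:
    """One pass of the periodic check.

    Parses the status list, intersects it with PAID = NO users, and calls
    kick(command) for each. Returns (kicked usernames, skipped usernames)
    so the caller can log both; skipped names failed the charset check.
    """
    logged_in = parse_status_list(status_text)
    unpaid = unpaid_users(conn)
    kicked: List[str] = []
    skipped: List[str] = []
    for user in sorted(logged_in):
        if user not in unpaid:
            continue
        try:
            command = kill_command(user)
        except ValueError:
            skipped.append(user)
            continue
        kick(command)  # e.g. send over the NAS telnet admin session
        kicked.append(user)
    return kicked, skipped


if __name__ == "__main__":
    # Stand-in for the NAS admin session: just show what would be sent.
    result = enforce(SAMPLE_STATUS_LIST, open_sample_db(), print)
    print("kicked:", result[0], "skipped:", result[1])
```

Run on a schedule (cron every few minutes matches the "every x minutes" idea in the original question); the only environment-specific pieces are the status-list parser and the kick callable, which would wrap the NAS's own admin interface.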
