Restrict to initial NAS used to logon

Ivan Kalik tnt at kalik.net
Sat Apr 12 10:14:06 CEST 2008


Not sure what "max access-period" would be? If it relates to single
session then use Session-Timeout to fix max length. If it relates to
total time allowed then use sqlcounter (which will set Session-Timeout
dynamically). If you are setting a Session-Timeout that will be the same
for a large number of users use groups and set it (once) in radgroupcheck.

You don't have access to nasname (from clients.conf) and it is not
logged in radacct anyway. What you are describing would work if you add
NAS-Identifier to the schema. If you don't want to alter sql schema you
will have to add NAS-Identifier check into radcheck at first logon.
Every other time the script will run without doing anything - not very
efficient but ...

Ivan Kalik
Kalik Informatika ISP
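Ivan's first option (check radacct for earlier logons and, if there are none, pin the user to the NAS seen at first logon with a NAS-Identifier check row in radcheck) as an added example; this is not code from the thread or from FreeRADIUS. It assumes cut-down radacct/radcheck tables in an in-memory SQLite database, and the function names pin_user_to_nas and check_allowed are hypothetical.

```python
import sqlite3

# Constructed, simplified versions of the FreeRADIUS radacct/radcheck tables
# (only the columns the logon script needs).
SCHEMA = """
CREATE TABLE radacct (
    radacctid INTEGER PRIMARY KEY, username TEXT,
    nasipaddress TEXT, acctstarttime TEXT);
CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY, username TEXT,
    attribute TEXT, op TEXT, value TEXT);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def pin_user_to_nas(conn, username, nas_identifier):
    """Logon-time script (hypothetical name). On the user's first logon it
    inserts 'NAS-Identifier == <current value>' into radcheck; on every later
    run it does nothing. Returns 'pinned', 'already_pinned' or 'has_history'."""
    q = "SELECT 1 FROM radcheck WHERE username=? AND attribute='NAS-Identifier'"
    if conn.execute(q, (username,)).fetchone():
        return "already_pinned"
    # Users with accounting rows but no check row logged on before the
    # script was deployed; leave them for the operator rather than guess.
    if conn.execute("SELECT 1 FROM radacct WHERE username=? LIMIT 1",
                    (username,)).fetchone():
        return "has_history"
    conn.execute("INSERT INTO radcheck (username, attribute, op, value) "
                 "VALUES (?, 'NAS-Identifier', '==', ?)",
                 (username, nas_identifier))
    conn.commit()
    return "pinned"


def check_allowed(conn, username, nas_identifier):
    """Mirror of what the radcheck lookup decides for a request: a
    'NAS-Identifier ==' check item must match the request's value."""
    rows = conn.execute("SELECT op, value FROM radcheck WHERE username=? "
                        "AND attribute='NAS-Identifier'", (username,)).fetchall()
    return all(not (op == "==" and value != nas_identifier) for op, value in rows)
```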


On 11/4/2008, "Tuc at T-B-O-H.NET" <ml at t-b-o-h.net> wrote:

>Hi,
>
>	I will have to consider the NAS-Identifier replacing NAS-IP-Address.
>This is not for our use, this is at a customer site. I'm leery about using
>a field for something other than its intention (or adding a field that is
>unexpected) due to the possibility of them installing a package later on
>that has certain expectations of the data being a certain way.
>
>	I later realized that SOMETHING would need to be set in the
>radcheck, but was hoping for it to be a bit "self contained". I
>see things like the Simultaneous use, and the ability to check max
>access-period, and was hoping I could somehow tell the system
>to SELECT the nasname (if that field existed) from radacct, and
>compare against the current nasname from the record. If there was
>no current, go ahead. If there was a current, if it matched go
>ahead. Maybe even something with the COUNT of unique nasname,
>and if it was 0, it's ok. If it's 1, better match the current one.
>>
>> NAS-Identifier is not stored in radacct by default. But you can add it to
>> or replace NAS-IP-Address with it in radacct table and accounting
>> queries.
>>
>> radacct is used for - accounting. You need to put NAS-Identifier check in
>> radcheck to stop users from connecting from other APs. You can run a script
>> at logon to insert it or run an outside script at certain intervals that
>> will set it up for you. Anyway you need to:
>>
>> - check radacct if user has logged on before
>> - if not insert NAS-Identifier check into radcheck table with the value
>> of the current request
>>
>> If you add NAS-Identifier field into radacct table you don't need to add
>> anything into radcheck. Just run a script at logon that will:
>>
>> - check radacct to see if user had logged on before
>> - if he had, check that the value of NAS-Identifier in the request matches the
>> one in radacct table
>>
>	I was trying to avoid as much outside stuff as possible. I guess I
>could perl it if it means that much to me. I was just hoping, after seeing
>some of the "sqlcounter" stuff, that there was some way to accomplish it
>that way.
>
>		Thanks, Tuc
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>>
>> On 10/4/2008, "Tuc at T-B-O-H.NET" <ml at t-b-o-h.net> wrote:
>>
>> >> > 	Is anyone doing anything like this already?
>> >>
>> >>   They usually use equipment that sends a NAS identifier.
>> >>
>> >Hi,
>> >
>> >	Sorry for a second followup, but I just looked over
>> >the radacct file and don't see anywhere that NAS-Identifier would
>> >be stored. Or are you saying that I need to still use the
>> >%{NAS-Identifier} in some sort of check-name?
>> >
>> >		Thanks, Tuc
>> >-
>> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
>> >
>> >
>>