Radius users state

tnt at kalik.net
Tue Sep 16 10:53:06 CEST 2008


>1. For determining session expiry, I can see the Reply-Message for
>session timeout from rlm_expiration module. But for determining locked
>users, I think rlm_unix doesn't pass RLM_MODULE_USERLOCK as part of
>Reply-Message.
>

No. But have a look at "man unlang" and module return codes. You can
use unlang to set Reply-Message in such cases.

>2. For determining if user named xyz has typed wrong passwd and his
>privilege level, I will keep /etc/raddb/users entry as
>
>xyz Auth-Type := Reject , User-password =~ "*"
>            Reply-Message = "Invalid passwd for xyz(level 2)."
>

I am not quite sure what you mean. Does your user have multiple entries
where privilege level is determined by password? Like:

xyz   User-Password 1
        Priv-Level 1

xyz   User-Password 2
        Priv-Level 2

You will not be able to determine which (level) password he wanted to use
if he misses. You can remove password attribute from check line and
level from the reply entry.

>
>I can parse Reply-Message to determine the privilege. Is this the
>right way to determine the user privilege?
>
>3. For determining if the user is a valid radius user, I will keep
>this entry at the end in the /etc/raddb/users :
>
>DEFAULT Auth-Type := Reject
>            Reply-Message = "Invalid user"
>

That's fine.

Ivan Kalik
Kalik Informatika ISP
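
An added example, not part of the original message: one way to do what the first answer describes, setting Reply-Message from a module return code with unlang. It assumes the "unix" module instance is listed in the authorize section and returns "userlock" for a locked account; the message text is constructed.

```unlang
# Added example for FreeRADIUS 2.x unlang (see "man unlang").
# Assumption: the "unix" instance returns "userlock" for a locked account;
# confirm the actual return code in "radiusd -X" debug output.
authorize {
    preprocess
    files

    unix {
        # userlock normally ends the section at once; give it a
        # priority instead so processing reaches the "if" below.
        userlock = 1
    }
    if (userlock) {
        update reply {
            # Constructed message text.
            Reply-Message := "Account locked"
        }
        reject
    }
}
```

Reply-Message is sent to the NAS in the Access-Reject, and many NASes display it to the person logging in, so text that tells a locked account apart from a wrong password is visible before authentication succeeds.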
