checking authorization in the duration of connection

John Dennis jdennis at redhat.com
Wed Apr 29 16:04:30 CEST 2009


Eric wrote:
> Hi,
> My radius server uses an ldap server for authorization and authentication. I 
> set an attribute in the ldap server that is the check-name in sqlcounter 
> to limit users' input traffic. I want the user to be stopped when their 
> traffic reaches this amount, but radius checks ldap attributes only at 
> the start of the connection, not in the middle. How can I set the radius 
> server to check the user's traffic against the amount of this attribute 
> in the ldap server for the duration of the connection?
The radius server steps out of the way once authentication and 
authorization are complete, nor does it have the ability to disconnect a 
user from a NAS. You need to have the NAS disconnect the user itself 
when a threshold is reached. This is accomplished by returning a 
vendor-specific attribute specifying the limit for the session which the NAS 
then maintains. Once the limit on the NAS is reached the NAS terminates 
the session. You'll have to check your NAS documentation for a traffic 
limiting parameter. In the other common case of disconnect after a time 
duration it's handled by computing the session length during 
authorization and returning attribute 194 with the maximum number of 
seconds for the connection. This attribute is understood by common NAS 
devices and is known variously as Ascend-Maximum-Time, 
Cisco-Maximum-Time or Lucent-Maximum-Time. You'll need to apply the same 
logic for data volume.


-- 
John Dennis <jdennis at redhat.com>
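
The authorization-time computation described in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code. `Placeholder-NAS-Octet-Limit` is a hypothetical name standing in for whatever traffic-limit attribute the NAS documentation specifies, and the quota and usage figures are constructed.

```python
from dataclasses import dataclass

UINT32_MAX = 0xFFFFFFFF  # a RADIUS integer attribute carries a 32-bit unsigned value

# Hypothetical placeholder: substitute the attribute your NAS documents.
VOLUME_LIMIT_ATTR = "Placeholder-NAS-Octet-Limit"
# Attribute 194, one of the names given in the reply above.
TIME_LIMIT_ATTR = "Ascend-Maximum-Time"


@dataclass
class Usage:
    octets: int   # input octets already consumed, summed from accounting records
    seconds: int  # session seconds already consumed, summed from accounting records


def remaining(limit, used):
    """Allowance left for the next session, or None when no limit is set."""
    if limit is None:
        return None
    return max(limit - used, 0)


def authorize(octet_quota, time_quota, usage):
    """Return (accept, reply_attributes) for one Access-Request.

    The limits are fixed here, once, because the RADIUS server is not
    consulted again during the session; the NAS enforces what it is given.
    """
    reply = {}
    for attr, limit, used in (
        (VOLUME_LIMIT_ATTR, octet_quota, usage.octets),
        (TIME_LIMIT_ATTR, time_quota, usage.seconds),
    ):
        left = remaining(limit, used)
        if left is None:
            continue           # no quota of this kind for the user
        if left == 0:
            return False, {}   # allowance exhausted: refuse the session
        # Clamp to the wire format. The session then ends early and the
        # remainder is granted at the next authorization, never over-granted.
        reply[attr] = min(left, UINT32_MAX)
    return True, reply


if __name__ == "__main__":
    # Constructed sample: 10 GiB quota with 2 GiB used, 1 hour quota with 600 s used.
    print(authorize(10 * 2**30, 3600, Usage(octets=2 * 2**30, seconds=600)))
```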

More information about the Freeradius-Users mailing list