Simultaneous-use check but don't reject

[Fajar A. Nugraha]

On Wed, Dec 21, 2011 at 5:29 AM, Fajar A. Nugraha <list at fajar.net> wrote:
> On Wed, Dec 21, 2011 at 4:18 AM, Alexander Kosykh <avkosykh at gmail.com> wrote:

>> I tried to do this in my config

>> but radius answer is reject whatever and pppoe didn't up

You know what, since you say it's pppoe, I can share a setup on my
environment that might be adaptable for you.

The situation:
- pppoe
- IP address is (normally) allocated by nas, dynamically, using public
IP address
- AAA using freeradius

The problem:
- we want disabled users to still be able to login, but they'd be
placed on a special network where they'd only be able to access an
info page (or, in your terms, "error page")

The solution:
- setup a private IP pool on the NAS (e.g. 10.x.x.x)
- put disabled users in a special group (e.g. "disabled-users")
- setup sqlippool for that IP address pool (e.g. "disabled-users-pool")
- setup a special DNS server (any authoritative DNS server supporting
wildcard will do) that will resolve all DNS record to a special web
server.
- setup routing on the NAS so that the private IP pool can access the
DNS server and the web server, but it can't access public IP address
- add radgroupcheck entry for that group which points to the pool
(e.g. Pool-Name := "disabled-users-pool")
- add radgroupreply entry which will tell users to use the special DNS
server (e.g MS-Primary-DNS-Server := "10.0.0.10")

That way, when a user in "disabled-users" group logs in, he'd get a
private IP address, and whatever address he typed in browser will
bring him to the info page.

You might be able to adapt it to your needs by adding Pool-Name and
MS-Primary-DNS-Server attribute dynamically using unlang, based on an
sql query which checks whether a user is already logged in or not.
Somewhat complicated, but should work.

If you're still having trouble understanding the example, better ask
an expert to help you.

-- 
Fajar