Return Access-Accept/-Reject depending on other active sessions during post-authentication
Alan DeKok
aland at deployingradius.com
Sun Dec 16 17:07:53 CET 2012
Matthias Nagel wrote:
> Now, I would like to write some kind of RADIUS policy to prevent this behaviour.
(a) store information in a database
(b) use "unlang" to query the database
> This policy is supposed to do the following during the post-authentication phase:
>
> 1) If there is no active session on the NAS port, just return Access-Accept
You may need to create a new table which stores active sessions.
INSERT data into it on authentication / accounting start. DELETE data
on accounting stop.
> 2) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session equals the 'Tunnel-Private-Group-ID' of the new request, return Access-Accept.
Store the Tunnel-Private-Group-ID of a session on INSERT. Query it on
the next session authentication.
> 3) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session DOES NOT equal the 'Tunnel-Private-Group-ID' of the new request, return Access-Reject.
Query the DB. If it doesn't match, reject.
> Is this possible to do? I have the accounting information in a SQL database, hence I know, if there are active sessions on some port. But I do not know, which would be the correct RADIUS configuration section and I do not know if "unlang" or some other configuration directive can perform such a check.
"unlang" is just a way to write policies. It does NOT store data.
SQL databases store data.
The two together can solve this problem.
Alan DeKok.
More information about the Freeradius-Users
mailing list