Arran Cudbard-Bell a.cudbardb at
Fri Nov 8 11:02:51 CET 2013

> i am not so much clear how LDAP can be used to authenticate SM's. i have little idea from my research that i can use Session-Timeout attribute so that SM needs to authenticate everyday. This is here the confusion is. 
> i can figure out using MSSQL query from our CRM database that who has not paid. But what should happen if customer did not paid? user should be deleted from LDAP? so that SM is unable to authenticate by FR ? Am i correct that LDAP can be used in such scenario ? i know many admins are using such techniques. Thats why seeking help & their advice. 
> if someone has little time just to help me understanding how to put components together, will very very grateful. all component has been setup but could not understand how it would work together.  

No, generally you mark up the object in LDAP with an attribute indicating that the account is disabled. The LDAP module in both v2 and v3 supports this, though the one in v3 can use the presence or the absence (depending on what you configure) as the indicator.

Check to see if your NAS supports CoA, DM or disconnect via SNMP. IIRC the standard 802.1X MIB includes provisions for terminating a session or at least forcing re-authentication.

Check to see if the user is still enabled on every accounting request, and during post-auth and do the appropriate thing.

FYI asking architecture questions on the FreeRADIUS mailing list is generally frowned upon. We already expect you to know how to do your job and understand AAA infrastructure before posting here. It might perhaps, be better seeking help in one of the numerous network operators forums/lists.

Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

More information about the Freeradius-Users mailing list