Cached attributes

Christian Strauf strauf at rz.tu-clausthal.de
Thu Feb 25 14:01:18 CET 2016


>This is the one which means we're reluctant to cache the vlan attribute
>between authentications.  We want to be able to drop people into our
>"containment" vlan promptly when we get wind of abusive behaviour, and if
>we're caching the vlan itself they won't get put in the new vlan until the
>cache entry expires.
If your equipment supports Change of Authorization (CoA) you should be able to handle these cases quite elegantly by putting an "update coa" snippet into the accounting section of the server section that is responsible for those particular NASes. The examples in

	sites-available/originate-coa

look pretty instructive (sorry, haven't yet done what you intend to do in our environment, so I'm pretty useless with helping you with the exact details put I still think that in theory CoA is the best way to do this). If you have the cached inner user-name, you can use unlang to determine if you want to send a CoA packet for that particular user at that point of time and what VLAN assignment it should contain.

The only use case that you mentioned that really needs CoA or some alternative is banning "naughty" users. If CoA is no option, you could also lower the re-authentication interval on your NASes so that the maximum time until the VLAN assignment can be changed is the re-auth interval.

I hope that I understood you correctly and that what I write makes sense. :)

Christian
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2172 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160225/1e88a4d3/attachment-0001.bin>


More information about the Freeradius-Users mailing list