Freeradius 3.0.15 x OpenLDAP (auth) x MySQL (acct): Limit Simultaneous Use
aland at deployingradius.com
Fri Sep 7 13:05:45 CEST 2018
On Sep 6, 2018, at 9:41 PM, Jon Battista <jonbattista at gmail.com> wrote:
> I am currently attempting to set up FreeRadius 3.x to limit simultaneous
> connections based on a User's LDAP Group. For example, people in the
> Employee LDAP Group get 2 connections.
> After extensive research, I have surmised the best way to do so is to use a
> SQL DB for Accounting, which I currently have all set up. Unless LDAP can
> be used for Accounting?
> As it stands, I can query how many active connections a User has
> (simul_count_query) from the radacct table of my local MySQL radius DB, so
> now I am trying to figure out how to *set* and *enforce* the Simultaneous-Use
You set the Simultaneous-Use attribute, and the server does the enforcement.
Look for "Simultaneous-Use"
> Where I am caught up is the LDAP x SQL interfacing regarding the
> Simultaneous-Use attribute.
> How and where does FreeRadius look for this attribute?
You set it when the user is logging in. e.g. when the server receives an Access-Request packet.
You can set it just like any other attribute.
> Does this have to be in LDAP for the Group/User and FreeRadius queries for it
That can work.
> or can I define
> within my FreeRadius configs somewhere?
That can work, too. It all depends what you want.
> Most examples say to enforce it on
> a per-user basis by using the Users file, but what about SQL on a large
It can be set in SQL, too.
Are you using SQL for other authorization? If not, don't set it there. Set it in LDAP, or set it in another place.
> I've been scouring over the documentation with no luck. Again, LDAP is
> enabled and working. SQL Accounting is enabled and logging activity.
> Something I did notice was that radacct is NOT getting the groupname column
> when I run: *simul_count_query*
The groupname column in radacct isn't used.
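
The setup discussed in this thread, as an added configuration sketch that is not part of the original messages: the LDAP group decides the limit at login, and the SQL session check enforces it. The group name "Employee" comes from the question; the fallback limit of 1 and the exact value that LDAP-Group must be compared against (name or DN, depending on the group settings in mods-available/ldap) are assumptions.

```unlang
# sites-enabled/default (FreeRADIUS 3.0.x) fragment.
# Keep the other modules already listed in each section.

authorize {
    # rlm_ldap looks up the user so group membership can be tested.
    ldap

    # LDAP-Group is the group comparison attribute registered by rlm_ldap.
    # The limit is set while the Access-Request is being processed,
    # like any other control attribute.
    if (LDAP-Group == "Employee") {
        update control {
            Simultaneous-Use := 2
        }
    }
    else {
        # Assumed default for everyone else; not from the thread.
        update control {
            Simultaneous-Use := 1
        }
    }
}

accounting {
    # Writes session start/stop records to radacct.
    sql
}

session {
    # Runs simul_count_query against radacct. The login is rejected
    # when the returned count has already reached
    # control:Simultaneous-Use.
    sql
}
```

Sessions whose Accounting-Stop was never received stay open in radacct and count against the limit, so stale rows need to be closed or the limit will lock users out.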