Freeradius 3.0.15 x OpenLDAP (auth) x MySQL (acct): Limit Simultaneous Use
Alan DeKok
aland at deployingradius.com
Fri Sep 7 13:05:45 CEST 2018
On Sep 6, 2018, at 9:41 PM, Jon Battista <jonbattista at gmail.com> wrote:
> I am currently attempting to set up FreeRadius 3.x to limit simultaneous
> connections based on a User's LDAP Group. For example, people in the
> Employee LDAP Group get 2 connections.
>
> After extensive research, I have surmised the best way to do so is to use a
> SQL DB for Accounting, which I currently have all set up. Unless LDAP can
> be used for Accounting?
No.
> As it stands, I can query how many active connections a User has
> (simul_count_query) from the radacct table of my local MySQL radius DB, so
> now I am trying to figure out how to *set* and *enforce* the Simultaneous-Use
> attribute.
You set the Simultaneous-Use attribute, and the server does the enforcement.
https://wiki.freeradius.org/guide/SQL%20HOWTO
Look for "Simultaneous-Use"
> Where I am caught up is the LDAP x SQL interfacing regarding the
> Simultaneous-Use attribute.
>
> How and where does FreeRadius look for this attribute?
You set it when the user is logging in. e.g. when the server receives an Access-Request packet.
You can set it just like any other attribute.
> Does this have to be in LDAP for the Group/User and FreeRadius queries for it
That can work.
> or can I define
> within my FreeRadius configs somewhere?
That can work, too. It all depends what you want.
> Most examples say to enforce it on
> a per-user basis by using the Users file, but what about SQL on a large
> scale?
It can be set in SQL, too.
Are you using SQL for other authorization? If not, don't set it there. Set it in LDAP, or set it in another place.
> I've been scouring over the documentation with no luck. Again, LDAP is
> enabled and working. SQL Accounting is enabled and logging activity.
> Something I did notice was that radacct is NOT getting the groupname column
> when I run: *simul_count_query*
The groupname column in radacct isn't used.
Alan DeKok.
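
One way to wire up what the reply describes, as an added example that is not part of the original message or of the configuration FreeRADIUS ships. It assumes the default virtual server, module instances named `ldap` and `sql`, group lookups already working in the `ldap` module, and the group name "Employee" with a limit of 2 taken from the question.

```unlang
# sites-enabled/default (FreeRADIUS 3.0.x), relevant sections only

authorize {
    # ... existing modules (preprocess, etc.) ...

    # Look the user up in LDAP first so group membership can be tested.
    ldap

    # LDAP-Group is the group-check attribute registered by the default
    # "ldap" module instance. "Employee" is the group from the question.
    if (LDAP-Group == "Employee") {
        update control {
            # Control (check) item: the server enforces it, the NAS never sees it.
            Simultaneous-Use := 2
        }
    }

    # ... remaining modules (pap, etc.) ...
}

accounting {
    # Start/Stop records must reach radacct, or the count is meaningless.
    sql
}

session {
    # Runs only when control:Simultaneous-Use is set; the sql module
    # executes simul_count_query against radacct and rejects at the limit.
    sql
}
```

The count comes from open sessions in radacct, so a NAS that fails to send an Accounting Stop leaves a stale row that counts against the user's limit.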