Freeradius Upgrade from 3.0.1 to 3.2.2

Alan DeKok aland at deployingradius.com
Wed Feb 22 19:11:54 UTC 2023


On Feb 22, 2023, at 1:47 PM, Steven Walters <steven.walters1 at gmail.com> wrote:
> Our fixed line customers authenticate with username and password. Our fixed
> line customers can have a mobile VAS linked to the fixed line. A customer can
> have a single SIM or multiple SIMs linked to the fixed line username on LDAP.
> 
> In the case of mobile service, we receive the MSISDN in the radius access
> request. We then lookup the username which has the MSISDN linked on LDAP.
> If subscriber name has this MSISDN linked, the radius will respond with the
> username in the access-accept. If no match is found it will respond with
> access-reject.

  OK.  So "if not found in LDAP, reject".  Luckily, the ldap module will return "notfound", which is a bit better indication than "!ok" or "!updated".

	ldap
	if (notfound) {
		reject
	}


> When the radius receives the accounting start for this session it will have
> the username of the fixed line service returned in the access-accept and
> not the MSISDN which was originally in the access request.

  That makes sense.

> So basically, in the case of the mobile VAS, the authentication finds the
> username on LDAP which has the MSISDN linked as a VAS and if no username
> has the MSISDN (for example customer cancelled the VAS but is still trying
> to use the SIM) it will send an access reject. No password checks are done
> for mobile service.
> 
> This mobile VAS was implemented before I joined so there might be better
> alternative to provide the same result.

  The "notfound" return code is the best indication of "not found".

  Alan DeKok.


