On Wed, Sep 11, 2002 at 07:59:26AM +1000, Brett Maxfield wrote:
> I think that you are right, insofar as having re-authentication as part
> of the radius server itself would be a very bad idea. From a design
> point of view it should be a completely separate server, but for the
> sake of reusability of freeradius rules it would make sense to package
> such a program with freeradius.

Not really, such an application would never work well in practice. The only feasible way to implement this (as far as I can see) is if you are talking about PPP users that do CHAP. Create a VSA which is a re-authorise timer. It would be 20-40 or so of additional code in pppd and no additional code in the radius server. This would not be load based.

> If this were a separate daemon, it would be up to the user to decide if
> they needed to run it. The problem I have with leaving kickoffs up to
> the user's application, is that it means you have to duplicate the rules
> you have already written as part of the radius daemon in a third party
> application.

So write one up. I doubt it will be well received. (But if it *is* good, no reason it wouldn't be included with freeradius.) If you want to pursue this at least start by generating a more fleshed out design ... so you can be thoroughly flamed. :-)

/fc
