On Thu, 25 Sep 2003, Ossama Suleiman wrote:
> many many thanks, it is very useful
>
> but there is one thing left, i would be very grateful if you can help me
> with it
>
> i have two different isdn types isdn 64k (simultaneous-use=1) and isdn 128k
> (simultaneous-use=2)
>
> if i define it by nas-port-type in the users file, i won't be able to
> differentiate between user: isdn64 and isdn128
>
> besides, in the rare case that a user wants to use the same username and
> password pair with say 30 connections (simultaneous-use=30) how will i be
> able to define a SPECIAL case like that?? should i create a new
> group for him too?? and how should i define that group in the users file??
>
> Thank you so much for your help
> best regards
>
> ossama

I've never used Simultaneous-Use, but I'll give it a shot. In the schema
file you will find

    attributetype
      ( 1.3.6.1.4.1.3317.4.3.1.53
        NAME 'radiusSimultaneousUse'
        DESC ''
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE
      )

So, then you could add this to the ldap entry

    dn: uid=test1,ou=users,ou=radius,dc=mydomain,dc=com
    objectclass: radiusprofile
    uid: test1
    radiusgroupname: isdn
    radiussimultaneoususe: 2

Make sure you've got this in ldap.attrmap

    checkItem Simultaneous-Use radiusSimultaneousUse

> ----- Original Message -----
> From: "Dustin Doris" <[EMAIL PROTECTED]>
> To: "freeradius-users" <[EMAIL PROTECTED]>
> Sent: Thursday, September 25, 2003 7:02 PM
> Subject: Re: ldap authentication / simultenious-use
>
>
> >
> >
> > On Thu, 25 Sep 2003, Ossama Suleiman wrote:
> >
> > > dear all,
> > >
> > > while authenticating against ldap i enabled the compare_check_items
> > > = yes, cause i wanted to use nas-port-type based authentication, because
> > > i have two kinds of users, analog and ISDN, in order to prevent analog
> > > users from using ISDN services
> > > which is working fine now
> > >
> > > but the problem i faced is in simultaneous-use, as it is a check item
> > > too, if the radius doesn't receive it while authenticating the user, the
> > > user gets rejected
> > >
> > > besides i want to use simultaneous-use to differentiate between
> > > isdn64K and isdn 128K
> > >
> > > any help??
> > >
> > > thanks and best regards
> > >
> > > ossama
> > >
> >
> > You could try using Groups instead.
> >
> > in your ldap directory, say you have a user named test that has async
> > access and test1 that has isdn access
> >
> > dn: uid=test,ou=users,ou=radius,dc=mydomain,dc=com
> > objectclass: radiusprofile
> > uid: test
> > radiusgroupname: dial
> >
> > dn: uid=test1,ou=users,ou=radius,dc=mydomain,dc=com
> > objectclass: radiusprofile
> > uid: test1
> > radiusgroupname: isdn
> >
> > Then in your users file you have
> >
> > DEFAULT NAS-Port-Type == ISDN, Ldap-Group == isdn
> >         Fall-Through = no
> >
> > DEFAULT NAS-Port-Type == Async, Ldap-Group == dial
> >         Fall-Through = no
> >
> > DEFAULT Auth-Type := Reject
> >         Reply-Message = "Please call ...."
> >
> > Then in radiusd.conf in your ldap section, you define the attribute that
> > corresponds to ldap-group.
> >
> > groupmembership_attribute = radiusGroupName
> >
> > Here is what happens.
> >
> > User dials in and hits radius server with NAS-Port-Type = Async. Radius
> > will look up the user in the ldap directory and look for the attribute
> > radiusGroupName = dial. If the user has that particular attribute set, it
> > will authorize the user. If not, then it will fall through to Reject.
> > The same with the isdn users when they connect.
> >
> > If the users are able to have access to both, then include both
> > radiusGroupName entries.
> >
> > ie.
> >
> > dn: uid=test2,ou=users,ou=radius,dc=mydomain,dc=com
> > objectclass: radiusprofile
> > uid: test2
> > radiusgroupname: isdn
> > radiusgroupname: dial
> >
> >
> > Hope that is helpful.
> >
> > Dustin Doris
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
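
The setup discussed in this thread, modelled as an added example (not code from the thread or from FreeRADIUS): the group rules from the users file decide which port type a user may use, and the per-user radiusSimultaneousUse value caps concurrent sessions. The user names, the `decide` function and the caller-supplied `active_sessions` count are assumptions; a real server takes that count from its own session records.

```python
# Simplified model of the decision flow described in the thread.
# Not FreeRADIUS code; entries and user names are constructed samples.

# users-file rules from the thread: (NAS-Port-Type, required Ldap-Group)
RULES = [("ISDN", "isdn"), ("Async", "dial")]

# Constructed directory entries: radiusGroupName values and an optional
# per-user radiusSimultaneousUse (mapped to the Simultaneous-Use check item).
DIRECTORY = {
    "analog1": {"groups": {"dial"}},
    "isdn64":  {"groups": {"isdn"}, "simultaneous_use": 1},
    "isdn128": {"groups": {"isdn"}, "simultaneous_use": 2},
    "bulk30":  {"groups": {"isdn"}, "simultaneous_use": 30},
}


def decide(user, nas_port_type, active_sessions=0):
    """Return (result, reason) for one Access-Request."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return "Access-Reject", "user not found in LDAP"
    # First matching DEFAULT wins (Fall-Through = no); a request that
    # matches none lands on the final "DEFAULT Auth-Type := Reject".
    matched = any(nas_port_type == port and group in entry["groups"]
                  for port, group in RULES)
    if not matched:
        return "Access-Reject", "port type not allowed for user's groups"
    # Session limit: refuse when the user already holds the allowed number
    # of sessions. No attribute on the entry means no limit in this model.
    limit = entry.get("simultaneous_use")
    if limit is not None and active_sessions >= limit:
        return "Access-Reject", f"already logged in {active_sessions} times"
    return "Access-Accept", "ok"


if __name__ == "__main__":
    for args in [("isdn64", "ISDN", 1), ("isdn128", "ISDN", 1),
                 ("bulk30", "ISDN", 29), ("analog1", "ISDN", 0)]:
        print(args, "->", decide(*args))
```

The isdn64, isdn128 and 30-connection cases all share the one isdn group; only the per-entry limit differs, so no extra group is needed for the special user.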