The way I do this is to keep my radacct in an SQL database, to which I've added several columns. Then I use rlm_perl with a bit of code like this:
sub authorize
{
    # Check for probation period
    if (db_probation($RAD_CHECK{UserName})) {
        radiusd::radlog(L_INFO, "Client $RAD_CHECK{UserName} Attempted to log in during probation");
        return RLM_MODULE_REJECT;
    }
    # Return the result
    return RLM_MODULE_OK;
}

sub db_probation
{
    my ($UserName) = @_;
    my $probation = 0;
    # Get the database handle
    my ($dbh, $err) = db_open();
    if (defined $dbh) {
        # Fetch the probation entry. The user name comes from the request,
        # so it is bound as a placeholder, not interpolated into the SQL.
        my $query = "select * from radacct where UserName=? and ProbationTo>?";
        if (my $q = $dbh->prepare($query)) {
            if ($q->execute($UserName, time())) {
                if ($q->fetchrow_hashref) {
                    # There is a probation entry!
                    $probation = 1;
                }
            } else {
                $err = "failure executing probation query: " . $dbh->errstr;
            }
            # Close the query
            $q->finish();
        } else {
            $err = "failure preparing probation query: " . $dbh->errstr;
        }
    }
    # Return whatever we found.
    return $probation;
}
There's actually quite a bit more happening around the edges with this module
on our system, so that code I've trimmed out probably won't work as is,
however you can see what it's doing.
When I terminate a session because of congestion, I set the column "ProbationTo"
for the session I've terminated to be an epoch time 15 minutes in the future and
when the user tries to log in before then the record is found and authorisation
is rejected.
db_open() is simply a perl function I use to do a DBI::new to open the database handle
and then cache it.
I also realise now that I'm re-reading the code that I've failed to handle error conditions,
I'll have to fix that :-)
Bruce
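The set-and-check cycle described in the message above, as an added example that is not part of the original post or of Bruce's module. It assumes DBI with DBD::SQLite and an in-memory table standing in for radacct; set_probation() and on_probation() are hypothetical helper names, AcctSessionId is assumed to identify the session row, and the sample rows are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

use constant PROBATION_SECS => 15 * 60;   # 15 minutes, as in the message above

# Constructed stand-in for radacct with only the columns used here.
# RaiseError makes a database failure die instead of silently reading as "no probation".
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("create table radacct (AcctSessionId text, UserName text, "
       . "ProbationTo integer default 0)");
$dbh->do("insert into radacct (AcctSessionId, UserName) values (?, ?)", undef, @$_)
    for (["s-1001", "john"], ["s-1002", "o'brien"]);   # constructed sample rows

# Hypothetical helper, called when a session is terminated for congestion:
# stamps that session's row with an epoch time PROBATION_SECS in the future.
sub set_probation {
    my ($dbh, $session_id, $now) = @_;
    return $dbh->do("update radacct set ProbationTo=? where AcctSessionId=?",
                    undef, $now + PROBATION_SECS, $session_id);
}

# Same test as db_probation(), with the clock passed in so the window can be
# exercised. Both values are bound parameters, never part of the SQL text.
sub on_probation {
    my ($dbh, $user, $now) = @_;
    my ($hit) = $dbh->selectrow_array(
        "select 1 from radacct where UserName=? and ProbationTo>? limit 1",
        undef, $user, $now);
    return $hit ? 1 : 0;
}

my $t0 = time();
set_probation($dbh, "s-1002", $t0);       # o'brien's session was cut off at t0

# Inside the window, just past the window, and a user who was never cut off.
for my $case (["o'brien", $t0 + 60],
              ["o'brien", $t0 + PROBATION_SECS + 1],
              ["john",    $t0 + 60]) {
    my ($user, $when) = @$case;
    printf "%-8s at t0+%4ds: %s\n", $user, $when - $t0,
        on_probation($dbh, $user, $when) ? "reject" : "ok";
}
```

Because the user name is bound, the quote in the constructed name o'brien is matched as data and cannot change the query.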
John Eckert wrote:
Thanks.
I have included the "rlm_counter" module in my radiusd.conf and each time the server gets a "stop" request it adds the Acct-Session-Time.
Looks like this:
rlm_counter: Packet Unique ID = '5bf5b6a4e87be179'
rlm_counter: Counter Unique ID = '5dddb8291191804a'
rlm_counter: User=john, Counter=488.
rlm_counter: User=john, New Counter=524.
modcall[accounting]: module "daily" returns ok for request 31
But how can I set a maximum usage time? I have added
Max-Daily-Session = 500
to my "radgroupreply" table but I can still log on, even with my counter being at 524.
And, the attribute "session-timeout" isn't added to the reply, so my NAS doesn't log out the user, either.
Any short or long hints?
Version info: freeradius 0.9.2-4 on debian, mysql database
Thank you
John Eckert.
On Thursday, 8 January 2004 11:53 -0500 Alan DeKok <[EMAIL PROTECTED]> wrote:
John Eckert <[EMAIL PROTECTED]> wrote:
I have successfully configured my freeradius server to answer the accounting request and to give the user internet access for, let's say, 30 minutes. After 30 minutes the user gets kicked.
_But_: After he gets kicked he is able to log in again with the same username and password.
Is there a way to prevent this?
rlm_counter
Gives the user limited time access per day/week/month/whatever
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
John E. --

