"Alan DeKok" <[EMAIL PROTECTED]> writes:

> Ted Cabeen <[EMAIL PROTECTED]> wrote:
>> Right. But if you change the behavior of checkrad to always allow on
>> other, nothing happens because it's over-ridden in the code. If the
>> other nastype doesn't do anything, it either shouldn't be defined in
>> checkrad or there should be a comment there indicating that it never
>> gets run.
>
> Ah, I see what you mean.
>
>> With "other" configured as it is, freeradius is a fail-deny system.
>> If the server can't confirm the login is duplicate, it rejects the
>> user, presuming the utmp file is correct. I want the opposite
>> behavior, where radius only denies a user when it's positively
>> confirmed that they're already logged in the maximum amount of times.
>> A config file option seems the best solution to me.
>
> So create a nas type of "fail-allow", and edit checkrad to always
> return 0 for that type. It should be ~3 lines of perl in checkrad,
> and because it isn't named "other", the server should call checkrad
> for it, and do what you want.

That's not a bad idea, but the problem is that I don't know the IPs
that the requests will be originating from. The outsourced dialup
provider has thousands of NASes across the US, and I don't have a list
of every NAS they have. Looking at the code, I just noticed that
radutmp is also always trusted when the request comes from an unknown
NAS, which happens as well.

Essentially, what I want to do is to never trust the radutmp file.
Right now, the server can't be configured to do that.

--
Ted Cabeen           http://www.pobox.com/~secabeen           [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2           [EMAIL PROTECTED]
"I have taken all knowledge to be my province." -F. Bacon     [EMAIL PROTECTED]
"Human kind cannot bear very much reality." -T.S. Eliot       [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

