Matthias Nagel wrote:
> Now, I would like to write some kind of RADIUS policy to prevent this
> behaviour.

(a) store information in a database
(b) use "unlang" to query the database

> This policy is supposed to do the following during the post-authentication
> phase:
>
> 1) If there is no active session on the NAS port, just return Access-Accept

You may need to create a new table which stores active sessions. INSERT data into it on authentication / accounting start. DELETE data on accounting stop.

> 2) If there is at least one active session on the NAS port and the
> 'Tunnel-Private-Group-ID' of that session equals the
> 'Tunnel-Private-Group-ID' of the new request, return Access-Accept.

Store the Tunnel-Private-Group-ID of a session on INSERT. Query it on the next session authentication.

> 3) If there is at least one active session on the NAS port and the
> 'Tunnel-Private-Group-ID' of that session DOES NOT equal the
> 'Tunnel-Private-Group-ID' of the new request, return Access-Reject.

Query the DB. If it doesn't match, reject.

> Is this possible to do? I have the accounting information in a SQL database,
> hence I know, if there are active sessions on some port. But I do not know,
> which would be the correct RADIUS configuration section and I do not know if
> "unlang" or some other configuration directive can perform such a check.

"unlang" is just a way to write policies. It does NOT store data. SQL databases store data. The two together can solve this problem.

Alan DeKok.
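The session-table logic described in this reply, modelled as an added example that is not part of the original thread and is not FreeRADIUS configuration. The table name `active_sessions`, its columns, and the function names are assumptions chosen for illustration; SQLite stands in for the site's SQL database.

```python
import sqlite3

# Hypothetical schema: one row per active session on a NAS port.
SCHEMA = """
CREATE TABLE active_sessions (
    session_id TEXT PRIMARY KEY,
    nas_ip     TEXT NOT NULL,
    nas_port   TEXT NOT NULL,
    vlan       TEXT NOT NULL   -- Tunnel-Private-Group-ID assigned to the session
)"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def session_start(db, session_id, nas_ip, nas_port, vlan):
    """On authentication / accounting start: INSERT the session and its VLAN."""
    db.execute("INSERT OR REPLACE INTO active_sessions VALUES (?, ?, ?, ?)",
               (session_id, nas_ip, nas_port, vlan))

def session_stop(db, session_id):
    """On accounting stop: DELETE the session."""
    db.execute("DELETE FROM active_sessions WHERE session_id = ?", (session_id,))

def post_auth(db, nas_ip, nas_port, requested_vlan):
    """Apply the three rules from the question to a new request."""
    rows = db.execute(
        "SELECT DISTINCT vlan FROM active_sessions "
        "WHERE nas_ip = ? AND nas_port = ?", (nas_ip, nas_port)).fetchall()
    if not rows:
        return "Access-Accept"   # rule 1: no active session on the port
    # Assumption: if several sessions are active, all must match the request.
    if all(vlan == requested_vlan for (vlan,) in rows):
        return "Access-Accept"   # rule 2: same Tunnel-Private-Group-ID
    return "Access-Reject"       # rule 3: different Tunnel-Private-Group-ID

if __name__ == "__main__":
    db = open_db()
    # Constructed sample values: NAS 10.0.0.1, port 5, VLANs 100 and 200.
    print(post_auth(db, "10.0.0.1", "5", "100"))
    session_start(db, "s1", "10.0.0.1", "5", "100")
    print(post_auth(db, "10.0.0.1", "5", "100"))
    print(post_auth(db, "10.0.0.1", "5", "200"))
    session_stop(db, "s1")
    print(post_auth(db, "10.0.0.1", "5", "200"))
```

Because rows are removed only on accounting stop, a lost stop packet leaves a stale row that keeps rejecting other VLANs on that port, so a real table needs some expiry or cleanup.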

