Fabrice,
Thanks for this, I just want to clarify something. If in your example a student has 3 live devices and tries to connect a 4th, does it just fail to connect? Also, is the eduPersonPrimaryAffiliation attribute in your example a container, group or some sort of custom LDAP attribute?

Paul

From: Durand fabrice [mailto:[email protected]]
Sent: August 2, 2015 11:30 AM
To: [email protected]
Subject: Re: [PacketFence-users] Replacing authorized device

Hello Paul,

What you can probably do is the following:

In the role section, let's use the value 10 for student and teacher (only 10 registered devices are allowed per user).

I suppose you are using an Active Directory as the authentication source and you use it to associate the roles.

So let's have a look first in raddb/modules: edit ldap, then add (feel free to adapt it):

    # Named LDAP module instance used for the attribute lookup below
    ldap ldap_ad_user {
        server = "info.acme.ca"
        identity = "CN=admin,DC=acme,DC=ca"
        password = password
        basedn = "DC=info,DC=acme,DC=ca"
        filter = "(sAMAccountName=%{User-Name})"
        scope = "sub"
        base_filter = "(objectclass=user)"
        password_attribute = NT-Password
    }

Then in packetfence-tunnel (in conf/radiusd/packetfence-tunnel), in the authorize section:

    # Fetch the user's eduPersonPrimaryAffiliation through ldap_ad_user
    update request {
        Tmp-String-1 := "%{ldap_ad_user:ldap:///OU=Users,DC=acme,DC=ca?eduPersonPrimaryAffiliation?sub?sAMAccountName=%{User-Name}}"
    }
    # Set the concurrent-session limit according to the affiliation
    if (Tmp-String-1 == "student") {
        update control {
            Simultaneous-Use := 3
        }
    }
    elsif (Tmp-String-1 == "teacher") {
        update control {
            Simultaneous-Use := 5
        }
    }
    # else {
    #     update control {
    #         Simultaneous-Use := 0
    #     }
    # }

So with this configuration, only 10 devices are allowed to be registered per user. Then if the attribute eduPersonPrimaryAffiliation contains student, only 3 devices can be connected at the same time, and if it contains teacher, only 5 devices can be connected at the same time.

This setup is not exactly what you want but it's close.

Regards
Fabrice

On 2015-08-01 01:29, Polar Geek wrote:

Hello all,

While my main issue is being looked into I have an additional question. Basically what I want to know is this. If I have set a user account to allow only 1 registered device and they want to register a new/replacement device before the existing registration expires, how does the end user accomplish this?

In several other captive portal solutions I have used, either as an admin or end-user, if a user logs into a new device it automatically disables the existing device. PacketFence instead seems to just deny the new device with no recourse for a replacement. Am I missing something like a setting that would change this behaviour?

Effectively what I would like is to allow my students and teachers to use only a specific number of non-school provided devices simultaneously. Students might legitimately need to use a laptop, tablet or phone on our network at any given time. But I don't want all those devices live the moment they enter the school. Just the one they're actually using.

Thanks in advance.

Paul Taylor
Luther College High School

------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
