Hello Paul,
yes, if the student has 3 live devices then the 4th will just fail to
connect.
eduPersonPrimaryAffiliation is just an example of an LDAP attribute you
can use, but you can probably use a more complex request:
http://wiki.freeradius.org/modules/rlm_ldap#LDAP-xlat
Regards
Fabrice
Le 2015-08-03 20:49, Polar Geek a écrit :
Fabrice,
Thanks for this, I just want to clarify something.
If in your example a student has 3 live devices and tries to connect a
4th, does it just fail to connect?
Also is the eduPersonPrimaryAffiliation attribute in your example a
container, group or some sort of custom ldap attribute?
Paul
*From:*Durand fabrice [mailto:[email protected]]
*Sent:* August 2, 2015 11:30 AM
*To:* [email protected]
*Subject:* Re: [PacketFence-users] Replacing authorized device
Hello Paul,
What you can probably do is the following:
In the role section let's use the 10 value for student and teacher
(Only 10 registered devices are allowed per user).
I suppose you are using an Active Directory as authentication source
and you use it to associate the roles.
So let's have a look first in raddb/modules
edit ldap, then add (feel free to adapt it):
    ldap ldap_ad_user {
        server = "info.acme.ca"
        identity = "CN=admin,DC=acme,DC=ca"
        password = password
        basedn = "DC=info,DC=acme,DC=ca"
        filter = "(sAMAccountName=%{User-Name})"
        scope = "sub"
        base_filter = "(objectclass=user)"
        password_attribute = NT-Password
    }
then in packetfence-tunnel (in conf/radiusd/packetfence-tunnel) in
authorize section:
    update request {
        Tmp-String-1 := "%{ldap_ad_user:ldap:///OU=Users,DC=acme,DC=ca?eduPersonPrimaryAffiliation?sub?sAMAccountName=%{User-Name}}"
    }
    if (Tmp-String-1 == "student") {
        update control {
            Simultaneous-Use := 3
        }
    }
    elsif (Tmp-String-1 == "teacher") {
        update control {
            Simultaneous-Use := 5
        }
    }
    # else {
    #     update control {
    #         Simultaneous-Use := 0
    #     }
    # }
So with this configuration, only 10 devices are allowed to be
registered per user.
Then if the attribute eduPersonPrimaryAffiliation contains student then
only 3 devices can be connected at the same time and if it contains
teacher then only 5 devices can be connected at the same time.
This setup is not exactly what you want but it's close.
Regards
Fabrice
Le 2015-08-01 01:29, Polar Geek a écrit :
Hello all,
While my main issue is being looked into I have an additional
question.
Basically what I want to know is this: if I have set a user
account to allow only 1 registered device and they want to
register a new/replacement device before the existing registration
expires, how does the end user accomplish this?
In several other captive portal solutions I have used either as an
admin or end-user, if a user logs into a new device it
automatically disables the existing device. PacketFence instead
seems to just deny the new device with no recourse for a
replacement. Am I missing something like a setting that would
change this behaviour?
Effectively what I would like is to allow my students and teachers
to use only specific number of non-school provided devices
simultaneously. Students might legitimately need to use a laptop,
tablet or phone on our network at any given time. But I don’t want
all those devices live the moment they enter the school. Just the
one they’re actually using.
Thanks in advance.
Paul Taylor
Luther College High School
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
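
Added example, not part of the original thread and not PacketFence or FreeRADIUS code: a Python model of the policy described in the reply above, which splits the LDAP URL used in the xlat into its parts and applies the per-affiliation limits to a count of live sessions. The user name jdoe, the sample URL with User-Name already expanded, and all function names are assumptions made for the illustration.

```python
from urllib.parse import unquote

# Limits copied from the unlang block in the thread. Any other affiliation gets
# no Simultaneous-Use value, because the else branch there is commented out.
LIMITS = {"student": 3, "teacher": 5}

# Constructed sample: the xlat URL after %{User-Name} expanded to "jdoe".
SAMPLE_URL = ("ldap:///OU=Users,DC=acme,DC=ca"
              "?eduPersonPrimaryAffiliation?sub?sAMAccountName=jdoe")


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL: ldap://host/dn?attributes?scope?filter."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    host, _, rest = url[len("ldap://"):].partition("/")
    # Missing trailing fields are allowed; pad so we always unpack four.
    parts = (rest.split("?") + [""] * 4)[:4]
    dn, attrs, scope, flt = (unquote(p) for p in parts)
    if scope not in ("", "base", "one", "sub"):
        raise ValueError("bad scope: %r" % scope)
    return {
        "host": host,  # empty here: the module's configured server is used
        "base_dn": dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",             # RFC 4516 default
        "filter": flt or "(objectClass=*)",   # RFC 4516 default
    }


def simultaneous_use_limit(affiliation):
    """Value the policy assigns to Simultaneous-Use, or None if it sets none."""
    return LIMITS.get(affiliation)


def authorize(affiliation, live_sessions):
    """Reject a new login once the live session count has reached the limit."""
    limit = simultaneous_use_limit(affiliation)
    if limit is None:
        return "accept"  # no limit set for this affiliation
    return "accept" if live_sessions < limit else "reject"


if __name__ == "__main__":
    print(parse_ldap_url(SAMPLE_URL))
    for n in range(5):
        print("student with", n, "live devices ->", authorize("student", n))
```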