block users on-the-fly

2006-10-16 Thread Guilherme Franco

Hi,

Does anyone already have a program to block freeradius on-the-fly?

i.e.: a user has PAID = YES in the radcheck table. Whenever I set PAID = NO,
the user will no longer authenticate the next time he/she logs in.
OK, this works, but if the user is already logged in, even if I set
PAID = NO, the user will not be rejected (for obvious reasons). This
is important because of the large number of router-mode ADSL users that
never log out. I'm building a program to check the database every x
minutes and, if PAID = NO, return a flag to FreeRADIUS and then reject
the user.

Is there any other means to do that?

Thanks.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: block users on-the-fly

2006-10-16 Thread Peter Nixon
On Mon 16 Oct 2006 16:25, Guilherme Franco wrote:
 Hi,

 Does anyone already have a program to block freeradius on-the-fly?

 ie: user has PAID = YES in radcheck table.

Sure.

Change:
authorize_check_query = SELECT id, UserName, Attribute, Value, Op \
 FROM ${authcheck_table} \
 WHERE Username = '%{SQL-User-Name}' AND calledstationid = '%{Called-Station-Id}' \
 ORDER BY id

to

authorize_check_query = SELECT id, UserName, Attribute, Value, Op \
 FROM ${authcheck_table} \
 WHERE Username = '%{SQL-User-Name}' AND calledstationid = '%{Called-Station-Id}' \
 AND PAID = 'YES' \
 ORDER BY id

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


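What Peter's one-line change does to the check items, as an added example that is not code from the thread or from FreeRADIUS: sqlite3 stands in for the MySQL radcheck table, the PAID column and the sample rows are constructed, and the `%{SQL-User-Name}` / `%{Called-Station-Id}` expansions are replaced by bound parameters (rlm_sql itself substitutes escaped strings into the query text). The check worth making before deploying it: with the filter in place a lapsed user gets no check items at all, so the reject only happens if nothing else in the authorize section supplies a password or an Auth-Type. The third query is my own variant, not from the thread, that returns an explicit `Auth-Type := Reject` for lapsed users so the reject is logged as a policy decision rather than as an unknown user. None of this touches sessions that are already up, which is the original question.

```python
"""Simulate the effect of the radcheck query change with sqlite3 standing
in for MySQL. Table, PAID column and rows are constructed for the example."""
import sqlite3

SCHEMA = """
CREATE TABLE radcheck (
    id              INTEGER PRIMARY KEY,
    username        TEXT NOT NULL,
    attribute       TEXT NOT NULL,
    op              TEXT NOT NULL,
    value           TEXT NOT NULL,
    calledstationid TEXT,
    paid            TEXT NOT NULL DEFAULT 'YES'   -- not in the stock schema
);
"""

# Constructed sample rows: a paying subscriber and a lapsed one.
ROWS = [
    ("alice", "Cleartext-Password", ":=", "s3cret",  "DSL-POP-1", "YES"),
    ("bob",   "Cleartext-Password", ":=", "hunter2", "DSL-POP-1", "NO"),
]

# Peter's queries, with the xlat strings replaced by bound parameters.
ORIGINAL_QUERY = """
SELECT id, username, attribute, value, op FROM radcheck
 WHERE username = :u AND calledstationid = :c
 ORDER BY id"""

PAID_ONLY_QUERY = """
SELECT id, username, attribute, value, op FROM radcheck
 WHERE username = :u AND calledstationid = :c AND paid = 'YES'
 ORDER BY id"""

# My variant (not from the thread): lapsed users get an explicit reject
# check item instead of silently matching nothing.
EXPLICIT_REJECT_QUERY = """
SELECT id, username, attribute, value, op FROM radcheck
 WHERE username = :u AND calledstationid = :c AND paid = 'YES'
UNION ALL
SELECT DISTINCT 0, username, 'Auth-Type', 'Reject', ':=' FROM radcheck
 WHERE username = :u AND calledstationid = :c AND paid = 'NO'
 ORDER BY id"""


def open_radcheck_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value, calledstationid, paid)"
        " VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def check_items(conn, query, username, called_station_id):
    """The check items rlm_sql would hand to the authorize section."""
    cur = conn.execute(query, {"u": username, "c": called_station_id})
    return [(attr, op, value) for (_id, _user, attr, value, op) in cur]


def authorize_outcome(items):
    """Rough model of the server's decision after authorize: an explicit
    Auth-Type wins; a known password lets PAP run; with neither the server
    logs 'No Auth-Type found: rejecting the user'."""
    for attr, _op, value in items:
        if attr == "Auth-Type":
            return "reject" if value.lower() == "reject" else "auth-type:" + value
    if any(attr.endswith("-Password") for attr, _op, _value in items):
        return "pap"
    return "reject-no-auth-type"


if __name__ == "__main__":
    db = open_radcheck_db()
    for name, q in (("original", ORIGINAL_QUERY), ("paid-only", PAID_ONLY_QUERY),
                    ("explicit-reject", EXPLICIT_REJECT_QUERY)):
        for user in ("alice", "bob"):
            items = check_items(db, q, user, "DSL-POP-1")
            print(f"{name:16} {user:6} {authorize_outcome(items):22} {items}")
```

With the original query bob still authenticates; with the paid-only query he matches no rows and is rejected only because nothing else supplies a password; with the explicit variant the reject is a deliberate check item and the debug log says so.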

Re: block users on-the-fly

2006-10-16 Thread Peter Nixon
On Mon 16 Oct 2006 16:25, Guilherme Franco wrote:
 Hi,

 Does anyone already have a program to block freeradius on-the-fly?

 i.e.: a user has PAID = YES in the radcheck table. Whenever I set PAID = NO,
 the user will no longer authenticate the next time he/she logs in.
 OK, this works, but if the user is already logged in, even if I set
 PAID = NO, the user will not be rejected (for obvious reasons). This
 is important because of the large number of router-mode ADSL users that
 never log out. I'm building a program to check the database every x
 minutes and, if PAID = NO, return a flag to FreeRADIUS and then reject
 the user.

That's the wrong way to do it. Simply disconnect the user on your NAS at the 
same time as setting PAID = NO. The way you do this depends on your NAS, but 
PoD comes to mind:

http://wiki.freeradius.org/POD

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
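The Packet of Disconnect Peter points at, as an added example that is not code from the wiki page or from FreeRADIUS: a Disconnect-Request as specified in RFC 3576 (code 40, UDP port 3799), built and verified from both ends of the exchange. The shared secret, NAS address, username and session id are made up. The security point a practitioner should keep in mind is that the only authentication on this exchange is an MD5 over the packet and the shared secret, so the NAS must accept Disconnect-Requests only from the configured client address and the secret must be strong, otherwise anyone who can reach port 3799 can log your subscribers off. radclient can send the same packet (packet type `disconnect`); the code here exists to show what is on the wire.

```python
"""Build, send and verify RFC 3576 Disconnect-Request (Packet of Disconnect)
packets. Secret, NAS address, user and session id used here are constructed."""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
POD_PORT = 3799  # default Dynamic Authorization port (RFC 3576)

# Attribute types used to identify the session to tear down.
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44


def encode_attrs(attrs):
    """attrs: iterable of (type, bytes). Each AVP is Type(1) Length(1) Value."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_disconnect_request(secret, identifier, attrs):
    """Wire packet. For CoA/Disconnect the Request Authenticator is
    MD5(Code | ID | Length | 16 zero octets | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(secret, packet):
    """NAS side: recompute the Request Authenticator under the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(secret, request, code, attrs=()):
    """NAS side reply (ACK or NAK). Response Authenticator is
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(secret, request, response):
    """Client side: return the reply code only if the identifier matches the
    request and the Response Authenticator verifies; otherwise None."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return None
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def session_attrs(username, nas_ip, session_id):
    """Identify the session the way accounting reported it."""
    return [
        (USER_NAME, username.encode()),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (ACCT_SESSION_ID, session_id.encode()),
    ]


def send_disconnect(nas_ip, secret, attrs, identifier=1, timeout=3.0):
    """Send to a live NAS; return DISCONNECT_ACK/NAK, or None on timeout or
    on a reply that fails verification. Needs a real NAS, not run here."""
    request = build_disconnect_request(secret, identifier, attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (nas_ip, POD_PORT))
        try:
            data, _peer = s.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_response(secret, request, data)


if __name__ == "__main__":
    secret = b"testing123"  # constructed; use a long random secret in production
    req = build_disconnect_request(
        secret, 7, session_attrs("bob", "192.0.2.10", "0000ABCD"))
    ack = build_response(secret, req, DISCONNECT_ACK)  # what a NAS would answer
    print(len(req), verify_request(secret, req), verify_response(secret, req, ack))
```

A NAK does not mean the secret was wrong; it usually means the NAS could not match the session from the attributes sent, so log the NAK and retry with whatever identification (Acct-Session-Id, Framed-IP-Address) that NAS model actually keys on.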


Re: block users on-the-fly

2006-10-16 Thread Jan Mulders

I've been through exactly the same hell authenticating a bunch of VPN users.

The fundamental problem is that FreeRADIUS is event-driven: i.e., it can
only do anything when someone sends a RADIUS request to it. This
means, for our purposes, that FreeRADIUS needs to be *asked* if a user
can continue to be connected.

I did this by making VPN users be re-authenticated every 30 minutes by
the VPN NAS - if the NAS receives an Access-Accept packet, then all is
well, it continues to provide service (I also bundle on some
max-upload and max-download attributes, so the user's speed can be
changed based on their gigabyte total, but this is an aside) - however, if
it receives an access-deny, the user is booted from the NAS.

What you need to do is get your NAS box to re-authenticate the users
every n minutes (or hours or whatever you prefer). Depending on how
you're authenticating in the first place, this could be done in any
number of ways... However, unless your current solution is either
software-based or has the functions in it already, it's probably going
to be expensive to implement.

If your NAS has a 'status list' function and a 'kick user' function
(e.g., a telnet administration interface), you could write a script that
connects to the status list, compares the usernames with the MySQL
database, and then connects via telnet to the admin interface to issue
a 'kill $user' command. I've seen this done before, and in some cases
it can be less resource-intensive than the increased amount of RADIUS
auth packets. However, it's only really any good for 1 or 2 NASes - if
you want your system to scale to 30-40 NASes then you'll probably want
to keep it simple to manage and debug, and get RADIUS to handle
periodic reauthentication.

Hope this helps,

Jan

On 16/10/06, Guilherme Franco [EMAIL PROTECTED] wrote:

Hi,

Does anyone already have a program to block freeradius on-the-fly?

i.e.: a user has PAID = YES in the radcheck table. Whenever I set PAID = NO,
the user will no longer authenticate the next time he/she logs in.
OK, this works, but if the user is already logged in, even if I set
PAID = NO, the user will not be rejected (for obvious reasons). This
is important because of the large number of router-mode ADSL users that
never log out. I'm building a program to check the database every x
minutes and, if PAID = NO, return a flag to FreeRADIUS and then reject
the user.

Is there any other means to do that?

Thanks.
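Jan's "status list" reconciliation in code, as an added example that is not from the thread: the NAS's own session list says who is online, the billing database says who may stay, and the difference is the kill list. sqlite3 stands in for MySQL; the subscriber table, the radacct rows and the scraped status list are all constructed, and the 'kill $user' step on the NAS is left out because it is NAS-specific. The example also shows why a poller that only reads the database (the original poster's plan) and a script that reads the NAS (Jan's) give different answers once accounting has drifted: a session the NAS started but never accounted for is invisible to the first, and a session radacct still believes is open but the NAS already dropped must not be "kicked" again but closed in the database.

```python
"""Reconcile a NAS session list against the billing DB. sqlite3 stands in
for MySQL; every table, row and status line below is constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE subscriber (username TEXT PRIMARY KEY, paid TEXT NOT NULL);
CREATE TABLE radacct (
    acctsessionid TEXT NOT NULL,
    username      TEXT NOT NULL,
    nasipaddress  TEXT NOT NULL,
    acctstoptime  TEXT            -- NULL while accounting thinks it is open
);
"""
SUBSCRIBERS = [("alice", "YES"), ("bob", "NO"), ("carol", "NO")]
RADACCT = [
    ("s-1001", "alice", "192.0.2.10", None),
    ("s-1002", "bob",   "192.0.2.10", None),
    ("s-0999", "bob",   "192.0.2.10", "2006-10-15 08:00:00"),  # closed
    ("s-1003", "carol", "192.0.2.11", None),
]

# Scraped NAS 'status list', keyed by NAS address: .10 carries a session
# accounting never recorded (dave/s-1004); .11 already dropped carol's
# session but the Accounting-Stop never reached radacct.
NAS_STATUS = {
    "192.0.2.10": [("alice", "s-1001"), ("bob", "s-1002"), ("dave", "s-1004")],
    "192.0.2.11": [],
}


def open_billing_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO subscriber VALUES (?, ?)", SUBSCRIBERS)
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", RADACCT)
    return conn


def unpaid_open_sessions(conn):
    """What a DB-only poller would kick: radacct rows still open whose
    subscriber is not marked paid. Misses sessions accounting never saw."""
    cur = conn.execute("""
        SELECT a.nasipaddress, a.username, a.acctsessionid
          FROM radacct a JOIN subscriber s ON s.username = a.username
         WHERE a.acctstoptime IS NULL AND s.paid <> 'YES'
         ORDER BY a.nasipaddress, a.acctsessionid""")
    return [tuple(r) for r in cur]


def kill_list(conn, nas_status):
    """Jan's variant: trust the NAS about who is online and the DB about
    who may stay. A username with no subscriber row (deleted account) is
    not in the allowed set, so it is kicked as well."""
    allowed = {u for (u, paid) in conn.execute(
        "SELECT username, paid FROM subscriber") if paid == "YES"}
    kills = []
    for nas_ip, sessions in nas_status.items():
        for username, session_id in sessions:
            if username not in allowed:
                kills.append((nas_ip, username, session_id))
    return kills


def stale_in_radacct(conn, nas_status):
    """Open radacct rows the NAS no longer knows about: candidates for a
    synthetic Stop record in the database, not for a disconnect."""
    online = {(ip, sid) for ip, sess in nas_status.items() for (_u, sid) in sess}
    cur = conn.execute("""
        SELECT nasipaddress, username, acctsessionid FROM radacct
         WHERE acctstoptime IS NULL ORDER BY nasipaddress, acctsessionid""")
    return [tuple(r) for r in cur if (r[0], r[2]) not in online]


if __name__ == "__main__":
    db = open_billing_db()
    print("db-only view:", unpaid_open_sessions(db))
    print("kill list:   ", kill_list(db, NAS_STATUS))
    print("stale:       ", stale_in_radacct(db, NAS_STATUS))
```

Run this on a schedule per NAS and feed the kill list to whatever the box offers (a PoD, or the admin-interface 'kill' Jan describes); the stale list goes back into radacct as closed sessions so the two views converge again.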


Re: block users on-the-fly

2006-10-16 Thread Owen DeLong


On Oct 16, 2006, at 6:25 AM, Guilherme Franco wrote:


Hi,

Does anyone already have a program to block freeradius on-the-fly?

i.e.: a user has PAID = YES in the radcheck table. Whenever I set PAID = NO,
the user will no longer authenticate the next time he/she logs in.
OK, this works, but if the user is already logged in, even if I set
PAID = NO, the user will not be rejected (for obvious reasons). This
is important because of the large number of router-mode ADSL users that
never log out. I'm building a program to check the database every x
minutes and, if PAID = NO, return a flag to FreeRADIUS and then reject
the user.

Is there any other means to do that?

Thanks.


The radius protocol only supports processing of authentication requests.
Unless you can get your hardware to send a periodic re-auth request,
there's no way to have them processed by radius again no matter what
you do to the database.  Radius has no push capability.

Your options are:
+   Get your hardware to re-auth periodically.
+   Use another process to boot users (forcing a reauth) when you
change the database.

Owen




Re: block users on-the-fly

2006-10-16 Thread Guilherme Franco

Thanks, I didn't know about the POD (it wasn't on the wiki when I
read it before).

On 10/16/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Mon 16 Oct 2006 16:25, Guilherme Franco wrote:
 Hi,

 Does anyone already have a program to block freeradius on-the-fly?

 i.e.: a user has PAID = YES in the radcheck table. Whenever I set PAID = NO,
 the user will no longer authenticate the next time he/she logs in.
 OK, this works, but if the user is already logged in, even if I set
 PAID = NO, the user will not be rejected (for obvious reasons). This
 is important because of the large number of router-mode ADSL users that
 never log out. I'm building a program to check the database every x
 minutes and, if PAID = NO, return a flag to FreeRADIUS and then reject
 the user.

That's the wrong way to do it. Simply disconnect the user on your NAS at the
same time as setting PAID = NO. The way you do this depends on your NAS, but
PoD comes to mind:

http://wiki.freeradius.org/POD

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




--
Guilherme de Oliveira Franco
Damovo - Brasil


Re: block users on-the-fly

2006-10-16 Thread Guilherme Franco

Thanks Owen

On 10/16/06, Owen DeLong [EMAIL PROTECTED] wrote:


On Oct 16, 2006, at 6:25 AM, Guilherme Franco wrote:

 Hi,

 Does anyone already have a program to block freeradius on-the-fly?

 i.e.: a user has PAID = YES in the radcheck table. Whenever I set PAID = NO,
 the user will no longer authenticate the next time he/she logs in.
 OK, this works, but if the user is already logged in, even if I set
 PAID = NO, the user will not be rejected (for obvious reasons). This
 is important because of the large number of router-mode ADSL users that
 never log out. I'm building a program to check the database every x
 minutes and, if PAID = NO, return a flag to FreeRADIUS and then reject
 the user.

 Is there any other means to do that?

 Thanks.

The radius protocol only supports processing of authentication requests.
Unless you can get your hardware to send a periodic re-auth request,
there's no way to have them processed by radius again no matter what
you do to the database.  Radius has no push capability.

Your options are:
   +   Get your hardware to re-auth periodically.
   +   Use another process to boot users (forcing a reauth) when you
   change the database.

Owen



--
Guilherme de Oliveira Franco
Damovo - Brasil