Alan DeKok wrote:
> Brett Maxfield <[EMAIL PROTECTED]> wrote:
>
>>My understanding is that authentication basically happens once, at
>>logon. What I would like is for some external agent (not radius) to
>>create a list of online users (via SNMP or Telnet/Finger) and
>>periodically re-query that list of users against the radius server to
>>see if they would be authenticated, based on the current situation.
>
> That's problematic, and I'm not sure it's a good idea.
>
> Do you really want to simplify the work of writing and enforcing
> timeouts in an application, by increasing the load on the RADIUS
> server and the network?

I think that you are right, insofar as having re-authentication as part of the radius server itself would be a very bad idea. From a design point of view it should be a completely separate server, but for the sake of reusability of freeradius rules it would make sense to package such a program with freeradius. If this were a separate daemon, it would be up to the user to decide if they needed to run it.

The problem I have with leaving kickoffs up to the user's application is that it means you have to duplicate the rules you have already written as part of the radius daemon in a third party application.

As far as the network load of checking for users, it would have to be left up to the end user. If all the traffic between the kickoff server and the access servers is across an ethernet it might be acceptable.

Cheers
Brett

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html