We'd like to limit the number of simultaneous users on FreeRadius (we
are using freeradius-snapshot-20040203) and a Cisco Aironet 1200
Wireless access point.

We've followed the instructions in Chapter 6 (p.112) of the O'Reilly
Radius book. (We've installed SNMP_Session and BER and set
Simultaneous-Use in etc/raddb/users).

Things are not working and the problem may be that the Aironet 1200
doesn't record user logins when the PEAP protocol is enabled. Cisco
says it does so for the TACACS protocol and that information is in MIB
under TACACS (enterprises.9.2.9.2.1.18.0 .. 16) but since we use Radius 
authentication and not TACACS these OIDs have null values. I'm told, 
however, that we can get the MAC address on each port of the Aironet 1200.

Any suggestions here? 

Looking at how the simultaneous use works in Radius, it calls checkrad
which issues an SNMP request to find out from the AP if a person is
already logged in. One thought we had was to replace the checkrad script
with something that somehow queries the Aironet to get the current
"associations" which give I guess the port number and MAC address. We
would then have to keep a record of each user's MAC address when they
authenticate and check against that. I suppose that would have to be a
hook in the code near where it processes the Radius Accounting Start
records. We would probably also need a hook to remove the MAC address when
the user logs out (Radius Accounting Stop record). Do any such hooks 
already exist?

Again, comments, advice and suggestions are welcome.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
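
The bookkeeping described in the post, sketched as an added example that is not part of the original message and is not FreeRADIUS code: a per-user MAC table driven by Accounting Start/Stop records, checked against the AP's current association list so that a lost Stop record does not lock a user out. Assumptions: `SessionTable` and its methods are hypothetical names, the client MAC is taken from `Calling-Station-Id`, the 0/1 results are meant to mirror checkrad's convention, and fetching the association list from the Aironet is left to the caller.

```python
import re

NOT_LOGGED_IN, LOGGED_IN = 0, 1  # assumed to mirror checkrad's 0/1 convention

def norm_mac(mac):
    """Reduce 00-0A-41-.., 00:0a:41:.. or 000a.41.. to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class SessionTable:
    """Hypothetical user -> {MAC} table fed by Accounting Start/Stop records."""

    def __init__(self):
        self.sessions = {}

    def accounting(self, record):
        user = record["User-Name"]
        mac = norm_mac(record["Calling-Station-Id"])  # assumed to carry client MAC
        if record["Acct-Status-Type"] == "Start":
            self.sessions.setdefault(user, set()).add(mac)
        elif record["Acct-Status-Type"] == "Stop":
            self.sessions.get(user, set()).discard(mac)

    def check(self, user, new_mac, associated):
        """associated: MACs the AP reports as associated right now."""
        live = {norm_mac(m) for m in associated}
        recorded = self.sessions.get(user, set())
        # A lost Stop record leaves a stale entry; trust the AP and prune it.
        recorded &= live
        # Re-authentication from the same device is not a second login.
        others = recorded - {norm_mac(new_mac)}
        return LOGGED_IN if others else NOT_LOGGED_IN

def demo():
    # Constructed sample records and association lists.
    table = SessionTable()
    table.accounting({"User-Name": "alice", "Acct-Status-Type": "Start",
                      "Calling-Station-Id": "00-0A-41-11-22-33"})
    ap_now = ["000a.4111.2233"]
    second_device = table.check("alice", "00:0a:41:44:55:66", ap_now)
    same_device = table.check("alice", "00:0A:41:11:22:33", ap_now)
    after_lost_stop = table.check("alice", "00:0a:41:44:55:66", [])
    return second_device, same_device, after_lost_stop

if __name__ == "__main__":
    print(demo())
```

Because the client chooses its own MAC address, this table limits honest concurrent use; it does not prove that two sessions come from different devices.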
