kartzman <[EMAIL PROTECTED]> wrote:
> We'd like to limit the number of simultaneous users on FreeRadius (We
> are using freeradius-snapshot-20040203) and a Cisco Aironet 1200
> Wireless access point.

Ah, yes... the joys of AP's.

> Things are not working and the problem may be that the Aironet 1200
> doesn't record user logins when the PEAP protocol is enabled. Cisco
> says it does so for the TACACS protocol and that information is in MIB
> under TACACS (enterprises.9.2.9.2.1.18.0 .. 16) but since we use Radius
> authentication and not TACACS these OIDs have null values. I'm told,
> however, that we can get the MAC address on each port of the Aironet 1200.

And all of the users have username "anonymous".

> Looking at how the simultaneous use works in Radius, it calls checkrad
> which issues an SNMP request to find out from the AP if a person is
> already logged in.

If you list the NAS type as "other", this doesn't happen. For your purposes, this may be good enough.

> One thought we had was to replace the checkrad script with something
> that somehow queries the Aironet to get the current "associations"
> which give I guess the port number and MAC address.

I would figure out the "somehow" first, and then worry about how to make FreeRADIUS do that.

> We would then have to keep a record of each user's MAC address when
> they authenticate and check against that. I suppose that would have
> to be a hook in the code near where it processes the Radius
> Accounting Start records. We would probably also need a hook to
> remove the MAC address when the user logs out (Radius Accounting
> Stop record). Do any such hooks already exist?

You can write a module and hook it into the "accounting" section.

Alan DeKok.
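The bookkeeping discussed in this thread (record a MAC on Accounting Start, remove it on Stop, and check the table against the AP's current associations) can be sketched as below. This is an added example, not code from the thread or from FreeRADIUS: `SessionTable`, `norm_mac` and `demo` are hypothetical names, the records are constructed, and the list of associated MACs is assumed to be supplied by the caller, since how to query the Aironet for it is the open "somehow" above.

```python
# Added example, not FreeRADIUS code: a session table keyed by client MAC.
HEX = set("0123456789abcdef")

def norm_mac(mac):
    """Reduce '00-0D-28-AA-BB-01' or '000d.28aa.bb01' to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in HEX)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits

class SessionTable:
    def __init__(self, limit):
        self.limit = limit      # maximum simultaneous clients
        self.active = {}        # normalised MAC -> Acct-Session-Id

    def accounting(self, rec):
        """Apply one accounting record given as a dict of RADIUS attributes."""
        mac = norm_mac(rec["Calling-Station-Id"])
        sid = rec.get("Acct-Session-Id")
        if rec.get("Acct-Status-Type") == "Start":
            self.active[mac] = sid
        elif rec.get("Acct-Status-Type") == "Stop":
            # A late Stop for an older session must not end the current one.
            if self.active.get(mac) == sid:
                del self.active[mac]

    def reconcile(self, associated):
        """Drop sessions whose Stop was lost; `associated` is the AP's current MAC list."""
        live = {norm_mac(m) for m in associated}
        stale = sorted(m for m in self.active if m not in live)
        for m in stale:
            del self.active[m]
        return stale

    def allow(self, mac, associated=None):
        """True if a login from `mac` keeps the table within the limit."""
        if associated is not None:
            self.reconcile(associated)
        return norm_mac(mac) in self.active or len(self.active) < self.limit

def demo():
    """Constructed records: two clients fill a limit of 2, then one Stop is lost."""
    t = SessionTable(limit=2)
    a, b, c = "00-0D-28-AA-BB-01", "000d.28aa.bb02", "00:0d:28:aa:bb:03"
    t.accounting({"Acct-Status-Type": "Start", "Calling-Station-Id": a, "Acct-Session-Id": "s1"})
    t.accounting({"Acct-Status-Type": "Start", "Calling-Station-Id": b, "Acct-Session-Id": "s2"})
    full = t.allow(c)                       # both slots taken
    after = t.allow(c, associated=[b])      # a's Stop was lost; the AP no longer lists it
    return full, after, sorted(t.active)
```

Without the reconcile step, one lost Stop record holds a slot indefinitely, which is the failure that a checkrad-style query against the NAS guards against.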