Re: Restrict to initial NAS used to logon

2008-04-12 Thread Ivan Kalik
Not sure what max access-period would be? If it relates to single
session then use Session-Timeout to fix max length. If it relates to
total time allowed then use sqlcounter (which will set Session-Timeout
dynamically). If you are setting a Session-Timeout that will be the same
for a large number of users use groups and set it (once) in radgroupcheck.

You don't have access to nasname (from clients.conf) and it is not
logged in radacct anyway. What you are describing would work if you add
NAS-Identifier to the schema. If you don't want to alter sql schema you
will have to add NAS-Identifier check into radcheck at first logon.
Every other time the script will run without doing anything - not very
efficient, but ...

Ivan Kalik
Kalik Informatika ISP


Dana 11/4/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:

Hi,

   I will have to consider the NAS-Identifier replacing NAS-IP-Address.
This is not for our use, this is at a customer site. I'm leery about using
a field for something other than its intention (or adding a field that is
unexpected) due to the possibility of them installing a package later on
that has certain expectations of the data being a certain way).

   I later realized that SOMETHING would need to be set in the
radcheck, but was hoping for it to be a bit self contained. I
see things like the Simultaneous use, and the ability to check max
access-period, and was hoping I could somehow tell the system
to SELECT the nasname (if that field existed) from radacct, and
compare against the current nasname from the record. If there was
no current, go ahead. If there was a current, if it matched go
ahead. Maybe even something with the COUNT of unique nasname,
and if it was 0 , its ok. If its 1, better match the current one.

 NAS-Identifier is not stored in radacct by default. But you can add it to
 or replace NAS-IP-Address with it in radacct table and accounting
 queries.

 radacct is used for - accounting. You need to put NAS-Identifier check in
 radcheck to stop users from connecting from other APs. You can run a script
 at logon to insert it or run outside script at certain intervals that
 will set it up for you. Anyway you need to:

 - check radacct if user has logged on before
 - if not insert NAS-Identifier check into radcheck table with the value
 of the current request

 If you add NAS-Identifier field into radacct table you don't need to add
 anything into radcheck. Just run a script at logon that will:

 - check radacct to see if user had logged on before
 - if he had check that value of NAS-Identifier in the request matches the
 one in radacct table

   I was trying to avoid as much outside stuff as possible. I guess I
could perl it if it means that much to me. I was just hoping after seeing
some of the sqlcounter stuff, if there was some way to accomplish it
that way.

   Thanks, Tuc
 Ivan Kalik
 Kalik Informatika ISP



 Dana 10/4/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:

   Is anyone doing anything like this already?
 
They usually use equipment that sends a NAS identifier.
 
 Hi,
 
 Sorry for a second followup, but I just looked over
 the radacct file and don't see anywhere that NAS-Identifier would
 be stored. Or are you saying that I need to still use the
 %{NAS-Identifier} in some sort of check-name?
 
 Thanks, Tuc






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Restrict to initial NAS used to logon

2008-04-11 Thread Ivan Kalik
NAS-Identifier is not stored in radacct by default. But you can add it to
or replace NAS-IP-Address with it in radacct table and accounting
queries.

radacct is used for - accounting. You need to put NAS-Identifier check in
radcheck to stop users from connecting from other APs. You can run a script
at logon to insert it or run outside script at certain intervals that
will set it up for you. Anyway you need to:

- check radacct if user has logged on before
- if not insert NAS-Identifier check into radcheck table with the value
of the current request

If you add NAS-Identifier field into radacct table you don't need to add
anything into radcheck. Just run a script at logon that will:

- check radacct to see if user had logged on before
- if he had check that value of NAS-Identifier in the request matches the
one in radacct table

Ivan Kalik
Kalik Informatika ISP



Dana 10/4/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:

 Is anyone doing anything like this already?

   They usually use equipment that sends a NAS identifier.

Hi,

   Sorry for a second followup, but I just looked over
the radacct file and don't see anywhere that NAS-Identifier would
be stored. Or are you saying that I need to still use the
%{NAS-Identifier} in some sort of check-name?

   Thanks, Tuc




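An added example, not code from the thread or from FreeRADIUS itself, that walks through both variants Ivan describes above (a NAS-Identifier check item written into radcheck at first logon, or a nasidentifier column added to radacct and compared at logon) together with the sqlcounter-style total-time limit from his later reply. sqlite3 stands in for the MySQL backend; table and column names follow the FreeRADIUS SQL schema reduced to the columns used. The nasidentifier column, the request dictionaries, the second AP name TBOH9999, the session id 47fe0070 and the session lengths are constructed for the example (tuc, TBOH2173, 47fe006e and 0.0.0.0 are taken from Tuc's packet dump), and check_items_match is a simplified stand-in for how rlm_sql applies '==' check items, not the module's own logic.

```python
import sqlite3

# Constructed schema: FreeRADIUS radcheck/radacct reduced to the columns used
# here. nasidentifier is the extra column the thread discusses adding; the
# stock schema records only nasipaddress (0.0.0.0 from Tuc's NAS).
SCHEMA = """
CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL,
    attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE radacct (
    radacctid INTEGER PRIMARY KEY AUTOINCREMENT, acctsessionid TEXT NOT NULL,
    username TEXT NOT NULL, nasipaddress TEXT NOT NULL, nasidentifier TEXT,
    acctsessiontime INTEGER NOT NULL DEFAULT 0);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def accounting_start(db, req):
    """What an accounting Start query extended with NAS-Identifier stores."""
    db.execute("INSERT INTO radacct (acctsessionid, username, nasipaddress, nasidentifier)"
               " VALUES (?, ?, ?, ?)",
               (req["Acct-Session-Id"], req["User-Name"],
                req.get("NAS-IP-Address", "0.0.0.0"), req.get("NAS-Identifier")))


def accounting_stop(db, req, session_time):
    db.execute("UPDATE radacct SET acctsessiontime = ? WHERE acctsessionid = ? AND username = ?",
               (session_time, req["Acct-Session-Id"], req["User-Name"]))


def first_nas(db, username):
    """Variant with nasidentifier in radacct: NAS of the user's earliest session, or None."""
    row = db.execute("SELECT nasidentifier FROM radacct WHERE username = ?"
                     " ORDER BY radacctid LIMIT 1", (username,)).fetchone()
    return row[0] if row else None


def authorize_from_radacct(db, req):
    """Accept when the user has never logged on, or comes from the same NAS as before."""
    pinned = first_nas(db, req["User-Name"])
    return pinned is None or pinned == req.get("NAS-Identifier")


def pin_in_radcheck(db, req):
    """Variant with stock radacct: at first logon write a NAS-Identifier == check item
    so rlm_sql itself rejects later requests from any other NAS. Returns True when
    a row was inserted, False when the user is already pinned (the no-op run)."""
    user = req["User-Name"]
    if db.execute("SELECT 1 FROM radcheck WHERE username = ? AND attribute = 'NAS-Identifier'",
                  (user,)).fetchone():
        return False
    db.execute("INSERT INTO radcheck (username, attribute, op, value)"
               " VALUES (?, 'NAS-Identifier', '==', ?)", (user, req["NAS-Identifier"]))
    return True


def check_items_match(db, req):
    """Simplified stand-in for rlm_sql's check-item comparison: every '==' row for
    the user must equal the request attribute; a missing attribute fails the match."""
    rows = db.execute("SELECT attribute, op, value FROM radcheck WHERE username = ?",
                      (req["User-Name"],)).fetchall()
    return all(req.get(attr) == value for attr, op, value in rows if op == "==")


def sqlcounter_session_timeout(db, username, max_seconds):
    """rlm_sqlcounter-style total-time limit: sum the counter query over radacct,
    return the remaining seconds to send as Session-Timeout, or None to reject."""
    (used,) = db.execute("SELECT COALESCE(SUM(acctsessiontime), 0) FROM radacct"
                         " WHERE username = ?", (username,)).fetchone()
    remaining = max_seconds - used
    return remaining if remaining > 0 else None


def demo():
    """Walk the scenario from the thread: first logon on TBOH2173, a re-logon there,
    then an attempt from a second (constructed) AP. Returns every decision made."""
    db = open_db()
    first = {"User-Name": "tuc", "NAS-Identifier": "TBOH2173",
             "NAS-IP-Address": "0.0.0.0", "Acct-Session-Id": "47fe006e"}
    other = {**first, "NAS-Identifier": "TBOH9999", "Acct-Session-Id": "47fe0070"}
    r = {}
    r["first_radacct"] = authorize_from_radacct(db, first)  # no history yet: accept
    r["first_pin"] = pin_in_radcheck(db, first)             # check item written
    accounting_start(db, first)
    accounting_stop(db, first, 1800)                        # 30 minute session
    r["same_radacct"] = authorize_from_radacct(db, first)   # same NAS: accept
    r["same_check"] = check_items_match(db, first)
    r["same_pin"] = pin_in_radcheck(db, first)              # already pinned: no-op
    r["other_radacct"] = authorize_from_radacct(db, other)  # other AP: reject
    r["other_check"] = check_items_match(db, other)
    r["timeout_left"] = sqlcounter_session_timeout(db, "tuc", 3600)  # 1800 s left
    r["timeout_none"] = sqlcounter_session_timeout(db, "tuc", 1800)  # exhausted
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two caveats worth keeping in mind with either variant. NAS-Identifier is a string the NAS chooses and puts in the packet, so pinning on it trusts the NAS exactly as far as its shared secret does; Alan's Packet-Src-IP-Address is the source address the server itself observed rather than an attribute the NAS supplies, which is what makes it the harder-to-forge alternative. The radacct variant also only sees sessions whose accounting Start has already arrived, so two first logons racing between Access-Accept and Acct-Start could both pass; writing the pin into radcheck during authorization closes that window. On Tuc's equipment-swap concern: NAS-Identifier is configured on the device, so a replacement AP given the same identifier keeps existing pins valid, which Called-Station-Id (the AP's MAC) would not.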

Re: Restrict to initial NAS used to logon

2008-04-11 Thread Tuc at T-B-O-H.NET
Hi,

I will have to consider the NAS-Identifier replacing NAS-IP-Address.
This is not for our use, this is at a customer site. I'm leery about using
a field for something other than its intention (or adding a field that is
unexpected) due to the possibility of them installing a package later on
that has certain expectations of the data being a certain way).

I later realized that SOMETHING would need to be set in the
radcheck, but was hoping for it to be a bit self contained. I
see things like the Simultaneous use, and the ability to check max
access-period, and was hoping I could somehow tell the system
to SELECT the nasname (if that field existed) from radacct, and
compare against the current nasname from the record. If there was
no current, go ahead. If there was a current, if it matched go
ahead. Maybe even something with the COUNT of unique nasname,
and if it was 0 , its ok. If its 1, better match the current one.
 
 NAS-Identifier is not stored in radacct by default. But you can add it to
 or replace NAS-IP-Address with it in radacct table and accounting
 queries.
 
 radacct is used for - accounting. You need to put NAS-Identifier check in
 radcheck to stop users from connecting from other APs. You can run a script
 at logon to insert it or run outside script at certain intervals that
 will set it up for you. Anyway you need to:
 
 - check radacct if user has logged on before
 - if not insert NAS-Identifier check into radcheck table with the value
 of the current request
 
 If you add NAS-Identifier field into radacct table you don't need to add
 anything into radcheck. Just run a script at logon that will:
 
 - check radacct to see if user had logged on before
 - if he had check that value of NAS-Identifier in the request matches the
 one in radacct table

I was trying to avoid as much outside stuff as possible. I guess I
could perl it if it means that much to me. I was just hoping after seeing
some of the sqlcounter stuff, if there was some way to accomplish it 
that way.

Thanks, Tuc 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 
 Dana 10/4/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:
 
Is anyone doing anything like this already?
 
They usually use equipment that sends a NAS identifier.
 
 Hi,
 
  Sorry for a second followup, but I just looked over
 the radacct file and don't see anywhere that NAS-Identifier would
 be stored. Or are you saying that I need to still use the
 %{NAS-Identifier} in some sort of check-name?
 
  Thanks, Tuc

Restrict to initial NAS used to logon

2008-04-10 Thread Tuc at T-B-O-H.NET
Hi,

Looking to restrict a user to only be able to log in
and re-log in to the initial NAS they first ever logged onto.
(Hotspot)  Looking at the radacct file where it looks like
the check-items normally go against, I'm not seeing anything I
can use as an identifier. The nasipaddress is always 0.0.0.0.
Maybe calledstationid, except if we swap equipment out during
the lifetime of a users id it won't match. 

Is anyone doing anything like this already?

Thanks, Tuc


Re: Restrict to initial NAS used to logon

2008-04-10 Thread Alan DeKok
Tuc at T-B-O-H.NET wrote:
   Looking to restrict a user to only be able to log in
 and re-log in to the initial NAS they first ever logged onto.
 (Hotspot)  Looking at the radacct file where it looks like
 the check-items normally go against, I'm not seeing anything I
 can use as an identifier. The nasipaddress is always 0.0.0.0.
 Maybe calledstationid, except if we swap equipment out during
 the lifetime of a users id it won't match. 
 
   Is anyone doing anything like this already?

  They usually use equipment that sends a NAS identifier.

  Or, use the Packet-Src-IP-Address attribute.

  Alan DeKok.


Re: Restrict to initial NAS used to logon

2008-04-10 Thread Tuc at T-B-O-H.NET
 
 Tuc at T-B-O-H.NET wrote:
  Looking to restrict a user to only be able to log in
  and re-log in to the initial NAS they first ever logged onto.
  (Hotspot)  Looking at the radacct file where it looks like
  the check-items normally go against, I'm not seeing anything I
  can use as an identifier. The nasipaddress is always 0.0.0.0.
  Maybe calledstationid, except if we swap equipment out during
  the lifetime of a users id it won't match. 
  
  Is anyone doing anything like this already?
 
   They usually use equipment that sends a NAS identifier.

Hrm I just originally went on the assumption that the sending
side was partially braindead, and wasn't sending it. Your comment
made me dump a session on 1812 and 1813...
1812:
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x0 (0)
Length: 216
Authenticator: A9A4B05B3C01784A8DF58849DB987135
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=5  t=User-Name(1): tuc
AVP: l=18  t=CHAP-Challenge(60): 894209E703975A194529D13926790197
AVP: l=19  t=CHAP-Password(3): 0A6E0AEA789A9A0AF0E2A7F15B04E6A289
AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
AVP: l=6  t=Service-Type(6): Login-User(1)
AVP: l=6  t=Framed-IP-Address(8): 192.168.182.4
AVP: l=19  t=Calling-Station-Id(31): 00-10-A4-10-8D-A6
AVP: l=19  t=Called-Station-Id(30): 00-16-01-91-E9-46
AVP: l=10  t=NAS-Identifier(32): TBOH2173
AVP: l=18  t=Acct-Session-Id(44): 47fe006e
AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=6  t=NAS-Port(5): 0
AVP: l=18  t=Message-Authenticator(80): F0AE0A9EE7DAC32F9AA6089A5A9C3A70
AVP: l=40  t=Vendor-Specific(26) v=WISPr(14122)

1813:

Radius Protocol
Code: Accounting-Request (4)
Packet identifier: 0x6 (6)
Length: 142
Authenticator: 48DCF71BE50EC2E9ECC17825FB6D2417
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=6  t=Acct-Status-Type(40): Start(1)
AVP: l=5  t=User-Name(1): tuc
AVP: l=11  t=Class(25): 303730333435363738
AVP: l=19  t=Calling-Station-Id(31): 00-10-A4-10-8D-A6
AVP: l=19  t=Called-Station-Id(30): 00-16-01-91-E9-46
AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=6  t=NAS-Port(5): 0
AVP: l=10  t=NAS-Port-Id(87): 
AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
AVP: l=10  t=NAS-Identifier(32): TBOH2173
AVP: l=6  t=Framed-IP-Address(8): 192.168.182.4
AVP: l=18  t=Acct-Session-Id(44): 47fe006e


So it looks like its sending it, just not making it into
the radacct files. :-/ So where to start looking for that?

   Or, use the Packet-Src-IP-Address attribute.
 
Thats gonna take a bit of headscratching to figure out
about. :) But thanks for the lead.

Tuc


Re: Restrict to initial NAS used to logon

2008-04-10 Thread Tuc at T-B-O-H.NET
  Is anyone doing anything like this already?
 
   They usually use equipment that sends a NAS identifier.
 
Hi,

Sorry for a second followup, but I just looked over
the radacct file and don't see anywhere that NAS-Identifier would
be stored. Or are you saying that I need to still use the
%{NAS-Identifier} in some sort of check-name?

Thanks, Tuc


Re: Restrict to initial NAS used to logon

2008-04-10 Thread Ivan Kalik
   So it looks like its sending it, just not making it into
the radacct files. :-/ So where to start looking for that?

   Or, use the Packet-Src-IP-Address attribute.

   Thats gonna take a bit of headscratching to figure out
about. :) But thanks for the lead.


Since you don't need NAS-IP-Address you can replace it with
NAS-Identifier in sql.conf schema.

Ivan Kalik
Kalik Informatika ISP
