FreeRadius Server: RadGroupReply attribute for maximum connected users

freeradius

I have a FreeRadius server and I'd like to set a limitation for the number of users connected to a specific NAS. My current setup is that every user that connects to a certain NAS is added to the Radius User Group that is attached to that NAS. Then, RadGroupReply does the stuff that I want to do for the users of a specific NAS. Currently, I am able to set a maximum download speed restriction as well as session timeout, but I'm wondering what attribute to use if I were to limit the maximum number of users allowed to connect to a specific NAS.

Thanks.

Best Answer

Sure, first you need to set up RADIUS accounting with an SQL database like PostgreSQL or MySQL.

Then you need to implement a solution for stale session detection. This can be as simple as enabling Interim-Updates and closing out sessions where the last update was before (NOW() - <interim time>) using a cron job. How to calculate a time in the past varies wildly from database to database, so you'll have to find the right syntax for the database you use.

Finally you'd need to write an unlang policy that gets a live session count for a NAS and compares it to the configured maximum. In FreeRADIUS v3.0.x you can associate arbitrary pairs with NAS by adding them to client sections.

Example client section:

client test {
    ipaddr = 127.0.0.1
    secret = 'testing123'
    max_users = 10
}

Example policy:

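authorize {
    # Live sessions are rows with no stop time. SQL needs IS NULL for that test,
    # because a comparison written as "!= NULL" never matches any row.
    # >= rejects the request once the NAS already has max_users sessions open.
    if ("%{sql:SELECT COUNT(*) FROM radacct WHERE nasipaddress = '%{NAS-IP-Address}' AND acctstoptime IS NULL}" >= "%{client:max_users}") {
        update reply {
            Reply-Message := 'Sorry, too many users connected, please try again later'
        }
        reject
    }
}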
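The stale-session cleanup and live-session count described in the answer, as an added example that is not the answer author's code. SQLite stands in for the accounting database, timestamps are epoch integers rather than the database's datetime type, and the 300-second interim interval, the grace factor and the sample rows are constructed assumptions.

```python
import sqlite3

INTERIM_SECONDS = 300  # assumed Acct-Interim-Interval configured on the NAS
GRACE = 2              # assumed: tolerate one missed Interim-Update

def close_stale(db, now):
    """Close open sessions whose last update is older than the cutoff."""
    cutoff = now - GRACE * INTERIM_SECONDS
    cur = db.execute(
        "UPDATE radacct SET acctstoptime = acctupdatetime "
        "WHERE acctstoptime IS NULL AND acctupdatetime < ?", (cutoff,))
    db.commit()
    return cur.rowcount  # number of sessions closed by this run

def live_sessions(db, nas_ip):
    """Count sessions on one NAS that have no stop time yet."""
    # The NAS address is bound as a parameter, never pasted into the SQL text.
    row = db.execute(
        "SELECT COUNT(*) FROM radacct "
        "WHERE nasipaddress = ? AND acctstoptime IS NULL", (nas_ip,)).fetchone()
    return row[0]

def admit(db, nas_ip, max_users):
    """True if one more user still fits under the per-NAS limit."""
    return live_sessions(db, nas_ip) < max_users

def demo_db(now):
    """Build an in-memory radacct table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, nasipaddress TEXT, "
               "acctupdatetime INTEGER, acctstoptime INTEGER)")
    rows = [
        ("alice", "127.0.0.1", now - 60, None),         # live, recently updated
        ("bob", "127.0.0.1", now - 120, None),          # live, recently updated
        ("carol", "127.0.0.1", now - 7200, None),       # stale: Stop never arrived
        ("dave", "127.0.0.1", now - 900, now - 900),    # already closed
        ("erin", "192.0.2.10", now - 30, None),         # live on a different NAS
    ]
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    return db

if __name__ == "__main__":
    now = 1_700_000_000  # fixed "current time" so the run is repeatable
    db = demo_db(now)
    print("before cleanup:", live_sessions(db, "127.0.0.1"), admit(db, "127.0.0.1", 3))
    print("closed:", close_stale(db, now))
    print("after cleanup:", live_sessions(db, "127.0.0.1"), admit(db, "127.0.0.1", 3))
```

Without the cleanup, the session whose Stop packet never arrived keeps counting against the limit and the NAS refuses users it has room for.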