help-gnu-radius

Re: [Help-gnu-radius] Fall-through


From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] Fall-through
Date: Thu, 21 Feb 2002 13:42:18 +0200

> DEFAULT Group = "web", Simultaneous-Use = 0
>         Fall-Through = 1
> 
> DEFAULT Group = "unlim", Simultaneous-Use = 1
>         Fall-Through = 1
> 
>     What I need to know is, which Simultaneous-Use would take effect -- the
> first, or the second?

This is determined by the so-called 'additivity' bit. If you wish the
first occurrence to take effect, you should set the additivity to
'none'. To do so, the corresponding line in your raddb/dictionary
must be:

ATTRIBUTE       Simultaneous-Use        1034    integer - [L--R-R]N

(the last 'N' on the line sets the additivity).

Similarly, if you wish the second occurrence to take precedence over
the first, you should set the additivity to replace:

ATTRIBUTE       Simultaneous-Use        1034    integer - [L--R-R]=

>     Also, I'm looking at having some servers (eg. mail) taking their
> passwords from Radius, and I was wondering, is there a way to set it up so

You may use PAM to achieve this functionality. The pam_radius module
from the distribution provides a way to authenticate through radius.
It does not provide for accounting, though.

> that I can have Simultaneous-Use = 1, and they can only dial in once, but
> can connect as many times as they like to other servers?

That is more difficult to implement. It assumes some kind of caching of
the authentication credentials, which radius does not provide. However,
the SQL accounting table may be used for authentication purposes, but
you'll have to write a PAM module for it. The basic idea is: the
module looks into the accounting table for a record with user_name containing
the name of the user being authenticated and status field = 1. The
presence of such a record means that the user is currently on-line, so
the module returns a positive response, otherwise it should return
a negative response.

Regards,
Sergey
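
The additivity rule described in the reply above, as a small model. This is an added example, not part of the original message and not GNU Radius code. It assumes a user who belongs to both groups, so that both DEFAULT entries match; the function names and the profile representation are hypothetical.

```python
# Simplified model of the merge rule from the reply; not GNU Radius code.
NONE, REPLACE = "N", "="  # additivity flags shown in the two dictionary lines


def parse_additivity(line):
    """Return (attribute name, additivity flag) from an ATTRIBUTE line."""
    fields = line.split()
    if len(fields) < 6 or fields[0] != "ATTRIBUTE":
        raise ValueError("not an ATTRIBUTE line with a flags field: %r" % line)
    flags = fields[5]
    close = flags.rfind("]")
    if close == -1 or close + 1 >= len(flags):
        raise ValueError("no additivity flag after ']': %r" % flags)
    return fields[1], flags[close + 1:]


def merge(pairs, name, value, additivity):
    """Add one pair to the accumulated list according to its additivity."""
    if additivity not in (NONE, REPLACE):
        raise ValueError("additivity %r is not modelled here" % additivity)
    if name not in pairs or additivity == REPLACE:
        pairs[name] = value  # first occurrence, or a later one replaces it
    # NONE with an existing value: the earlier value is kept


def effective_pairs(dictionary_line, profiles, user_groups):
    """Walk matching profiles in file order, honouring Fall-Through."""
    attr, additivity = parse_additivity(dictionary_line)
    pairs = {}
    for profile in profiles:
        if profile["Group"] not in user_groups:
            continue
        merge(pairs, attr, profile[attr], additivity)
        if not profile["Fall-Through"]:
            break
    return pairs


# Constructed input: the two DEFAULT entries from the question and a
# hypothetical user who is a member of both groups.
PROFILES = [
    {"Group": "web", "Simultaneous-Use": 0, "Fall-Through": 1},
    {"Group": "unlim", "Simultaneous-Use": 1, "Fall-Through": 1},
]
GROUPS = {"web", "unlim"}
KEEP_FIRST = "ATTRIBUTE       Simultaneous-Use        1034    integer - [L--R-R]N"
TAKE_LAST = "ATTRIBUTE       Simultaneous-Use        1034    integer - [L--R-R]="
```
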


