access-request:
- check sessions table for non-expired and confirmed sessions based on whatever criteria (e.g. same username)
- return count in criteria-dependent attribute (behaviour file may use that value in its policy; database may have a limit)
before access-accept:
- insert new record containing interval and timeout, not confirmed, expiry is now + 60
- set class to nonce . last record id . orig-class (from upstream and/or our own profile) . hmac
accounting:
- check dup, if dup, respond, done
- verify class hmac
- insert accounting record, also including verified status
- if accounting-start:
  - update expiry to now + session_timeout
  - update confirmed to yes
- else if accounting-interim:
  - update expiry to now + period * 2
  - update confirmed to yes
- else if accounting-stop:
  - update expiry to now
  - update confirmed to yes
- before proxying, get orig-class from Class and set Class to it.
- proxy
- reply
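
The Class wrapping and the accounting-side hmac check above, as an added example (not part of the original notes). It assumes HMAC-SHA256, an 8-byte nonce and a 64-bit big-endian record id, none of which the notes specify; build_class and open_class are hypothetical names.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 8               # assumed size; the notes do not fix one
MAC_LEN = 32                # full HMAC-SHA256 output (assumed algorithm)
MAX_ATTR_VALUE = 253        # RADIUS attribute value limit (RFC 2865)
_REC = struct.Struct("!Q")  # record id as 64-bit big-endian (assumed)


def build_class(key, record_id, orig_class, nonce=None):
    """Before Access-Accept: nonce . record id . orig-class . hmac."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("bad nonce length")
    body = nonce + _REC.pack(record_id) + orig_class
    # The wrapped value must still fit in a single Class attribute.
    if len(body) + MAC_LEN > MAX_ATTR_VALUE:
        raise ValueError("orig-class too long to wrap in one Class attribute")
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_class(key, value):
    """Accounting: verify the hmac; return (record_id, orig_class) or None."""
    if len(value) < NONCE_LEN + _REC.size + MAC_LEN:
        return None  # Class absent, truncated, or not issued by us
    body, mac = value[:-MAC_LEN], value[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare
        return None
    (record_id,) = _REC.unpack_from(body, NONCE_LEN)
    # Fixed-width fields first and hmac last leave orig-class unambiguous.
    return record_id, body[NONCE_LEN + _REC.size:]


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed sample key
    wrapped = build_class(key, 42, b"upstream-class")
    print(open_class(key, wrapped))                 # verified
    print(open_class(key, wrapped[:-1] + b"\x00"))  # altered hmac
```

A None result is what gets stored as the unverified status in the accounting record; on success, orig_class is the value to put back in Class before proxying.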
