Re: Checkrad / Simultaneous-Use clarification please

Thu, 10 Sep 2009 04:10:42 -0700 

From: "Alan DeKok" <al...@deployingradius.com>

"If you want to check the stripped user name... then use it."



How can I control this?  I am assuming you are referring to proxy.con realm 
configuration?


"Why you ask?"


The 'powers that be' have declared that the same userid may log in via 
multiple realms (access technologies) up to a certain connection limit.
So u...@realm1 and u...@realm2 count as 2 connections for user.  In their 
original form, radius would view them as two distinct userids.



I need the form 'u...@realm' for authentication right after the 
simultaneous-use check.



How, specifically, can I get the Simultaneous-Use function to use the 
Stripped-User-Name (proxy.conf)? and yet use the original User-Name for the 
remainder of the processing?  (I have seen references to variable in some 
cases having a form of %{prefix:User-Name} but am unclear of how/where  that 
can/should be used.



I have searched the internet, the docs available, and some of the source 
code in attempting to understand freeradius, only posting questions when I 
am truly puzzled.  Indications of "how" to do (or NOT do) something are most 
appreciated.  This is a significant upgrade effort, and I'm ok with 
re-designing how things are achieved, if I can determine WHAT the 'best way' 
should be.  I have NO control over the rules that apply to users and 
accounts in the real world.  (I especially love when they CONTRADICT! - 
Marketing...)


Thanks,
-craig


----- Original Message ----- 
From: "Alan DeKok" <al...@deployingradius.com>

To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Sent: Thursday, September 10, 2009 4:16 AM
Subject: Re: Checkrad / Simultaneous-Use clarification please



Craig Campbell wrote:

We currently have users that log in both with and without realms.


 Well... then you have to manage that.


In radutmp we log the stripped username (i.e. no realm component).


 Why?


Since the radutmp data has no realm  part for the username, how do I get
the Simultaneous-Use code to check the username without the realm
component? Currently the realm portion is carried through until the
accounting processing (for radutmp).


 I don't understand.  You give radutmp a stripped user name, but you
don't give the session checking a stripped user name?

 If you want to check the stripped user name... then use it.


If I understand correctly, f...@comfort will pass Sinultaneous-Use
because radutmp is logging these as just "fred".


 Yes.  Because you told it to treat them as different users.

 If you want the simultaneous checking to check the stripped user name,
then strip the user name...

 Alan DeKok.

-

List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



__________ Information from ESET Smart Security, version of virus 
signature database 4412 (20090909) __________


The message was checked by ESET Smart Security.

http://www.eset.com






__________ Information from ESET Smart Security, version of virus signature 
database 4412 (20090909) __________

The message was checked by ESET Smart Security.

http://www.eset.com



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






















					Reply via email to