Hello,
> Run the radius server in debugging mode (-x) and see what the NAS actually
> sends to the server when a person tries to authenticate. That will show you
> the data you can use in the users file to help determine where packets get
> proxied. I believe the Called-Station-Id is sent only in accounting packets,
> which is sent after successful authentication.
>

My understanding is that freeradius first checks radutmp and if it sees a user logged on with the same username as one attempting to log on, it calls checkrad to query the NAS. This from the documentation on Simultaneous-Use:

"...Only when someone tries to login who _already_ has an active session according to the radutmp file, the server executes the perl script /usr/local/sbin/checkrad (or /usr/sbin/checkrad, it checks for the presence of both and in that order). This script queries the terminal server to see if the user indeed already has an active session."

Now, it makes sense to me that this checking would be done before the authentication process, since it is the more efficient path. However, I am not familiar with the logic flow of freeradius, so I do not know this for certain.

If it does check radutmp, and call checkrad when necessary, before authentication, then it has access to the Called-Station-Id, since this is available in the requesting packet from the new user. It also has access to the Called-Station-Id for all users currently logged on, since the NAS keeps record of this in a table. At least my NAS does, since this is how they know which modem bank to assign my customers to.

So, I am fairly certain that both the username and Called-Station-Id are available when/if checkrad is called. Since this is written in perl, it would be the most logical place to start working on a fix; i.e., would require recompiles of radiusd.c. However, I cannot see any traffic coming out of the checkrad script, it doesn't seem to be writing to checkrad.log.

Does freeradius-0.7.1, in fact, call the perl script checkrad? I did find where checkrad is called from the session.c module, so I know that the thought is in the code, but it doesn't seem to get triggered. However, I also see in my radius.log that certain sessions are being flagged as 'Multiple logins,' so I know something is catching them, but I don't know what. Do you?

I will look at running freeradius in debug mode, but I would rather set debug flags in checkrad.

> Have you looked into using realms?

I read this in the duplicate-users documentation:

"Now, about now, many of you are thinking, "what about realms?" Well, realms are great, but, in general, it will require the end user to add "@domain.com", which is a pain. It means ISP A has to call 375 people and tell them to add that to their login name."

and decided against realms, since I would have to notify a few thousand people.

Thanks,
Murrah Boswell

>
> Kevin Bonner
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
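
Added example (not part of the original message and not FreeRADIUS code): a small Python model of the Simultaneous-Use flow quoted from the documentation above, showing why a session table matched on username alone reports a second login for two different customers who share a login name, and how also matching Called-Station-Id separates them. The names `Session`, `nas_has_session`, `check_login` and `sample_state`, and all sample data, are constructed for illustration; that the NAS session table records the Called-Station-Id is the poster's premise.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    username: str
    called_station_id: str  # number the customer dialed
    nas_port: int

def nas_has_session(nas_table, session):
    """Stand-in for the checkrad query: is this session really up on the NAS?"""
    return session in nas_table

def check_login(radutmp, nas_table, username, called_station_id,
                max_sessions=1, key_on_called_station=False):
    """Return (allowed, live_sessions). Stale radutmp entries are pruned."""
    def same_user(s):
        if s.username != username:
            return False
        # Hypothetical variant: treat dial-in number as part of the identity.
        return (not key_on_called_station
                or s.called_station_id == called_station_id)

    candidates = [s for s in radutmp if same_user(s)]
    if not candidates:
        return True, 0  # nothing in radutmp, so the NAS is never queried
    live = [s for s in candidates if nas_has_session(nas_table, s)]
    for s in candidates:
        if s not in live:
            radutmp.remove(s)  # session table was out of date
    return len(live) < max_sessions, len(live)

def sample_state():
    """Constructed data: one live session and one stale radutmp entry."""
    live = Session("jsmith", "5550100", 3)    # customer of ISP A
    stale = Session("mjones", "5550200", 7)   # hung up, stop record lost
    return [live, stale], {live}

if __name__ == "__main__":
    radutmp, nas = sample_state()
    # A different "jsmith" dials ISP B's number.
    print(check_login(radutmp, nas, "jsmith", "5550200"))
    print(check_login(radutmp, nas, "jsmith", "5550200",
                      key_on_called_station=True))
    print(check_login(radutmp, nas, "mjones", "5550200"), len(radutmp))
```
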
