> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Friday, February 20, 2004 3:25 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Port limit & concurrency checks, wholesale
> accounting, and dealing with dead servers
>
>
> "Troy Settle" <[EMAIL PROTECTED]> wrote:
> > I've searched a bit on this, but am coming up empty handed so far. Can
> > anyone point me in the right direction for enforcing port-limit as
> > passed by the home server?
>
> I don't think you're supposed to enforce it. The NAS is supposed to
> enforce it.

I'm sorry, I thought this was why most radius servers now have concurrency checking built in. Why would FreeRadius have something like radcheck if not to enforce the total number of concurrent logins each user is allowed to have?

So, NAS-1 is supposed to know that [EMAIL PROTECTED] is logged in on NAS-2 and not allow the connection? I don't know what equipment you're using Alan, but my boxes (Lucent TNT) do not talk amongst themselves from pop to pop.

The problem when you're a proxy server, is that you don't know how many ports (logins) a particular user is allowed unless the home server sends a radius attribute such as 'Port-Limit' in response to the authentication request. If there's a mechanism in Freeradius for this, I've not yet seen it.

>
> > I've come to the conclusion that depending on my wholesale customers
> > to enforce concurrency limits is not getting me very far.
>
> It's difficult to solve political problems in software. Not
> impossible, just difficult.

In this case, it shouldn't even be difficult. Freeradius already has concurrency checks (awkwardly called simultaneous-use). I just need to know how to enforce those checks based on information passed from the home server. I also need to know how to track those limits so that I can accurately bill the VISP for his customers that are allowed to use multiple ports (multiple ports per login, or just multiple logins per customer).

>
> > Second, does anyone have any suggestions/scripts/whatever for tracking
> > port usage on a per-realm basis?
>
> Per-realm rlm_counter?

Ok, at the end of the month, how does rlm_counter tell me the min/max/average/95th-percentile for each realm? I was hoping for something more along the lines of a script written in whichever language that could parse out a detail file or SQL database for a given time period and report back. I could do this with MRTG or similar, but I'd rather not.

>
> > Finally, if a home server is marked as dead, is there a way I can get
> > Freeradius to go ahead and authenticate the caller under a special
> > profile?
>
> DEFAULT realm.

I was thinking something more along the lines of a check item to determine if the home server is dead or alive. One person responded with the suggestion of a second entry in the proxy.conf that points to an open server, which I do now. I was hoping to be able to do this in a single server.

--
Troy Settle
Pulaski Networks
http://www.psknet.com
866.477.5638

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
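
The per-realm usage report asked about in the message above can be sketched as follows; this is an added example, not part of the original message and not FreeRADIUS code. It assumes accounting records in detail-file layout that carry `User-Name`, `Acct-Status-Type`, `Acct-Session-Id` and an epoch `Timestamp`, takes the realm from the `user@realm` suffix, and uses hypothetical names (`parse_detail`, `realm_usage`) and constructed sample data.

```python
import math
import re
import time
from collections import defaultdict

T0 = 1077235200  # constructed window start, epoch seconds
# Constructed sample in detail-file layout: two realms; session s3 never gets a Stop.
def make_record(ts, user, sid, status):
    stamp = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(ts))
    return (f'{stamp}\n\tUser-Name = "{user}"\n\tAcct-Status-Type = {status}\n'
            f'\tAcct-Session-Id = "{sid}"\n\tTimestamp = {ts}\n')

SAMPLE_DETAIL = "\n".join(make_record(T0 + off, *rest) for off, *rest in [
    (60, "alice@visp-a.example", "s1", "Start"), (200, "carol@visp-b.example", "s4", "Start"),
    (400, "bob@visp-a.example", "s2", "Start"), (500, "alice@visp-a.example", "s3", "Start"),
    (590, "bob@visp-a.example", "s2", "Stop"), (1000, "alice@visp-a.example", "s1", "Stop"),
    (1300, "carol@visp-b.example", "s4", "Stop")])

def parse_detail(text):
    """Yield (timestamp, realm, session_id, status); realm = User-Name suffix after '@' (assumption)."""
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        attrs = dict(re.findall(r'^[ \t]+([\w-]+) = "?([^"\n]*)"?$', block, re.M))
        user = attrs.get("User-Name", "")
        realm = user.rpartition("@")[2] if "@" in user else "NULL"
        yield int(attrs["Timestamp"]), realm, attrs["Acct-Session-Id"], attrs["Acct-Status-Type"]

def realm_usage(text, start, end, step=300):
    """Sample open sessions per realm every `step` seconds over [start, end]."""
    events = sorted(parse_detail(text))
    realms = {e[1] for e in events}
    active, samples, i = defaultdict(set), defaultdict(list), 0
    for t in range(start, end + 1, step):
        while i < len(events) and events[i][0] <= t:
            _, realm, sid, status = events[i]
            if status == "Start":
                active[realm].add(sid)
            elif status == "Stop":  # a session with no Stop record stays counted
                active[realm].discard(sid)
            i += 1
        for realm in realms:
            samples[realm].append(len(active[realm]))
    report = {}
    for realm, s in samples.items():
        ranked = sorted(s)  # p95 below is the nearest-rank percentile
        report[realm] = {"min": ranked[0], "max": ranked[-1], "avg": sum(s) / len(s),
                         "p95": ranked[math.ceil(0.95 * len(ranked)) - 1]}
    return report

if __name__ == "__main__":
    print(realm_usage(SAMPLE_DETAIL, T0, T0 + 1500, step=60))
```

Sessions whose Stop record was lost (for example after a NAS reboot) inflate every later sample, so a billing run should cap or expire them before trusting the totals.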

