"Troy Settle" <[EMAIL PROTECTED]> wrote:
> I'm sorry, I thought this was why most radius servers now have
> concurrency checking built in.  Why would FreeRadius have something like
> radcheck if not to enforce the total number of concurrent logins each
> user is allowed to have?

  FreeRADIUS does this when configured, but it doesn't currently use
Port-Limit to enforce that when home servers ask for limiting
concurrent logins.

> So, NAS-1 is supposed to know that [EMAIL PROTECTED] is logged in
> on NAS-2 and not allow the connection?  I don't know what equipment
> you're using Alan, but my boxes (Lucent TNT) do not talk amongst
> themselves from pop to pop.

  I understand.  But can't the home server track and enforce
simultaneous access?  That makes a huge amount more sense.

  Think of what happens when there are 4 POP providers doing
proxying.  A home server sends each "Port-Limit = 2" for a user, and
now the user can login 8 times!  The horror!

  It's not up to the proxying server to enforce concurrent logins for
a home server.  And Port-Limit is NOT the right attribute to use.
From the RFCs, Port-Limit:

---
        is intended for use in conjunction with Multilink PPP [12] or
        similar uses.
---

  I'm not sure that Multilink PPP works across multiple NASes.  If it
does, then there's some reason for a proxying server to remember and
enforce Port-Limit.  If it doesn't, then the proxying server should
send the attribute back to the NAS, and forget about it.

> The problem when you're a proxy server, is that you don't know how many
> ports (logins) a particular user is allowed unless the home server sends
> a radius attribute such as 'Port-Limit' in response to the
> authentication request.

  Please explain why it's the responsibility of the proxy server to
track this.  Please explain how this works across multiple POP
providers.

  It doesn't.  Port-Limit isn't intended to limit concurrent access.

> In this case, it shouldn't even be difficult.  Freeradius already has
> concurrency checks (awkwardly called simultaneous-use).  I just need to
> know how to enforce those checks based on information passed from the
> home server.

  Put the Port-Limit into a database, and do:

DEFAULT   Realm = "port-limit-realm", Simultaneous-Use = `%{db: get Port-Limit}`

  Dynamic expansion of variables is a cool thing.
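
A small Python model, added here as an illustration and not FreeRADIUS code, of the two enforcement points argued over above: the home server applying a per-user Simultaneous-Use limit against accounting from every POP, versus each proxying POP applying the same limit with only its own session state. The user name, POP names and the per-user limit table are constructed; the limit lookup stands in for whatever database the users-file expansion would query.

```python
from collections import defaultdict


class SessionTracker:
    """radutmp-style table of live sessions for one enforcement point, with
    a per-user Simultaneous-Use limit applied at Access-Request time."""

    def __init__(self, limits, default_limit=1):
        self.limits = limits              # user -> allowed concurrent logins
        self.default_limit = default_limit
        self.active = defaultdict(set)    # user -> {(nas, session_id)}

    def access_request(self, user):
        """Simultaneous-Use check: reject once the live-session count
        reaches the user's limit (constructed lookup, e.g. from a database)."""
        limit = self.limits.get(user, self.default_limit)
        return "Access-Accept" if len(self.active[user]) < limit else "Access-Reject"

    def accounting_start(self, user, nas, session_id):
        self.active[user].add((nas, session_id))

    def accounting_stop(self, user, nas, session_id):
        self.active[user].discard((nas, session_id))

    def live_sessions(self, user):
        return len(self.active[user])


def logins_admitted(limits, attempts, enforce_at="home"):
    """Replay login attempts (user, pop, nas, session_id) and return how many
    are accepted.  enforce_at="home": one tracker sees all POPs' accounting.
    enforce_at="pop": each POP's proxy enforces with only its own state."""
    home = SessionTracker(limits)
    per_pop = defaultdict(lambda: SessionTracker(limits))
    accepted = 0
    for user, pop, nas, sid in attempts:
        tracker = home if enforce_at == "home" else per_pop[pop]
        if tracker.access_request(user) == "Access-Accept":
            tracker.accounting_start(user, nas, sid)  # NAS confirms the session
            accepted += 1
    return accepted


# Constructed input: one user allowed 2 concurrent logins, who tries 3
# logins at each of 4 proxying POPs.
LIMITS = {"user@port-limit-realm": 2}
ATTEMPTS = [("user@port-limit-realm", f"pop{p}", f"nas{p}", f"sess{p}-{n}")
            for p in range(1, 5) for n in range(3)]

if __name__ == "__main__":
    print("home server enforces:", logins_admitted(LIMITS, ATTEMPTS))      # 2
    print("each POP enforces:", logins_admitted(LIMITS, ATTEMPTS, "pop"))  # 8
```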

>  I also need to know how to track those limits so that I can
> accurately bill the VISP for his customers that are allowed to use
> multiple ports (multiple ports per login, or just multiple logins
> per customer).

  You don't track the limits.  You enforce the limits.  Once you
enforce the limits, you record user activity in your accounting logs.
You then bill from those accounting logs.

  What the home server sent for Port-Limit is irrelevant, unless
you're billing based on services the user *could* have used, but chose
not to.  In that case, you can bill them infinite amounts for
providing no services...

> Ok, at the end of the month, how does rlm_counter tell me the
> min/max/average/95th-percentile for each realm?

  No, but it's a simple DB.  There's a perl script to root through
it.  You can edit the script to get such statistics.

> I was thinking something more along the lines of a check item to
> determine if the home server is dead or alive.

  That would be a good idea.  Patches are welcome.

> One person responded with the suggestion of a second entry in the
> proxy.conf that points to an open server, which I do now.  I was
> hoping to be able to do this in a single server.

  Please read proxy.conf.  There is a configuration entry which tells
the server whether or not to fail over to a DEFAULT realm if all home
servers are marked dead.  That DEFAULT realm may be LOCAL, in which
case it's handled locally...

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html