"Alan DeKok" <[EMAIL PROTECTED]> writes:

> Ted Cabeen <[EMAIL PROTECTED]> wrote:
>> The documentation for the functionality of the "other" nastype when
>> used with Simultaneous login blocking is substantially lacking. The
>> documentation in doc/Simultaneous-Use mentions that "other" means
>> don't check.
>
> Pretty much.
>
>> However, the checkrad.pl script has an entry in it for "other".
>> This is misleading because it implies that the "other" nastype is
>> handled by the script.
>
> If you run it, or look at the source, you will see that checkrad
> *always* returns "true" for "other".

Right. But if you change the behavior of checkrad to always allow on other, nothing happens because it's over-ridden in the code. If the other nastype doesn't do anything, it either shouldn't be defined in checkrad or there should be a comment there indicating that it never gets run.

>> However, if you look in the code in src/main/session.c, there is a
>> block that prevents outright the running of checkrad when the
>> nastype is other.
>
> Having the same check in multiple places makes the code more robust.

I guess, but if one totally overrides the other what's the point of having it in the first place? checkrad is never run with a nastype of other. Why should it handle an argument that it never gets run with?

>> In my environment, we use some outsourced dialup that provides no
>> access to the NAS boxes for checkrad processing.
>
> So they're type "other".

Exactly.

>> Would it be possible to either add an option to control the treatment
>> of nastypes of type "other", run checkrad for every duplicate login
>> check or to more clearly document this?
>
> I'm not sure what the problem is.
>
> You seem to want to re-define the meaning of "other", and I can't
> see why that would do anything useful.

With "other" configured as it is, freeradius is a fail-deny system. If the server can't confirm the login is duplicate, it rejects the user, presuming the utmp file is correct. I want the opposite behavior, where radius only denies a user when it's positively confirmed that they're already logged in the maximum amount of times. A config file option seems the best solution to me.

-- 
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
"I have taken all knowledge to be my province." -F. Bacon [EMAIL PROTECTED]
"Human kind cannot bear very much reality."-T.S.Eliot [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
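Added example, not part of the original message and not FreeRADIUS source: a simplified C model of the decision discussed in this thread, where the probe is skipped for nastype "other" and the outcome depends on whether an unverifiable session is counted. The enum names, the `unverified_policy` option, the helper functions and the session records are all hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* What a checkrad-style probe of the NAS can report for one recorded session. */
enum ts_result { TS_NOT_LOGGED_IN, TS_LOGGED_IN, TS_UNKNOWN };
/* Hypothetical config option: how to treat a session that cannot be verified. */
enum unverified_policy { UNVERIFIED_COUNTS, UNVERIFIED_IGNORED };
/* Constructed session record: NAS type plus what a probe would say if it ran. */
struct session { const char *nas_type; enum ts_result probe; };

/* Simplified server-side gate: the probe is never run for nastype "other". */
static enum ts_result check_session(const struct session *s)
{
    if (strcmp(s->nas_type, "other") == 0)
        return TS_UNKNOWN;
    return s->probe;
}

/* Returns 1 to accept a new login, 0 to reject it. */
int allow_login(const struct session *rec, int n, int max_sessions,
                enum unverified_policy policy)
{
    int live = 0;
    for (int i = 0; i < n; i++) {
        enum ts_result r = check_session(&rec[i]);
        if (r == TS_LOGGED_IN || (r == TS_UNKNOWN && policy == UNVERIFIED_COUNTS))
            live++;
    }
    return live < max_sessions;
}

/* Constructed case: a stale record on an "other" NAS, session limit of 1. */
int stale_other(enum unverified_policy p)
{
    const struct session rec[] = { { "other", TS_NOT_LOGGED_IN } };
    return allow_login(rec, 1, 1, p);
}

/* Constructed case: the probe confirms a live session, session limit of 1. */
int confirmed_dup(enum unverified_policy p)
{
    const struct session rec[] = { { "cisco", TS_LOGGED_IN } };
    return allow_login(rec, 1, 1, p);
}

int main(void)
{
    printf("stale other, unverified counts:  %d\n", stale_other(UNVERIFIED_COUNTS));
    printf("stale other, unverified ignored: %d\n", stale_other(UNVERIFIED_IGNORED));
    return 0;
}
```

In this model, `UNVERIFIED_IGNORED` never counts any session recorded on an "other" NAS, including a genuine one, so the session limit is not enforced for those NAS boxes.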

