I'm using Radiator 2.14.1 with LDAP 4.11. I have set MaxSessions to one, but there are users who are cheating by adding extra characters and are able to have multiple concurrent logins. For example, a user "bobsmith", " bobsmith" (with a leading space) and "\bobsmith" is able to have three concurrent logins, while " bobsmith" and "\bobsmith" do not exist in the LDAP. Any help on how to prevent multiple logins will be highly appreciated.
 
 
 
 
# Foreground
# LogStdout
LogDir  /var/adm
LogFile  %L/radius.log
DbDir  /usr/local/etc

Trace  3
#
<Client DEFAULT>
    Secret xxxxx
    DupInterval 2
</Client>

#Handler to reject users with extra characters
<Handler User-Name=/\\x/>
    <AuthBy FILE>
        Filename %D/reject
    </AuthBy>
</Handler>
<Realm xxxxxx>
    RewriteUsername tr/-.A-Za-z0-9_@//cd
    RewriteUsername s/^([^@]+).*/$1/
    RewriteUsername tr/[A-Z]/[a-z]/
    PasswordLogFileName %L/radpwd.log

    <AuthBy GROUP>
        AuthByPolicy ContinueWhileReject

        <AuthBy SQL>
            DBSource dbi:mysql:database=xxxx;host=xxxxx
            DBUsername radius
            DBAuth xxxxx

            Timeout 30
            # don't identify, accounting only
            AuthSelect
            AccountingTable accounting
            AcctColumnDef USERNAME,User-Name
            AcctColumnDef TIME_STAMP,Timestamp,integer
            AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
            AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
            AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
            AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
            AcctColumnDef ACCTSESSIONID,Acct-Session-Id
            AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
            AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
            AcctColumnDef ACCTCHARGE,Acct-Charge
            AcctColumnDef NASIDENTIFIER,NAS-Identifier
            AcctColumnDef NASPORT,NAS-Port, integer
            AcctColumnDef DNIS,Called-Station-Id
        </AuthBy>

        <AuthBy LDAP2>
            #DefaultSimultaneousUse 1
            # Tell Radiator how to talk to the LDAP server
            Host  ldap-lh.arabcircle.net.sa
            Port   389
            AuthDN  uid=radius,ou=xxx,o=xxx
            AuthPassword xxxxx
            BaseDN  o=xxx

            UsernameAttr uid
            PasswordAttr    userpassword
            #  Simultaneous-Use  number
        </AuthBy>

        # These are the classic things to add to each users
        # reply to allow a PPP dialup session. It may be
        # different for your NAS. This will add some
        # reply items to everyone's reply
        DefaultReply Service-Type = Framed-User,\
            Framed-Protocol = PPP,\
            Framed-IP-Netmask = 255.255.255.128,\
            Framed-IP-Address = 255.255.255.255,\
            Framed-Routing = None,\
            Framed-MTU = 600,\
            Framed-Compression = Van-Jacobson-TCP-IP,\
            Session-Timeout = 1200
    </AuthBy>
    MaxSessions 1
    # Log accounting to the detail file in LogDir
    AcctLogFileName %L/detail
</Realm>
 
 
 
 
This is what I have in the reject file.
DEFAULT Auth-Type = Reject
 
 
Regards
Tariq
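
The failure mode described in this post, as an added example that is not part of the original message or of Radiator: a Python rendering of the three RewriteUsername rules from the posted Realm, applied to the three names from the post, with a session counter keyed first on the raw User-Name and then on the rewritten name. The `admit` and `padded_names` functions are hypothetical and do not model how Radiator itself keys MaxSessions; they only show why a per-user limit has to count against the canonical name.

```python
import re
from collections import Counter

# Characters the first rule deletes: the complement of tr/-.A-Za-z0-9_@//cd
NOT_ALLOWED = re.compile(r"[^-.A-Za-z0-9_@]")

def canonical_username(raw):
    """Python rendering of the three RewriteUsername rules in the posted Realm."""
    name = NOT_ALLOWED.sub("", raw)               # tr/-.A-Za-z0-9_@//cd
    name = re.sub(r"^([^@]+).*", r"\1", name)     # s/^([^@]+).*/$1/
    return name.lower()                           # tr/[A-Z]/[a-z]/

def admit(logins, max_sessions=1, key=canonical_username):
    """Hypothetical session limiter: count open sessions per key(raw name)."""
    open_sessions = Counter()
    decisions = []
    for raw in logins:
        k = key(raw)
        ok = bool(k) and open_sessions[k] < max_sessions
        if ok:
            open_sessions[k] += 1
        decisions.append((raw, ok))
    return decisions

def padded_names(logins):
    """Names carrying characters the rewrite would strip (worth flagging in logs)."""
    return [raw for raw in logins if NOT_ALLOWED.search(raw)]

# Constructed sample: the three User-Name values given in the post.
LOGINS = ["bobsmith", " bobsmith", "\\bobsmith"]

if __name__ == "__main__":
    print("keyed on raw name:      ", admit(LOGINS, key=str))
    print("keyed on rewritten name:", admit(LOGINS))
    print("names with stripped characters:", padded_names(LOGINS))
```
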
 
 
