Hello Michael -
Thanks for the trace and configuration information. The problem you have is due to the NAS not sending an Access-Request for the second channel of the ISDN connection. If Radiator does not receive an Access-Request, it then follows that Radiator cannot Reject it, hence cannot enforce the MAXLOGINS. You will have to do some investigation on the NAS, but the simplest approach may be to return a "Port-Limit = 1" in the initial Access-Accept, assuming that the NAS will actually honour it.

regards

Hugh

At 10:14 +1000 01/11/27, Michael Bellears wrote:
>We have a client who is using Radiator 2.18 and Radmin 1.5.
>
>We are utilising MAXLOGINS to restrict simultaneous connections from
>some permanent dial-up customers. (Eg. Ones that have only paid for
>56/64k)
>
>I am seeing users that connect with multilink ISDN able to connect with
>more than one simultaneous connection (Which we don't want!) -
>Radmin/radwho.pl and portmaster are all reporting simultaneous logins.
>
>A trace4 debug shows an unusual Access-Request for the first connection
>from the offending user -> (Full trace 4 of the connection at end of
>message)
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>Mon Nov 26 11:45:12 2001: DEBUG: Deleting session for gsqld001, xxx.xxx.xxx.xxx, 1
>
>But I do not see an Access-Request for the second connection - Only an
>Accounting-Request ->
>
>*** Sending to xxx.xxx.xxx.xxx port 1026 ....
>Code:       Accounting-Response
>Identifier: 137
>Authentic:  <155><3><152>|<255><208>x<196><154>c<200>,<203>4<142><168>
>Attributes:
>
>Mon Nov 26 11:45:13 2001: DEBUG: Packet dump:
>*** Received from xxx.xxx.xxx.xxx port 1026 ....
>Code:       Accounting-Request
>Identifier: 138
>Authentic:  <165>t<21><214>LM<229><13>V<218><255><11><2><149><161><127>
>Attributes:
>        Acct-Session-Id = "76000463"
>        User-Name = "gsqld001"
>        NAS-IP-Address = xxx.xxx.xxx.xxx
>        NAS-Port = 14
>        NAS-Port-Type = ISDN
>        Acct-Status-Type = Start
>        Acct-Authentic = RADIUS
>
>
>radwho.pl output ->
>
>gsqld001 xxx.xxx.xxx.xxx  1 76000462 Mon Nov 26 11:45:12 2001 0 00:08:48 xxx.xxx.xxx.xxx.246 ISDN Framed-User
>gsqld001 xxx.xxx.xxx.xxx 14 76000463 Mon Nov 26 11:45:13 2001 0 00:08:47 xxx.xxx.xxx.xxx.246 ISDN Framed-User
>
>mysql> select USERNAME, MAXLOGINS from RADUSERS where USERNAME="gsqld001";
>+----------+-----------+
>| USERNAME | MAXLOGINS |
>+----------+-----------+
>| gsqld001 |         1 |
>+----------+-----------+
>1 row in set (0.00 sec)
>
>
>Trace 4 Debug ->
>
>Mon Nov 26 11:45:12 2001: DEBUG: Packet dump:
>*** Received from xxx.xxx.xxx.xxx port 1026 ....
>Code:       Access-Request
>Identifier: 136
>Authentic:  <30><16>&<30>z<177>%<20>&<165><137>w<174><205>S{
>Attributes:
>        User-Name = "gsqld001"
>        User-Password = "<151>Zq<164><24>s<23><156><14><171><29>tW<29><206><201>"
>        NAS-IP-Address = xxx.xxx.xxx.xxx
>        NAS-Port = 1
>        NAS-Port-Type = ISDN
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>        Called-Station-Id = "55849500"
>        Calling-Station-Id = "755381085"
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>Mon Nov 26 11:45:12 2001: DEBUG: Deleting session for gsqld001, xxx.xxx.xxx.xxx, 1
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=01
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthRADMIN
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Handling with Radius::AuthRADMIN')
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthRADMIN
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Handling with Radius::AuthRADMIN')
>
>Mon Nov 26 11:45:12 2001: DEBUG: Query is: select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS from RADUSERS where USERNAME='gsqld001' and BADLOGINS < 5 and VALIDFROM < 1006739112 and VALIDTO > 1006739112
>
>Mon Nov 26 11:45:12 2001: DEBUG: Radius::AuthRADMIN looks for match with gsqld001
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Radius::AuthRADMIN looks for match with gsqld001')
>
>Mon Nov 26 11:45:12 2001: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='gsqld001'
>
>Mon Nov 26 11:45:12 2001: DEBUG: Radius::AuthRADMIN ACCEPT:
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Radius::AuthRADMIN ACCEPT: ')
>
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: update RADUSERS set BADLOGINS=0 where USERNAME='gsqld001'
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
>Mon Nov 26 11:45:12 2001: DEBUG: Query is: select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where POOL='pool1' and STATE=0 order by TIME_STAMP
>
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: update RADPOOL set STATE=1, TIME_STAMP=1006739112, EXPIRY=1006820228, USERNAME='gsqld001' where YIADDR='xxx.xxx.xxx.xxx.246' and TIME_STAMP =1006394858
>
>Mon Nov 26 11:45:12 2001: DEBUG: Access accepted for gsqld001
>Mon Nov 26 11:45:12 2001: DEBUG: Packet dump:
>*** Sending to xxx.xxx.xxx.xxx port 1026 ....
>Code:       Access-Accept
>Identifier: 136
>Authentic:  <30><16>&<30>z<177>%<20>&<165><137>w<174><205>S{
>Attributes:
>        Session-Timeout = 81116
>        Framed-Protocol = PPP
>        Framed-IP-Netmask = 255.255.255.255
>        Framed-Routing = None
>        Framed-MTU = 1500
>        Framed-Compression = Van-Jacobson-TCP-IP
>        Framed-IP-Netmask = 255.255.255.0
>        Framed-IP-Address = xxx.xxx.xxx.xxx.246
>
>Mon Nov 26 11:45:12 2001: DEBUG: Packet dump:
>*** Received from xxx.xxx.xxx.xxx port 1026 ....
>Code:       Accounting-Request
>Identifier: 137
>Authentic:  <155><3><152>|<255><208>x<196><154>c<200>,<203>4<142><168>
>Attributes:
>        Acct-Session-Id = "76000462"
>        User-Name = "gsqld001"
>        NAS-IP-Address = xxx.xxx.xxx.xxx
>        NAS-Port = 1
>        NAS-Port-Type = ISDN
>        Acct-Status-Type = Start
>        Acct-Authentic = RADIUS
>        Called-Station-Id = "55849500"
>        Calling-Station-Id = "755381085"
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>        Framed-IP-Address = xxx.xxx.xxx.xxx.246
>        Acct-Delay-Time = 0
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>Mon Nov 26 11:45:12 2001: DEBUG: Adding session for gsqld001, xxx.xxx.xxx.xxx, 1
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=01
>
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('gsqld001', 'xxx.xxx.xxx.xxx', 01, '76000462', 1006739112, 'xxx.xxx.xxx.xxx.246', 'ISDN', 'Framed-User')
>
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthRADMIN
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Handling with Radius::AuthRADMIN')
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling accounting with Radius::AuthRADMIN
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Handling accounting with Radius::AuthRADMIN')
>
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: update RADUSERS set TIMELEFT=TIMELEFT-0, OCTETSINLEFT=OCTETSINLEFT-0, OCTETSOUTLEFT=OCTETSOUTLEFT-0 where USERNAME='gsqld001'
>
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADUSAGE (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME, ACCTSESSIONID, FRAMEDIPADDRESS, NASIDENTIFIER, NASPORT, DNIS, Client_Phone_Number) values ('gsqld001', 1006739112, 1, 0, '76000462', 'xxx.xxx.xxx.xxx.246', 'xxx.xxx.xxx.xxx', 1, '55849500', '755381085')
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
>Mon Nov 26 11:45:12 2001: DEBUG: Accounting accepted
>Mon Nov 26 11:45:12 2001: DEBUG: Packet dump:
>*** Sending to xxx.xxx.xxx.xxx port 1026 ....
>Code:       Accounting-Response
>Identifier: 137
>Authentic:  <155><3><152>|<255><208>x<196><154>c<200>,<203>4<142><168>
>Attributes:
>
>Mon Nov 26 11:45:13 2001: DEBUG: Packet dump:
>*** Received from xxx.xxx.xxx.xxx port 1026 ....
>Code:       Accounting-Request
>Identifier: 138
>Authentic:  <165>t<21><214>LM<229><13>V<218><255><11><2><149><161><127>
>Attributes:
>        Acct-Session-Id = "76000463"
>        User-Name = "gsqld001"
>        NAS-IP-Address = xxx.xxx.xxx.xxx
>        NAS-Port = 14
>        NAS-Port-Type = ISDN
>        Acct-Status-Type = Start
>        Acct-Authentic = RADIUS
>        Called-Station-Id = "55849500"
>        Calling-Station-Id = "755381085"
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>        Framed-IP-Address = xxx.xxx.xxx.xxx.246
>        Acct-Delay-Time = 0
>
>
>Mon Nov 26 11:45:13 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>Mon Nov 26 11:45:13 2001: DEBUG: Adding session for gsqld001, xxx.xxx.xxx.xxx, 14
>Mon Nov 26 11:45:13 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=014
>
>Mon Nov 26 11:45:13 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('gsqld001', 'xxx.xxx.xxx.xxx', 014, '76000463', 1006739113, 'xxx.xxx.xxx.xxx.246', 'ISDN', 'Framed-User')
>
>Mon Nov 26 11:45:13 2001: DEBUG: Handling with Radius::AuthRADMIN
>Mon Nov 26 11:45:13 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739113, 4, 'Handling with Radius::AuthRADMIN')
>
>Mon Nov 26 11:45:13 2001: DEBUG: Handling accounting with Radius::AuthRADMIN
>Mon Nov 26 11:45:13 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739113, 4, 'Handling accounting with Radius::AuthRADMIN')
>
>Mon Nov 26 11:45:13 2001: DEBUG: do query is: update RADUSERS set TIMELEFT=TIMELEFT-0, OCTETSINLEFT=OCTETSINLEFT-0, OCTETSOUTLEFT=OCTETSOUTLEFT-0 where USERNAME='gsqld001'
>
>Mon Nov 26 11:45:13 2001: DEBUG: do query is: insert into RADUSAGE (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME, ACCTSESSIONID, FRAMEDIPADDRESS, NASIDENTIFIER, NASPORT, DNIS, Client_Phone_Number) values ('gsqld001', 1006739113, 1, 0, '76000463', 'xxx.xxx.xxx.xxx.246', 'xxx.xxx.xxx.xxx', 14, '55849500', '755381085')
>
>Mon Nov 26 11:45:13 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
>Mon Nov 26 11:45:13 2001: DEBUG: Accounting accepted
>Mon Nov 26 11:45:13 2001: DEBUG: Packet dump:
>*** Sending to xxx.xxx.xxx.xxx port 1026 ....
>Code:       Accounting-Response
>Identifier: 138
>Authentic:  <165>t<21><214>LM<229><13>V<218><255><11><2><149><161><127>
>Attributes:
>
>
>Config file ->
>
># You should consider this file to be a starting point only
># $Id $
>
>Foreground
>LogStdout
>LogDir .
>DbDir .
>
>#DbDir /root/radiator/Radiator-2.18
>#LogDir /var/log/radacct
>DictionaryFile /root/Radiator-2.18/dictionary
>
># AuthPort specifies the port to listen on for authentication requests
># Can be a numeric port number or a service name from /etc/services
># Defaults to 1645
>#AuthPort 1645
>AuthPort 1812
>
># AcctPort specifies the port to listen on for accounting requests
># Can be a numeric port number or a service name from /etc/services
># Defaults to 1646
>#AcctPort 1646
>AcctPort 1813
>
>BindAddress xxx.xxx.xxx.2
>
># Don't turn this up too high, since all log messages are logged
># to the RADMESSAGES table in the database. 3 will give you everything
># except debugging messages
>Trace 4
>
># You will probably want to change this to suit your site.
># You should list all the clients you have, and their secrets
># If you are using the Radmin Clients table, you will probably
># want to disable this.
>#<Client DEFAULT>
>#        Secret mysecret
>#        DupInterval 0
>#</Client>
>
># You can put additional (or all) client details in your Radmin
># database table
># and get their details from there with something like this:
># You can then use the Radmin 'Add Radius Client' to add new clients.
><ClientListSQL>
>        DBSource dbi:mysql:radmin:localhost
>        DBUsername radmin
>        DBAuth xxxxxxxxx
></ClientListSQL>
>
><SNMPAgent>
>        Community xxxxxxxx
></SNMPAgent>
>
># You can also set up an address pool for Radiator to manage.
># The standard Radmin tables include a RADPOOL address pool table.
># see the example in addressallocator.cfg
><AddressAllocator SQL>
>        # This name allows us to refer to it from inside
>        # an AuthBy DYNADDRESS
>        Identifier myallocator
>
>        # For mysql, use something like this
>        DBSource dbi:mysql:radmin:localhost
>        DBUsername radmin
>        DBAuth xxxxxxxxx
>
>        # If SessionTimeout is set by a previous AuthBy
>        # then that is used as the expiry time. Otherwise
>        # DefaultLeasePeriod (in seconds) is used.
>        # Defaults to 1 day
>        #DefaultLeasePeriod 86400
>
>        # How often we check the database for expired leases
>        # leases can expire if an accounting stop is lost
>        # or if the session goes longer than the lease
>        # we originally asked for. Defaults to 1 day.
>        #LeaseReclaimInterval 86400
>
>        # Define the pools that are to be in our database
>        # defining pools here will make AddressAllocator SQL
>        # ensure that all the addresses are present in the database
>        # at startup. You don't have to define pools here. If you don't,
>        # AddressAllocator SQL will just use whatever addresses
>        # it finds in the RADPOOL table.
>        <AddressPool pool1>
>                Subnetmask 255.255.255.0
>                Range xxx.xxx.xxx.200 xxx.xxx.xxx.250
>                DNSServer xxx.xxx.xxx.1
>        </AddressPool>
>#        <AddressPool pool2>
>#                Subnetmask 255.255.255.127
>#                Range 192.2.2.62 192.2.2.99
>#        </AddressPool>
></AddressAllocator>
>
>
># Handle everyone with RADMIN
><Realm DEFAULT>
>        AuthByPolicy ContinueWhileAccept
>
>        <AuthBy RADMIN>
>                # Change DBSource, DBUsername, DBAuth for your database
>                # See the reference manual. You will also have to
>                # change the one in <SessionDatabase SQL> below
>                # so it's the same
>                DBSource dbi:mysql:radmin:localhost
>                DBUsername radmin
>                DBAuth xxxxxxxxx
>
>                # You can add to or change these if you want, but you
>                # will probably want to change the database schema first
>
>                AccountingTable RADUSAGE
>                AcctColumnDef USERNAME,User-Name
>                AcctColumnDef TIME_STAMP,Timestamp,integer
>                AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
>                AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>                AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>                AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>                AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>                AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>                AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
>                AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>                AcctColumnDef NASIDENTIFIER,NAS-Identifier
>                AcctColumnDef NASIDENTIFIER,NAS-IP-Address
>                AcctColumnDef NASPORT,NAS-Port,integer
>                AcctColumnDef DNIS,Called-Station-Id
>                AcctColumnDef Client_Phone_Number,Calling-Station-Id
>                AcctColumnDef Connect_info,Connect-Info
>
>                # This updates the time and octets left
>                # for this user
>                AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
>
>                # These are the classic things to add to each user's
>                # reply to allow a PPP dialup session. It may be
>                # different for your NAS. This will add some
>                # reply items to everyone's reply
>                AddToReply Framed-Protocol = PPP,\
>                        Framed-IP-Netmask = 255.255.255.255,\
>                        Framed-Routing = None,\
>                        Framed-MTU = 1500,\
>                        Framed-Compression = Van-Jacobson-TCP-IP
>        </AuthBy>
>
>        # AuthBy DYNADDRESS needs to be the last AuthBy. If
>        # all the previous ones have succeeded, then an address
>        # is allocated
>        <AuthBy DYNADDRESS>
>                # This refers to the AddressAllocator
>                # defined below. It says to use that allocator
>                # to get an address. Instead of this, you can
>                # put the <AddressAllocator xxx> clause directly
>                # in here
>                Allocator myallocator
>
>                # This specifies how to form the pool hint, that
>                # the allocator uses to specify which pool
>                # to allocate an address from. The default
>                # is %{Reply:PoolHint}, ie a pseudo
>                # attribute in the current reply,
>                # presumably set by an earlier
>                # AuthBy, but it could be for example
>                # the NAS IP address or similar, or a hardwired
>                # string.
>                #PoolHint %{Reply:PoolHint}
>                PoolHint pool1
>
>                # These parameters tell us how to set reply
>                # attributes from the result of the allocation.
>                # The left hand side of each pair is
>                # the "name" of the data item. The right hand
>                # side is the Radius attribute name to use
>                # in the reply. The valid data item names are:
>                #  yiaddr - The allocated address
>                #  subnetmask - The subnet mask to use
>                #  dnsserver - the IP address of the DNS server
>                # The default mappings are:
>                #MapAttribute yiaddr, Framed-IP-Address
>                #MapAttribute subnetmask, Framed-IP-Netmask
>
>                # The AuthBy FILE above sets the pseudo reply attribute
>                # PoolHint as the clue to the address allocator
>                # need to strip it out at the end of processing
>                StripFromReply PoolHint
>
>        </AuthBy>
>        <AuthLog FILE>
>                Identifier myauthlogger
>                Filename authlog
>                SuccessFormat %l:NAS:%N:Calling_Number:%{Calling-Station-Id}:Username:%U:Password:%P:Assigned:%a:Reply:%{Reply:Reply-Message}:Connect_Info:%{Connect-Info}:SUCCESS
>                FailureFormat %l:NAS:%N:Calling_Number:%{Calling-Station-Id}:Username:%U:Password:%P:Reply:%{Reply:Reply-Message}:FAILURE
>
>                LogSuccess 1
>                LogFailure 1
>        </AuthLog>
></Realm>
>
><SessionDatabase SQL>
>        # This database spec usually should be exactly the same
>        # as in <AuthBy RADMIN> above
>        DBSource dbi:mysql:radmin:localhost
>        DBUsername radmin
>        DBAuth xxxxxxxxx
></SessionDatabase>
>
>Regards,
>Michael
>
>
>
>===
>Archive at http://www.open.com.au/archives/radiator/
>Announcements on [EMAIL PROTECTED]
>To unsubscribe, email '[EMAIL PROTECTED]' with
>'unsubscribe radiator' in the body of the message.

--
NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
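Hugh's point, as an added example that is not Radiator or Radmin code: a small Python model of the session table replays the packet sequence from the trace to show why MAXLOGINS never fires for the second ISDN channel, and an audit over RADONLINE-style rows flags users over their limit and marks the multilink pattern (same Framed-IP-Address and Calling-Station-Id on two NAS ports). The username, NAS ports and session ids come from the thread; the addresses, the row layout and the event tuples are constructed.

```python
from collections import defaultdict

# Constructed packet sequence mirroring the trace above: the first ISDN
# channel (NAS-Port 1) is authenticated, the second (NAS-Port 14) only
# ever produces an Accounting-Request Start.
TRACE = [
    ("Access-Request", "gsqld001", 1),
    ("Acct-Start", "gsqld001", 1),
    ("Acct-Start", "gsqld001", 14),
]
MAXLOGINS = {"gsqld001": 1}  # what RADUSERS.MAXLOGINS holds for the user

# Constructed RADONLINE rows as radwho.pl listed them after the trace
# (RFC 5737 documentation addresses stand in for the masked ones).
ONLINE = [
    ("gsqld001", "192.0.2.1", 1, "76000462", "192.0.2.246", "755381085"),
    ("gsqld001", "192.0.2.1", 14, "76000463", "192.0.2.246", "755381085"),
]

def simulate(events, maxlogins):
    """Replay NAS packets the way a MAXLOGINS check sees them.
    The limit is applied only where there is something to Reject, the
    Access-Request; accounting Start/Stop just maintain the session table.
    Returns (rejected, online_ports_by_user)."""
    online, rejected = defaultdict(set), []
    for code, user, port in events:
        if code == "Access-Request":
            online[user].discard(port)  # stale entry on this NAS port is dropped first
            if len(online[user]) >= maxlogins.get(user, float("inf")):
                rejected.append((user, port))
        elif code == "Acct-Start":
            online[user].add(port)  # recorded, never counted against the limit
        elif code == "Acct-Stop":
            online[user].discard(port)
    return rejected, {u: sorted(p) for u, p in online.items() if p}

def audit(rows, maxlogins):
    """Flag users whose live sessions exceed MAXLOGINS.
    rows: (user, nas, port, acct_session_id, framed_ip, calling_number).
    Sessions sharing one Framed-IP-Address and Calling-Station-Id are
    reported as a multilink bundle, the pattern seen in the trace above."""
    by_user = defaultdict(list)
    for row in rows:
        by_user[row[0]].append(row)
    findings = {}
    for user, sessions in by_user.items():
        limit = maxlogins.get(user)
        if limit is None or len(sessions) <= limit:
            continue
        bundles = {(s[4], s[5]) for s in sessions}
        findings[user] = {"sessions": len(sessions), "limit": limit,
                          "multilink": len(bundles) == 1}
    return findings
```

The audit only reports what has already slipped past the check; preventing it is still the Port-Limit = 1 reply Hugh suggests, if the NAS honours it.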