Simultaneous use control

2002-11-18 Thread Luiz Lima 
I'm trying to use FreeRADIUS simultaneous use control. All requests are
proxied to another RADIUS server. However, I wanted FreeRADIUS to control
this.

From debug (radiusd -X) it looks to me that FreeRADIUS sends the request to
the other server before checking.

It worked once but I had to remove the configuration. Now I can't make it
work again...

I've posted the files which I think are relevant. If something is important
from radiusd.conf (which is too big for a polite post) please let me know. I
have not huntgroups or realms (outside the proxy.conf file) defined.

I've included also a debugged session of one of these cases. Ok, you'll see
that the destination RADIUS server did block the simultaneous login, but I
need FreeRADIUS to do that (because it does it better when it works).

I could really use some help here. Thanks

--
Luiz Lima
Image Link Internet
http://www.imagelink.com.br


/etc/raddb/users
===
DEFAULT Auth-Type := System, Simultaneous-Use := 1
Fall-Through = 1
===

/etc/raddb/proxy.conf
===
proxy server {
synchronous = no
retry_delay = 5
retry_count = 3
dead_time = 60
default_fallback = no
}
realm NULL {
type= radius
authhost= 10.0.0.1:1645
accthost= 10.0.0.1:1646
secret  = mypassword
}
===

/etc/raddb/attrs
===
DEFAULT
Port-Limit := 1
===

debug
===
rad_recv: Access-Request packet from host 200.216.4.170:1645, id=195,
length=70
NAS-IP-Address = 200.216.95.212
NAS-Port = 1342767363
NAS-Port-Type = Virtual
User-Name = user-login-here
Password = \\K\\;\014\373\276h\267\361\225\201\376;A\204
rad_lowerpair:  User-Name now 'user-login-here'
rad_lowerpair:  Password now 'user-password-here'
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module attr_filter returns noop
rlm_realm: Looking up realm NULL for User-Name = user-login-here
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = user-login-here
  rlm_realm: Proxying request from user user-login-here to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm:  Preparing to proxy authentication request to realm NULL
  modcall[authorize]: module suffix returns updated
users: Matched DEFAULT at 1
  modcall[authorize]: module files returns ok
modcall: group authorize returns updated
Sending Access-Request of id 1 to 10.0.0.1:1645
User-Name = user-login-here
NAS-IP-Address = 200.216.95.212
NAS-Port = 1342767363
NAS-Port-Type = Virtual
Password = }w\237\342\203\265\020\242\301q}\320\303\271RR
Proxy-State = 195
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 10.0.0.1:1645, id=1, length=61
Proxy-State = 0x313935
Reply-Message = Simultaneous login limit exceeded!
rad_lowerpair:  Stripped-User-Name now 'user-login-here'
rad_lowerpair:  Password now 'user-password-here'
Login incorrect (Home Server says so): [user-login-here/user-password-here]
(from client 200-216-4-170 port 1342767363)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
rl_next:  returning NULL
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 200.216.4.170:1645, id=195,
length=70
Sending Access-Reject of id 195 to 200.216.4.170:1645
Reply-Message = Simultaneous login limit exceeded!
===

radwho -r
===
user-login-here,user-login-here,PPP,S1342767363,Fri
11:37,200.216.95.212,200.149.171.85
===


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Keeping servers in sync

2002-10-07 Thread Luiz Lima 

 The retries sent by the server are ONLY for about 30 seconds.
 What you're talking about is having the server send Alive packets
 for as long as the user is logged in, which may be hours.

 That means the server has probably 100 to 1000 times as much
 information to keep track of, which isn't a good thing.

What if a second program was written to periodicaly read radutmp and
generate the Alive packets? I could be a daemon or something to be run by
crond. Would anyone but me find it usefull?

Well, now all I need is to learn C and start coding... :-)

Thanks a lot for all the info, Alan.

--
Luiz Lima
Image Link Internet
http://www.imagelink.com.br


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Keeping servers in sync

2002-10-05 Thread Luiz Lima 

Hello,

I'm new to this list, altough I've been using FreeRADIUS for a while now. I
use it exclusively to receive requests from my DSL customers and relay them
to my other RADIUS server (which is a Vircom Proxy and Roaming RADIUS
Server -- VPRRS). I use FreeRADIUS for nothing else. All my DSL operations
are run by the telco and I only authenticate the users.

What happens is that I can see that VPRRS shows different users than
FreeRADIUS. It's like Vircom's server would loose control of who is actually
online. At this momment, there are 55 users online and VPRRS only shows 21.

I DO know that the telco screws things a little bit, including duplicate
ports, different session-ids and things like that, but FreeRADIUS seems to
recover more gracefully than VPRRS from those mistakes. They use Cisco
equipment (DSL concentrators and a software called Dashboard to authenticate
the users after they are already connected to the DSL system).

Anyway, what I want to know is if FreeRADIUS can generate Alive packets to
VPRRS with the goal of keeping them in sync. The telco does not send
watchdogs packets of its own. Can FreeRADIUS that? Or if there's any other
way to keep them together at all times?

Thanks a lot.

--
Luiz Lima
Image Link Internet
http://www.imagelink.com.br


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html