Re: User with 2 profiles but different simultaneous-use in each

2004-04-15 Thread Kostas Kalevras
On Thu, 15 Apr 2004, Kostas Zorbadelos wrote:

> At Wed, 14 Apr 2004 17:44:52 +0300 (EEST),
> Kostas Kalevras wrote:
> >
> > Well now that I think of it, the module can't really help you on that subject.
> > But in any case you can check the comments in the latest radiusd.conf, it's now
> > part of the stable modules list.
> >
>
> Is it in 0.9.3 release or in the cvs snapshot?

I think it's in raddb/experimental.conf in the 0.9.3 release.
In the latest CVS snapshot it's in radiusd.conf.

>
> > As for your problem, you can just always set Simultaneous-Use = 1. For ISDN you
> > just need to also set Port-Limit = 2 for the user to be able to use 2 channels.
> > So everything should work just fine with just that. Just make sure that
> > Port-Limit is only returned on ISDN connections, else a user can get 2 DSL
> > connections from the PTT and do multilink PPP (just guessing, I am not that
> > familiar with how ADSL works; I think it just transmits PPP frames so it's
> > possible). Since you are using LDAP something like this:
> >
> > --users--
> >
> > DEFAULT NAS-Port-Type == ISDN, Ldap-Group == "adsl-users"
> >         Port-Limit := 2
> >
>
> Thanks Kostas. I am familiar with the Port-Limit attribute, in fact I
> use it already in a profile for prepaid cards. But from the way I have
> seen it works, it just instructs the router to allow a bundle
> interface with up to 2 channels (if the value is 2). This way if someone has
> value 0 in this attribute he won't be allowed to have a bundle
> interface and every connection he will attempt with on demand ISDN or
> ISDN 128 will fail.
> However the authentication is independent of that. If an ISDN user
> tries to get a second channel he will initiate an
> authorization/authentication sequence normally and he will fail if
> Simultaneous-Use is 1.
> This is the way I believe things work, let me know if I am wrong.


Read around line 683 in src/main/auth.c if you want source code details.

In any case FreeRADIUS will use the Port-Limit attribute (if available) to
determine if a user is allowed to open another channel on multilink connections
(like 128 ISDN).

So you can have simultaneous-use=1 to not allow double logins but port-limit=2
to allow a user to open a second channel on a multilink connection.

> In any case thanks.
>
>
> --
>   Kostas Zorbadelos
>   Currently at: Otenet IT Department
>   mailto: [EMAIL PROTECTED]
>
>   Out there in the darkness, out there in the night
>   out there in the starlight, one soul burns brighter
>   than a thousand suns.
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: User with 2 profiles but different simultaneous-use in each

2004-04-15 Thread Kostas Zorbadelos
At Wed, 14 Apr 2004 17:44:52 +0300 (EEST),
Kostas Kalevras wrote:
> 
> Well now that I think of it, the module can't really help you on that subject.
> But in any case you can check the comments in the latest radiusd.conf, it's now
> part of the stable modules list.
> 

Is it in 0.9.3 release or in the cvs snapshot?

> As for your problem, you can just always set Simultaneous-Use = 1. For ISDN you
> just need to also set Port-Limit = 2 for the user to be able to use 2 channels.
> So everything should work just fine with just that. Just make sure that
> Port-Limit is only returned on ISDN connections, else a user can get 2 DSL
> connections from the PTT and do multilink PPP (just guessing, I am not that
> familiar with how ADSL works; I think it just transmits PPP frames so it's
> possible). Since you are using LDAP something like this:
> 
> --users--
> 
> DEFAULT   NAS-Port-Type == ISDN, Ldap-Group == "adsl-users"
>   Port-Limit := 2
>

Thanks Kostas. I am familiar with the Port-Limit attribute, in fact I
use it already in a profile for prepaid cards. But from the way I have
seen it works, it just instructs the router to allow a bundle
interface with up to 2 channels (if the value is 2). This way if someone has
value 0 in this attribute he won't be allowed to have a bundle
interface and every connection he will attempt with on demand ISDN or
ISDN 128 will fail.
However the authentication is independent of that. If an ISDN user
tries to get a second channel he will initiate an
authorization/authentication sequence normally and he will fail if
Simultaneous-Use is 1.
This is the way I believe things work, let me know if I am wrong.
In any case thanks.


--   
  Kostas Zorbadelos
  Currently at: Otenet IT Department 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: User with 2 profiles but different simultaneous-use in each

2004-04-14 Thread Kostas Kalevras
On Wed, 7 Apr 2004, Kostas Zorbadelos wrote:

> At Tue, 6 Apr 2004 12:14:59 +0300 (EEST),
> Kostas Kalevras wrote:
> >
> Dear Kostas
> first of all thanks for your answer.
> I don't have this module compiled in the binary versions I compiled. I
> saw its source code however inside src/modules. Is it an experimental
> module that needs to be 'activated' in the configure step?
> What is its function exactly? (I know that you are the most relevant
> person to ask and I didn't see any documentation for it apart from the
> source code)
> Using this module can I achieve the locking scenario I want? That is,
> when the user is logged in an ISDN line (has Simultaneous-Use=2)
> can I reject him if he tries to login as an ADSL at the same time?

Well now that I think of it, the module can't really help you on that subject.
But in any case you can check the comments in the latest radiusd.conf, it's now
part of the stable modules list.

As for your problem, you can just always set Simultaneous-Use = 1. For ISDN you
just need to also set Port-Limit = 2 for the user to be able to use 2 channels.
So everything should work just fine with just that. Just make sure that
Port-Limit is only returned on ISDN connections, else a user can get 2 DSL
connections from the PTT and do multilink PPP (just guessing, I am not that
familiar with how ADSL works; I think it just transmits PPP frames so it's
possible). Since you are using LDAP something like this:

--users--

DEFAULT NAS-Port-Type == ISDN, Ldap-Group == "adsl-users"
        Port-Limit := 2


>
> Looking forward to your answer to also learn the role of your module.
>
> Kostas
>
> > On Mon, 5 Apr 2004, Kostas Zorbadelos wrote:
> >
> > >
> > >
> > > Hello to everyone.
> > > I have the following problem where I work. We have a user, let's say
> > > kzorba that is an ADSL user and has a specific profile (check and
> > > reply attributes). We want to limit the Simultaneous-Use of
> > > the user for this service to 1. We also want for the same user to be
> > > able to use an ISDN 128 backup connection in case his ADSL line has a
> > > problem. In this case our user has a different profile and
> > > Simultaneous-Use 2 (in order to be able to login twice for the 2 isdn
> > > channels). So the question is: how can I lock the user in a way that
> > > when he uses his ADSL connection, not to be able to connect with ISDN
> > > at all (that's easy since Simultaneous-Use is 1 in this case and won't
> > > be allowed to login for anything else) and the opposite (when in as an
> > > ISDN not to be able to use the ADSL).
> > > Any suggestions are highly appreciated.
> >
> > Since you keep different profiles for each connection (ADSL or ISDN) then you
> > can add a check item for the NAS-Port-Type (Virtual or ISDN) in each one and use
> > rlm_checkval to only allow the corresponding port-type for each profile.
> >
> > >
> > > Thanks in advance
> > >
> > > Kostas
> > >
> > > PS: By the way we have our user database in LDAP but I think that's
> > > irrelevant.
> > >
> > >
> >
> > --
> > Kostas Kalevras Network Operations Center
> > [EMAIL PROTECTED]   National Technical University of Athens, Greece
> > Work Phone: +30 210 7721861
> > 'Go back to the shadow' Gandalf
> >
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: User with 2 profiles but different simultaneous-use in each

2004-04-07 Thread Kostas Zorbadelos
At Wed, 7 Apr 2004 01:36:11 +0400,
Alexander M. Pravking wrote:
> 
Alexander thank you very much.
You understood exactly the locking scenario I want to achieve.
Your first post seemed wonderful, too bad it doesn't work. I will
look into rlm_perl if there is no other way.

Thanks again.

Kostas
 
> I'm sorry for misleading you, you can't configure it this way.
> 
> On Tue, Apr 06, 2004 at 09:46:33AM +0400, Alexander M. Pravking wrote:
> > On Mon, Apr 05, 2004 at 08:16:24PM +0300, Kostas Zorbadelos wrote:
> > > Hello to everyone.
> > > I have the following problem where I work. We have a user, let's say
> > > kzorba that is an ADSL user and has a specific profile (check and
> > > reply attributes). We want to limit the Simultaneous-Use of
> > > the user for this service to 1. We also want for the same user to be
> > > able to use an ISDN 128 backup connection in case his ADSL line has a
> > > problem. In this case our user has a different profile and
> > > Simultaneous-Use 2 (in order to be able to login twice for the 2 isdn
> > > channels). So the question is: how can I lock the user in a way that
> > > when he uses his ADSL connection, not to be able to connect with ISDN
> > > at all (that's easy since Simultaneous-Use is 1 in this case and won't
> > > be allowed to login for anything else) and the opposite (when in as an
> > > ISDN not to be able to use the ADSL). 
> > > Any suggestions are highly appreciated.
> > 
> > You could do it in authorize {} section instead of session {}.
> > Say you have defined 2 attrs (e.g. of type integer): ADSL-Up and ISDN-Up.
> > Assuming you have accounting in SQL, you could do:
> > 
> > ADSL-Up := `%{sql:SELECT count(*) FROM radacct WHERE UserName = '%u' AND NASPortType = 'Ethernet' AND AcctStopTime IS NULL}`
> > ISDN-Up := `%{sql:SELECT count(*) FROM radacct WHERE UserName = '%u' AND NASPortType = 'ISDN' AND AcctStopTime IS NULL}`
> > 
> > (Note the backquotes; the behaviour can change soon.)
> 
> That's fine. But... These attributes should go into config items,
> so you cannot use users file to check them, since attributes being
> checked are always taken from the request:
> 
> > Then put 2 entries in "users" file:
> > DEFAULT NAS-Port-Type == ISDN, ADSL-Up > 0, Auth-Type := Reject
> >         Reply-Message := "You have your ADSL up, ISDN connections disabled"
> > 
> > DEFAULT NAS-Port-Type == Ethernet, ISDN-Up > 0, Auth-Type := Reject
> >         Reply-Message := "To use ADSL, first stop your backup ISDN connections"
> 
> Instead, you can use rlm_perl (I'd recommend post-auth section, but then you
> should patch rlm_perl a little ;-):
> 
> sub authorize {
>     if ($RAD_REQUEST{'NAS-Port-Type'} eq 'ISDN'
>         and $RAD_CHECK{'ADSL-Up'} > 0) {
> 
>         $RAD_REPLY{'Reply-Message'} =
>             "You have your ADSL up, ISDN connections disabled";
>         return RLM_MODULE_REJECT;
>     }
> 
>     if ($RAD_REQUEST{'NAS-Port-Type'} eq 'Ethernet'
>         and $RAD_CHECK{'ISDN-Up'} > 0) {
> 
>         $RAD_REPLY{'Reply-Message'} =
>             "To use ADSL again, first stop your backup ISDN connections";
>         return RLM_MODULE_REJECT;
>     }
>     return RLM_MODULE_NOOP;
> }
> 
> -- 
> Fduch M. Pravking
> 



Re: User with 2 profiles but different simultaneous-use in each

2004-04-07 Thread Kostas Zorbadelos
At Tue, 6 Apr 2004 12:14:59 +0300 (EEST),
Kostas Kalevras wrote:
> 
Dear Kostas
first of all thanks for your answer.
I don't have this module compiled in the binary versions I compiled. I
saw its source code however inside src/modules. Is it an experimental
module that needs to be 'activated' in the configure step?
What is its function exactly? (I know that you are the most relevant
person to ask and I didn't see any documentation for it apart from the
source code)
Using this module can I achieve the locking scenario I want? That is,
when the user is logged in an ISDN line (has Simultaneous-Use=2)
can I reject him if he tries to login as an ADSL at the same time?

Looking forward to your answer to also learn the role of your module.  

Kostas
   
> On Mon, 5 Apr 2004, Kostas Zorbadelos wrote:
> 
> >
> >
> > Hello to everyone.
> > I have the following problem where I work. We have a user, let's say
> > kzorba that is an ADSL user and has a specific profile (check and
> > reply attributes). We want to limit the Simultaneous-Use of
> > the user for this service to 1. We also want for the same user to be
> > able to use an ISDN 128 backup connection in case his ADSL line has a
> > problem. In this case our user has a different profile and
> > Simultaneous-Use 2 (in order to be able to login twice for the 2 isdn
> > channels). So the question is: how can I lock the user in a way that
> > when he uses his ADSL connection, not to be able to connect with ISDN
> > at all (that's easy since Simultaneous-Use is 1 in this case and won't
> > be allowed to login for anything else) and the opposite (when in as an
> > ISDN not to be able to use the ADSL).
> > Any suggestions are highly appreciated.
> 
> Since you keep different profiles for each connection (ADSL or ISDN) then you
> can add a check item for the NAS-Port-Type (Virtual or ISDN) in each one and use
> rlm_checkval to only allow the corresponding port-type for each profile.
> 
> >
> > Thanks in advance
> >
> > Kostas
> >
> > PS: By the way we have our user database in LDAP but I think that's
> > irrelevant.
> >
> >
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone:   +30 210 7721861
> 'Go back to the shadow'   Gandalf
> 



Re: User with 2 profiles but different simultaneous-use in each

2004-04-06 Thread Alexander M. Pravking
I'm sorry for misleading you, you can't configure it this way.

On Tue, Apr 06, 2004 at 09:46:33AM +0400, Alexander M. Pravking wrote:
> On Mon, Apr 05, 2004 at 08:16:24PM +0300, Kostas Zorbadelos wrote:
> > Hello to everyone.
> > I have the following problem where I work. We have a user, let's say
> > kzorba that is an ADSL user and has a specific profile (check and
> > reply attributes). We want to limit the Simultaneous-Use of
> > the user for this service to 1. We also want for the same user to be
> > able to use an ISDN 128 backup connection in case his ADSL line has a
> > problem. In this case our user has a different profile and
> > Simultaneous-Use 2 (in order to be able to login twice for the 2 isdn
> > channels). So the question is: how can I lock the user in a way that
> > when he uses his ADSL connection, not to be able to connect with ISDN
> > at all (that's easy since Simultaneous-Use is 1 in this case and won't
> > be allowed to login for anything else) and the opposite (when in as an
> > ISDN not to be able to use the ADSL). 
> > Any suggestions are highly appreciated.
> 
> You could do it in authorize {} section instead of session {}.
> Say you have defined 2 attrs (e.g. of type integer): ADSL-Up and ISDN-Up.
> Assuming you have accounting in SQL, you could do:
> 
> ADSL-Up := `%{sql:SELECT count(*) FROM radacct WHERE UserName = '%u' AND NASPortType = 'Ethernet' AND AcctStopTime IS NULL}`
> ISDN-Up := `%{sql:SELECT count(*) FROM radacct WHERE UserName = '%u' AND NASPortType = 'ISDN' AND AcctStopTime IS NULL}`
> 
> (Note the backquotes; the behaviour can change soon.)

That's fine. But... These attributes should go into config items,
so you cannot use users file to check them, since attributes being
checked are always taken from the request:

> Then put 2 entries in "users" file:
> DEFAULT   NAS-Port-Type == ISDN, ADSL-Up > 0, Auth-Type := Reject
>   Reply-Message := "You have your ADSL up, ISDN connections disabled"
> 
> DEFAULT   NAS-Port-Type == Ethernet, ISDN-Up > 0, Auth-Type := Reject
>   Reply-Message := "To use ADSL, first stop your backup ISDN connections"

Instead, you can use rlm_perl (I'd recommend post-auth section, but then you
should patch rlm_perl a little ;-):

sub authorize {
    # Reject an ISDN login while the user still has an ADSL session open.
    # ADSL-Up / ISDN-Up are the check items filled by the SQL counts above.
    if ($RAD_REQUEST{'NAS-Port-Type'} eq 'ISDN'
        and $RAD_CHECK{'ADSL-Up'} > 0) {

        $RAD_REPLY{'Reply-Message'} =
            "You have your ADSL up, ISDN connections disabled";
        return RLM_MODULE_REJECT;
    }

    # Reject an ADSL (Ethernet) login while a backup ISDN session is open.
    if ($RAD_REQUEST{'NAS-Port-Type'} eq 'Ethernet'
        and $RAD_CHECK{'ISDN-Up'} > 0) {

        $RAD_REPLY{'Reply-Message'} =
            "To use ADSL again, first stop your backup ISDN connections";
        return RLM_MODULE_REJECT;
    }

    # Nothing to say about the request; let the other modules decide.
    return RLM_MODULE_NOOP;
}

-- 
Fduch M. Pravking



Re: User with 2 profiles but different simultaneous-use in each

2004-04-06 Thread Kostas Kalevras
On Mon, 5 Apr 2004, Kostas Zorbadelos wrote:

>
>
> Hello to everyone.
> I have the following problem where I work. We have a user, let's say
> kzorba that is an ADSL user and has a specific profile (check and
> reply attributes). We want to limit the Simultaneous-Use of
> the user for this service to 1. We also want for the same user to be
> able to use an ISDN 128 backup connection in case his ADSL line has a
> problem. In this case our user has a different profile and
> Simultaneous-Use 2 (in order to be able to login twice for the 2 isdn
> channels). So the question is: how can I lock the user in a way that
> when he uses his ADSL connection, not to be able to connect with ISDN
> at all (that's easy since Simultaneous-Use is 1 in this case and won't
> be allowed to login for anything else) and the opposite (when in as an
> ISDN not to be able to use the ADSL).
> Any suggestions are highly appreciated.

Since you keep different profiles for each connection (ADSL or ISDN) then you
can add a check item for the NAS-Port-Type (Virtual or ISDN) in each one and use
rlm_checkval to only allow the corresponding port-type for each profile.

>
> Thanks in advance
>
> Kostas
>
> PS: By the way we have our user database in LDAP but I think that's
> irrelevant.
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: User with 2 profiles but different simultaneous-use in each

2004-04-05 Thread Alexander M. Pravking
On Mon, Apr 05, 2004 at 08:16:24PM +0300, Kostas Zorbadelos wrote:
> Hello to everyone.
> I have the following problem where I work. We have a user, let's say
> kzorba that is an ADSL user and has a specific profile (check and
> reply attributes). We want to limit the Simultaneous-Use of
> the user for this service to 1. We also want for the same user to be
> able to use an ISDN 128 backup connection in case his ADSL line has a
> problem. In this case our user has a different profile and
> Simultaneous-Use 2 (in order to be able to login twice for the 2 isdn
> channels). So the question is: how can I lock the user in a way that
> when he uses his ADSL connection, not to be able to connect with ISDN
> at all (that's easy since Simultaneous-Use is 1 in this case and won't
> be allowed to login for anything else) and the opposite (when in as an
> ISDN not to be able to use the ADSL). 
> Any suggestions are highly appreciated.

You could do it in authorize {} section instead of session {}.
Say you have defined 2 attrs (e.g. of type integer): ADSL-Up and ISDN-Up.
Assuming you have accounting in SQL, you could do:

ADSL-Up := `%{sql:SELECT count(*) FROM radacct WHERE UserName = '%u' AND NASPortType = 'Ethernet' AND AcctStopTime IS NULL}`
ISDN-Up := `%{sql:SELECT count(*) FROM radacct WHERE UserName = '%u' AND NASPortType = 'ISDN' AND AcctStopTime IS NULL}`

(Note the backquotes; the behaviour can change soon.)

Then put 2 entries in "users" file:
DEFAULT NAS-Port-Type == ISDN, ADSL-Up > 0, Auth-Type := Reject
        Reply-Message := "You have your ADSL up, ISDN connections disabled"

DEFAULT NAS-Port-Type == Ethernet, ISDN-Up > 0, Auth-Type := Reject
        Reply-Message := "To use ADSL, first stop your backup ISDN connections"


-- 
Fduch M. Pravking

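A runnable version of the cross-technology lock from this post (the two SQL counts against radacct) combined with the decision logic of the rlm_perl authorize sub in the follow-up, added here as an example that is not from the thread or from FreeRADIUS. It assumes an in-memory sqlite3 table as a stand-in for radacct, replaces the %u xlat with a bound parameter, and the accounting rows and user names are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the FreeRADIUS radacct table with only
# the columns the post's SQL xlat touches.
SCHEMA = "CREATE TABLE radacct (UserName TEXT, NASPortType TEXT, AcctStopTime TEXT)"

# The count query from the post, parameterised instead of interpolating %u.
OPEN_SESSIONS_SQL = (
    "SELECT count(*) FROM radacct "
    "WHERE UserName = ? AND NASPortType = ? AND AcctStopTime IS NULL"
)

# Stand-ins for rlm_perl's RLM_MODULE_REJECT / RLM_MODULE_NOOP return codes.
REJECT, NOOP = "reject", "noop"


def open_sessions(conn, username, port_type):
    """Sessions of this NAS-Port-Type for the user that have no stop time yet."""
    return conn.execute(OPEN_SESSIONS_SQL, (username, port_type)).fetchone()[0]


def authorize(conn, request):
    """Cross-technology lock from the thread: an open ADSL (Ethernet) session
    blocks ISDN logins and an open ISDN session blocks ADSL logins.  A second
    ISDN channel for the same user is deliberately not blocked here; that is
    what Simultaneous-Use / Port-Limit decide."""
    user = request["User-Name"]
    port_type = request["NAS-Port-Type"]
    # ADSL-Up and ISDN-Up are the two check items the post defines.
    check = {
        "ADSL-Up": open_sessions(conn, user, "Ethernet"),
        "ISDN-Up": open_sessions(conn, user, "ISDN"),
    }
    reply = {}
    if port_type == "ISDN" and check["ADSL-Up"] > 0:
        reply["Reply-Message"] = "You have your ADSL up, ISDN connections disabled"
        return REJECT, reply
    if port_type == "Ethernet" and check["ISDN-Up"] > 0:
        reply["Reply-Message"] = "To use ADSL, first stop your backup ISDN connections"
        return REJECT, reply
    return NOOP, reply


def demo_db():
    """Constructed accounting rows: kzorba has an open ADSL session and a
    stopped ISDN one; 'backup' has one ISDN channel up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct VALUES (?, ?, ?)",
        [
            ("kzorba", "Ethernet", None),               # still up
            ("kzorba", "ISDN", "2004-04-05 19:00:00"),  # stopped, must not count
            ("backup", "ISDN", None),                   # first ISDN channel up
        ],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    for user, port in (("kzorba", "ISDN"), ("kzorba", "Ethernet"),
                       ("backup", "Ethernet"), ("backup", "ISDN")):
        print(user, port, authorize(db, {"User-Name": user, "NAS-Port-Type": port}))
```

The stopped ISDN row is there to show that only rows with AcctStopTime IS NULL count, so a stale session does not lock the user out of ADSL.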