Re: Simultaneous-Use oddness.

2013-07-31 Thread Matthew Schumacher
Alan,

Thanks for your reply.  I see your point.  But this does create an issue
when you deprecate a nas when users are connected (which isn't ideal but
does happen) because now the session will never close and radius doesn't
assume that a missing nas also means missing session, nor does it pass
it to checkrad which would determine the same.

The solution is simple though (and for the edification of others
searching the list) simply modify the simul_count_query to only find
sessions that are on an active nas.  This assumes that you also are
storing the clients information in the db (using nas_query) which I am.

Thanks for your help.

schu


On 07/20/2013 04:58 AM, Alan DeKok wrote:
 Matthew Schumacher wrote:
 When I have a session that didn't get expired in a SQL database, and the
 user tries to connect then freeradius correctly checks the nas using the
 checkrad script *UNLESS* the nas is no longer defined in the clients.
 If the nas is missing, radius doesn't bother to call checkrad, and
 rejects the login as a multiple login.
 
   Which is what it should do.
 
 So if I deprecate a nas, remove it from the db, then restart freeradius,
 the next request comes in, free radius finds the session to be open, but
 then neither checks checkrad or accepts the user.  The user is now
 unable to authenticate until I close the session in the SQL database.
 
   Because the sessions are still open.  When you delete the client from
 the DB, you should close all user sessions for that client.  This is
 because the client won't do it... it's no longer a client.
 
 Shouldn't freeradius call checkrad anyway and pass it the
 ip/session/user/port for the non-existent nas and let the checkrad
 script return 0, then let the user on?  That's what I would have thought
 should have happened.
 
   No.  Deleting a client means that the client doesn't exist.  You
 shouldn't run checkrad against a client which doesn't exist.
 
   This is really an administration issue.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
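
The query change Matthew describes, together with the session cleanup Alan recommends when a client is deleted, as an added example (not code from the thread or from FreeRADIUS). It uses SQLite in place of MySQL; the `nas` table with a `nasname` column, the sample rows and the function names are assumptions made for illustration.

```python
import sqlite3

# Assumed schema: the radacct column names come from the INSERT shown in this
# thread; the "nas" client table and its "nasname" column are assumptions.
SCHEMA = """
CREATE TABLE nas (nasname TEXT PRIMARY KEY, shortname TEXT);
CREATE TABLE radacct (
    acctsessionid TEXT PRIMARY KEY,
    username TEXT,
    nasipaddress TEXT,
    acctstarttime TEXT,
    acctstoptime TEXT,          -- NULL while the session is open
    acctterminatecause TEXT
);
"""

# Constructed sample rows (documentation addresses, invented users).
SAMPLE_NAS = [("192.0.2.10", "old-nas"), ("192.0.2.20", "new-nas")]
SAMPLE_SESSIONS = [
    ("s1", "alice", "192.0.2.10", "2013-07-01 08:00:00",
     "2013-07-01 09:00:00", "User-Request"),
    # Accounting Stop never arrived for this one, so it stays open.
    ("s2", "alice", "192.0.2.10", "2013-07-19 10:00:00", None, None),
    ("s3", "bob", "192.0.2.20", "2013-07-19 11:00:00", None, None),
]

# Counts every open session, whether or not its NAS is still a client.
COUNT_ALL_OPEN = """
SELECT COUNT(*) FROM radacct
WHERE username = ? AND acctstoptime IS NULL
"""

# Counts only open sessions whose NAS is still present in the client table.
COUNT_OPEN_ON_ACTIVE_NAS = """
SELECT COUNT(*) FROM radacct
JOIN nas ON nas.nasname = radacct.nasipaddress
WHERE radacct.username = ? AND radacct.acctstoptime IS NULL
"""

CLOSE_OPEN_SESSIONS_FOR_NAS = """
UPDATE radacct
SET acctstoptime = ?, acctterminatecause = 'Admin-Reset'
WHERE nasipaddress = ? AND acctstoptime IS NULL
"""


def build_db():
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO nas VALUES (?, ?)", SAMPLE_NAS)
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?)",
                     SAMPLE_SESSIONS)
    conn.commit()
    return conn


def open_sessions(conn, query, username):
    """Run one of the count queries for a user and return the count."""
    return conn.execute(query, (username,)).fetchone()[0]


def would_reject(conn, query, username, limit):
    """Simultaneous-Use style decision: reject once the count reaches the limit."""
    return open_sessions(conn, query, username) >= limit


def decommission_nas(conn, nasname, stop_time):
    """Close the NAS's open sessions and delete the client in one transaction.

    Returns the number of sessions that were closed.
    """
    with conn:  # commits on success, rolls back on error
        closed = conn.execute(CLOSE_OPEN_SESSIONS_FOR_NAS,
                              (stop_time, nasname)).rowcount
        conn.execute("DELETE FROM nas WHERE nasname = ?", (nasname,))
    return closed


if __name__ == "__main__":
    # Case 1: the client row is deleted but its sessions are left open.
    conn = build_db()
    conn.execute("DELETE FROM nas WHERE nasname = ?", ("192.0.2.10",))
    print("count all open -> reject alice:",
          would_reject(conn, COUNT_ALL_OPEN, "alice", 1))
    print("count active NAS only -> reject alice:",
          would_reject(conn, COUNT_OPEN_ON_ACTIVE_NAS, "alice", 1))

    # Case 2: sessions are closed as part of removing the client.
    conn = build_db()
    print("sessions closed on removal:",
          decommission_nas(conn, "192.0.2.10", "2013-07-31 12:00:00"))
    print("count all open -> reject alice:",
          would_reject(conn, COUNT_ALL_OPEN, "alice", 1))
```

The filtered query also stops counting sessions that are genuinely still up on a removed NAS; closing the sessions when the client is deleted keeps the accounting table itself accurate.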


Re: Simultaneous-Use oddness.

2013-07-20 Thread Alan DeKok
Matthew Schumacher wrote:
 When I have a session that didn't get expired in a SQL database, and the
 user tries to connect then freeradius correctly checks the nas using the
 checkrad script *UNLESS* the nas is no longer defined in the clients.
 If the nas is missing, radius doesn't bother to call checkrad, and
 rejects the login as a multiple login.

  Which is what it should do.

 So if I deprecate a nas, remove it from the db, then restart freeradius,
 the next request comes in, free radius finds the session to be open, but
 then neither checks checkrad or accepts the user.  The user is now
 unable to authenticate until I close the session in the SQL database.

  Because the sessions are still open.  When you delete the client from
the DB, you should close all user sessions for that client.  This is
because the client won't do it... it's no longer a client.

 Shouldn't freeradius call checkrad anyway and pass it the
 ip/session/user/port for the non-existent nas and let the checkrad
 script return 0, then let the user on?  That's what I would have thought
 should have happened.

  No.  Deleting a client means that the client doesn't exist.  You
shouldn't run checkrad against a client which doesn't exist.

  This is really an administration issue.

  Alan DeKok.


Simultaneous-Use oddness.

2013-07-19 Thread Matthew Schumacher
List,

I'm bumping this odd issue with Simultaneous-Use:

When I have a session that didn't get expired in a SQL database, and the
user tries to connect then freeradius correctly checks the nas using the
checkrad script *UNLESS* the nas is no longer defined in the clients.
If the nas is missing, radius doesn't bother to call checkrad, and
rejects the login as a multiple login.

Perhaps this has something to do with the fact that my clients are
defined in SQL using the nas_query option.

So if I deprecate a nas, remove it from the db, then restart freeradius,
the next request comes in, free radius finds the session to be open, but
then neither checks checkrad or accepts the user.  The user is now
unable to authenticate until I close the session in the SQL database.

Shouldn't freeradius call checkrad anyway and pass it the
ip/session/user/port for the non-existent nas and let the checkrad
script return 0, then let the user on?  That's what I would have thought
should have happened.

Thanks,
schu


Re: Simultaneous Use strategy

2013-03-04 Thread Alan DeKok
Mehdi Ravanbakhsh wrote:
 So I need to change Simultaneous Use check strategy and if user with
 same Calling Station ID - NAS ip address - NAS port - Called station
 ID try to connect I need to accept it.

  Then write that policy in unlang.  It's not hard.

 Is there any way to change Simultaneous Use configuration?

  The configuration files are editable for a reason.  Edit them.

  You're asking a lot of very detailed questions which are answered in
the default config, and in the documentation.  Go read them.

  Alan DeKok.


Change Simultaneous-Use default value

2012-11-20 Thread Dmitry Korzhevin

Hello,

How to change default Simultaneous-Use 0 (default) value without using 
user groups?


So, all current users and new, that will be created - will have for 
example 2 allowed connections?




Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhe...@stidia.com
m: +38 093 874 5453
w: http://www.stidia.com




Re: Change Simultaneous-Use default value

2012-11-20 Thread Alan DeKok
Dmitry Korzhevin wrote:
 Hello,
 
 How to change default Simultaneous-Use 0 (default) value without using
 user groups?
 
 So, all current users and new, that will be created - will have for
 example 2 allowed connections?

  Add an entry in the users file:

DEFAULT Simultaneous-Use := 2

  Alan DeKok.


Re: simultaneous-Use is not working

2012-11-04 Thread Miha
Alan,

Just to let you know, I figured out where the problem was.
In the default file, in session, I had radutmp set and
also sql. After I commented out radutmp and left just sql, it began
to work :)

Thanks!

Miha

On Sat, 03 Nov 2012 15:27:41 -0400
 Alan DeKok al...@deployingradius.com wrote:
 Miha wrote:
  i am turning out you due to issue with
 simultaneous-Use. I
  read mailing list but did not find any appropriate
  answer. 
 ...
  my config:
  
  [root@localhost sites-available]# radiusd -X
  FreeRADIUS Version 2.1.12, for host
 ...
  Ready to process requests.
 
   The reason to post the debug output is to show what
 happens when the
 server receives a packet.  You didn't show that.  So the
 debug output is
 useless, and we can't help you.
 
   Alan DeKok.


simultaneous-Use is not working

2012-11-03 Thread Miha
Hi there,

I am turning to you due to an issue with simultaneous-Use. I
read the mailing list but did not find any appropriate
answer.

My configuration:
.../raddb/sites-available/default: session {mysql}
.../raddb/sql/mysql/dialup.conf: uncomment
simul_count_query..

In radcheck I have put a user with a cleartext password and
also added a line for this user with simultaneous-Use :=1.

When I try to call with simultaneous-Use :=1 the call is
rejected; if I put simultaneous-Use :=2 all calls go
through from this account.

The NAS is sending start/stop packets, and if a call is in progress
there is a NULL value in the acc stop time row.

Accounting and authorization are uncommented :)

my config:

[root@localhost sites-available]# radiusd -X
FreeRADIUS Version 2.1.12, for host
x86_64-unknown-linux-gnu, built on Nov  8 2011 at 15:23:48
Copyright (C) 1999-2009 The FreeRADIUS server project and
contributors. 
There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms
of the 
GNU General Public License v2. 
Starting - reading configuration files ...

Re: simultaneous-Use is not working

2012-11-03 Thread Alan DeKok
Miha wrote:
 i am turning out you due to issue with simultaneous-Use. I
 read mailing list but did not find any appropriate
 answer. 
...
 my config:
 
 [root@localhost sites-available]# radiusd -X
 FreeRADIUS Version 2.1.12, for host
...
 Ready to process requests.

  The reason to post the debug output is to show what happens when the
server receives a packet.  You didn't show that.  So the debug output is
useless, and we can't help you.

  Alan DeKok.


Re: simultaneous-Use is not working

2012-11-03 Thread Miha
Hi Alan,

 log with simultaneous-Use := 1:

rad_recv: Accounting-Request packet from host
xxx.xxx.xxx.xxx port 40165, id=56, length=327
Acct-Status-Type = Start
Acct-Session-Id = 21613e25-697e-4d90-a741-586503d4abcb
User-Name = 018108753.enterprise
Freeswitch-Src = 018108753.enterprise
Freeswitch-CLID = 018108753.enterprise
Freeswitch-Dst = 031681796
Freeswitch-Dialplan = XML
Framed-IP-Address = 84.41.126.2
Freeswitch-Context = enterprise.fs2.softnet.si
Freeswitch-Ani = 018108753.enterprise
Freeswitch-Source = mod_sofia
Freeswitch-Callstartdate =
2012-11-03T21:07:03.383945+0100
NAS-Port = 0
Acct-Delay-Time = 0
NAS-IP-Address = xxx.xxx.xxx.xxx
# Executing section preacct from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address =
xxx.xxx.xxx.xxx,NAS-IP-Address =
xxx.xxx.xxx.xxx,Acct-Session-Id =
21613e25-697e-4d90-a741-586503d4abcb,User-Name =
018108753.enterprise'
[acct_unique] Acct-Unique-Session-ID = ccb7c871be618e52.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = 018108753.enterprise,
looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]expand: %{Packet-Src-IP-Address} -
xxx.xxx.xxx.xxx
[detail]expand:
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
-
/usr/local/var/log/radius/radacct/.../detail-20121103
[detail]
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/.../detail-20121103
[detail]expand: %t - Sat Nov  3 21:01:26 2012
++[detail] returns ok
++[unix] returns ok
[radutmp]   expand: /usr/local/var/log/radius/radutmp -
/usr/local/var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - 018108753.enterprise
++[radutmp] returns ok
[sql]   expand: %{User-Name} - 018108753.enterprise
[sql] sql_set_user escaped user -- '018108753.enterprise'
[sql]   expand: %{Acct-Delay-Time} - 0
[sql]   expand:INSERT INTO radacct
(acctsessionid,acctuniqueid, username,
 realm,nasipaddress, nasportid,
 nasporttype,  acctstarttime,
   acctstoptime,  acctsessiontime,
 acctauthentic,connectinfo_start,
 connectinfo_stop, acctinputoctets,
 acctoutputoctets,  calledstationid,
 callingstationid, acctterminatecause,
 servicetype,  framedprotocol,
  framedipaddress,  acctstartdelay,
  acctstopdelay,xascendsessionsvrkey)   VALUES
('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}',
 '%{Freeswitch-Src}',  '%{Realm}',
'%{NAS-IP-Address}', '%{NAS-Port}',
 '%{NAS-Port-Type}', '%S', NULL,
 '0', '%{Acct-Authentic}', '%{Connect-Info}',
 '', '0', '0',
 '%{Called-Station-Id}',
'%{Calling-Station-Id}', '',
 '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', 
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response]   expand: %{User-Name} -
018108753.enterprise
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 56 to xxx.xxx.xxx.xxx
port 40165
Finished request 0.
Cleaning up request 0 ID 56 with timestamp +2994
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx
port 43949, id=57, length=193
User-Name = 018108753.enterprise
User-Password = xxx
h323-conf-id =
h323-conf-id=21613e25-697e-4d90-a741-586503d4abcb
h323-prompt-id = h323-prompt-id=031681796
NAS-Port-Type = Async
NAS-Port-Id = ISDN 3/0:D:14
User-Name = 1
NAS-Port = 0
NAS-IP-Address = ...
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 018108753.enterprise,
looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} - 018108753.enterprise
[sql] sql_set_user escaped user -- '018108753.enterprise'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op
  FROM radcheck   WHERE username =
'%{SQL-User-Name

Re: Simultaneous-Use checking

2012-02-25 Thread Fajar A. Nugraha
On Sat, Feb 25, 2012 at 11:51 AM, opti2k4 dr...@email.t-com.hr wrote:
 Hi,

 I need little help with this. I have MySQL setup with freeradius, that is
 working. Now for Simultaneous-Use checking there are no queries to uncomment
 inside sql.conf by default (installed freeradius over apt-get ).

It should be there. See
https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/sql/mysql/dialup.conf

 What else do I have to do to get this checking started?

- make sure you have acct stored in mysql as well (look at your radacct tables)
- make sure the user has Simultaneous-Use attribute (in
radcheck/radgroupcheck/whatever)

-- 
Fajar


Simultaneous-Use checking

2012-02-24 Thread opti2k4
Hi,

I need a little help with this. I have a MySQL setup with freeradius, that is
working. Now for Simultaneous-Use checking there are no queries to uncomment
inside sql.conf by default (installed freeradius over apt-get).

Now I added to sql.conf


simul_count_query = SELECT COUNT(*) FROM radacct WHERE
UserName='%{SQL-User-Name}' AND AcctStopTime = 0
simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName,
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol
FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0

Group checking is disabled.

What else do I have to do to get this checking started?

Thx!



Simultaneous-use check but don't reject

2011-12-20 Thread Alexander Kosykh
Hi

I'm using Simultaneous-use := 1 and sql for the check on my Freeradius server.
When radius finds that the customer is already connected, it rejects the customer
with Reply-Message := \r\nYou are already logged in - access
denied\r\n\n. Is there a way to not reject the customer, so that the customer
can connect and be redirected to an error page?

Regards,
Alexander.


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Alan DeKok
Alexander Kosykh wrote:
 I'm using Simultaneous-use := 1 and sql for check on my Freeradius
 server. When the radius found that customer connected already it reject
 customer with Reply-Message := \r\nYou are already logged in - access
 denied\r\n\n. Is the way do not reject customer to be able connect
 customer and redirect them to Error page?

  See the documentation for your NAS or captive portal.  This isn't an
issue for RADIUS.

  Alan DeKok.


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Alexander Kosykh
The question is not how to make a captive portal on my NAS; the question is
how to not reject a customer who reached the max value of simultaneous-use?

Regards,
Alexander.

2011/12/20 Alan DeKok al...@deployingradius.com

 Alexander Kosykh wrote:
  I'm using Simultaneous-use := 1 and sql for check on my Freeradius
  server. When the radius found that customer connected already it reject
  customer with Reply-Message := \r\nYou are already logged in - access
  denied\r\n\n. Is the way do not reject customer to be able connect
  customer and redirect them to Error page?

   See the documentation for your NAS or captive portal.  This isn't an
 issue for RADIUS.

  Alan DeKok.


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Alan Buxey
Hi,
The question is not how to make captive portal on my NAS, the question is
how do not reject customer, who reached max value of simultaneous-use?

if you don't care about them reaching that value, then why are you checking?

but if you really do want to redirect them to an error page - then you need to
read/check how to do that with your NAS (as Alan said, read your NAS
documentation) and instead of the current Simultaneous-Use result, put your
own result in (whatever RADIUS attributes/values you need to set for your user
to get redirected to some error page, however that is done by your NAS)

alan


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Alexander Kosykh
I tried to do this in my config

session {
        # radutmp

        #
        # See Simultaneous Use Checking Queries in sql.conf
        sql
        if (Post-Auth-Type == reject) {
                ok
                block_auth_error # my own policy
        }

}

but the radius answer is reject regardless, and pppoe didn't come up



2011/12/21 Alan Buxey a.l.m.bu...@lboro.ac.uk

 Hi,
 The question is not how to make captive portal on my NAS, the
 question is
 how do not reject customer, who reached max value of simultaneous-use?

 if you don't care about them reaching that value, then why are you
 checking?

 but if you really do want to  redirect them to an error page - then you
 need to
 read/check how to do that with your NAS (as Alan said, read your NAS
 documentation)
 and instead of the current Simultaneous-Use result, put your own result in
 (whatever
 RADIUS attributes/values you need to set for your user to get redirected
 to some error
 page, however that is done by your NAS)

 alan


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Fajar A. Nugraha
On Wed, Dec 21, 2011 at 4:18 AM, Alexander Kosykh avkos...@gmail.com wrote:
 I tried to do this in my config

 session {
 # radutmp

 #
 # See Simultaneous Use Checking Queries in sql.conf
 sql
 if (Post-Auth-Type == reject) {
 ok
 block_auth_error # my own policy
 }

 }

 but radius answer is reject whatever and pppoe didn't up

You need to learn some concepts first.
What radius can do:
- it tells the NAS whether to accept or reject a user
- if the user is accepted, it can tell the NAS how to treat that user.
e.g. what VLAN he should be on, what speed he can have, etc. However
it's up to the NAS whether to actually apply the info sent by radius.

What radius can NOT do:
- be a captive portal
- be a magic box that solves all your problems

From your description, it looks like you should NOT use the default
simultaneous-use code. Rather, you should:
(1) make sure your NAS supports vlan assignment based on radius reply
(2) setup different vlans based on whether a user is currently logged
in elsewhere or not
(3) setup a captive portal on a vlan
(4) configure freeradius to tell the NAS to allocate that vlan when a
user tries to login more than once

I can tell you how to do (4) (or you can just read
raddb/sql/mysql/dialup.conf), but before you do that you need to have
a NAS that supports (1), and you must be able to do (2) and (3). If
you don't know how to do that, get an expert to help you.

-- 
Fajar


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Fajar A. Nugraha
On Wed, Dec 21, 2011 at 5:29 AM, Fajar A. Nugraha l...@fajar.net wrote:
 On Wed, Dec 21, 2011 at 4:18 AM, Alexander Kosykh avkos...@gmail.com wrote:

 I tried to do this in my config

 but radius answer is reject whatever and pppoe didn't up

You know what, since you say it's pppoe, I can share a setup on my
environment that might be adaptable for you.

The situation:
- pppoe
- IP address is (normally) allocated by nas, dynamically, using public
IP address
- AAA using freeradius

The problem:
- we want disabled users to still be able to login, but they'd be
placed on a special network where they'd only be able to access an
info page (or, in your terms, error page)

The solution:
- setup a private IP pool on the NAS (e.g. 10.x.x.x)
- put disabled users in a special group (e.g. disabled-users)
- setup sqlippool for that IP address pool (e.g. disabled-users-pool)
- setup a special DNS server (any authoritative DNS server supporting
wildcard will do) that will resolve all DNS record to a special web
server.
- setup routing on the NAS so that the private IP pool can access the
DNS server and the web server, but it can't access public IP address
- add radgroupcheck entry for that group which points to the pool
(e.g. Pool-Name := disabled-users-pool)
- add radgroupreply entry which will tell users to use the special DNS
server (e.g MS-Primary-DNS-Server := 10.0.0.10)

That way, when a user in disabled-users group logs in, he'd get a
private IP address, and whatever address he typed in browser will
bring him to the info page.

You might be able to adapt it to your needs by adding Pool-Name and
MS-Primary-DNS-Server attribute dynamically using unlang, based on an
sql query which checks whether a user is already logged in or not.
Somewhat complicated, but should work.

If you're still having trouble understanding the example, better ask
an expert to help you.

-- 
Fajar


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Alexander Kosykh
Hi.

I knew how to make all you wrote above. I need to know how to accept
customer, when sim-use rejected him.

Regards,
Alexander.


2011/12/21 Fajar A. Nugraha l...@fajar.net

 On Wed, Dec 21, 2011 at 5:29 AM, Fajar A. Nugraha l...@fajar.net wrote:
  On Wed, Dec 21, 2011 at 4:18 AM, Alexander Kosykh avkos...@gmail.com
 wrote:

  I tried to do this in my config

  but radius answer is reject whatever and pppoe didn't up

 You know what, since you say it's pppoe, I can share a setup on my
 environment that might be adaptable for you.

 The situation:
 - pppoe
 - IP address is (normally) allocated by nas, dynamically, using public
 IP address
 - AAA using freeradius

 The problem:
 - we want disabled users to still be able to login, but they'd be
 placed on a special network where they'd only be able to access an
 info page (or, in your terms, error page)

 The solution:
 - setup a private IP pool on the NAS (e.g. 10.x.x.x)
 - put disabled users in a special group (e.g. disabled-users)
 - setup sqlippool for that IP address pool (e.g. disabled-users-pool)
 - setup a special DNS server (any authoritative DNS server supporting
 wildcard will do) that will resolve all DNS record to a special web
 server.
 - setup routing on the NAS so that the private IP pool can access the
 DNS server and the web server, but it can't access public IP address
 - add radgroupcheck entry for that group which points to the pool
 (e.g. Pool-Name := disabled-users-pool)
 - add radgroupreply entry which will tell users to use the special DNS
 server (e.g MS-Primary-DNS-Server := 10.0.0.10)

 That way, when a user in disabled-users group logs in, he'd get a
 private IP address, and whatever address he typed in browser will
 bring him to the info page.

 You might be able to adapt it to your needs by adding Pool-Name and
 MS-Primary-DNS-Server attribute dynamically using unlang, based on an
 sql query which checks whether a user is already logged in or not.
 Somewhat complicated, but should work.

 If you're still having trouble understanding the example, better ask
 an expert to help you.

 --
 Fajar


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Fajar A. Nugraha
On Wed, Dec 21, 2011 at 12:56 PM, Alexander Kosykh avkos...@gmail.com wrote:
 Hi.

 I knew how to make all you wrote above.

Are you sure?

 I need to know how to accept
 customer, when sim-use rejected him.

Cause if you do, you wouldn't ask that.

Easiest way: simply remove sql (or radutmp, depends on what you
use) from session section. Then simultaneous-use check will be
disabled (e.g. user will be accepted no matter whether they're already
logged in or not).

You will still be able to examine user status and limit using unlang
from %{control:Simultaneous-Use} (which gets its value from
radcheck/radgroupcheck) and %{sql:
whatever-you-find-as-simul_count_query-on-sql/mysql/dialup.conf}.
Using those two values you add reply items (either vlan assignment,
IP/DNS assignment, and so on).

-- 
Fajar


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Alexander Kosykh
How do I run checkrad if I disable everything in the session section? Acct-stop
packets are sometimes lost and sql thinks that the customer is online, but he
isn't.

Regards,
Alexander.


2011/12/21 Fajar A. Nugraha l...@fajar.net

 On Wed, Dec 21, 2011 at 12:56 PM, Alexander Kosykh avkos...@gmail.com
 wrote:
  Hi.
 
  I knew how to make all you wrote above.

 Are you sure?

  I need to know how to accept
  customer, when sim-use rejected him.

 Cause if you do, you wouldn't ask that.

 Easiest way: simply remove sql (or radutmp, depends on what you
 use) from session section. Then simultaneous-use check will be
 disabled (e.g. user will be accepted no matter whether they're already
 logged in or not).

 You will still be able to examine user status and limit using unlang
 from %{control:Simultaneous-Use} (which gets its value from
 radcheck/radgroupcheck) and %{sql:
 whatever-you-find-as-simul_count_query-on-sql/mysql/dialup.conf}.
 Using those two values you add reply items (either vlan assignment,
 IP/DNS assignment, and so on).

 --
 Fajar


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Fajar A. Nugraha
On Wed, Dec 21, 2011 at 1:22 PM, Alexander Kosykh avkos...@gmail.com wrote:
 How to make checkrad, if disable all in session section?

checkrad should be disabled (i.e. not called by FR) when you
comment-out radutmp from session section. You should still be able
to run it manually

$ checkrad
Usage: checkrad nas_type nas_ip nas_port login session_id

 acct-stop packets
 are lost sometimes and sql thinks that the customer is online, but he isn't.

I believe I responded to a similar question yesterday (search the list
archive). You just have to deal with it. Design your system with the
full knowledge that SOME accounting packets will be lost.

-- 
Fajar


Re: Simultaneous-use check but don't reject

2011-12-20 Thread Alexander Kosykh
Do you have some examples, which work fast to handle 10 AAA/second and
check sim-use without freeradius standard methods?

Regards,
Alexander.



2011/12/21 Fajar A. Nugraha l...@fajar.net

 I believe I responded to a similar question yesterday (search the list
 archive). You just have to deal with it. Design your system with the
 full knowledge that SOME accounting packets will be lost



Re: Simultaneous-use check but don't reject

2011-12-20 Thread Fajar A. Nugraha
On Wed, Dec 21, 2011 at 2:10 PM, Alexander Kosykh avkos...@gmail.com wrote:
 Do you have some examples, which work fast to handle 10 AAA/second and check
 sim-use without freeradius standard methods?

Did you read what I wrote earlier?

All the concepts are there. Converting it to actual code is
easy-enough (although takes some time) if you're familiar with
freeradius, sqlippool, and unlang.

If you're not familiar with it, well, my best advice is either spend
some time to study it, or get an expert to help you.

-- 
Fajar


Re[2]: configuration freeradius for no simultaneous use

2011-12-02 Thread tolik_shavlov...@mail.ru
Dear Alan,

i added  Simultaneous-Use = 1 to user profile in users file.


2 December 2011, 11:49, from Alan DeKok-2 [via FreeRadius]
ml-node+s1045715n5040921...@n5.nabble.com:
 [hidden email] wrote:
 i need your help in configuration freeradius for no simultaneous use. 

  doc/Simultaneous-Use  See also the Wiki.

  Have you read that documentation and followed the instructions there?

  Alan DeKok.


Re: Re[2]: configuration freeradius for no simultaneous use

2011-12-02 Thread Fajar A. Nugraha
On Fri, Dec 2, 2011 at 3:37 PM, tolik_shavlov...@mail.ru
tolik_shavlov...@mail.ru wrote:
 Dear Alan,

 i added  Simultaneous-Use = 1 to user profile in users file.

Did you read the doc? Or the reply I sent earlier?

It requires MORE than just that.

-- 
FAN



Re[4]: configuration freeradius for no simultaneous use

2011-12-02 Thread Толик Шавловский
Dear Alan,

i am not well acquainted with freeradius. So, from doc/Simultaneous-use i
understood that freeradius requires script, which will connect to NAS and check
user session. Am i right?


2 December 2011, 12:43, from Fajar A. Nugraha l...@fajar.net:
 On Fri, Dec 2, 2011 at 3:37 PM, tolik_shavlov...@mail.ru
 tolik_shavlov...@mail.ru wrote:
  Dear Alan,
 
  i added  Simultaneous-Use = 1 to user profile in users file.
 
 Did you read the doc? Or the reply I sent earlier?
 
 It requires MORE than just that.
 
 --
 FAN
 


Re: Re[4]: configuration freeradius for no simultaneous use

2011-12-02 Thread Fajar A. Nugraha
2011/12/2 Толик Шавловский tolik_shavlov...@mail.ru:
 Dear Alan,

I assume you want help from anyone, not just Alan, so I'll add some
comments here.


 i am not well acquainted with freeradius. So, from doc/Simultaneous-use i
 understood that freeradius requires script, which will connect to NAS and
 check user session. Am i right?

That's one way to do that (and possibly the most accurate way). But
not the ONLY way.

You can make it work without the script, if you store accounting data
in sql. See (for example) raddb/sql/mysql/dialup.conf, look for
simul_count_query and simul_verify_query. But again, you need to
store accounting data for it to work.

-- 
Fajar



 2 December 2011, 12:43, from Fajar A. Nugraha l...@fajar.net:
 On Fri, Dec 2, 2011 at 3:37 PM, tolik_shavlov...@mail.ru
 tolik_shavlov...@mail.ru wrote:
  Dear Alan,
 
  i added  Simultaneous-Use = 1 to user profile in users file.

 Did you read the doc? Or the reply I sent earlier?

 It requires MORE than just that.




Re[6]: configuration freeradius for no simultaneous use

2011-12-02 Thread tolik_shavlov...@mail.ru
Fajar,

thanks. I understand how to search.


2 December 2011, 13:53, from Fajar A. Nugraha-2 [via FreeRadius]
ml-node+s1045715n5041277...@n5.nabble.com:
 2011/12/2 Толик Шавловский [hidden email]:
 Dear Alan,

I assume you want help from anyone, not just Alan, so I'll add some
comments here.


 i am not well acquainted with freeradius. So, from doc/Simultaneous-use i
 understood that freeradius requires script, which will connect to NAS and
 check user session. Am i right?

That's one way to do that (and possibly the most accurate way). But
not the ONLY way.

You can make it work without the script, if you store accounting data
in sql. See (for example) raddb/sql/mysql/dialup.conf, look for
simul_count_query and simul_verify_query. But again, you need to
store accounting data for it to work.

-- 
Fajar



 2 December 2011, 12:43, from Fajar A. Nugraha [hidden email]:
 On Fri, Dec 2, 2011 at 3:37 PM, [hidden email]
 [hidden email] wrote:
  Dear Alan,
 
  i added  Simultaneous-Use = 1 to user profile in users file.

 Did you read the doc? Or the reply I sent earlier?

 It requires MORE than just that.


Re[7]: configuration freeradius for no simultaneous use

2011-12-02 Thread Толик Шавловский
Hi again,

as i found naslist and naspass are old configuration files, now their 
functionality is used in clients.conf file.

So, i indicated nastype = cisco

will freeradius connect to nas in this case?


2 December 2011, 14:39, from tolik_shavlov...@mail.ru tolik_shavlov...@mail.ru:
Hi,

according to doc:
===
3. IMPLEMENTATION

  The server keeps a list of logged-in users in the /var/log/radutmp file.
  This is also called the session database. When you execute radwho,
  all that radwho really does is list the entries in this file in a pretty
  format. Only when someone tries to login who _already_ has an active
  session according to the radutmp file, the server executes the perl
  script /usr/local/sbin/checkrad (or /usr/sbin/checkrad, it checks for
  the presence of both and in that order). This script queries the terminal
  server to see if the user indeed already has an active session.

  The script uses SNMP for Livingston Portmasters and Ciscos, finger for
  Portslave, Computone and Ascend, and Net::Telnet for USR/3Com TC.

  Since the script has been written in perl, it's easy to adjust for
  any type of terminal server. There are implementations in the script for
  checks using SNMP, finger, and telnet, so it should be easy to add
  your own check routine if your terminal server is not supported yet.

  You can find the script in the file src/checkrad.pl.

  You need to set the correct type in the file /etc/raddb/naslist so that
  checkrad KNOWS how it should interrogate the terminal server. At this
  time you can define the following types:
=

my /usr/local/etc/raddb doesn't have naslist and naspassword files.

If i configure them manually, so freeradius will connect to NAS (we use cisco) 
via snmp and check user session? So, in such way i don't need script?

thanks.


2 December 2011, 13:53, from Fajar A. Nugraha-2 [via FreeRadius] [hidden email]:
 2011/12/2 Толик Шавловский [hidden email]:
 Dear Alan,

I assume you want help from anyone, not just Alan, so I'll add some
comments here.


 i am not well acquainted with freeradius. So, from doc/Simultaneous-use i
 understood that freeradius requires script, which will connect to NAS and
 check user session. Am i right?

That's one way to do that (and possibly the most accurate way). But
not the ONLY way.

You can make it work without the script, if you store accounting data
in sql. See (for example) raddb/sql/mysql/dialup.conf, look for
simul_count_query and simul_verify_query. But again, you need to
store accounting data for it to work.

-- 
Fajar



 2 December 2011, 12:43, from Fajar A. Nugraha [hidden email]:
 On Fri, Dec 2, 2011 at 3:37 PM, [hidden email]
 [hidden email] wrote:
  Dear Alan,
 
  i added  Simultaneous-Use = 1 to user profile in users file.

 Did you read the doc? Or the reply I sent earlier?

 It requires MORE than just that.


Re: configuration freeradius for no simultaneous use

2011-12-02 Thread Alan DeKok
Толик Шавловский wrote:
 So, i indicated nastype = cisco
 
 will freeradius connect to nas in this case?

  Only if the server receives accounting packets, AND a user session is
still open, AND that user tries to log in a second time from a different
location.

  Alan DeKok.
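
The conditions listed in this reply, and the doc/Simultaneous-Use excerpt quoted elsewhere in the thread, modelled as an added Python example (not FreeRADIUS code and not from any poster): checkrad is consulted only once the session database already shows the user at the limit. The in-memory SQLite table standing in for radacct, the `check_simul` function and the `nas_has_session` callback standing in for checkrad are all assumptions of this sketch.

```python
import sqlite3

# Constructed stand-in for the radacct accounting table (only the columns
# the simul_* queries quoted in this thread refer to).
SCHEMA = """
CREATE TABLE radacct (
    radacctid     INTEGER PRIMARY KEY,
    acctsessionid TEXT,
    username      TEXT,
    nasipaddress  TEXT,
    nasportid     TEXT,
    acctstoptime  TEXT      -- NULL while the session is considered open
)"""

SIMUL_COUNT = ("SELECT COUNT(*) FROM radacct "
               "WHERE username = ? AND acctstoptime IS NULL")
SIMUL_VERIFY = ("SELECT radacctid, acctsessionid, nasipaddress, nasportid "
                "FROM radacct WHERE username = ? AND acctstoptime IS NULL")


def check_simul(db, username, simul_max, nas_has_session):
    """Return (decision, checkrad_calls) for a new login attempt.

    nas_has_session(nas_ip, nas_port, username, session_id) -> bool plays the
    role of checkrad: it asks the NAS whether the session really exists.
    """
    calls = 0
    (count,) = db.execute(SIMUL_COUNT, (username,)).fetchone()
    # Below the limit according to the session database: accept, and the
    # NAS is never queried. An empty radacct table always ends up here.
    if count < simul_max:
        return "accept", calls

    # At or over the limit: double-check each recorded session on its NAS.
    live = 0
    for acct_id, session_id, nas_ip, nas_port in db.execute(
            SIMUL_VERIFY, (username,)).fetchall():
        calls += 1
        if nas_has_session(nas_ip, nas_port, username, session_id):
            live += 1
        else:
            # Stale row, e.g. a lost Accounting-Stop. Closing it here is
            # this example's own choice of clean-up.
            db.execute("UPDATE radacct SET acctstoptime = datetime('now') "
                       "WHERE radacctid = ?", (acct_id,))
    return ("reject" if live >= simul_max else "accept"), calls


def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    results = {}

    # Sessions that really exist on the (simulated) NAS.
    on_nas = {("192.0.2.10", "sess-live")}

    def probe(nas_ip, nas_port, user, session_id):
        return (nas_ip, session_id) in on_nas

    # 1. NAS sends no accounting: radacct stays empty, every login passes
    #    and the probe is never invoked.
    results["no_accounting"] = check_simul(db, "alice", 1, probe)

    # 2. Open session that is still up on the NAS: second login rejected.
    db.execute("INSERT INTO radacct VALUES "
               "(1, 'sess-live', 'bob', '192.0.2.10', '7', NULL)")
    results["live_session"] = check_simul(db, "bob", 1, probe)

    # 3. Open row whose Accounting-Stop was lost: the NAS says it is gone,
    #    so the login is accepted and the stale row is closed.
    db.execute("INSERT INTO radacct VALUES "
               "(2, 'sess-stale', 'carol', '192.0.2.10', '9', NULL)")
    results["stale_session"] = check_simul(db, "carol", 1, probe)
    results["carol_open_rows"] = db.execute(
        SIMUL_COUNT, ("carol",)).fetchone()[0]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```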


Re[6]: configuration freeradius for no simultaneous use

2011-12-02 Thread tolik_shavlov...@mail.ru
Hi,

according to doc:
===
3. IMPLEMENTATION

  The server keeps a list of logged-in users in the /var/log/radutmp file.
  This is also called the session database. When you execute radwho,
  all that radwho really does is list the entries in this file in a pretty
  format. Only when someone tries to login who _already_ has an active
  session according to the radutmp file, the server executes the perl
  script /usr/local/sbin/checkrad (or /usr/sbin/checkrad, it checks for
  the presence of both and in that order). This script queries the terminal
  server to see if the user indeed already has an active session.

  The script uses SNMP for Livingston Portmasters and Ciscos, finger for
  Portslave, Computone and Ascend, and Net::Telnet for USR/3Com TC.

  Since the script has been written in perl, it's easy to adjust for
  any type of terminal server. There are implementations in the script for
  checks using SNMP, finger, and telnet, so it should be easy to add
  your own check routine if your terminal server is not supported yet.

  You can find the script in the file src/checkrad.pl.

  You need to set the correct type in the file /etc/raddb/naslist so that
  checkrad KNOWS how it should interrogate the terminal server. At this
  time you can define the following types:
=

my /usr/local/etc/raddb doesn't have naslist and naspassword files.

If i configure them manually, so freeradius will connect to NAS (we use cisco) 
via snmp and check user session? So, in such way i don't need script?

thanks.


2 December 2011, 13:53, from Fajar A. Nugraha-2 [via FreeRadius]
ml-node+s1045715n5041277...@n5.nabble.com:
 2011/12/2 Толик Шавловский [hidden email]:
 Dear Alan,

I assume you want help from anyone, not just Alan, so I'll add some
comments here.


 i am not well acquainted with freeradius. So, from doc/Simultaneous-use i
 understood that freeradius requires script, which will connect to NAS and
 check user session. Am i right?

That's one way to do that (and possibly the most accurate way). But
not the ONLY way.

You can make it work without the script, if you store accounting data
in sql. See (for example) raddb/sql/mysql/dialup.conf, look for
simul_count_query and simul_verify_query. But again, you need to
store accounting data for it to work.

-- 
Fajar



 2 December 2011, 12:43, from Fajar A. Nugraha [hidden email]:
 On Fri, Dec 2, 2011 at 3:37 PM, [hidden email]
 [hidden email] wrote:
  Dear Alan,
 
  i added  Simultaneous-Use = 1 to user profile in users file.

 Did you read the doc? Or the reply I sent earlier?

 It requires MORE than just that.


configuration freeradius for no simultaneous use

2011-12-01 Thread tolik_shavlov...@mail.ru
Hi, 

i need your help in configuration freeradius for no simultaneous use. 
So, i need one active user per login/password. 

I configured user as follow: 

te...@wimax.com Cleartext-Password := test 
Framed-Filter-Id = SP=data:MSF=data;, 
   Simultaneous-Use = 1, 

but my WIMAX CPEs (also WiFi users) continue connecting with the same
login/password. 

what can be the issue? 

thanks 
Anatolii



Re: configuration freeradius for no simultaneous use

2011-12-01 Thread Fajar A. Nugraha
On Fri, Dec 2, 2011 at 2:31 PM, tolik_shavlov...@mail.ru
tolik_shavlov...@mail.ru wrote:
 Hi,

 i need your help in configuration freeradius for no simultaneous use.

simultaneous use limit is somewhat ... awkward.

 So, i need one active user per login/password.

 I configured user as follow:

 te...@wimax.com Cleartext-Password := test
        Framed-Filter-Id = SP=data:MSF=data;,
       Simultaneous-Use = 1,

 but my WIMAX CPEs (also WiFi users) continue connecting with the same
 login/password.

 what can be the issue?

For starters:
- do you have accounting active? some setups (e.g. some types of
wireless AP with radius/802.1x auth) can't send accounting.
simultaneous use check can't work in that setup
- do you have some kind of simultaneous check active, either with
sql/radutmp/whatever? See raddb/sites-available/default, look for
session section.

-- 
Fajar



Re: configuration freeradius for no simultaneous use

2011-12-01 Thread Alan DeKok
tolik_shavlov...@mail.ru wrote:
 i need your help in configuration freeradius for no simultaneous use. 

  doc/Simultaneous-Use  See also the Wiki.

  Have you read that documentation and followed the instructions there?

  Alan DeKok.


Re: Simultaneous-Use Checking with FreeRadius + MYSQL

2011-11-09 Thread Alan DeKok
Erik wrote:
 wouldn't you at least see checkrad initiate in the freeradius -X debug
 if I set the NAS type to cisco?  I was just trying to get it to
 initiate, not expecting it to work.  In the debug, it doesn't even
 come up.  I've read in prior posts where you said that checkrad should
 initiate regardless if the radutmp or mysql modules were used.

  Are you looking for additional problems, or are you trying to solve
the original issue?

  Fix one thing at a time.  There's a good reason checkrad isn't run.
The reason is documented.

  Reflash the NAS so that it has a firmware which supports this feature.
 which feature(s)?  RADIUS accounting, SNMP, finger, or rusers?  Your
 guidance here would really help so I can make sure I acquire
 appropriate NAS' in the future.

  Buy a NAS which costs more than $50.  You get what you pay for.

  The NAS should support SNMP.

 Generally, is there any way to get simultaneous-use to work if a given
 NAS doesn't send accounting packets to the radius server?  3rd party
 software?

  I already gave you my opinion.  Do you think asking again will change
it?  Do you think I was lying to you the first time?

  Alan DeKok.


Simultaneous-Use For Group Using Unlang

2011-11-09 Thread det.explo...@yahoo.com
Hi,

I was able to implement simultaneous-use checking for a group using 
exec-program-wait attribute. So a user logging in which belongs to the group 
will be checked against that attribute. It is working but I worry that with too 
many connections coming from this group of users, it will exhaust the MySQL 
connection. Because the program used in exec-program-wait opens new connection 
to MySQL every time. And even when the program closes the MySQL connection, the
port for the connection will not be freed up immediately. It takes some time
before the port is released. It stays in the close_wait status for some time.

I'd like to implement this using unlang but not sure where to start. The part 
that I am having difficulty is on where to create the procedure and how to call 
the procedure. The rest of the things like the DB query I can reuse from the 
existing program. I want to implement this using unlang to avoid having to open 
a new MySQL connection.

Any example, I can follow?

Thanks a lot!
Det


Re: Simultaneous-Use For Group Using Unlang

2011-11-09 Thread Alan DeKok
det.explo...@yahoo.com wrote:
 I'd like to implement this using unlang but not sure where to start. The part 
 that I am having difficulty is on where to create the procedure and how to 
 call the procedure. The rest of the things like the DB query I can reuse from 
 the existing program. I want to implement this using unlang to avoid having 
 to open a new MySQL connection.
 
 Any example, I can follow?

  The SQL module supports string expansion.  The input strings are just
SQL statements.  The output is just a one-line string containing the
result of the SQL query.

  This means you can call SQL procedures directly from unlang:

if ("%{sql: call procedure with args}" > 2) {
... more than 2 people logged in ..
}

  Very simple!

  Alan DeKok.


Re: Simultaneous-Use Checking with FreeRadius + MYSQL

2011-11-09 Thread Erik

  Are you looking for additional problems, or are you trying to solve
 the original issue?

I'm trying to understand exactly what's happening & was wondering why
checkrad wasn't being called.  If I get a NAS which does SNMP, for
example, I wanted to know that checkrad would work in a predictable
fashion.

  Fix one thing at a time.  There's a good reason checkrad isn't run.
 The reason is documented.
Could you maybe point me to the document? I've read through a lot of
them including http://freeradius.org/radiusd/doc/Simultaneous-Use.
Remember, I've set the NAS to cisco but checkrad still isn't being triggered.

I'll quote some of your previous posts:
 ADK:  If you've configured Simultaneous-Use, then there should be
*something* about checkrad in the output. 

I don't see anything relating to checkrad in the debug output.

ADK:  Checkrad is called because the server may not have received
accounting data.

My accounting table is empty, hence nothing is received, yet checkrad
is not being called (at least there's nothing in the debug).


  Buy a NAS which costs more than $50.  You get what you pay for.

  The NAS should support SNMP.

So I take it you're saying get a NAS with RADIUS accounting, if
possible - if not, get one which is SNMP enabled.

  I already gave you my opinion.  Do you think asking again will change
 it?  Do you think I was lying to you the first time?

You gave me your opinion, and I was wondering if someone else may have
a different one (like the guy using exec-program-wait) - I suppose I
should have made it clear I wasn't asking you the same question again.

thanks,

Erik



Re: Simultaneous-Use Checking with FreeRadius + MYSQL

2011-11-09 Thread Alan DeKok
Erik wrote:
 I'm trying to understand exactly what's happening & was wondering why
 checkrad wasn't being called.  If I get a NAS which does SNMP, for
 example, I wanted to know that checkrad would work in a predictable
 fashion.

  It does.  It works.  See man checkrad.

 I'll quote some of your previous posts:
  ADK:  If you've configured Simultaneous-Use, then there should be
 *something* about checkrad in the output. 
 
 I don't see anything relating to checkrad in the debug output.

  For the reasons outlined in man checkrad.

 ADK:  Checkrad is called because the server may not have received
 accounting data.

  Since you haven't given the *context* for that comment, I have no idea
what it means.

 My accounting table is empty, hence nothing is received, yet checkrad
 is not being called (at least there's nothing in the debug).

  Checkrad is called to double-check duplicate logins.

 So I take it you're saying get a NAS with RADIUS accounting, if
 possible - if not, get one which is SNMP enabled.

  That's what I thought I said.

 You gave me your opinion, and I was wondering if someone else may have
 a different one (like the guy using exec-program-wait) - I suppose I
 should have made it clear I wasn't asking you the same question again.

  The guy using exec-program-wait for Simultaneous-Use was doing
something different.  That was clear from his post.

  Alan DeKok.


Re: Simultaneous-Use Checking with FreeRadius + MYSQL

2011-11-09 Thread Erik
  It does.  It works.  See man checkrad.
  Checkrad is called to double-check duplicate logins.

Thank you, I understand now.


  The guy using exec-program-wait for Simultaneous-Use was doing
 something different.  That was clear from his post.

Not to me - this is a new world for me & I'm doing my best to
understand.  In any case, you've helped me understand further, so
thanks for taking the time to respond.

Erik



Re: Simultaneous-Use For Group Using Unlang

2011-11-09 Thread Det Det
Hi,

Where do I put this piece of code? Can I do this invocation in the authorize 
block? Or is it something I put in the radiusd.conf? And where do I put the 
custom procedure itself? Is it in /etc/freeradius/modules?

Sorry about this. I'm confused about the placement. First time to add a custom 
procedure. Possible to extend this example to show which codes go to which file?

Thanks a lot!
Det




From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, November 9, 2011 9:57 PM
Subject: Re: Simultaneous-Use For Group Using Unlang

det.explo...@yahoo.com wrote:
 I'd like to implement this using unlang but not sure where to start. The part 
 that I am having difficulty is on where to create the procedure and how to 
 call the procedure. The rest of the things like the DB query I can reuse from 
 the existing program. I want to implement this using unlang to avoid having 
 to open a new MySQL connection.
 
 Any example, I can follow?

  The SQL module supports string expansion.  The input strings are just
SQL statements.  The output is just a one-line string containing the
result of the SQL query.

  This means you can call SQL procedures directly from unlang:

    if ("%{sql: call procedure with args}" > 2) {
        ... more than 2 people logged in ..
    }

  Very simple!

  Alan DeKok.


Re: Simultaneous-Use For Group Using Unlang

2011-11-09 Thread Fajar A. Nugraha
On Thu, Nov 10, 2011 at 9:27 AM, Det Det det.explo...@yahoo.com wrote:
 Hi,
 Where do I put this piece of code? Can I do this invocation in the authorize
 block? Or is it something I put in the radiusd.conf?

man unlang


Requests are processed through virtual servers (including the default
one), in the sections titled authorize, authenticate, post-auth, preacct,
accounting, pre-proxy, post-proxy, and session.


 And where do I put the
 custom procedure itself? Is it in /etc/freeradius/modules?

Alan is using an example where you have an sql procedure. If you don't
know what an sql procedure is, then you need to learn what that is
(which can be a steep learning curve).

The main point is if your exec-program-wait simply does ONE sql query,
then you can easily replace it using sql expansion. Use it to replace
your exec-program-wait (usually in authorize).

If your program currently uses some complex sql queries, then you need
to find some way to group them together so they can be invoked as one
query. One way to do that is using stored procedure. A documentation
for MySQL is here:
http://dev.mysql.com/doc/refman/5.5/en/stored-programs-views.html .
Since this is not freeradius-specific issue, if you need more info
about stored procedure you should ask in their respective list/forum.

-- 
Fajar
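
One query of the kind that could replace an exec-program-wait helper through the sql expansion, as an added example rather than code from this thread: it counts open sessions for every member of a group, so the group as a whole is held to its Simultaneous-Use value. It runs against an in-memory SQLite database with constructed rows; the trimmed radacct, radusergroup and radgroupcheck tables and the function names are assumptions of this sketch.

```python
import sqlite3

# Trimmed, constructed versions of the three tables involved.
SETUP = """
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radacct       (acctsessionid TEXT, username TEXT, acctstoptime TEXT);

INSERT INTO radusergroup VALUES
    ('ann', 'branch-office', 0), ('ben', 'branch-office', 0),
    ('cat', 'branch-office', 0), ('dan', 'staff', 0);
INSERT INTO radgroupcheck VALUES
    ('branch-office', 'Simultaneous-Use', ':=', '2'),
    ('staff',         'Simultaneous-Use', ':=', '1');
INSERT INTO radacct VALUES
    ('s1', 'ann', NULL),                    -- open
    ('s2', 'ben', NULL),                    -- open
    ('s3', 'ben', '2011-11-09 10:00:00'),   -- closed
    ('s4', 'dan', '2011-11-09 11:00:00');   -- closed
"""

# Single statement returning one row with one column, which is the shape a
# string expansion of an SQL query hands back to the policy.
GROUP_OPEN_SESSIONS = """
SELECT COUNT(*) FROM radacct
WHERE acctstoptime IS NULL
  AND username IN (SELECT username FROM radusergroup WHERE groupname = ?)
"""

# Groups of the user that carry a Simultaneous-Use limit.
GROUP_LIMITS = """
SELECT g.groupname, CAST(c.value AS INTEGER)
FROM radusergroup g
JOIN radgroupcheck c ON c.groupname = g.groupname
WHERE g.username = ? AND c.attribute = 'Simultaneous-Use'
ORDER BY g.priority, g.groupname
"""


def group_open_sessions(db, groupname):
    """Open sessions held by all members of one group."""
    return db.execute(GROUP_OPEN_SESSIONS, (groupname,)).fetchone()[0]


def group_login_allowed(db, username):
    """Return (allowed, [(group, open_sessions, limit), ...]) for a new login.

    The login is refused when any group the user belongs to already holds
    as many open sessions as its Simultaneous-Use value. Bound parameters
    keep the user-supplied name out of the SQL text.
    """
    details = []
    for groupname, limit in db.execute(GROUP_LIMITS, (username,)).fetchall():
        details.append((groupname, group_open_sessions(db, groupname), limit))
    allowed = all(open_now < limit for _, open_now, limit in details)
    return allowed, details


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SETUP)
    return db


if __name__ == "__main__":
    db = make_db()
    for user in ("ann", "cat", "dan", "eve"):
        print(user, group_login_allowed(db, user))
```

Like the per-user check, the count is only as accurate as the accounting data behind it: a lost stop record keeps a group slot occupied until the row is closed.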


Simultaneous-Use Checking with FreeRadius + MYSQL

2011-11-08 Thread Erik
-
FreeRadius Version: 2.1.10
-

Hello All,
I've been going in circles for days on how to come up with a
workaround to get simultaneous-use checking working on my FreeRadius +
PEAP MSCHAPv2 deployment.  I have read through seemingly all of the
posts...  I suspect certain areas which might be causing the problem:
1) my NAS does not seem to be sending accounting information.  The
radacct table is empty & this is also visible in the debugs.  There is
no area to set up RADIUS accounting on the NAS (it's a cheap netgear)
and it doesn't appear to send accounting packets by default.
2) checkrad.pl is not being called automatically when no accounting
data is being returned by simul_count_query.  I have the NAS type
set to cisco to trigger checkrad.pl for troubleshooting purposes,
but it doesn't seem to do any good.

First of all - is it possible to do simultaneous-use checking if the
NAS doesn't send radius accounting packets?  Can the radius server
somehow autonomously keep track of this without packets from the NAS?

If not, is there another application which will fulfill this function?
 Do I need to move to radutmp?

Any input and guidance would be greatly appreciated.  Details are below.

thanks in advance!

Erik


==
RELEVANT CONFIGURATIONS (some output omitted):

--
/etc/freeradius/radiusd.conf

modules {
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
}

--
/etc/freeradius/sql/mysql/dialup.conf

   simul_count_query = SELECT COUNT(*) \
#FROM ${acct_table1} \
#WHERE username = '%{SQL-User-Name}' \
#AND acctstoptime IS NULL

#   simul_verify_query  = SELECT radacctid, acctsessionid, username, \
  nasipaddress, nasportid, framedipaddress, \
  callingstationid, framedprotocol \
  FROM ${acct_table1} \
  WHERE username = '%{SQL-User-Name}' \
  AND acctstoptime IS NULL
--
/etc/freeradius/sites-available/default


authorize {
   #sql is the first option in the authorize list.
   sql
}

accounting {
   #  For Simultaneous-Use tracking.
   #
   #  Due to packet losses in the network, the data here
   #  may be incorrect.  There is little we can do about it.
#   radutmp
#   sradutmp
}

session {
#   radutmp

   #
   #  See Simultaneous Use Checking Queries in sql.conf
   sql
}

post-auth {
sql
}

--
/etc/freeradius/sites-available/inner-tunnel

authorize {
   #sql is the first option in the authorize list.
   sql
}

# *** THERE IS NO ACCOUNTING SECTION***

session {
#   radutmp

   #
   #  See Simultaneous Use Checking Queries in sql.conf
   sql
}

post-auth {
sql
}

==
MYSQL INFO:

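mysql> SELECT * FROM radgroupcheck;
+----+---------------------------+------------------+----+--------+
| id | groupname                 | attribute        | op | value  |
+----+---------------------------+------------------+----+--------+
|  1 | daloRADIUS-Disabled-Users | Auth-Type        | := | Reject |
|  3 | sandruid-ap-wifi          | Simultaneous-Use | := | 1      |
+----+---------------------------+------------------+----+--------+

mysql> SELECT * FROM radusergroup;
+----------+------------------+----------+
| username | groupname        | priority |
+----------+------------------+----------+
| lynnae   | sandruid-ap-wifi |        0 |
+----------+------------------+----------+
1 row in set (0.00 sec)

mysql> SELECT * FROM nas;
+----+---------------+------------------+-------+-------+--------+--------+-----------+-------------+
| id | nasname       | shortname        | type  | ports | secret | server | community | description |
+----+---------------+------------------+-------+-------+--------+--------+-----------+-------------+
|  5 | 192.168.2.254 | sandruid-ap-wifi | cisco |     0 |        | NULL   |           |             |
+----+---------------+------------------+-------+-------+--------+--------+-----------+-------------+
5 rows in set (0.00 sec)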


==
freeradius -X DEBUG:






Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.254 port 2060,
id=118, length=149
User-Name = lynnae
NAS-IP-Address = 192.168.2.254
NAS-Port = 0
Called-Station-Id = 30-46-9A-0E-B4-DF:druid
Calling-Station-Id = 7C-61-93-9E-3A-D9
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps

Re: Simultaneous-Use Checking with FreeRadius + MYSQL

2011-11-08 Thread Alan DeKok
Erik wrote:
 I've been going in circles for days on how to come up with a
 workaround to get simultaneous-use checking working on my FreeRadius +
 PEAP MSCHAPv2 deployment.  I have read through seemingly all of the
 posts...  I suspect certain areas which might be causing the problem:
 1) my NAS does not seem to be sending accounting information.  The
 radacct table is empty & this is also visible in the debugs.  There is
 no area to set up RADIUS accounting on the NAS (it's a cheap netgear)
 and it doesn't appear to send accounting packets by default.

  The Simultaneous-Use checks won't work.

 2) checkrad.pl is not being called automatically when no accounting
 data is being returned by simul_count_query.  I have the NAS type
 set to cisco to trigger checkrad.pl for troubleshooting purposes,
 but it doesn't seem to do any good.

  Because the cheap NAS (a) isn't a Cisco box, and (b) doesn't support
the protocols needed by checkrad.

 First of all - is it possible to do simultaneous-use checking if the
 NAS doesn't send radius accounting packets?  Can the radius server
 somehow autonomously keep track of this without packets from the NAS?

  No.  It's impossible.

 If not, is there another application which will fulfill this function?

  Reflash the NAS so that it has a firmware which supports this feature.

  Do I need to move to radutmp?

  No.

 ==
 RELEVANT CONFIGURATIONS (some output omitted):

  Nothing in the documentation says to post the configuration.  We don't
need it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Simultaneous-Use Checking with FreeRadius + MYSQL

2011-11-08 Thread Erik
Alan,
thanks for the response...

  Because the cheap NAS (a) isn't a Cisco box, and (b) doesn't support
 the protocols needed by checkrad.

wouldn't you at least see checkrad initiate in the freeradius -X debug
if I set the NAS type to cisco?  I was just trying to get it to
initiate, not expecting it to work.  In the debug, it doesn't even
come up.  I've read in prior posts where you said that checkrad should
initiate regardless if the radutmp or mysql modules were used.

  Reflash the NAS so that it has a firmware which supports this feature.
which feature(s)?  RADIUS accounting, SNMP, finger, or rusers?  Your
guidance here would really help so I can make sure I acquire
appropriate NAS' in the future.
Generally, is there any way to get simultaneous-use to work if a given
NAS doesn't send accounting packets to the radius server?  3rd party
software?

thanks, I appreciate your help.

Erik



Re: Simultaneous-Use Checking with FreeRadius + MYSQL

2011-11-08 Thread Fajar A. Nugraha
On Wed, Nov 9, 2011 at 5:11 AM, Erik heideb...@gmail.com wrote:
 I've read in prior posts where you said that checkrad should
 initiate regardless if the radutmp or mysql modules were used.

I really don't recommend using radutmp. And if you use sql, there's no
need to use checkrad. Simultaneous check is done using simple queries.


  Reflash the NAS so that it has a firmware which supports this feature.
 which feature(s)?  RADIUS accounting, SNMP, finger, or rusers?  Your

If you use sql, you only need the NAS to send accounting.

In my setup (pretty large deployment), we only check sql records to
see whether a user is online or not. We don't check the NAS whether
the user is ACTUALLY online, since checking the NAS directly can be
slow.

If you REALLY want to verify with the NAS, then the NAS should provide
some kind of mechanism. Checkrad supports multiple vendors and
multiple mechanism (read the file checkrad, it's documented). You
could even modify it and write your own mechanism.

 guidance here would really help so I can make sure I acquire
 appropriate NAS' in the future.
 Generally, is there any way to get simultaneous-use to work if a given
 NAS doesn't send accounting packets to the radius server?  3rd party
 software?

I'd say don't bother.

It MIGHT be possible if you write your own checkrad-like program and
check ONLY the username, and the NAS can answer whether the username
is online or not.

-- 
Fajar



RES: Trying to solve a Simultaneous-Use problem

2011-10-11 Thread Nataniel Klug
Marinko,

I didn't know how to ask for stalled sessions and I searched for
Sim-Use and found nothing useful... So, if you do not want to help, do not
answer...

--


 -----Original Message-----
 From: freeradius-users-bounces+listas.nata=cnett.com...@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+listas.nata=cnett.com...@lists.freeradius.org] On behalf of
 Marinko Tarlac
 Sent: Monday, October 10, 2011 17:59
 To: FreeRadius users mailing list
 Subject: Re: Trying to solve a Simultaneous-Use problem
 
 We discuss at least once per week about stalled sessions... Search before
 you ask...
 
 
 
 On 10/10/2011 10:49 PM, Arran Cudbard-Bell wrote:
 
  So, my question is: how can I use Simultaneous-Use in
  this scenario? Should I make a script that test if the NAS is online
  every 10 seconds and if not list all clients connect and stop that
  connections? Should this work? Is there anyone with the same scenario
  that can share the solution for the problem?
 
  --, Yes, Yes, --
 
  You can use radclient to send fake accounting stop packets to clear up
  the stale sessions.
 
  Arran Cudbard-Bell
  a.cudba...@freeradius.org
 
  Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
 
 


Re: RES: Trying to solve a Simultaneous-Use problem

2011-10-11 Thread Arran Cudbard-Bell

On 11 Oct 2011, at 13:34, Nataniel Klug wrote:

 Arran,
  
 Thanks for your answer. So to test the NAS what should I use? 
 A ping packet in a shell script?

Yes. Or an SNMP request.

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Re: about Simultaneous-Use and Multiple NAS

2011-10-10 Thread Alexandre Chapellon
Set simultaneous login limit to 1 for the account and add the NAS IP 
address in the where clause of the simul_count_query.
Note that doing so requires use of an rlm_sql module in the session 
section of freeradius config.


Regards.

On 10/10/2011 04:48, Dagia Dorjsuren wrote:

Hello,

Anyone advise me for my below problem pls.

How to configure simultaneous login count for each NAS?

for example : there is one account and 2 NAS like NAS1 and NAS2. 
That account's total simultaneous login count is 2.
So, there is that account's first simultaneous login must be from 
NAS1 and second simultaneous login must be from NAS2.



Thanks,






--
http://www.horoa.net

Alexandre Chapellon

Open source systems and network engineering.
Follow me on twitter: @alxgomz http://www.twitter.com/alxgomz



Re: Trying to solve a Simultaneous-Use problem

2011-10-10 Thread Arran Cudbard-Bell

 So, my question is: how can I use Simultaneous-Use in this 
 scenario? Should I make a script that test if the NAS is online every 10 
 seconds and if not list all clients connect and stop that connections? Should 
 this work? Is there anyone with the same scenario that can share the solution 
 for the problem?

--, Yes, Yes, --

You can use radclient to send fake accounting stop packets to clear up the 
stale sessions.

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
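
The procedure suggested in this thread (confirm the NAS is really down, then send Accounting Stop packets with radclient for its open sessions), sketched as an added example that is not part of any post above. The probe command, the function names and the sample rows are assumptions constructed for illustration; the column names follow the radacct table discussed in this archive.

```python
import subprocess

def ping_probe(ip):
    """Assumed probe: one ICMP echo with Linux iputils ping, 2 s timeout."""
    done = subprocess.run(["ping", "-c", "1", "-W", "2", ip],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode == 0

def nas_is_down(ip, probe=ping_probe, attempts=3):
    """Treat the NAS as dead only if every probe fails: one lost ping must not
    close live sessions and let a second login through."""
    return not any(probe(ip) for _ in range(attempts))

def quote(value):
    """Double-quote a string value for a radclient attribute list."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def stop_packets(open_sessions, nas_ip):
    """Build one Accounting Stop attribute list per open radacct row of nas_ip."""
    packets = []
    for row in open_sessions:
        if row["nasipaddress"] != nas_ip or row["acctstoptime"] is not None:
            continue  # other NAS, or session already closed
        packets.append("\n".join([
            "Acct-Status-Type = Stop",
            "User-Name = " + quote(row["username"]),
            "Acct-Session-Id = " + quote(row["acctsessionid"]),
            "NAS-IP-Address = " + row["nasipaddress"],
            # Last value the NAS reported, so time after the outage is not billed.
            "Acct-Session-Time = %d" % row["acctsessiontime"],
            "Acct-Terminate-Cause = NAS-Reboot",
        ]))
    return packets

def cleanup_input(open_sessions, nas_ip, probe=ping_probe):
    """Return text for `radclient -f`, or "" if the NAS answers or has no
    open sessions. radclient separates packets by blank lines."""
    if not nas_is_down(nas_ip, probe):
        return ""
    packets = stop_packets(open_sessions, nas_ip)
    return "\n\n".join(packets) + "\n" if packets else ""

# Constructed radacct rows; open sessions have acctstoptime None.
SAMPLE = [
    {"username": "alice", "acctsessionid": "0001A", "nasipaddress": "192.0.2.1",
     "acctsessiontime": 3600, "acctstoptime": None},
    {"username": 'bob "lab"', "acctsessionid": "0001B", "nasipaddress": "192.0.2.1",
     "acctsessiontime": 120, "acctstoptime": None},
    {"username": "carol", "acctsessionid": "0002A", "nasipaddress": "192.0.2.2",
     "acctsessiontime": 50, "acctstoptime": None},
    {"username": "alice", "acctsessionid": "00009", "nasipaddress": "192.0.2.1",
     "acctsessiontime": 900, "acctstoptime": "2011-10-09 08:00:00"},
]

if __name__ == "__main__":
    # NAS01 (192.0.2.1) is simulated as unreachable. Save the output and run:
    #   radclient -f stops.txt <radius-server>:1813 acct <shared-secret>
    print(cleanup_input(SAMPLE, "192.0.2.1", probe=lambda ip: False), end="")
```

The host running radclient has to be defined as a client on the RADIUS server. The example assumes the server's accounting stop query matches rows on Acct-Session-Id, User-Name and NAS-IP-Address, which is why those three attributes are copied from the row.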



Re: Trying to solve a Simultaneous-Use problem

2011-10-10 Thread Marinko Tarlac
We discuss at least once per week about stalled sessions... Search 
before you ask...




On 10/10/2011 10:49 PM, Arran Cudbard-Bell wrote:


So, my question is: how can I use Simultaneous-Use in 
this scenario? Should I make a script that test if the NAS is online 
every 10 seconds and if not list all clients connect and stop that 
connections? Should this work? Is there anyone with the same scenario 
that can share the solution for the problem?


--, Yes, Yes, --

You can use radclient to send fake accounting stop packets to clear up 
the stale sessions.


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: Trying to solve a Simultaneous-Use problem

2011-10-10 Thread adx grave
On Tue, Oct 11, 2011 at 3:44 AM, Nataniel Klug listas.n...@cnett.com.br wrote:

 Hello all,

 I am trying to solve a problem about Simultaneous-Use, not
 in the code because it’s working, but inside my network layout. I have two
 different NAS that can authenticate the same client for PPPoE, something like
 this:

 [ internet ] ---+ NAS01 +--- [ client ]
                 | NAS02 |

 So the client can be connected to any of those 2 NAS for
 different reasons and when I have a problem, like a power surge, in one of
 the NAS I got the connection stopped because the NAS that turned down is not
 sending any accounting packets to the radius. It’s ok when I use only one
 NAS but I am using 2 for backup in cases like a power surge or a hard
 shutdown of the machine. If the simultaneous-use work so the client cannot
 connect to NAS02 (assuming that NAS01 has been turned down) until NAS01 is
 powered on and send account-stop to the radius.

 So, my question is: how can I use Simultaneous-Use in this
 scenario? Should I make a script that test if the NAS is online every 10
 seconds and if not list all clients connect and stop that connections?
 Should this work? Is there anyone with the same scenario that can share the
 solution for the problem?

 --


You mean use simultaneous-use = 1? You can use unlang. Assume NAS01 is now
dead. There's a stalled session in db. When the user tries to log in using NAS02,
check for his username and fill the session to eliminate it.


about Simultaneous-Use and Multiple NAS

2011-10-09 Thread Dagia Dorjsuren
Hello,

    Anyone advise me for my below problem pls.

    How to configure simultaneous login count for each NAS?


    for example : there is one account and 2 NAS like NAS1 and NAS2. That 
account's total simultaneous login count is 2.
    So, there is that account's first simultaneous login must be from NAS1 and 
second simultaneous login must be from NAS2.


Thanks,


Re: Using DB instead of radutmp for simultaneous-use tracking

2011-10-04 Thread Det Det
Hi,

Thanks a lot! Got it working! I'd like to extend the simul-check to group simul 
value. That is a group has simul limit, then if limit is reached a user 
belonging to that group should be denied login. Any idea how to implement this?



Thanks!
Det




From: Fajar A. Nugraha l...@fajar.net
To: Det Det det.explo...@yahoo.com; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Sent: Friday, September 30, 2011 3:11 PM
Subject: Re: Using DB instead of radutmp for simultaneous-use tracking

On Fri, Sep 30, 2011 at 1:50 PM, Det Det det.explo...@yahoo.com wrote:
 Hi there,
 In the accounting section, radutmp is used for tracking simultaneous-use. Is
 there a way to use DB::radacct table instead to check for simultaneous-use?

Sure. Comment-out radutmp and uncomment sql from session and
accounting section.

See also sql/*/dialup.conf, look for simul_count_query. I usually
enable simul_count_query and comment-out simul_verify_query.

-- 
Fajar


Re: Using DB instead of radutmp for simultaneous-use tracking

2011-10-04 Thread Fajar A. Nugraha
On Tue, Oct 4, 2011 at 4:47 PM, Det Det det.explo...@yahoo.com wrote:
 Hi,
 Thanks a lot! Got it working! I'd like to extend the simul-check to group
 simul value. That is a group has simul limit, then if limit is reached a
 user belonging to that group should be denied login. Any idea how to
 implement this?

That's tricky.

The easiest thing I can think of is to add a check using unlang in
authorize (use %{sql: expansion to get the data), and if it exceeds
the limit set Auth-Type := Reject

-- 
Fajar


Using DB instead of radutmp for simultaneous-use tracking

2011-09-30 Thread Det Det
Hi there,

In the accounting section, radutmp is used for tracking simultaneous-use. Is 
there a way to use DB::radacct table instead to check for simultaneous-use?


thanks,
det


Re: Using DB instead of radutmp for simultaneous-use tracking

2011-09-30 Thread Fajar A. Nugraha
On Fri, Sep 30, 2011 at 1:50 PM, Det Det det.explo...@yahoo.com wrote:
 Hi there,
 In the accounting section, radutmp is used for tracking simultaneous-use. Is
 there a way to use DB::radacct table instead to check for simultaneous-use?

Sure. Comment-out radutmp and uncomment sql from session and
accounting section.

See also sql/*/dialup.conf, look for simul_count_query. I usually
enable simul_count_query and comment-out simul_verify_query.

-- 
Fajar


Simultaneous Use Per Domain

2011-09-06 Thread Det Det
Hi,

Just want to get inputs on how simultaneous-use can be checked per domain not 
per user. That is limit mydomain.com to have simultaneous-use=x. radgroupcheck 
will have something like

mydomain.com -- simultaneous-use -- x



thanks!
det

simultaneous-use with checkrad

2011-06-24 Thread tyll...@gmail.com
Hi

I know it's not the best way to do it but I would really like to use
simultaneous-use attribute without using the checkrad script.

meaning the radius server does the check in radacct table and if the check
is true, deny authentication. is this possible?

I am using sql and in the radgroupcheck table i have 

simultaneous-use := 1

and in sites-enabled/defaults under session I have sql selected 

and the query is present in sql/mysql/dialup.conf

is it possible for the freeRADIUS server to do this?

Thanks in advance



Re: Simultaneous-Use and UserName sent from NAS

2011-06-10 Thread Ziggy Bopster
Hi Alan,

  Read doc/Simultaneous-Use.  It's a how-to, and most questions are
 answered there.

Thank you.. I will re-read the Simultaneous-Use Doc again..  I may
have to start from a simple configuration, before trying to integrate
that with e-Directory.

  Ugh.  Upgrade to 2.1.10.
I'll upgrade to 2.1.10 prior to trying again.

  Those look like MAC addresses, perhaps.  And that doesn't matter, if
 you're trying to do Simultaneous-Use for use ziggy.

Those are not MAC addresses.. They are randomly generated numbers?
Why?  don't know.. But it doesn't matter I guess.  Just makes it hard
for me to understand the debug log, since I'm new at it.


  Do you get Accounting-Request packets for user ziggy?  If not, then
 Simultaneous-Use will be hard to do.

I looked at the debug log again using the
http://networkradius.com/freeradius.html debugging output URL (wish I
found it sooner).  I see Access-Request packets with Ziggy from
Packets 3-12 for the authentication portion.  The next time I see
anything with Username = Ziggy is the Accounting-Request packet when
I disconnect from the SSID as indicated in the Acct-Status-Type =
Stop.  In this packet, the calling-station-ID becomes 0.0.0.0.
though.. Is that how it is supposed to look?  Since it should be
00-22-fa-a1-ba-e8 ?

rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768,
id=111, length=188
User-Name = ziggy
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = CW32CE0A
Airespace-Wlan-Id = 3
Acct-Session-Id = 4defbab6/00:22:fa:a1:ba:e8/12404
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 342
Acct-Status-Type = Stop
Acct-Input-Octets = 68833
Acct-Output-Octets = 9551
Acct-Input-Packets = 559
Acct-Output-Packets = 47
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 117
Acct-Delay-Time = 0
Calling-Station-Id = 0.0.0.0
Called-Station-Id = 10.32.156.5


On Thu, Jun 9, 2011 at 8:19 PM, Alan DeKok al...@deployingradius.com wrote:
 Ziggy Bopster wrote:
 I want to enable Simultaneous-Use for our users.  I have been stuck
 for many many days trying to figure this out, any help is greatly
 appreciated.  This is my first time posting, so sorry if my netiquette
 is not correct

  Read doc/Simultaneous-Use.  It's a how-to, and most questions are
 answered there.

 I.  Configuration of System:
 FreeRADIUS Version 2.1.1, built on May  9 2010 at 12:09:29

  Ugh.  Upgrade to 2.1.10.

 III.  Problem:
 In looking at the debug logs, randomly generated UserName
 Accounting-Request packets are being sent from the NAS to the
 FreeRADIUS, before and after the successful authentication of the
 UserName (ziggy) using the EAP-PEAP-MSCHAPV2 protocol (during which
 time the correct UserName is sent by NAS).

  Those look like MAC addresses, perhaps.  And that doesn't matter, if
 you're trying to do Simultaneous-Use for use ziggy.

  Do you get Accounting-Request packets for user ziggy?  If not, then
 Simultaneous-Use will be hard to do.

  Alan DeKok.


Re: Simultaneous-Use and UserName sent from NAS

2011-06-10 Thread Ziggy Bopster
Hi Fajar,

Thanks for replying.. Really appreciate it.

 Ask the NAS vendor.
It's CISCO.. I do see one Accounting-Request packet for
Username=Ziggy when I terminate the connection.. But no
Accounting-Request packet for the Start of Username=ziggy logging
in.  I do see Access-Request packets for Ziggy.  I'll have to check on
that with them. ???


 SQL should be faster, and easier to manage
Great.. If I only want to use SQL for Simultaneous-Use checking (and
not User Authentication), is that going to work?  I want to use LDAP
for Authentication..


 Sure.

In fact, once I get EVERYTHING worked out just like I wanted, I
usually remove unnecessary components.
If all your user configuration and acct data is on sql, then you
should be able to remove some configuration lines (e.g. unix, radutmp,
 detail, etc.)

I will disable RADUTMP  other stuff after I get this SQL working.  Thanks.


 If you have some clients  that authenticate using PAP while others
 using PEAP/802.1x, then yes. But if ALL your clients only use
 PEAP/802.1x, then it shouldn't matter much what you put on
 sites-available/default, as long as eap-related options are there.

All our clients will be using PEAP/802.1x.. So does that mean only the
eap.conf file matters?  Do I need to make changes in the
sites-available/default and the inner-tunnel files?

 The image on 
 http://revolutionwifi.blogspot.com/2010/09/peapv0-packet-flow-reference.html
 might give some illustration on the packets involved in EAP/MSCHAPv2
 works

Thanks so much for the link.. It is great.. That explains why I have 8
Packets for the PEAP authentication for Ziggy.. :) The rest of the
DEBUG logs contain Accounting-Request Packets..




On Thu, Jun 9, 2011 at 9:16 PM, Fajar A. Nugraha l...@fajar.net wrote:
 On Fri, Jun 10, 2011 at 2:26 AM, Ziggy Bopster ziggybops...@gmail.com wrote:
 IV.  Questions:
 1) Why is the NAS sending so many randomly generated numeric
 UserName in the Accounting-Request?
 2) How can I get the NAS to send the correct Username (Ziggy) instead
 of the randomly generated numbers in the Accounting-Request packets to
 update in SQL?

 Ask the NAS vendor.

 3) I'm confused, should I use radutmp or sql to get Simultaneous-Use
 to work?

 SQL should be faster, and easier to manage

 If only sql, can I disable radutmp in configuration files?

 Sure.

 In fact, once I get EVERYTHING worked out just like I wanted, I
 usually remove unnecessary components.
 If all your user configuration and acct data is on sql, then you
 should be able to remove some configuration lines (e.g. unix, radutmp,
 detail, etc.)

 4) What do I need to do to get Simultaneous-Use to work properly?

 As Alan pointed out, the included doc is a good start.
 You need to have radacct table populated with correct values (which is
 related to your question #1 and #2).

 5) Should the default  inner-tunnel files that have the same
 parameters match? (i.e. in authorize {sql} in the default file and the
 authorize {sql} in the inner-tunnel file)

 Depends.

 If you have some clients  that authenticate using PAP while others
 using PEAP/802.1x, then yes. But if ALL your clients only use
 PEAP/802.1x, then it shouldn't matter much what you put on
 sites-available/default, as long as eap-related options are there.

 6) Why do I see so many packets for Ziggy trying to authenticate just
 once..   It is not until about Line 1389 in the debug log (see below
 ITEM# 6) that the tunnel actually gets established and the next
 packet on Line 1453 has the Acct-Status-Type = Start?    There is a
 total of about 3174 lines for just one login attempt.

 The image on 
 http://revolutionwifi.blogspot.com/2010/09/peapv0-packet-flow-reference.html
 might give some illustration on the packets involved in EAP/MSCHAPv2
 works

 --
 Fajar



Re: Simultaneous-Use and UserName sent from NAS

2011-06-09 Thread Alan DeKok
Ziggy Bopster wrote:
 I want to enable Simultaneous-Use for our users.  I have been stuck
 for many many days trying to figure this out, any help is greatly
 appreciated.  This is my first time posting, so sorry if my netiquette
 is not correct

 Read doc/Simultaneous-Use.  It's a how-to, and most questions are
answered there.

 I.  Configuration of System:
 FreeRADIUS Version 2.1.1, built on May  9 2010 at 12:09:29

  Ugh.  Upgrade to 2.1.10.

 III.  Problem:
 In looking at the debug logs, randomly generated UserName
 Accounting-Request packets are being sent from the NAS to the
 FreeRADIUS, before and after the successful authentication of the
 UserName (ziggy) using the EAP-PEAP-MSCHAPV2 protocol (during which
 time the correct UserName is sent by NAS).

  Those look like MAC addresses, perhaps.  And that doesn't matter, if
you're trying to do Simultaneous-Use for use ziggy.

  Do you get Accounting-Request packets for user ziggy?  If not, then
Simultaneous-Use will be hard to do.

  Alan DeKok.


Re: Simultaneous-Use and UserName sent from NAS

2011-06-09 Thread Fajar A. Nugraha
On Fri, Jun 10, 2011 at 2:26 AM, Ziggy Bopster ziggybops...@gmail.com wrote:
 IV.  Questions:
 1) Why is the NAS sending so many randomly generated numeric
 UserName in the Accounting-Request?
 2) How can I get the NAS to send the correct Username (Ziggy) instead
 of the randomly generated numbers in the Accounting-Request packets to
 update in SQL?

Ask the NAS vendor.

 3) I'm confused, should I use radutmp or sql to get Simultaneous-Use
 to work?

SQL should be faster, and easier to manage

 If only sql, can I disable radutmp in configuration files?

Sure.

In fact, once I get EVERYTHING worked out just like I wanted, I
usually remove unnecessary components.
If all your user configuration and acct data is on sql, then you
should be able to remove some configuration lines (e.g. unix, radutmp,
detail, etc.)

 4) What do I need to do to get Simultaneous-Use to work properly?

As Alan pointed out, the included doc is a good start.
You need to have radacct table populated with correct values (which is
related to your question #1 and #2).

 5) Should the default  inner-tunnel files that have the same
 parameters match? (i.e. in authorize {sql} in the default file and the
 authorize {sql} in the inner-tunnel file)

Depends.

If you have some clients  that authenticate using PAP while others
using PEAP/802.1x, then yes. But if ALL your clients only use
PEAP/802.1x, then it shouldn't matter much what you put on
sites-available/default, as long as eap-related options are there.

 6) Why do I see so many packets for Ziggy trying to authenticate just
 once..   It is not until about Line 1389 in the debug log (see below
 ITEM# 6) that the tunnel actually gets established and the next
 packet on Line 1453 has the Acct-Status-Type = Start?    There is a
 total of about 3174 lines for just one login attempt.

The image on 
http://revolutionwifi.blogspot.com/2010/09/peapv0-packet-flow-reference.html
might give some illustration on the packets involved in EAP/MSCHAPv2
works

-- 
Fajar



Help with simultaneous use and radutmp

2011-04-23 Thread Rodrigo Yoshioka
Hi folks.

 I have a FreeRadius server working with Mikrotik as NAS, and I'm often 
receiving message of multiple connection at log, and the user is not able to 
connect. I found some solutions at google but it's to whom uses freeradius with 
sql as session manager. I'm using radutmp file and I couldn't find any solution 
to kill the session locked at the radutmp file. Can anyone help me?

The message I'm receiving is:
Sat Apr 23 18:02:03 2011 : Auth: Multiple logins (max 1) : 
[###@/no User-Password attribute] (from client ###.##.0.0/24 port 
35226 cli ##:##:##:##:##:##)


My Freeradius version is 2.1.


Thanks

Rodrigo Yoshioka

Re: Help with simultaneous use and radutmp

2011-04-23 Thread Fajar A. Nugraha
On Sun, Apr 24, 2011 at 6:06 AM, Rodrigo Yoshioka
ro_yoshioka2...@yahoo.com.br wrote:
 Hi folks.
  I have a FreeRadius server working with Mikrotik as NAS, and I'm often
 receiving message of multiple connection at log, and the user is not able
 to connect. I found some solutions at google but it's to whom uses
 freeradius with sql as session manager. I'm using radutmp file and I
 couldn't find any solution to kill the session locked at the radutmp file.
 Can anyone help me?
 The message I'm receiving is:
 Sat Apr 23 18:02:03 2011 : Auth: Multiple logins (max 1) :
 [###@/no User-Password attribute] (from client ###.##.0.0/24
 port 35226 cli ##:##:##:##:##:##)

 My Freeradius version is 2.1.

Try http://freeradius.org/radiusd/man/radzap.html

IMHO it's better to use sql instead. For example, if whatever NAS you
use can also use interim update, then you can also modify simultaneous
query to:
- only select records whose acct-stop-time is newer than 2 x interim-update time
- only select records whose CallingStationId is different than current
calling station id

Those two conditions can help filter-out stale sessions.

-- 
Fajar
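
Fajar's two filters above, run against a constructed `radacct` table together with the per-NAS `where` clause and the group-wide count suggested in earlier threads of this archive. This is an added example, not code from any of the posts: SQLite stands in for MySQL, times are epoch seconds, "last update" is assumed to be `acctstarttime + acctsessiontime`, and the rows, `INTERIM` and the query names are constructed.

```python
import sqlite3

NOW = 1_000_000   # constructed "current time", epoch seconds
INTERIM = 300     # assumed Acct-Interim-Interval, seconds

SCHEMA = """
CREATE TABLE radacct (
    acctsessionid TEXT, username TEXT, nasipaddress TEXT, callingstationid TEXT,
    acctstarttime INTEGER,    -- epoch seconds here; DATETIME in the MySQL schema
    acctsessiontime INTEGER,  -- refreshed by each interim update
    acctstoptime INTEGER      -- NULL while the session is open
);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
"""

# Constructed rows: session, user, NAS, client MAC, start, session time, stop
ROWS = [
    # NAS 192.0.2.1 lost power an hour ago and never sent a Stop for alice.
    ("s1", "alice", "192.0.2.1", "AA-00-00-00-00-01", NOW - 7200, 3600, None),
    # Live session, last interim update 100 s ago.
    ("s2", "alice", "192.0.2.2", "AA-00-00-00-00-02", NOW - 600, 500, None),
    # Properly closed session.
    ("s3", "alice", "192.0.2.2", "AA-00-00-00-00-03", NOW - 9000, 1000, NOW - 8000),
    ("s4", "bob", "192.0.2.1", "BB-00-00-00-00-01", NOW - 400, 300, None),
]

OPEN = "acctstoptime IS NULL"
# Filter 1: no accounting update for 2 x interim means the row is stale.
FRESH = "acctstarttime + acctsessiontime >= :now - 2 * :interim"

# Unfiltered count: every row without a stop time is an open session.
COUNT_DEFAULT = f"SELECT COUNT(*) FROM radacct WHERE username = :user AND {OPEN}"
# Filter 2 added: a reconnect from the same device does not count against itself.
COUNT_LIVE = (f"SELECT COUNT(*) FROM radacct WHERE username = :user AND {OPEN} "
              f"AND {FRESH} AND callingstationid <> :cli")
# Per-NAS limit: only sessions on the NAS the request arrived from.
COUNT_LIVE_ON_NAS = COUNT_LIVE + " AND nasipaddress = :nas"
# Group-wide limit: live sessions of every member of the group.
COUNT_GROUP = ("SELECT COUNT(*) FROM radacct a JOIN radusergroup g "
               "ON g.username = a.username WHERE g.groupname = :grp "
               f"AND a.{OPEN} AND {FRESH}")

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?,?)", ROWS)
    conn.executemany("INSERT INTO radusergroup VALUES (?,?,0)",
                     [("alice", "staff"), ("bob", "staff")])
    return conn

def count(conn, query, **params):
    """Run one counting query; :now and :interim are always supplied."""
    bound = {"now": NOW, "interim": INTERIM, **params}
    return conn.execute(query, bound).fetchone()[0]

def login_allowed(conn, query, limit, **params):
    """Reject once the number of counted sessions reaches the limit."""
    return count(conn, query, **params) < limit

if __name__ == "__main__":
    db = build_db()
    new = {"user": "alice", "cli": "AA-00-00-00-00-09"}
    print("default count     :", count(db, COUNT_DEFAULT, user="alice"))
    print("stale-aware count :", count(db, COUNT_LIVE, **new))
    print("same device again :", count(db, COUNT_LIVE, user="alice",
                                       cli="AA-00-00-00-00-02"))
    print("via 192.0.2.1 ok? :", login_allowed(db, COUNT_LIVE_ON_NAS, 1,
                                               nas="192.0.2.1", **new))
    print("staff group live  :", count(db, COUNT_GROUP, grp="staff"))
```

The freshness filter trades strictness for availability: a live session whose interim updates are lost for two intervals stops being counted, so the limit is not enforced for it until the next update arrives.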



Re: Help with simultaneous use and radutmp

2011-04-23 Thread Rodrigo Yoshioka
Hi,

I thought that there would be another way to solve that. I tried once to 
change the session manager to sql, but it stopped working, I gave up on this 
though. It's a live environment so I'm not able to do a lot of tests, but I'll 
try again...

I'll try radzap, let's see if it works if I make a script to monitor the 
radius log and apply the changes automatically when some session goes stale. 



Thanks a lot


Rodrigo Yoshioka




From: Fajar A. Nugraha l...@fajar.net
To: Rodrigo Yoshioka ro_yoshioka2...@yahoo.com.br; FreeRadius users mailing 
list freeradius-users@lists.freeradius.org
Sent: Saturday, April 23, 2011 23:54
Subject: Re: Help with simultaneous use and radutmp

On Sun, Apr 24, 2011 at 6:06 AM, Rodrigo Yoshioka
ro_yoshioka2...@yahoo.com.br wrote:
 Hi folks.
  I have a FreeRadius server working with Mikrotik as NAS, and I'm often
 receiving message of multiple connection at log, and the user is not able
 to connect. I found some solutions at google but it's to whom uses
 freeradius with sql as session manager. I'm using radutmp file and I
 couldn't find any solution to kill the session locked at the radutmp file.
 Can anyone help me?
 The message I'm receiving is:
 Sat Apr 23 18:02:03 2011 : Auth: Multiple logins (max 1) :
 [###@/no User-Password attribute] (from client ###.##.0.0/24
 port 35226 cli ##:##:##:##:##:##)

 My Freeradius version is 2.1.

Try http://freeradius.org/radiusd/man/radzap.html

IMHO it's better to use sql instead. For example, if whatever NAS you
use can also use interim update, then you can also modify simultaneous
query to:
- only select records whose acct-stop-time is newer than 2 x interim-update time
- only select records whose CallingStationId is different than current
calling station id

Those two conditions can help filter-out stale sessions.

-- 
Fajar

Re: Help with simultaneous use and radutmp

2011-04-23 Thread Fajar A. Nugraha
On Sun, Apr 24, 2011 at 10:15 AM, Rodrigo Yoshioka
ro_yoshioka2...@yahoo.com.br wrote:
 Hi,
 I thought that there would have another way to solve that. I tried once to
 change the session manager to sql, but it stopped working,

I had a problem with simul_verify_query in an old FR setup
(simultaneous check doesn't work when it's enabled). So now I simply
use a modified version of simul_count_query, while commenting out
simul_verify_query. Perhaps it's the same problem in your setup.

 I gave up on this
 though. It's a live environment so I'm not able to do a lot of tests, but
 I'll try again...

Just set up a new FR + MYSQL instance. It's not that hard, and you can
even do it with Virtualbox on your PC/laptop.
For a NAS you can use an AP with chillispot in it (like dd-wrt
compatible APs). It's easy to set up, and should work correctly with
interim-updates as long as you set it  60s.

When everything works you can apply the changes to production environment.

-- 
Fajar


Simultaneous-Use = 1 not working

2011-02-06 Thread raisedtozero

Hello

I do have a free radius. It uses system authentication (unix users)

Here's my radiusd.conf excerpt
unix {
#
#  Cache /etc/passwd, /etc/shadow, and /etc/group
#
#  The default is to NOT cache them.
#
#  For FreeBSD and NetBSD, you do NOT want to enable
#  the cache, as it's password lookups are done via a
#  database, so set this value to 'no'.
#
#  Some systems (e.g. RedHat Linux with pam_pwbd) can
#  take *seconds* to check a password, when th passwd
#  file containing 1000's of entries.  For those systems,
#  you should set the cache value to 'yes', and set
#  the locations of the 'passwd', 'shadow', and 'group'
#  files, below.
#
# allowed values: {no, yes}
cache = no

# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600

#
#  Define the locations of the normal passwd, shadow, and
#  group files.
#
#  'shadow' is commented out by default, because not all
#  systems have shadow passwords.
#
#  To force the module to use the system password functions,
#  instead of reading the files, leave the following entries
#  commented out.
#
#  This is required for some systems, like FreeBSD,
#  and Mac OSX.
#
passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group


#
#  The location of the wtmp file.
#  This should be moved to it's own module soon.
#
#  The only use for 'radlast'.  If you don't use
#  'radlast', then you can comment out this item.
#
radwtmp = ${logdir}/radwtmp
}



and my users file is this:
DEFAULT Auth-Type = System
	Simultaneous-Use = 1,
	Fall-Through = 1

I've configured my clients file and it has the proper NAS type.

The problem is that multiple users can log in. How do I resolve that?

Please help

Thanks


Re: Simultaneous-Use = 1 not working

2011-02-06 Thread Alan DeKok
raisedtozero wrote:
 Hello
 I've configured my clients file and it has the proper NAS type.
 
 The problem is that multiple users can log in. How do I resolve that?

  Read doc/Simultaneous-Use

  Alan DeKok.


I have referred to the doc again, and found some problems when the Vendor is PPP using simultaneous-use

2010-09-29 Thread Spacelee
It says that for PPP, we should choose other in the type, but other
means don't bother checking, I believe what radutmp says.
Which means that if a user has a stuck entry in the session database she
will not be able to log in again.

And I have met this problem too. When the wifi suddenly shuts down or
disconnects, it leaves the record of the user still online in the
database, and I have to clear it up manually, which is not convenient.

So what should I do with PPTP+PPP+Freeradius+MySQL when I have to set the
simultaneous-use = 1

-- 
*Space Lee*

Simultaneous use

2010-09-02 Thread Tom Cooper

hi all,
I have to implement Simultaneous-Use on my freeradius. Running 
freeradius-2.1.9-2 on CentOS 5.4 64 bit. I have followed all the steps 
listed here:

http://www.how2forge.org/authentication-authorization-and-accounting-with-freeradius-and-mysql-backend-and-webbased-management-with-daloradius

I also uncommented the SQL queries that check for simultaneous use.  
Unfortunately I did not get past first base.


Can anybody give me a few pointers, please?

Thanks,

Tom



Re: Simultaneous use

2010-09-02 Thread Alan DeKok
Tom Cooper wrote:
 hi all,
 I have to implement Simultaneous-Use on my freeradius. Running
 freeradius-2.1.9-2 on CentOS 5.4 64 bit. I have followed all the steps
 listed here:
 http://www.how2forge.org/authentication-authorization-and-accounting-with-freeradius-and-mysql-backend-and-webbased-management-with-daloradius

  Great.

  Have you tried following the documentation that is included with the
server?

 
 I also uncommented the SQL queries that check for simultaneous use. 
 Unfortunately I did not get past first base.
 
 Can anybody give me a few pointers, please?

  Read the FAQ for "it doesn't work".

  This is documented.

  Alan DeKok.


Re: Simultaneous-Use

2010-08-31 Thread Student University
It worked after changing the NAS type to other instead of cisco.


On Mon, Aug 30, 2010 at 11:19 PM, ziko emobux...@yahoo.com wrote:


 Go to /etc/raddb/sql/mysql/dialup.conf file and find Simultaneous Use
 Checking Queries and there uncomment needed lines. then add
 simultaneous-use attribute to user. It worked for me.
 --
 *From:* Student University studen...@gmail.com
 *To:* FreeRadius users mailing list freeradius-users@lists.freeradius.org
 
 *Sent:* Mon, August 30, 2010 11:31:03 PM
 *Subject:* Simultaneous-Use


 Dears,

 Has anyone successfully configured Simultaneous-Use:=1?

 If so, please share this experience.


 Best Regards





Simultaneous-Use

2010-08-30 Thread Student University
Dears,

Has anyone successfully configured Simultaneous-Use:=1?

If so, please share this experience.


Best Regards

Re: Simultaneous-Use

2010-08-30 Thread ziko


Go to /etc/raddb/sql/mysql/dialup.conf file and find Simultaneous Use Checking 
Queries and there uncomment needed lines. then add simultaneous-use attribute 
to user. It worked for me.



From: Student University studen...@gmail.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Mon, August 30, 2010 11:31:03 PM
Subject: Simultaneous-Use



Dears,

Has anyone successfully configured Simultaneous-Use:=1?

If so, please share this experience.


Best Regards



Simultaneous-Use

2010-08-28 Thread Student University
Dears,

I configured Simultaneous-Use:=1 and followed the document step by step,
but I noticed that radutmp is not updated,
and when I check this file using radwho I see entries for previously
logged-in users even though I disconnected all users.

Best Regards,

Problem about simultaneous-use parameter and windows DC.

2010-08-06 Thread 李程




Hello guys.
 
We set up a freeradius server several months ago. We use postgresql database 
for Users and Clients databases, and all works fine. 
 
Then we wanted to use a windows domain controller to do the authentication by 
calling ntlm_auth. After some tests, it works too.
 
But now we have no idea how to enable the simultaneous-use parameter, because 
the tables of the Users database are actually empty; all user information is in the 
windows DC.
 
Is there any way to enable the simultaneous-use parameter?
 
 
Thanks!
 
 
Miles

Re: Problem about simultaneous-use parameter and windows DC.

2010-08-06 Thread Alan DeKok
李程 wrote:
 But now we have no idea how to enable the simultaneous-use parameter,
 because the tables of the Users database are actually empty; all user
 information is in the windows DC.
  
 Is there any way to enable the simultaneous-use parameter?

  doc/Simultaneous-Use

  This is documented.

  Alan DeKok.

RE: Problem about simultaneous-use parameter and windows DC.

2010-08-06 Thread 李程

I've read that. But found nothing useful. 

 

All it mentions about enabling the parameter is to add it to 'Users' or 
rad*check table. And there is nothing about windows DC.

 

: /   
 
 Date: Fri, 6 Aug 2010 08:36:13 +0200
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Problem about simultaneous-use parameter and windows DC.
 
 李程 wrote:
  But now we have no idea how to enable the simultaneous-use parameter,
  because the tables of the Users database are actually empty; all user
  information is in the windows DC.
  
  Is there any way to enable the simultaneous-use parameter?
 
 doc/Simultaneous-Use
 
 This is documented.
 
 Alan DeKok.

Re: Problem about simultaneous-use parameter and windows DC.

2010-08-06 Thread Alan DeKok
李程 wrote:
 I've read that. But found nothing useful.

  Nonsense:

 This solution checks the radutmp file. This file is kept up-to-date
from the Accounting records the NAS sends.

  Did you read that?  Did you understand what it means?

 All it mentions about enabling the parameter is to add it to 'Users' or
 rad*check table. And there is nothing about windows DC.

  Because using a Windows DC is irrelevant.  The Simultaneous-Use
functionality doesn't use a Windows DC.

  Alan DeKok.

RE: Problem about simultaneous-use parameter and windows DC.

2010-08-06 Thread 李程


 

 Date: Fri, 6 Aug 2010 08:53:22 +0200
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Problem about simultaneous-use parameter and windows DC.
 
 李程 wrote:
  I've read that. But found nothing useful.
 
 Nonsense:
 
 This solution checks the radutmp file. This file is kept up-to-date
 from the Accounting records the NAS sends.
 
 Did you read that? Did you understand what it means?

 

No matter what I use, windows DC or other Users database, radutmp or sql - what 
I am using, will keep the Accounting records right?


 
  All it mentions about enabling the parameter is to add it to 'Users' or
  rad*check table. And there is nothing about windows DC.
 
 Because using a Windows DC is irrelevant. The Simultaneous-Use
 functionality doesn't use a Windows DC.

 

Obviously.  

 

Just want to know how to enable Simultaneous-Use if we don't want to add the 
parameter to 'Users' file or any database tables, is there any way?


 
 Alan DeKok.

Fwd: return a special value in reply when simultaneous use

2010-07-23 Thread Ana Gallardo
Hello again,

I continue working on this, but I can't find the solution.



Can I check the result of simul_count_query?

Thank you again




  Ana Gallardo Gómez


Re: return a special value in reply when simultaneous use

2010-07-23 Thread Ana Gallardo
Hello again,

I'm working with Freeradius 2.1.8

 I'm using session (sql) to control simultaneous use.

 I would like to return a special value if a user tries to access with
 credentials in use.


I have it working by adding a new attribute to the request list with the result of
the simul_count_query, and checking this value later in the post_auth section.

session {
	if ("%{Realm}" == "xxx.es") {
		# count this user's open accounting sessions before the sql session check
		update request {
			Num-Open-Session := "%{sql:SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL}"
		}
		sql
	}
}


post-auth {
	sql
	if (fail) {
		update reply {
			Codigo-Reject := Imposible-Contactar-Backend
		}
		reject
	}
	Post-Auth-Type REJECT {
		# a non-zero count means the reject came from an open session
		if ("%{request:Num-Open-Session}") {
			update reply {
				Codigo-Reject = Sesion-Abierta
			}
		}
		else {
			update reply {
				Codigo-Reject = Credenciales-Erroneas
			}
		}
	}
}

I think that this is not the best way to do it, but...

Thank you very much



  Ana Gallardo Gómez


return a special value in reply when simultaneous use

2010-07-21 Thread Ana Gallardo
Hello,

I'm working with Freeradius 2.1.8

I'm using session (sql) to control simultaneous use.

I would like to return a special value if a user tries to access with
credentials in use.

Group session {...} always returns ok, so I don't know what I can do in
post-auth to distinguish between all rejects.

I test this configuration in my default server:

session {
	if ("%{Realm}" == "xxx.es") {
		sql
	}
}


post-auth {
	if (fail) {
		update reply {
			Codigo-Reject := Imposible-Contactar-Backend
		}
		reject
	}
	sql
	Post-Auth-Type REJECT {
		if (simulcount) {
			update reply {
				Codigo-Reject = Sesion-Abierta
			}
		}
		update reply {
			Codigo-Reject = Credenciales-Erroneas
		}
		sql
		attr_filter.access_reject
	}
}

But it doesn't work.

Here is part of the debug info for an accept request:

[pap] User authenticated successfully
++[pap] returns ok
+- entering group session {...}
++? if (%{Realm} == xxx.es)
expand: %{Realm} - xxx.es
?? Evaluating (%{Realm} == xxx.es) - TRUE
++? if (%{Realm} == xxx.es) - TRUE
++- entering if (%{Realm} == xxx.es) {...}
. . .

rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
+++[sql] returns ok
++- if (%{Realm} == xxx.es) returns ok
+- entering group post-auth {...}


And here is part of the debug info for a reject request for simultaneous
use:

[pap] User authenticated successfully
++[pap] returns ok
+- entering group session {...}
++? if (%{Realm} == xxx.es)
expand: %{Realm} - xxx.es
?? Evaluating (%{Realm} == xxx.es) - TRUE
++? if (%{Realm} == xxx.es) - TRUE
++- entering if (%{Realm} == xxx.es) {...}
. . .

rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
+++[sql] returns ok
++- if (%{Realm} == xxx.es) returns ok
} # server rinuex
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++? if (simulcount)
? Evaluating (simulcount) - TRUE
++? if (simulcount) - TRUE


I need help. Thank you very much and sorry for my English.


-- 


  Ana Gallardo Gómez


Re: About Simultaneous-Use

2010-07-19 Thread Alan DeKok
Tian wrote:
 I Install FreeRadius in FreeBSD through Ports.
 I run radius -X
...
 run radtest is OK!
  
 BUT Simultaneous-Use IS NOT AVAIL !!
  
 WHY?

  This is documented.  See doc/Simultaneous-Use

  Alan DeKok.



simultaneous-use via exec ?

2010-03-19 Thread power159
hi all

I am trying to load the simultaneous-use parameter via exec. I have tried it in
any section (authorize / accounting / post-auth and ...) at the beginning and
end of the section,
but I don't know why freeradius is not reading it. It's only working when I
am using it in sql.

Re: simultaneous-use via exec ?

2010-03-19 Thread Alan DeKok
power159 wrote:
 I am trying to load simultaneous-use parameter via exec .

  What does that mean?

 I have tried
 it in any section ( authorize / accounting / post-auth and .. ) at
 beginning and end of the section ,
 but I don't know why freeradius is not reading it. It's only working
 when I am using it in sql.

  See the FAQ for "it doesn't work"

  Alan DeKok.


Re: fradius v2.1.7 Simultaneous-Use

2010-03-13 Thread Marinko Tarlac

Every day at least once, someone asks this question...



Mark wrote:

Hi list,

I have been trying to find out more information regarding the use of the 
Simultaneous-Use option for FreeRadius. I have been checking google and most 
guides seem to point to /etc/raddb/sql.conf and to uncomment the appropriate 
lines. However, I have not been able to find the Simultaneous-Use option in 
my radius server's sql.conf. Does anyone know if that may have been moved to 
somewhere else or did I miss something on the installation? The distro for the 
server in question is fedora11.


Any help would be much appreciated.

Kind regards,

Mark




RE: fradius v2.1.7 Simultaneous-Use

2010-03-12 Thread Mark
Hi list,

I have been trying to find out more information regarding the use of the 
Simultaneous-Use option for FreeRadius. I have been checking google and most 
guides seem to point to /etc/raddb/sql.conf and to uncomment the appropriate 
lines. However, I have not been able to find the Simultaneous-Use option in 
my radius server's sql.conf. Does anyone know if that may have been moved to 
somewhere else or did I miss something on the installation? The distro for the 
server in question is fedora11.


Any help would be much appreciated.

Kind regards,

Mark




Re: fradius v2.1.7 Simultaneous-Use

2010-03-12 Thread Alan DeKok
Mark wrote:
 I have been trying to find out more information regarding
 the use of the Simultaneous-Use option for FreeRadius.
 I have been checking google

  Why?

  This *is* documented in the server.  See doc/Simultaneous-Use

  Alan DeKok.


simultaneous-use doc

2010-03-01 Thread J Brandon Polley
I am trying to understand the simultaneous-use doc

I am having trouble with a part that says:

Note that you need to add the Simultaneous-Use parameter to the
check item (first line), not the reply item, using the ':=' operator.

I am not sure where to add the Simultaneous-Use parameter. Does it go in
ldap.attrmap.config ?

Re: simultaneous-use doc

2010-03-01 Thread Alan DeKok
J Brandon Polley wrote:
 I am trying to understand the simultaneous-use doc
 
 I am having trouble with a part that says:
 
 Note that you need to add the Simultaneous-Use parameter to the
   check item (first line), not the reply item, using the ':=' operator.
 
 I am not sure where to add the Simultaneous-Use parameter. Does it go in 
 ldap.attrmap.config ?

  No.  See man users, or doc/rlm_sql

  Alan DeKok.


Re: Re: Simultaneous-Use problem with Mikrotik NAS clients

2010-02-12 Thread Fojtán Balázs István
Hello Fajar,

 mysql> select * from radgroupreply;
 +----+-----------+------------------+----+-------+
 | id | GroupName | Attribute        | op | Value |
 +----+-----------+------------------+----+-------+
 |  1 | HZ        | Simultaneous-Use | := | 1     |
 +----+-----------+------------------+----+-------+

Shouldn't this be on radgroupcheck?

My radgroupcheck table is empty. Does it cause the problem?

Regards,
fbi




Re: Re: Simultaneous-Use problem with Mikrotik NAS clients

2010-02-12 Thread Chris Knipe
Yes,

Simultaneous-Use is a check item, not a reply.

2010/2/12 Fojtán Balázs István bal...@fojtan.hu

 Hello Fajar,

  mysql> select * from radgroupreply;
  +----+-----------+------------------+----+-------+
  | id | GroupName | Attribute        | op | Value |
  +----+-----------+------------------+----+-------+
  |  1 | HZ        | Simultaneous-Use | := | 1     |
  +----+-----------+------------------+----+-------+
 
 Shouldn't this be on radgroupcheck?

 My radgroupcheck table is empty. Does it cause the problem?

 Regards,
 fbi






-- 

Regards,
Chris Knipe

Re: Re: Simultaneous-Use problem with Mikrotik NAS clients

2010-02-12 Thread Fojtán Balázs István
Hello,

Yes,

Simultaneous-Use is a check item, not a reply.

OK, I made this mistake, sorry. Now I've deleted the Simultaneous-Use := 1
record from radgroupreply (now this is empty), and inserted it into
radgroupcheck.

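mysql> select * from radgroupcheck;
+----+-----------+------------------+----+-------+
| id | GroupName | Attribute        | op | Value |
+----+-----------+------------------+----+-------+
|  1 | HZ        | Simultaneous-Use | := | 1     |
+----+-----------+------------------+----+-------+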

I've got this in my radius.log:
Fri Feb 12 10:33:59 2010 : Error: [sql] Failed to check the terminal
server for user 'hz1'.
Fri Feb 12 10:33:59 2010 : Auth: Login OK: [hz1/CHAP-Password] (from
client HZ Test port 2156920837 cli 00:0E:35:3F:68:29)

Does this mean that freeradius can't verify on the NAS client whether
the user is online?

Regards,
fbi




Simultaneous-Use problem with Mikrotik NAS clients

2010-02-12 Thread Fojtán Balázs István
Hello,


After I made your suggested change (inserted the Simultaneous-Use := 1
record into the radgroupcheck table), the checkrad.pl script runs when I use
radtest for a user who is listed by radwho. I've set the $debug, $snmpget,
$snmpwalk, $cmmty_string variables in /usr/sbin/checkrad. After that I get
this message in checkrad's debug file:

Fri Feb 12 14:13:19 2010 checkrad mikrotik 172.16.2.246 2147483647 hz1
80600043
  Returning 2 (error detected)

Are there any settings to get more detailed debug info somewhere? I've set up
a firewall logger between freeradius and the NAS client, but it has
not detected any packets. snmpwalk and telnet (to reach the mikrotik
NAS) work fine if I try them from a simple linux shell.

Regards,
fbi



Re: Simultaneous-Use problem with Mikrotik NAS clients

2010-02-11 Thread Fajar A. Nugraha
2010/2/11 Fojtán Balázs István bal...@fojtan.hu:
 simul_count_query = SELECT COUNT(*) \
 FROM ${acct_table1} \
 WHERE username = '%{SQL-User-Name}' \
 AND acctstoptime IS NULL

it uses ${acct_table1} (should be radacct by default). Have you
enabled accounting?

 mysql> select * from radcheck;
 +----+----------+---------------+----+------------+
 | id | UserName | Attribute     | op | Value      |
 +----+----------+---------------+----+------------+
 |  1 | hz1      | user-password | == | Tfregep5uy |

what does radacct look like? What's the result of  (for example)

SELECT COUNT(*) \
 FROM radacct \
 WHERE username = 'hz1' \
 AND acctstoptime IS NULL;

-- 
Fajar



Re: Re: Simultaneous-Use problem with Mikrotik NAS clients

2010-02-11 Thread Fojtán Balázs István
Hello Fajar,

thanks for your rapid response!

 simul_count_query = SELECT COUNT(*) \
 FROM ${acct_table1} \
 WHERE username = '%{SQL-User-Name}' \
 AND acctstoptime IS NULL

it uses ${acct_table1} (should be radacct by default). Have you
enabled accounting?


Yes, accounting is working. Here are some fields listed from the radacct table:
mysql> select
radacctid,acctsessionid,username,nasipaddress,nasporttype,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets
 from radacct where username='hz1';
+-----------+---------------+----------+--------------+-----------------+---------------------+---------------------+-----------------+------------------+
| radacctid | acctsessionid | username | nasipaddress | nasporttype     | acctstarttime       | acctstoptime        | acctinputoctets | acctoutputoctets |
+-----------+---------------+----------+--------------+-----------------+---------------------+---------------------+-----------------+------------------+
|         3 | 8062          | hz1      | 172.16.2.246 | Wireless-802.11 | 2010-01-28 12:47:46 | 2010-01-28 12:50:37 |           21399 |            51376 |
|         4 | 8063          | hz1      | 172.16.2.246 | Wireless-802.11 | 2010-01-29 17:42:58 | 2010-01-29 17:45:17 |           20811 |            50802 |
|       160 | 80800010      | hz1      | 172.17.2.246 | Wireless-802.11 | 2010-02-08 17:54:56 | 2010-02-08 17:56:01 |           18320 |            35545 |
|       161 | 80800011      | hz1      | 172.17.2.246 | Wireless-802.11 | 2010-02-08 17:56:26 | 2010-02-08 18:18:37 |          590798 |          2356358 |
|       183 | 8043          | hz1      | 172.17.2.246 | Wireless-802.11 | 2010-02-09 13:48:52 | 2010-02-09 13:49:07 |            9573 |            10237 |
|       189 | 80b7          | hz1      | 172.17.2.246 | Wireless-802.11 | 2010-02-09 15:21:20 | 2010-02-09 15:21:26 |            8474 |             8869 |
|       230 | 8060          | hz1      | 172.17.2.246 | Wireless-802.11 | 2010-02-10 15:44:02 | 2010-02-10 15:46:52 |          580051 |           896533 |
+-----------+---------------+----------+--------------+-----------------+---------------------+---------------------+-----------------+------------------+



 mysql> select * from radcheck;
 +----+----------+---------------+----+------------+
 | id | UserName | Attribute     | op | Value      |
 +----+----------+---------------+----+------------+
 |  1 | hz1      | user-password | == | Tfregep5uy |

what does radacct look like? What's the result of  (for example)

SELECT COUNT(*) \
 FROM radacct \
 WHERE username = 'hz1' \
 AND acctstoptime IS NULL;

mysql> SELECT COUNT(*)   FROM radacct   WHERE username = 'hz1'   AND acctstoptime IS NULL;
+----------+
| COUNT(*) |
+----------+
|        1 |
+----------+

regards,
fbi
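
The count query discussed in this thread, run against a small constructed radacct table to show how one session left open (no Stop record) keeps a Simultaneous-Use = 1 user locked out, together with the two remedies raised on the list: closing the sessions of a removed NAS, or counting only sessions on a NAS that is still defined. This is an added example, not part of any post; it uses SQLite in place of MySQL and leaves out the checkrad verification step, and the nas table layout (a nasname column holding the NAS address) and all sample rows are assumptions.

```python
import sqlite3

# Constructed schema: radacct columns follow the listing posted in the thread;
# the nas table (one row per NAS that is still defined) is an assumption.
SCHEMA = """
CREATE TABLE radacct (
    radacctid     INTEGER PRIMARY KEY,
    acctsessionid TEXT,
    username      TEXT,
    nasipaddress  TEXT,
    acctstarttime TEXT,
    acctstoptime  TEXT   -- NULL means the session is still counted as open
);
CREATE TABLE nas (nasname TEXT PRIMARY KEY);
"""

# Constructed sample rows (not taken from the thread).
ROWS = [
    (1, "s1", "alice", "192.0.2.1", "2010-02-08 17:54:56", "2010-02-08 17:56:01"),
    (2, "s2", "alice", "192.0.2.1", "2010-02-10 15:44:02", None),  # really online
    (3, "s3", "bob", "192.0.2.9", "2010-02-01 09:00:00", None),    # Stop never arrived
]
ACTIVE_NAS = ["192.0.2.1"]  # 192.0.2.9 has been removed from the client list


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    conn.executemany("INSERT INTO nas VALUES (?)", [(n,) for n in ACTIVE_NAS])
    return conn


def open_sessions(conn, username):
    """The simul_count_query from the thread, with a bound parameter."""
    sql = "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL"
    return conn.execute(sql, (username,)).fetchone()[0]


def open_sessions_on_active_nas(conn, username):
    """Variant that ignores sessions recorded against a NAS no longer defined."""
    sql = """SELECT COUNT(*) FROM radacct
             WHERE username = ? AND acctstoptime IS NULL
               AND nasipaddress IN (SELECT nasname FROM nas)"""
    return conn.execute(sql, (username,)).fetchone()[0]


def close_sessions_for_nas(conn, nas_ip, stop_time):
    """Close every open session of a decommissioned NAS; returns rows changed."""
    cur = conn.execute(
        "UPDATE radacct SET acctstoptime = ? "
        "WHERE nasipaddress = ? AND acctstoptime IS NULL",
        (stop_time, nas_ip),
    )
    return cur.rowcount


def decision(open_count, simultaneous_use=1):
    """Reject when the open-session count has reached the limit."""
    return "reject" if open_count >= simultaneous_use else "accept"


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob"):
        print(user, open_sessions(db, user), decision(open_sessions(db, user)))
    print("active-NAS count for bob:", open_sessions_on_active_nas(db, "bob"))
    print("closed:", close_sessions_for_nas(db, "192.0.2.9", "2010-02-12 10:00:00"))
    print("bob after cleanup:", decision(open_sessions(db, "bob")))
```
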
