Re: freeradius mysql simultaneous-use question URGENT

2003-12-17 Thread Soujanya Rao
'sql' is listed in the accounting section. Anyway I figured out that I was testing it incorrectly using NTRadping for I was testing for double logins by using Accounting (start/stop) as the Request type instead of using Authentication Request as the request type. I have successfully tested it and it works well now :) Thanks!
Soujanya

From: "Alan DeKok" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: freeradius mysql simultaneous-use question URGENT
Date: Tue, 16 Dec 2003 16:33:11 -0500
Reply-To: [EMAIL PROTECTED]

Soujanya Rao [EMAIL PROTECTED] wrote:
 Can anyone tell me where I am going wrong? This is urgent and I am
 clueless as to what else needs to be done.

  Ensure that 'sql' is listed in the 'accounting' section.

  Run: radiusd -X

  Alan DeKok.

freeradius mysql simultaneous-use question URGENT

2003-12-16 Thread Soujanya Rao
Hi,
I am new to freeradius. I need some help in using simultaneous-use for detecting double logins using mysql only. Here is my current set up:

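 select * from radgroup check
+----+-----------+------------------+----+-------+
| id | GroupName | Attribute        | op | Value |
+----+-----------+------------------+----+-------+
|  2 | static    | Auth-Type        | == | Local |
|  4 | static    | Simultaneous-Use | := | 1     |
+----+-----------+------------------+----+-------+

 select * from usergroup
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
| 33 | PW006    | static    |
+----+----------+-----------+

 select * from radcheck
+----+----------+-----------+----+-------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+-------+
| 18 | PW006    | Password  | == | abcd  |
+----+----------+-----------+----+-------+

In my radius.conf I have a set up like this: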

session {
    sql
}

In sql.conf, the "Simultaneous Use Checking Queries" are uncommented

I am using NTRadping to test for simultaneous-use and am failing to do so!
I am doing an accounting start using NTRadPing for the same user with a different NAS-IP-Address (Additional RADIUS attributes) and a different port NAS-Port (additional RADIUS attribute). Though simultaneous-use is setup the user is not stopped for double login at all. It creates two entries in the radacct table and when I run accounting stop it updates the relevant radacct records with the AcctStopTime.

Can anyone tell me where I am going wrong? This is urgent and I am clueless as to what else needs to be done. The sqltrace.log does not show that the uncommented statements in sql.conf are executed. How do I make sure that they get executed. Also please let me know if this is a correct procedure for testing the same.

Thanks in advance,
Soujanya

Re: freeradius mysql simultaneous-use question URGENT

2003-12-16 Thread Alan DeKok
Soujanya Rao [EMAIL PROTECTED] wrote:
 Can anyone tell me where I am going wrong? This is urgent and I am
 clueless as to what else needs to be done. 

  Ensure that 'sql' is listed in the 'accounting' section.

  Run: radiusd -X

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Simultaneous-Use works only with finger?

2003-11-19 Thread Double
If I use freeradius with portsale check multiple logins (Simultaneous-Use) works only 
with finger?



problem with Simultaneous-Use

2003-10-27 Thread Double
Why if I use:

qwerty  Auth-Type = Crypt-Local, Crypt-Password == $1$PkxbkAzR$byaCpj1GQOL0HxbxhJHRb0, Simultaneous-Use := 0
        Exec-Program-Wait = /usr/local/billing/start %u,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobsen-TCP-IP

I have:
Mon Oct 27 16:42:36 2003 : Auth: Multiple logins (max 0) : [qwerty/qwerty] (from client condor port 0)

If I use:
qwerty  Auth-Type = Crypt-Local, Crypt-Password == $1$PkxbkAzR$byaCpj1GQOL0HxbxhJHRb0, Simultaneous-Use := 1
        Exec-Program-Wait = /usr/local/billing/start %u,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobsen-TCP-IP

I have:
Mon Oct 27 16:57:53 2003 : Auth: Login OK: [qwerty/qwerty] (from client condor port 0)
Mon Oct 27 16:58:49 2003 : Auth: Login OK: [qwerty/qwerty] (from client condor port 1)

Why Auth: Login OK???




simultaneous use not working in mysql

2003-10-27 Thread Omar Armas
I have freeradius 0.9 with mysql module working, but simultaneous use is
not working well.
I want all users to have only one active session at a time.

This is an example of my database configuration:

----------
mysql> select * from radcheck where username='demo';
+------+----------+-----------+----+--------+
| id   | UserName | Attribute | op | Value  |
+------+----------+-----------+----+--------+
| 2058 | demo     | Password  | == | demopa |
+------+----------+-----------+----+--------+
1 row in set (0.00 sec)


mysql> select * from usergroup where username='anexo02';
+------+----------+-----------+
| id   | UserName | GroupName |
+------+----------+-----------+
| 2055 | demo     | dynamic   |
+------+----------+-----------+
1 row in set (0.00 sec)

----------
(table radgroupcheck)

mysql> select * from radgroupcheck;
+----+-----------+------------------+----+-------+
| id | GroupName | Attribute        | op | Value |
+----+-----------+------------------+----+-------+
|  1 | dynamic   | Auth-Type        | := | Local |
|  2 | dynamic   | Simultaneous-Use | := | 1     |
+----+-----------+------------------+----+-------+
2 rows in set (0.00 sec)
----------

But the users are able to load several time, simultaneous-use=1 is not
working.
Any idea why?

Omar




RES: simultaneous use not working in mysql

2003-10-27 Thread Sergio Jose Ferreira
How is the session configuration at radiusd.conf?

Are you checking with sql session or radutmp?

If sql, check if simultaneous-use sql line is enabled at the end of sql.conf
file.

Sergio Jose Ferreira
WGO Internet

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Omar Armas
Sent: Monday, October 27, 2003 16:00
To: [EMAIL PROTECTED]
Subject: simultaneous use not working in mysql


I have freeradius 0.9 with mysql module working, but simultaneous use is
not working well.
I want that all users to have only active session at a time.

This is an example of my database configuration:

----------
mysql> select * from radcheck where username='demo';
+------+----------+-----------+----+--------+
| id   | UserName | Attribute | op | Value  |
+------+----------+-----------+----+--------+
| 2058 | demo     | Password  | == | demopa |
+------+----------+-----------+----+--------+
1 row in set (0.00 sec)


mysql> select * from usergroup where username='anexo02';
+------+----------+-----------+
| id   | UserName | GroupName |
+------+----------+-----------+
| 2055 | demo     | dynamic   |
+------+----------+-----------+
1 row in set (0.00 sec)

----------
(table radgroupcheck)

mysql> select * from radgroupcheck;
+----+-----------+------------------+----+-------+
| id | GroupName | Attribute        | op | Value |
+----+-----------+------------------+----+-------+
|  1 | dynamic   | Auth-Type        | := | Local |
|  2 | dynamic   | Simultaneous-Use | := | 1     |
+----+-----------+------------------+----+-------+
2 rows in set (0.00 sec)
----------

But the users are able to load several time, similtaneous-use=1 is not
working.
Any idea why?

Omar




Re: RES: simultaneous use not working in mysql

2003-10-27 Thread Omar Armas
On Mon, 2003-10-27 at 13:22, Sergio Jose Ferreira wrote:
 How is the session configuration at radiusd.conf ?
 
 check with sql session or radutmp ?

I suppose both of them. In my radius.conf:

session {
radutmp
sql
}

Should I leave sql only?



 If sql, check if simultaneous-use sql line is enabled at the end of sql.conf
 file.
 


In sql.conf, the Simultaneous Use Checking Queries are uncommented.


Omar




RES: RES: simultaneous use not working in mysql

2003-10-27 Thread Sergio Jose Ferreira
Omar,

I think so.
You can get a copy of my config files at :

http://www.ispadmin.com.br/downloads.html

Sergio Jose Ferreira
WGO Internet



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Omar Armas
Sent: Monday, October 27, 2003 17:53
To: [EMAIL PROTECTED]
Subject: Re: RES: simultaneous use not working in mysql


On Mon, 2003-10-27 at 13:22, Sergio Jose Ferreira wrote:
 How is the session configuration at radiusd.conf ?

 check with sql session or radutmp ?

I suppose both of them. In my radius.conf:

session {
radutmp
sql
}

Should I leave sql only?



 If sql, check if simultaneous-use sql line is enabled at the end of
sql.conf
 file.



In sql.conf, the Simultaneous Use Checking Queries are uncommented.


Omar




Disable Simultaneous-Use for proxied users only?

2003-10-09 Thread Kristina Pfaff-Harris

I've run into an interesting dilemma. We've been using Simultaneous-Use 
checking on our users, and it's worked great. Unfortunately, we're now 
also offering dialup in other cities through MegaPOP, and since those
aren't our servers, obviously we can't snmp or finger-check to see if 
users are really logged on. We've got several users who are having line or 
modem problems so they lose their connection un-gracefully and end up with 
a session stuck in the radacct table. We have to then clear out the 
session manually so they can log on.

I've tried all sorts of combinations of huntgroups, attrs, and users
configurations, but I can't seem to come up with a simple configuration
that says something like If the user is dialing into these NASes (meaning
our own personal ones), check for simultaneous use, otherwise, don't.

I'm sure I'm probably making this way too complicated, but I've been over
and over the docs on proxy, simultaneous use, huntgroups, users etc, and
I'm not getting anywhere. The closest I came was disabling simultaneous
use for non-proxied users while leaving it enabled for proxied users,
which is the exact opposite. :-) I tried flipping some things around, but
no go.

Anyone have any ideas on this, or can maybe tell me which doc(s) to go 
back to again? Does it sound like this is even possible?

Thanks! :-)

Kristina





Re: Simultaneous-Use

2003-09-20 Thread Double
On Fri, 19 Sep 2003 11:8:55 +0800
 [EMAIL PROTECTED] wrote:

test  Auth-Type = Crypt-Local, Crypt-Password == $1$YoWRpiSV$QsHmtOSFoOGEw4i7LjaLV/, 
Simultaneous-Use := 1
 Hi all!
How to configure some accounts be limited to only one login at a time and some 
 not?
 
 EMAIL:[EMAIL PROTECTED]
 TEL:020-87114020 020-87114021
 2003-09-19
 
 
 


-- 
Technical Support Administrator
of NARZAN Network



Re: Simultaneous-Use

2003-09-19 Thread Ulrich Walcher
see /doc/Simultaneous-Use 

On Fri, 2003-09-19 at 05.08, wrote:
 Hi all!
How to configure some accounts be limited to only one login at a time and some 
 not?
 
 EMAIL:[EMAIL PROTECTED]
 TEL:020-87114020 020-87114021
 2003-09-19
 
 
 
 




Simultaneous-Use

2003-09-18 Thread
Hi all!
   How to configure some accounts to be limited to only one login at a time and some not?

EMAIL:[EMAIL PROTECTED]
TEL:020-87114020 020-87114021
2003-09-19





Problem with Simultaneous-Use

2003-09-17 Thread Double
why if I use Simultaneous-Use :

test    Auth-Type := Crypt-Local, Crypt-Password == $1$0MrvlCBQ$udnwuVmMLsn8GphGQQugF1 Simultaneous-Use = 1
Exec-Program-Wait = /usr/local/bin/start %u,
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Routing = Broadcast-Listen,
Framed-Filter-Id = std.ppp,
Framed-MTU = 1500,
Framed-Compression = Van-Jacobsen-TCP-IP

I have a problem:

Auth: Login incorrect (external check failed): [test/test] (from client condor port 0)
-- 
Technical Support Administrator
of NARZAN Network



RES: Problem with Simultaneous-Use

2003-09-17 Thread Sergio Jose Ferreira
Hi,

What does your start script return?
return 0 - ok
return 1 - fail

sergio
wgo internet


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Double
Sent: Wednesday, September 17, 2003 10:11
To: [EMAIL PROTECTED]
Subject: Problem with Simultaneous-Use


why if I use Simultaneous-Use :

test    Auth-Type := Crypt-Local, Crypt-Password == $1$0MrvlCBQ$udnwuVmMLsn8GphGQQugF1 Simultaneous-Use = 1
Exec-Program-Wait = /usr/local/bin/start %u,
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Routing = Broadcast-Listen,
Framed-Filter-Id = std.ppp,
Framed-MTU = 1500,
Framed-Compression = Van-Jacobsen-TCP-IP

I have a problem:

Auth: Login incorrect (external check failed): [test/test] (from client
condor port 0)
--
Technical Support Administrator
of NARZAN Network



Re: Problem with Simultaneous-Use

2003-09-17 Thread Double
On Wed, 17 Sep 2003 10:28:18 -0300
Sergio Jose Ferreira [EMAIL PROTECTED] wrote:
ok! thanks!
I understand my mistake %)

 Hi,
 
   What your start script are return ?
   return 0 - ok
   return 1 - fail
 
 sergio
 wgo internet
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Double
 Sent: Wednesday, September 17, 2003 10:11
 To: [EMAIL PROTECTED]
 Subject: Problem with Simultaneous-Use
 
 
 why if I use Simultaneous-Use :
 
 test    Auth-Type := Crypt-Local, Crypt-Password == $1$0MrvlCBQ$udnwuVmMLsn8GphGQQugF1 Simultaneous-Use = 1
 Exec-Program-Wait = /usr/local/bin/start %u,
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-Routing = Broadcast-Listen,
 Framed-Filter-Id = std.ppp,
 Framed-MTU = 1500,
 Framed-Compression = Van-Jacobsen-TCP-IP
 
 I have a problem:
 
 Auth: Login incorrect (external check failed): [test/test] (from client
 condor port 0)
 --
 Technical Support Administrator
 of NARZAN Network
 


-- 
Technical Support Administrator
of NARZAN Network



Problem with Simultaneous-Use

2003-09-17 Thread Double

 
 
 why if I use Simultaneous-Use :
 
 test    Auth-Type := Crypt-Local, Crypt-Password == $1$0MrvlCBQ$udnwuVmMLsn8GphGQQugF1, Simultaneous-Use = 1
 Exec-Program-Wait = /usr/local/bin/start %u,
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-Routing = Broadcast-Listen,
 Framed-Filter-Id = std.ppp,
 Framed-MTU = 1500,
 Framed-Compression = Van-Jacobsen-TCP-IP
 
 I have a problem:
 
 Auth: Login incorrect  [test/test] (from client
 condor port 0)
if I don't use Simultaneous-Use :

test    Auth-Type := Crypt-Local, Crypt-Password == $1$0MrvlCBQ$udnwuVmMLsn8GphGQQugF1
 Exec-Program-Wait = /usr/local/bin/start %u,
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-Routing = Broadcast-Listen,
 Framed-Filter-Id = std.ppp,
 Framed-MTU = 1500,
 Framed-Compression = Van-Jacobsen-TCP-IP

I have:

Auth: Login OK: [qwerty/qwerty] (from client condor port 0)



-- 
Technical Support Administrator
of NARZAN Network



Again problem with Simultaneous-Use

2003-09-17 Thread Double
why if I use Simultaneous-Use :
 
 test    Auth-Type := Crypt-Local, Crypt-Password == $1$0MrvlCBQ$udnwuVmMLsn8GphGQQugF1, Simultaneous-Use = 1
 Exec-Program-Wait = /usr/local/bin/start %u,
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-Routing = Broadcast-Listen,
 Framed-Filter-Id = std.ppp,
 Framed-MTU = 1500,
 Framed-Compression = Van-Jacobsen-TCP-IP
 
 I have a problem:
 
 Auth: Login incorrect  [test/test] (from client
 condor port 0)
if I don't use Simultaneous-Use :

test    Auth-Type := Crypt-Local, Crypt-Password == $1$0MrvlCBQ$udnwuVmMLsn8GphGQQugF1
 Exec-Program-Wait = /usr/local/bin/start %u,
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-Routing = Broadcast-Listen,
 Framed-Filter-Id = std.ppp,
 Framed-MTU = 1500,
 Framed-Compression = Van-Jacobsen-TCP-IP

I have:

Auth: Login OK: [qwerty/qwerty] (from client condor port 0)



-- 
Technical Support Administrator
of NARZAN Network



Re: Again problem with Simultaneous-Use

2003-09-17 Thread Double
On Wed, 17 Sep 2003 18:25:56 +0400 (MSD)
Double [EMAIL PROTECTED] wrote:

I understand my mistake %)

Simultaneous-Use = 1 fail
Simultaneous-Use := 1 ok

 why if I use Simultaneous-Use :
  
  test    Auth-Type := Crypt-Local, Crypt-Password == $1$0MrvlCBQ$udnwuVmMLsn8GphGQQugF1, Simultaneous-Use = 1
  Exec-Program-Wait = /usr/local/bin/start %u,
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-Routing = Broadcast-Listen,
  Framed-Filter-Id = std.ppp,
  Framed-MTU = 1500,
  Framed-Compression = Van-Jacobsen-TCP-IP
  
  I have a problem:
  
  Auth: Login incorrect  [test/test] (from client
  condor port 0)
 if I don`t use Simultaneous-Use :
 
 test    Auth-Type := Crypt-Local, Crypt-Password == $1$0MrvlCBQ$udnwuVmMLsn8GphGQQugF1
  Exec-Program-Wait = /usr/local/bin/start %u,
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-Routing = Broadcast-Listen,
  Framed-Filter-Id = std.ppp,
  Framed-MTU = 1500,
  Framed-Compression = Van-Jacobsen-TCP-IP
 
 I have:
 
 Auth: Login OK: [qwerty/qwerty] (from client condor port 0)
 
 
 
 -- 
 Technical Support Administrator
 of NARZAN Network
 


-- 
Technical Support Administrator
of NARZAN Network



Re: Again problem with Simultaneous-Use

2003-09-17 Thread Nick Davis
You should read the man page for users regarding the usage of =,:=, +=, etc...

You usually need to use := with Simul-Use

Nick

On Wednesday 17 September 2003 09:25, Double wrote:
 why if I use Simultaneous-Use :

  test    Auth-Type := Crypt-Local, Crypt-Password == $1$0MrvlCBQ$udnwuVmMLsn8GphGQQugF1, Simultaneous-Use = 1
  Exec-Program-Wait = /usr/local/bin/start %u,
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-Routing = Broadcast-Listen,
  Framed-Filter-Id = std.ppp,
  Framed-MTU = 1500,
  Framed-Compression = Van-Jacobsen-TCP-IP

  I have a problem:

  Auth: Login incorrect  [test/test] (from client
  condor port 0)
 if I don`t use Simultaneous-Use :

 test    Auth-Type := Crypt-Local, Crypt-Password == $1$0MrvlCBQ$udnwuVmMLsn8GphGQQugF1
  Exec-Program-Wait = /usr/local/bin/start %u,
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-Routing = Broadcast-Listen,
  Framed-Filter-Id = std.ppp,
  Framed-MTU = 1500,
  Framed-Compression = Van-Jacobsen-TCP-IP

 I have:

 Auth: Login OK: [qwerty/qwerty] (from client condor port 0)

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




Re: Again problem with Simultaneous-Use

2003-09-17 Thread Alan DeKok
Double [EMAIL PROTECTED] wrote:
 why if I use Simultaneous-Use :
...

  Posting the same message multiple times won't endear you to people.


  Here's a hint: You didn't read 'doc/Simultaneous-Use'.  And if you
did, you didn't read it carefully enough, because you're not doing
what it says.

  Alan DeKok.



Re: Group-Simultaneous-Use

2003-09-03 Thread Rick Atreides
Evren Yurtesen wrote:

I don't believe freeradius can do this. At least not with SQL because I 
didn't see any SELECT commands which satisfy this situation in sql.conf
One way is set something like that
simul_count_query = SELECT COUNT(*) FROM radacct
inner Join usergroup on radacct.UserName = usergroup.UserName where 
usergroup.GroupName = 'Group-Name' AND AcctStopTime = 0

In this situation you can limit only one group and not limit connections 
per-user.

I think better way is write rlm_sql_counter module for this proporsal, 
because it work in same algorithm.

Add some Attribute SQL-Group-Simulation-Use and SQL-Group-Name 
-Simulation-Use

And check count(*)  SQL-Group-Simulation-Use for 
SQL-Group-Name-Simulation-Use

it need a little practice in C and a 1-2 hour.

But there could be a simple way to manage this problem. By assigning one 
username to your group and giving 20 as Simultaneous-Use limit. So
everybody use the same user/pass combination. Now I am sure, most 
probably you already thought of this :) but you can't use.

Well, it also shouldn't be very difficult to add a groupwise simultaneous 
use attribute to freeradius since it already has simultaneous use 
attribute, this should be trivial. Instead of writing a script, maybe 
you should dig into sources :)

I want to have a simultaneous-use limit for groups. E.g., I have, say,
50 users in group1 and I want to set limit for group1 to, say, 20... If
there are already 20 online dialup users at any given time, 21st users
will be denied access.
(user-group relation is already set up in database)
Is there an attribute to achieve this or should I go for writing a small
script to execute externally upon every request??
Rick.


Posted throw the news.gmane.com To group gmane.comp.freeradius.user
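
As an added illustration (not code from any poster in this thread or from FreeRADIUS), the group-wide count query proposed above can be exercised against an in-memory SQLite database, with the group name bound as a parameter. The table and column names come from the posts on this page; the sample rows, the scaled-down limit of 2, and storing the proposed `SQL-Group-Simulation-Use` attribute as a `radgroupcheck` row are assumptions made for the example.

```python
import sqlite3

# Table and column names follow the posts on this page; all rows are constructed.
SCHEMA = """
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radacct       (UserName TEXT, NASIPAddress TEXT, NASPortId INTEGER,
                            AcctStartTime INTEGER, AcctStopTime INTEGER DEFAULT 0);
"""

# Attribute name proposed in the post above; it is not an existing FreeRADIUS attribute.
GROUP_LIMIT_ATTR = "SQL-Group-Simulation-Use"

# The query from the post, with the group name bound as a parameter instead of
# being pasted into the SQL text. AcctStopTime = 0 marks a session still open.
GROUP_COUNT_QUERY = """
SELECT COUNT(*) FROM radacct
INNER JOIN usergroup ON radacct.UserName = usergroup.UserName
WHERE usergroup.GroupName = ? AND radacct.AcctStopTime = 0
"""


def build_db(limit=2):
    """Create the constructed sample database: three users in group1, one in group2."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO usergroup VALUES (?, ?)",
        [("alice", "group1"), ("bob", "group1"), ("o'neil", "group1"), ("carol", "group2")],
    )
    conn.execute(
        "INSERT INTO radgroupcheck VALUES (?, ?, ':=', ?)",
        ("group1", GROUP_LIMIT_ATTR, str(limit)),
    )
    return conn


def acct_start(conn, user, nas, port, now):
    """Accounting Start: open a session row."""
    conn.execute(
        "INSERT INTO radacct (UserName, NASIPAddress, NASPortId, AcctStartTime) "
        "VALUES (?, ?, ?, ?)", (user, nas, port, now))


def acct_stop(conn, user, nas, port, now):
    """Accounting Stop: close the matching open session row."""
    conn.execute(
        "UPDATE radacct SET AcctStopTime = ? WHERE UserName = ? AND NASIPAddress = ? "
        "AND NASPortId = ? AND AcctStopTime = 0", (now, user, nas, port))


def open_group_sessions(conn, group):
    return conn.execute(GROUP_COUNT_QUERY, (group,)).fetchone()[0]


def check_group_login(conn, user):
    """Auth-time check: reject when any of the user's groups is at its limit.

    The count only sees sessions whose Accounting Start has already been stored,
    so two near-simultaneous logins can both pass it.
    """
    rows = conn.execute(
        "SELECT g.GroupName, c.Value FROM usergroup g "
        "JOIN radgroupcheck c ON c.GroupName = g.GroupName "
        "WHERE g.UserName = ? AND c.Attribute = ?", (user, GROUP_LIMIT_ATTR)).fetchall()
    for group, value in rows:
        limit = int(value)
        active = open_group_sessions(conn, group)
        if active >= limit:
            return False, f"{group}: {active} open sessions, limit {limit}"
    return True, "ok"


def demo():
    """Three group1 logins against a limit of 2, then a stop, then a retry."""
    conn = build_db(limit=2)
    results = []
    for user, port in [("alice", 1), ("o'neil", 2), ("bob", 3)]:
        allowed, _ = check_group_login(conn, user)
        results.append(allowed)
        if allowed:
            acct_start(conn, user, "192.0.2.10", port, 1000)
    acct_stop(conn, "alice", "192.0.2.10", 1, 2000)
    results.append(check_group_login(conn, "bob")[0])    # a slot is free again
    results.append(check_group_login(conn, "carol")[0])  # group2 has no limit row
    return results


if __name__ == "__main__":
    print(demo())
```

A session that never receives its Accounting Stop keeps counting against the whole group here, the same stuck-session problem described elsewhere on this page for per-user limits.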




Group-Simultaneous-Use

2003-09-02 Thread Ali Gunduz
Hi,

I want to have a simultaneous-use limit for groups. E.g., I have, say,
50 users in group1 and I want to set limit for group1 to, say, 20... If
there are already 20 online dialup users at any given time, 21st users
will be denied access.
(user-group relation is already set up in database)

Is there an attribute to achieve this or should I go for writing a small
script to execute externally upon every request??

Thanks..

Ali gunduz




Re: Postgres Simultaneous use queries

2003-08-14 Thread Ulrich Walcher
ThanX
 On Wed, Aug 13, 2003 at 02:33:57PM +0200, Ulrich Walcher wrote:
  Is there any reason why the Simultaneous Use Checking Queries that are
  present in sql.conf and oraclesql.conf do not appear in postgresql.conf?
 
 They are in 0.9 and current CVS. Please check it.
 




Re: Postgres Simultaneous use queries

2003-08-14 Thread Alexander M. Pravking
On Wed, Aug 13, 2003 at 02:33:57PM +0200, Ulrich Walcher wrote:
 Is there any reason why the Simultaneous Use Checking Queries that are
 present in sql.conf and oraclesql.conf do not appear in postgresql.conf?

They are in 0.9 and current CVS. Please check it.


-- 
Fduch M. Pravking



Cisco VoIP and Simultaneous-use

2003-08-14 Thread Guillermo Delmastro
Hi all!
I've been trying to get simultaneous-use work with Cisco VoIP calls. After
looking through this list and doing some test over a freeradius-0.9.0 on
BSDi4.3 I found that it's not possible, so I only want to confirm this.
 During accounting session radutmp module stores some information about
users on radutmp file. This information includes nas and nas-port.
 If a register with a nas and nas-port already exists in this file, it is
erased and a new register is created with new data. And this is done before
simultaneous-use is checked (is it right?)
 The problem is that for a voip call (i am using it through an IVR) the
nas-port is always 0, so for the same user (called PIN) calling from the
same nas, we are only able to see one entry in radutmp file. For this
reason, simultaneous-use doesn't work.

If all of this is correct, is there another way to check simultaneous use?

Thanks and regards

Guillermo




Postgres Simultaneous use queries

2003-08-14 Thread Ulrich Walcher
Is there any reason why the Simultaneous Use Checking Queries that are
present in sql.conf and oraclesql.conf do not appear in postgresql.conf?




Re: Cisco VoIP and Simultaneous-use

2003-08-07 Thread Alan DeKok
Guillermo Delmastro [EMAIL PROTECTED] wrote:
  The problem is that for a voip call (i am using it throgh an IVR) the
 nas-port is always 0, so for the same user (called PIN) calling from the
 same nas, we are only able to see one entry in radutmp file. For this
 reason, simultaneous-use doesn't work.
 
 If all of this is correct, is there another way to check simultaneous use?

  Find some other way of telling user sessions apart.  Caller ID,
maybe.

  Alan DeKok.
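
A small model of the behaviour described in this exchange, added here as an example (it is not FreeRADIUS code and not from either poster): a session table keyed by NAS and NAS-Port, where a new record replaces the old one, compared with a table that also keys on the caller ID. The class, field names, PINs, addresses and phone numbers are constructed, and the example assumes the gateway sends a caller ID with each accounting record.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AcctStart:
    """The fields of an accounting start record that matter for session tracking."""
    user: str
    nas: str
    nas_port: int
    calling_station_id: str  # caller ID, assumed to be sent by the gateway


class SessionTable:
    """Session store in which a record with an existing key replaces the old one."""

    def __init__(self, key_fields):
        self.key_fields = key_fields
        self.rows = {}

    def _key(self, rec):
        return tuple(getattr(rec, name) for name in self.key_fields)

    def start(self, rec):
        # As described in the post: an entry for the same key is erased and
        # a new one is created with the new data.
        self.rows[self._key(rec)] = rec

    def stop(self, rec):
        self.rows.pop(self._key(rec), None)

    def count(self, user):
        return sum(1 for rec in self.rows.values() if rec.user == user)


def allow_login(table, user, limit):
    """Simultaneous-use decision: allow only while the user is below the limit."""
    return table.count(user) < limit


# Constructed sample: every VoIP call reports NAS-Port 0 on the same gateway.
CALLS = [
    AcctStart("pin-1001", "192.0.2.20", 0, "5550001"),
    AcctStart("pin-1001", "192.0.2.20", 0, "5550002"),
    AcctStart("pin-2002", "192.0.2.20", 0, "5550003"),
]


def demo():
    by_port = SessionTable(("nas", "nas_port"))
    by_caller = SessionTable(("nas", "nas_port", "calling_station_id"))
    for call in CALLS:
        by_port.start(call)
        by_caller.start(call)
    # Each entry: (sessions seen for pin-1001, would a further login pass a limit of 1?)
    return {
        "by_port": (by_port.count("pin-1001"), allow_login(by_port, "pin-1001", 1)),
        "by_caller": (by_caller.count("pin-1001"), allow_login(by_caller, "pin-1001", 1)),
    }


if __name__ == "__main__":
    print(demo())
```

Keyed on NAS and port alone, the third call replaces the only row, so pin-1001 shows no sessions and another login is allowed; with the caller ID in the key both of its calls are counted. Two calls from the same number would still collide under this key.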



Re: Realms and Simultaneous use

2003-07-20 Thread Ruslan A Dautkhanov

 Is there another possibility I've overlooked? Conditional check-items?

It's a very good idea - Conditional check-items. I just want to show
another real-life example where it can be a very helpful feature.
We sell different internet services, including dialup and campus
(ethernet clients get internet access via VPN server, which talks with
RADIUS to auth them) services, which are RADIUS-authenticated. For avoiding
cross-authentication for these users (for example, a dialup user tries
his usernamepassword to access the VPN-server - without this check
users will be auth-ed ok, but billing will fail - it uses different tariff
plans, even they are billed for different kinds of accounting data - in dialup it's time,
in campus it's ip-traffic size) I add the next rows to the radgroupcheck:

 id | groupname  |     attribute     |  value  | op
----+------------+-------------------+---------+----
 31 | campus     | Client-IP-Address | a.a.a.a | ==
 32 | scn.ru     | Client-IP-Address | b.b.b.b | ==
 33 | sibinet.ru | Client-IP-Address | b.b.b.b | ==

The rows with id=32,33 are dialup users' realms.

Currently, we are going to authenticate mail services via RADIUS-server also,
and it's problematic - almost all our users have emails in the @scn.ru
domain and all requests from the mail-server will be rejected, because the
mail-server has a different Client-IP-Address, not 'b.b.b.b'.

Furthermore, for mail-authentication we plan to use Postfix (try telnet
mail.freebsd.org 25 :-)
and it will authenticate POP and SMTP services. For SMTP (mail
delivering) we need to check only the existence of the user, so
User-Password/Crypt-Password attributes also should be conditionally checked!

--
best regards,
Ruslan A Dautkhanov  [EMAIL PROTECTED]




Simultaneous-use and wholesale dialup

2003-07-19 Thread Chris Miller

We're finding that some NAS providers are not returning *any* accounting
records. I'm not referring to the occasional intermittent loss or delay of
a record which is to be expected. It seems that receiving this data is not
an unreasonable request, is this sort of thing normal in the wholesale
arrangement?

Simultaneous-use without the ability to contact the NAS is not
recommended, but I do understand that it is being used successfully in
this configuration. Does anyone have any tips or tricks to reduce false
positives? There was some mention of adding a one minute cache of auth
records, but that's not currently available. Thanks for the input.

Regards,
Chris

Chris Miller
NetGate Internet





Simultaneous use of two DBs

2003-07-17 Thread Ali Gunduz
Hi,

I want to log start/stop packets in postgresql and use DB2 for
authentication information.
All my user information resides in DB2.. I cannot migrate it to
postgresql.

I couldn't figure out how I could do this in sql.conf..

Anyone has any suggestions or documents about this?

Thanks

Ali Gunduz




RE: Simultaneous use of two DBs

2003-07-17 Thread Tim McCracken

I don't know for sure about DB2 and Postgres but databases I am familiar
with (Oracle, SqlServer, MySql) have the ability to export and import
tables via csv files. That would let you move the data. There are
also some commercial utilities to let you do it, and there are ODBC
drivers available for most databases as well. 

Depending on the referential integrity that is implemented and the
features of your particular database, the order that you import them
may be important.

Tim

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Ali Gunduz
 Sent: Thursday, July 17, 2003 8:25 AM
 To: [EMAIL PROTECTED]
 Subject: Simultaneous use of two DBs
 
 
 Hi,
 
 I want to log start/stop packets in postgresql and use DB2 for
 authentication information.
 All my user information resides in DB2.. I cannot migrate it to
 postgresql.
 
 I couldn't figure out how I could do this in sql.conf..
 
 Anyone has any suggestions or documents about this?
 
 Thanks
 
 Ali Gunduz
 
 


RE: Simultaneous use of two DBs

2003-07-17 Thread Ali Gunduz
Well, I'm sure there are some migration utilities but I can't stop using
DB2 (management's decision).. I can't use DB2 for start/stop packet
logging (that's another issue that can't be solved)

So I have to use DB2 for authentication purposes and I have to use
postgresql (or any other lightweight DB) for logging purposes..

Any more suggestions? :)

Thanks

Ali


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Tim McCracken
 Sent: Thursday, July 17, 2003 16:51
 To: [EMAIL PROTECTED]
 Subject: RE: Simultaneous use of two DBs
 
 
 
 I don't know for sure about DB2 and Postgres but databases I 
 am familiar
 with (Oracle, SqlServer, MySql) have the ability to export and import
 tables via csv files. That would let you move the data. There are
 also some commercial utilities to let you do it, and there are ODBC
 drivers available for most databases as well. 
 
 Depending on the referential integrity that is implemented and the
 features of your particular database, the order that you import them
 may be important.
 
 Tim
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf 
 Of Ali Gunduz
  Sent: Thursday, July 17, 2003 8:25 AM
  To: [EMAIL PROTECTED]
  Subject: Simultaneous use of two DBs
  
  
  Hi,
  
  I want to log start/stop packets in postgresql and use DB2 for
  authentication information.
  All my user information resides in DB2.. I cannot migrate it to
  postgresql.
  
  I couldn't figure out how I could do this in sql.conf..
  
  Anyone has any suggestions or documents about this?
  
  Thanks
  
  Ali Gunduz
  
  


RE: Simultaneous use of two DBs

2003-07-17 Thread João Filipe Frade
Define 2 db instances.
Use one for authentication and the other for accounting.

Joao Frade

-Original Message-
From: Ali Gunduz [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2003 14:59
To: [EMAIL PROTECTED]
Subject: RE: Simultaneous use of two DBs


Well, I'm sure there are some migration utilities but I can't stop using DB2 
(management's decision).. I can't use DB2 for start/stop packet logging (that's 
another issue that can't be solved)

So I have to use DB2 for authentication purposes and I have to use postgresql (or any 
other lightweight DB) for logging purposes..

Any more suggestions? :)

Thanks

Ali


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Tim McCracken
 Sent: Thursday, July 17, 2003 16:51
 To: [EMAIL PROTECTED]
 Subject: RE: Simultaneous use of two DBs
 
 
 
 I don't know for sure about DB2 and Postgres but databases I
 am familiar
 with (Oracle, SqlServer, MySql) have the ability to export and import
 tables via csv files. That would let you move the data. There are
 also some commercial utilities to let you do it, and there are ODBC
 drivers available for most databases as well. 
 
 Depending on the referential integrity that is implemented and the 
 features of your particular database, the order that you import them 
 may be important.
 
 Tim
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf
 Of Ali Gunduz
  Sent: Thursday, July 17, 2003 8:25 AM
  To: [EMAIL PROTECTED]
  Subject: Simultaneous use of two DBs
  
  
  Hi,
  
  I want to log start/stop packets in postgresql and use DB2 for 
  authentication information. All my user information resides in DB2.. 
  I cannot migrate it to postgresql.
  
  I couldn't figure out how I could do this in sql.conf..
  
  Anyone has any suggestions or documents about this?
  
  Thanks
  
  Ali Gunduz
  
  


Re: Cisco snmp simultaneous use

2003-07-15 Thread ARC Informatique
I found the source of my problem but I don't know how to fix it:
in radiusd.conf
session {
#   radutmp
sql
}
If I set it to radutmp, it works, simultaneous-use works.

If I set to sql, simultaneous-use does not work. Authentication passes all
the time.

Can anyone tell me what I am doing wrong? Note that I am using postgres as a
database.

 Hi,

 I am trying to set up simultaneous use with freeradius 0.9 pre-release and
 snmp.

 Here is my config:

 naslist:

 1.2.3.4   ciscoshortname   cisco

 naspasswd:

 1.2.3.4   SNMP   snmppassword

 Also inserted:
  INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
  VALUES ('dialup', 'Simultaneous-Use', ':=', '1');
 (Of course I have a group dialin)


 when I run checkrad manually, I see in /var/log/freeradius/checkrad.log:

 snmpget: /usr/bin/snmpget -r 1 -t 5 1.2.3.4 snmppassword
 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.66
   user at port S66: user
  Returning 1 (double detected)

 However when I run it with freeradius -x, it seems checkrad is not being
 executed because I see no log in checkrad.log.


 With SQL, Simultaneous-Use works fine but I want to use it with snmp, which is
 more reliable.

 I am going, I tried everything with no success. The weird thing is that I
 made it work about a month ago with version 0.81
 Is there a bug or is it me ?

 Thanks in advance for your help

 Mohsen CHIRARA






Cisco snmp simultaneous use

2003-07-14 Thread ARC Informatique
Hi,

I am trying to set up simultaneous use with freeradius 0.9 pre-release and
snmp.

Here is my config:

naslist:

1.2.3.4   ciscoshortname   cisco

naspasswd:

1.2.3.4   SNMP   snmppassword

Also inserted:
 INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
 VALUES ('dialup', 'Simultaneous-Use', ':=', '1');
(Of course I have a group dialin)

when I run checkrad manually, I see in /var/log/freeradius/checkrad.log:

snmpget: /usr/bin/snmpget -r 1 -t 5 1.2.3.4 snmppassword
.iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.66
  user at port S66: user
 Returning 1 (double detected)

However when I run it with freeradius -x, it seems checkrad is not being
executed because I see no log in checkrad.log.

With SQL, Simultaneous-Use works fine but I want to use it with snmp, which is more
reliable.

I am going, I tried everything with no success. The weird thing is that I
made it work about a month ago with version 0.81
Is there a bug or is it me ?

Thanks in advance for your help

Mohsen CHIRARA


simultaneous-use reply-message

2003-06-20 Thread gunce ciftci

Dear list,
I am using (v0.8.1)
simultaneous-use attribute with Bay RAC 8000 without problems.
Users also get and see the You are already logged in - access denied
message through NAS-Prompt when they are trying to connect beyond the
limit. To make life easier for hot-line staff, we should have it in
native language. I don't know if somebody ever needed it. I looked for
this reply message in radiusd.conf and radcheck, but could not see it.

Reply-Message := \r\nYou are already logged in - access denied\r\n\n
Where is this reply message defined, so that admins can change/add it?

Regards,
Gunce

Gunce Ciftci
Middle East Technical University
Computer Center
[EMAIL PROTECTED]





Re: simultaneous-use reply-message

2003-06-20 Thread Alexander M. Pravking
On Fri, Jun 20, 2003 at 11:57:46AM +0300, gunce ciftci wrote:
 Dear list,
 I am using (v0.8.1)
 simultaneous-use attribute with Bay RAC 8000 without problems.
 Users also get and see the You are already logged in - access denied
 message through NAS-Prompt when they are trying to connect beyond the
 limit. To make life easier for hot-line staff, we should have it in
 native language.

Are you sure your NAS won't go crazy because of non-ascii characters?
Don't you expect charset problems?

 I don't know if somebody ever needed it.I looked for
 the this reply message in radiusd.conf,radcheck,could not see..

It's hard-coded currently, so you can edit the sources and then recompile
radius.


Dear developers, how about customizable messages? Something like this in
radiusd.conf:
messages {
multiple_login = You are already logged in %{Simultaneous-Use} times\r\n
timespan_violation = You are calling outside allowed timespan\r\n
...
}

I probably could work on that, but I need some guidelines:
1. Should it be a set of static variables, or searchable list like
   dictionary?
2. Should it be per-module configuration, or global?
3. Where to put these parameters in config?
4. Recommended naming conventions?


-- 
Fduch M. Pravking



Re: simultaneous-use reply-message

2003-06-20 Thread gunce ciftci

Alexander,
Users' native language is Turkish, which uses the Latin alphabet,
so, luckily, ascii characters will do good.

And yes it would be nice to have customizable messages :)

Thanks,
Gunce


On Fri, 20 Jun 2003, Alexander M. Pravking wrote:

 On Fri, Jun 20, 2003 at 11:57:46AM +0300, gunce ciftci wrote:
  Dear list,
  I am using (v0.8.1)
  simultaneous-use attribute with Bay RAC 8000 without problems.
  Users also get and see the You are already logged in - access denied
  message through NAS-Prompt when they are trying to connect beyond the
  limit. To make life easier for hot-line staff, we should have it in
  native language.

 Are you sure your NAS won't go crazy because of non-ascii characters?
 Don't you expect charset problems?

  I don't know if somebody ever needed it.I looked for
  the this reply message in radiusd.conf,radcheck,could not see..

 It's hard-coded currently, so you can edit the sources and then recompile
 radius.


 Dear developers, how about customizable messages? Something like this in
 radiusd.conf:
 messages {
 multiple_login = You are already logged in %{Simultaneous-Use} times\r\n
 timespan_violation = You are calling outside allowed timespan\r\n
 ...
 }

 I probably could work on that, but I need some guidelines:
 1. Should it be a set of static variables, or searchable list like
dictionary?
 2. Should it be per-module configuration, or global?
 3. Where to put these parameters in config?
 4. Recommended naming conventions?


 --
 Fduch M. Pravking





Simultaneous-Use

2003-06-04 Thread Jeff Sullivan
Q: I have 4 usrhipers setup for dial in. If customer A dials into arc 1
and then dials in again and gets a modem on arc 2, will they be denied
access if the Simultaneous-Use is set to 1. Or will it only check if
they are attempting to connect to the same arc as the original
connection?

Jeff




Re: Simultaneous-Use

2003-06-04 Thread Leo Edmiston-Cyr
If configured correctly the Simultaneous-Use =1 parameter will limit 
simultaneous logins into THAT RADIUS server to 1.  If you have 1 or 
fifty NAS devices pointed at the same RADIUS server with 
Simultaneous-Use = 1 set for a user, that user will only be allowed to 
login once no matter which NAS they dial into.

Jeff Sullivan wrote:

Q: I have 4 usrhipers setup for dial in. If customer A dials into arc 1
and then dials in again and gets a modem on arc 2, will they be denied
access if the Simultaneous-Use is set to 1. Or will it only check if
they are attempting to connect to the same arc as the original
connection?
Jeff



Colubris Simultaneous-Use (concurrent sessions)

2003-06-03 Thread Navid Sheik
Hello,

does anybody know how to get radcheck to work with a Colubris NAS ?
I need to enforce the Simultaneous-Use check.
The NAS does support SNMP but I don't see any reference to this product 
in the supported devices list from radcheck.

Maybe somebody knows how to get this to work? :)

Navid



Simultaneous-Use

2003-03-24 Thread Simon Son
Hello

Here's what I have done.

I inserted (dialup, Simultaneous-Use, :=, 1) into radgroupcheck.
And I uncommented simul_count_query and simul_verify_query in sql.conf.

After I had done that, I looked at the radius.log, and it seemed that it was
catching multiple logins.
But it turns out that radius is denying dialup users even though the login is
not a multiple login.

When I looked at simul_count_query, it looked like this query just counts
the number of records that have an AcctStopTime of 0 for a certain user.

So I searched our radacct table and found almost 12 records that have 0
as AcctStopTime. (Most of them are dial-up customers.) And it looked like
most dial-up customers have at least one record with 0 as AcctStopTime.

So what I want to know is this:

Is the reason why dial-up customers couldn't log in when I uncommented
simul_count_query and simul_verify_query that dial-up users have
records with 0 as AcctStopTime, given the way simul_count_query works?

Am I correct? If not, can someone help me out?

Thanks in advance
Simon
_
Simon Son
New Zealand Online Tech Ltd.
Level2 , 10 Northcroft St
Takapuna Auckland
Ph:09-488-9001
Fax:09-489-8324
Mobile:021-267-2697
_




Re: Simultaneous-Use

2003-03-23 Thread Alan DeKok
Ross Reed [EMAIL PROTECTED] wrote:
 We are currently doing national dialup(freeradius 0.8.1 w/ mysql for
 auth/acct) , but with no access to the national NAS's. Since radwho seems to
 be flaky at times (radutmp seems to get dupes in it) Is there anyone out
 there doing Simultaneous-Use another way? A modified checkrad script that
 does DB queries perhaps?

  That's pretty much what radutmp does.  Running checkrad against a DB
instead of using radutmp won't make ANY difference.

  If the accounting packets the server receives have dupes and
other weirdness, there's NOTHING you can do to the server to fix those
packets.  You can't invent information you don't have.

  Alan DeKok.



Re: Previnting Simultaneous-Use

2003-03-21 Thread Ed H
Simultaneous-Use := 1 must be in the radcheck or radgroupcheck tables, not 
the radreply or radgroupreply tables.

Ed


From: Travis Best [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Previnting Simultaneous-Use
Date: Fri, 21 Mar 2003 16:02:10 -0500
   I am authenticating via a mysql database. In the radreply table I have
123 username Simultaneous-Use := 1
and have sql chosen in the radiusd.conf under session, but users are still
able to double login. Is there something that I am missing? I had this
feature working when I was using the users file instead of mysql. Does
anyone have any ideas?

--

Travis M. Best  Systems Administrator
SunQwest Internet Services
1040 Walnut St
Sunbury, PA 17801
Phone: 866-344-9509
Direct: 570-279-1746






RE: Simultaneous-Use + MySQL + NTRadPing

2003-03-18 Thread Ed H
I am sending accounting (start/stop). But what happens is the same username 
will be recorded multiple times in the MySQL database with a new 
AcctStartTime for each entry. I can do this multiple times with the 
Accounting Start packet sent from NTRadPing

Then, when I send a stop packet, all of the records for that username will 
be ended with the same AcctStopTime entered into the MySQL database, and 
every entry for that username has been stopped.

Ed






From: Scott Bartlett [EMAIL PROTECTED]
To: Ed H [EMAIL PROTECTED]
Subject: RE: Simultaneous-Use + MySQL + NTRadPing
Date: Tue, 18 Mar 2003 18:50:29 -
Ed,

Are you just authorising with NTRadPing, or also sending accounting
(start/stops)?  I think you'll be needing the latter to make
simultaneous work (as the accounting start/stops show when the user is
logged in, not the authorisation itself).
SB

 -Original Message-
 From: Ed H [mailto:[EMAIL PROTECTED]
 Posted At: Tuesday, March 18, 2003 1:21 AM
 Posted To: FreeRadius
 Conversation: Simultaneous-Use + MySQL + NTRadPing
 Subject: Simultaneous-Use + MySQL + NTRadPing


 Hello,

 I am using MySQL with FreeRadius 0.8.1, and RedHat 8.2, and
 testing with
 NTRadPing. I also have SNMP_Session and BER installed.

 I have put Simultaneous-Use := 1 into my radgroupcheck table.
  However, I
 can still login the same user multiple times and it shows up into the
 radacct table.

 Is it possible to test the Simultaneous-Use attribute with
 NTRadPing or am I
 wasting my time since it is not a true NAS and SNMP won't be
 able to detect
 if the user is logged in?

 Ed





Re: Simultaneous-Use + MySQL + NTRadPing

2003-03-18 Thread Alan DeKok
Ed H [EMAIL PROTECTED] wrote:
 I am sending accounting (start/stop). But what happens is the same username 
 will be recorded multiple times in the MySQL database with a new 
 AcctStartTime for each entry. I can do this multiple times with the 
 Accounting Start packet sent from NTRadPing

  I presume you're using the same NAS-Port.

  The MySQL DB records packets.  It doesn't remove old sessions when
new ones come in.  The 'radutmp' module does that.

 Then, when I send a stop packet, all of the records for that username will 
 be ended with the same AcctStopTime entered into the MySQL database, and 
 every entry for that username has been stopped.

  Yes, if they're all using the same NAS and NAS-Port.

  With the radutmp module, any new accounting start packet for the
same port means that the previous entry for that port is erased.

  Alan DeKok.
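
The behaviour described in these replies, and the AcctStopTime question in the 2003-03-24 Simultaneous-Use post earlier in this listing, can be reproduced with a small model. This is an added example, not FreeRADIUS code: both store classes, the (user, NAS, port) matching key and the sample events are constructed here from the statements in the thread, and the real queries live in sql.conf.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    nas: str
    port: int
    start: int
    stop: Optional[int] = None  # None stands for AcctStopTime = 0 (still open)


class SqlStyleStore:
    """Append-only accounting log: every Start adds a row, nothing is replaced."""

    def __init__(self) -> None:
        self.rows: List[Session] = []

    def start(self, user: str, nas: str, port: int, now: int) -> None:
        self.rows.append(Session(user, nas, port, now))

    def stop(self, user: str, nas: str, port: int, now: int) -> int:
        """Close every open row for this user on this NAS and port."""
        closed = 0
        for row in self.rows:
            if row.stop is None and (row.user, row.nas, row.port) == (user, nas, port):
                row.stop = now
                closed += 1
        return closed

    def open_count(self, user: str) -> int:
        # Same idea as the count described in the thread: rows with no stop time.
        return sum(1 for r in self.rows if r.user == user and r.stop is None)


class UtmpStyleStore:
    """One slot per (NAS, port): a Start on a port overwrites whatever was there."""

    def __init__(self) -> None:
        self.slots: Dict[Tuple[str, int], Session] = {}

    def start(self, user: str, nas: str, port: int, now: int) -> None:
        self.slots[(nas, port)] = Session(user, nas, port, now)

    def stop(self, user: str, nas: str, port: int, now: int) -> int:
        entry = self.slots.get((nas, port))
        if entry is not None and entry.user == user:
            del self.slots[(nas, port)]
            return 1
        return 0

    def open_count(self, user: str) -> int:
        return sum(1 for s in self.slots.values() if s.user == user)


def allowed(store, user: str, limit: int) -> bool:
    """Simultaneous-Use decision: admit only while open sessions < limit."""
    return store.open_count(user) < limit


def replay(events):
    """Feed the same accounting events to both stores; report rows closed per Stop."""
    sql, utmp = SqlStyleStore(), UtmpStyleStore()
    closed = []
    for kind, user, nas, port, now in events:
        for store in (sql, utmp):
            n = getattr(store, kind)(user, nas, port, now)
            if kind == "stop":
                closed.append((type(store).__name__, n))
    return sql, utmp, closed


# Constructed events; the NAS address and user names are made up.
NAS = "192.0.2.10"
# Case 1: alice's Stop is lost, then the NAS reuses port 7 for bob.
LOST_STOP = [
    ("start", "alice", NAS, 7, 100),
    ("start", "bob", NAS, 7, 500),
]
# Case 2: a test client repeats Start for one user and port, then sends one Stop.
REPEATED_START = [
    ("start", "alice", NAS, 7, 100),
    ("start", "alice", NAS, 7, 200),
    ("start", "alice", NAS, 7, 300),
    ("stop", "alice", NAS, 7, 400),
]

if __name__ == "__main__":
    sql, utmp, _ = replay(LOST_STOP)
    print("lost Stop, limit 1: sql admits alice:", allowed(sql, "alice", 1),
          "| utmp admits alice:", allowed(utmp, "alice", 1))
    sql, utmp, _ = replay(REPEATED_START[:3])
    print("open rows after 3 Starts (sql, utmp):",
          sql.open_count("alice"), utmp.open_count("alice"))
    print("rows closed by the single Stop:", replay(REPEATED_START)[2])
```

With a limit of 1, the stale open row left by the lost Stop keeps alice locked out of the append-only store, while the slot-based store frees her as soon as the port is reused.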



Simultaneous-Use + MySQL + NTRadPing

2003-03-17 Thread Ed H
Hello,

I am using MySQL with FreeRadius 0.8.1, and RedHat 8.2, and testing with 
NTRadPing. I also have SNMP_Session and BER installed.

I have put Simultaneous-Use := 1 into my radgroupcheck table.  However, I 
can still login the same user multiple times and it shows up into the 
radacct table.

Is it possible to test the Simultaneous-Use attribute with NTRadPing or am I 
wasting my time since it is not a true NAS and SNMP won't be able to detect 
if the user is logged in?

Ed





Simultaneous use stops working.

2003-03-14 Thread Kristina Pfaff-Harris

Okay, this is really bizarre. After awhile, Simultaneous-Use just stops
working and lets people log on more than once. (I haven't figured out how
long awhile is at the moment. Definitely overnight, possibly a couple of
hours.)  At that point, it seems to stop running checkrad -- at least,
there's not the usual delay while checkrad checks if someone is logged on:
authorization happens almost instantly.

Restarting the server makes it work again.

Has anyone seen this before, or have any ideas where I might check for
what's going on?

K.




stale logins/sessions or Simultaneous-Use behavior

2003-03-14 Thread Josh Kleensang

Is there any way (don't you love it when emails start
out that way...) to have freeradius arbitrarily kill a
session (record a session stop time and forget about it)
when another session is started with the same username?

For example:

User joefoo logs in at 13:05:00
user joefoo logs in again at 13:20:00
the server allows the second joefoo to authenticate and
gain access but terminates the first joefoo session and
gives it a stop time of 13:20:00.

This functionality is useful in an environment where one
doesn't always get the accounting stop packets but is sure
that a duplicate login won't actually happen because all of
an upstream radius server/proxy.  I know that checkrad is
supposed to verify if the session is there or not but I
don't have access to the NAS servers and cannot directly 
verify the login.

It may be useful to add an option to Simultaneous-Use where
the module would allow up to the number of sessions specified
(eg 5) but upon the 6th login would kill the oldest of the
5 previous sessions.

Thanks,


Josh Kleensang
Vice President, Engineering
Lunar Gravity Networks
402-898-GRAV x 101
http://www.lunargravity.com


Re: Simultaneous use stops working.

2003-03-14 Thread Kristina Pfaff-Harris
On Fri, 14 Mar 2003, Kristina Pfaff-Harris wrote:

 Okay, this is really bizarre. After awhile, Simultaneous-Use just stops
 working and lets people log on more than once. (I haven't figured out how
 long awhile is at the moment. Definitely overnight, possibly a couple of
 hours.)  At that point, it seems to stop running checkrad -- at least,
 there's not the usual delay while checkrad checks if someone is logged on:
 authorization happens almost instantly.

 Restarting the server makes it work again.

Possible hint: it occurs to me that if the server can't check the database
(I'm using sql for sessions), it will possibly never actually run
checkrad?  Our MySQL server is pretty loaded, so I'm wondering if maybe
the server just can't connect to check the users online db. Can anyone
tell me where to look for a timeout of this kind? (rlm_sql_mysql?
Somewhere else?)  Or am I totally off-base here? :-)

Thanks for any hints.

K.




Re: stale logins/sessions or Simultaneous-Use behavior

2003-03-14 Thread Alan DeKok
Josh Kleensang [EMAIL PROTECTED] wrote:
 Is there any way (don't you love it when emails start
 out that way...) to have freeradius arbitrarily kill a
 session (record a session stop time and forget about it)
 when another session is started with the same username?

  Write an external script to do that.  It can be run from the server.

  Alan DeKok.



Simultaneous-Use works not properly

2003-03-11 Thread Eric
I'm using the mysql authentication scheme.
As shown in the documentation, I've set this row in the radgroupcheck table:

groupname | parameter        | op | value |
----------+------------------+----+-------+
test      | Simultaneous-Use | := | 1     |

But I still have double and triple login connections.
Has anybody met this problem?



Re: Simultaneous-Use works not properly

2003-03-11 Thread Chris Parker
At 03:54 PM 3/11/2003 +0500, Eric wrote:
 I'm using the mysql authentication scheme.
 As shown in the documentation, I've set this row in the radgroupcheck table:

 groupname | parameter        | op | value |
 ----------+------------------+----+-------+
 test      | Simultaneous-Use | := | 1     |

 But I still have double and triple login connections.
 Has anybody met this problem?

What does the server tell you when you run it in debug mode?

Have you enabled everything else that is needed for this to work?

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Simple, quick question re: simultaneous-use

2003-02-21 Thread Justin Wheeler
If checkrad is run, and returns that the user is *not* online, does it
automatically zap them from radutmp?

Thanks,
Justin Wheeler
[EMAIL PROTECTED]





Re: Simple, quick question re: simultaneous-use

2003-02-21 Thread Alan DeKok
Justin Wheeler [EMAIL PROTECTED] wrote:
 If checkrad is run, and returns that the user is *not* online, does it
 automatically zap them from radutmp?

  Yes.

  Alan DeKok.




Simultaneous-Use problem from virtual ISP

2003-02-21 Thread Jeremy Kusnetz
Hello,

I am trying to get our radius servers to authenticate a virtual ISP request.
When we have the Simultaneous-Use attribute in radcheck it ALWAYS fails with
a Multiple login error, no matter how many Simultaneous-Use I give it.  It
always says there are more logins than the number I have.  I have debugging
on the radcheck script and it returns that there is no one logged in.

Things work fine for all our own dial equipment, ascends, ciscos,
portmaster, TNTs, etc.

First here is the debug from when connecting from them.  Next will be the
debug from when connecting from our test Ascend.  (We have a custom module
that appends the domain name to a username if they don't supply it based off
of the IP address of the NAS, ignore that stuff.)

rad_recv: Access-Request packet from host 170.147.113.49:58771, id=46,
length=114
User-Name = [EMAIL PROTECTED]
User-Password = icgtest
NAS-IP-Address = 170.147.113.13
NAS-Port = 16930
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = 2143799633
Calling-Station-Id = 7034816192
NAS-Port-Type = Async
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm trueband.net for User-Name =
[EMAIL PROTECTED]
rlm_realm: No such realm trueband.net
  modcall[authorize]: module suffix returns noop
modcall: entering group group
radius_xlat: Running registered xlat function of module atdomain for string
'%n'
rlm_sql: sql_domain_xlat
radius_xlat:  '[EMAIL PROTECTED]'
sql_domain_xlat: User [EMAIL PROTECTED] already has a domain name
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql1): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql1): Reserving sql socket id: 14
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql1): Released sql socket id: 14
  modcall[authorize]: module sql1 returns ok
modcall: group group returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime - GREATEST((1045785600 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='%{User-Name}%{atdomain:%n}' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime  '1045785600''
radius_xlat: Running registered xlat function of module atdomain for string
'%n'
rlm_sql: sql_domain_xlat
radius_xlat:  '[EMAIL PROTECTED]'
sql_domain_xlat: User [EMAIL PROTECTED] already has a domain name
radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((1045785600 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime  '1045785600''
sqlcounter_expand:  '%{sql1:SELECT SUM(AcctSessionTime -
GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct
WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime  '1045785600'}'
radius_xlat: Running registered xlat function of module sql1 for string
'SELECT SUM(AcctSessionTime - GREATEST((1045785600 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime  '1045785600''
rlm_sql (sql1): - sql_xlat
radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((1045785600 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime  '1045785600''
rlm_sql (sql1): Reserving sql socket id: 13
rlm_sql (sql1): - sql_xlat finished
rlm_sql (sql1): Released sql socket id: 13
radius_xlat:  '18'
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user [EMAIL PROTECTED], check_item=36000,
counter=18
rlm_sqlcounter: Sent Reply-Item for user [EMAIL PROTECTED],
Type=Session-Timeout, value=28800
  modcall[authorize]: module dailycounter returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime - GREATEST((1044057600 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='%{User-Name}%{atdomain:%n}' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime  '1044057600''
radius_xlat: Running registered xlat function of module atdomain for string
'%n'
rlm_sql: sql_domain_xlat
radius_xlat:  '[EMAIL PROTECTED

Simultaneous-Use + Ascend maxen

2003-02-21 Thread Kristina Pfaff-Harris

Well, this is quite bizarre. I have Ascend Maxen, Livingston Portmaster
III's, and a couple of Ciscoes as dialup servers. With Simultaneous-Use
set to 1, if I dial into a Max when the account is already logged on, I
get dropped to the internal ascend% prompt.

I know this is likely an Ascend weirdness rather than a Freeradius
weirdness, but was wondering if any other folks with Maxen have noticed
this, and if so, what you did about it? Or, if you didn't notice it, and
you are using MySQL auth, can you tell me how your Simultaneous-Use flag
is set? I have no Simultaneous-Use settings in the database, and in the
users file, I have:

DEFAULT Simultaneous-Use += 1
        Fall-Through = Yes

I'm using the += op and not := because I wanted to be able to set
Simultaneous-Use to different values for individual users, and += was
the only way that it seemed to work so that it would only put the
Simultaneous-Use value in if the user didn't have one.

(Crossing my fingers that someone has seen this...:-))

K.




Simultaneous-Use and I'm dumb.

2003-02-20 Thread Justin Wheeler
I've set a test user with a Simultaneous-Use value of 1.

The server is automatically disallowing any attempt to duplicate usage,
but it's basing its result SOLELY on radutmp.  It doesn't use checkrad.

Logs show nothing.  No attempt, no failure, nothing.

checkrad exists as configured in the radiusd.conf file.

I have replaced checkrad with a perl script I wrote that just outputs a
line of garbage to a temp file just to see if it's running.

Of course, that script works fine when I run it myself.

my naslist has the nas that the first connection is connected to in it,
and it is listed as livingston.

Any ideas?

Regards,
Justin Wheeler

-- Computer programmer (n): Red-eyed mammal capable of communicating with
electronics and inanimate equipment.





Re: Simultaneous-Use and I'm dumb.

2003-02-20 Thread Kristina Pfaff-Harris
On Thu, 20 Feb 2003, Justin Wheeler wrote:

 my naslist has the nas that the first connection is connected to in it,
 and it is listed as livingston.

In clients.conf, do you have

 nastype = livingston

for that nas entry?

Kristina





Re: Simultaneous-Use type question.

2003-01-24 Thread Alan DeKok
Justin Wheeler [EMAIL PROTECTED] wrote:
 Instead of spending all that time with the checklogin.pl script, I'm
 wondering if there's any issue with finding duplicate logins via the
 following:
 
 A user attempts to login -- but there's already a record of login for that
 user.
 
 I grab that IP address that it says they're on, and see if anyone with a
 newer session is on it.
 
 If there is no one newer on that session, I ping the address to see if
 it's alive.  If I get a response, I disallow access.  If I don't, I allow
 access.

  Sure.  Try implementing it with the 'perl' module.

 Customers who block pings are few and far between and would get caught
 rather quickly by my dupe login script, and as such, would be dealt with a
 one-by-one basis, and is not a concern.
 
 Am I missing anything?

  Not really.  There are a few issues, but they're not that different
from the existing methods.

  Alan DeKok.




RE: Simultaneous-Use type question.

2003-01-23 Thread Mike Ockenga
 Am I missing anything?

IMHO, I wouldn't introduce the combined latency and fallibility of ICMP 
request/response packet processing and SNMP query/response handling into the 
authentication/authorization process.  It seems vulnerable to failure and lacking in 
scalability.  

ICMP packets dropped or delayed somewhere between the host running your script and the 
end-user would be problematic, as would dropped or delayed SNMP query responses.

Just my two cents...

-- 
__
Mike Ockenga, CCNP [EMAIL PROTECTED]
Network Engineer II  
Onvoy Inc. 
300 North Highway 169   Minneapolis, MN 55441
_







freeradius ramutmp/radwho suffix simultaneous use issues...

2003-01-03 Thread Doug Friend
Background:
I have used cistron radius for several years and recently decided to
implement a new authentication/accounting server. I hope to take
advantage of the new features of freeradius while keeping most of my
custom scripts & reports the same as with the old radius server. I have
installed freeradius 0.8.1 on a new Redhat 7.3 server and it appears to
be authenticating users properly. I am authenticating via unix
passwd/shadow files and have restricted simultaneous use to one. Detail
logging is enabled and I have enabled suffix stripping so that users are
authenticated if they include the @domainname.com to their login
username. 

Issues:
* If a user is logged in with their login name (no suffix) and attempts
to login with their login+suffix at the same time, they are
authenticated. This provides them the ability to have 2 simultaneous
connections. Do I have something set wrong in the configuration or is
this by design?

* When I run radwho, the Login column includes the suffix for those
users logged in using their suffix. Is there a way to strip the suffix
from the report so that it is not displayed in the radwho results? 

* Is there an easy way to widen the column widths in the radwho report?

* Is there a way to display the NAS shortname in the 'From' column in
the radwho report. The  

* Can I change the 'detailfile = .' line in the radius.conf file to
save to a NAS_shortname directory instead of the Client-IP-Address? If
so, what variable name would I use to reference the NAS_shortname?

Thanks,
D Friend
 
 
 




Re: freeradius ramutmp/radwho suffix simultaneous use issues...

2003-01-03 Thread Alan DeKok
Doug Friend [EMAIL PROTECTED] wrote:
 Issues:
 * If a user is logged in with their login name (no suffix) and attempts
 to login with their login+suffix at the same time, they are
 authenticated. This provides them the ability to have 2 simultaneous
 connections. Do I have something set wrong in the configuration or is
 this by design?

  It's certainly not by design.

  There's an undocumented configuration option for the radutmp
module.  Add this in the 'radutmp' section:

  radutmp {
...
username = %{Stripped-User-Name:-%{User-Name}}
...
  }


  Restart the server, and the suffixes should be stripped.

  The only issue is that Simultaneous-Use may not work properly, due
to the mixup between 'user@domain' and 'users'.

 * When I run radwho, the Login column includes the suffix for those
 users logged in using their suffix. Is there a way to strip the suffix
 from the report so that it is not displayed in the radwho results? 

  The above config will do that.

 * Is there a way to display the NAS shortname in the 'From' column in
 the radwho report.

  Not right now.

 * Can I change the 'detailfile = .' line in the radius.conf file to
 save to a NAS_shortname directory instead of the Client-IP-Address? If
 so, what variable name would I use to reference the NAS_shortname?

  No, sorry.

  Alan DeKok.




Re: understanding MIBs (simultaneous use with cisco's)

2002-12-12 Thread Harrie Hazewinkel

On Wednesday, December 11, 2002, at 03:42 PM, Dan wrote:


 Well I got our AS5200s simultaneous use to work finally.

congratulations

 Now the problem is the cisco 7500 we have for DSL.
 checkrad (running full debug mode on radius) shows
 no response

The world is not perfect. :-)))
What causes this no response?? An SNMP query??

 it looks like the MIBs are wrong.
 so in this case I have two questions:

 1. how do I find the correct MIBs? (yes, I could run SNMPwalk, but
 I have no idea what I'm doing with that)

Follow the OID tree and hopefully you find via that the
correct MIB module.

 2. once I do have them, how do I put them into checkrad without wrecking
 the other cisco stuff (since they are both cisco)

Why would such a box need the MIB modules??
I believe you want to place the MIB module somewhere on your manager
so your tools can do the translation on this side (not agent side).
Specifics of how depends on your tools.

 I may (or may not) actually have a MIB string for the 7500, I don't understand
 what this stuff means, so I don't know what to do with it

You need to have a MIB module in order to know what a variable retrieved
from an SNMP agent means.

 while on the topic of MIBs, can anyone tell me what this means or what
 it could be used for:

 1.3.6.1.4.1.9.10.19.1.1.4.0:public@usernas2

The prefix '1.3.6.1.4.1' means enterprises.
You could have found this easily yourselves by looking into
RFCs that specify the MIB module language (SMI) or most books
on the subject.

After that you have an enterprise specific OID which is 10.
That you can find in http://www.iana.org/assignments/enterprise-numbers

10
  NSC
John Lyman
  [EMAIL PROTECTED]

That seems to be NSC. No clue who or which company this is, but you can try
the email address that is the contact person. Possibly out of date.
Via him you could maybe get the MIB module definitions or ask where you
got the device from.

Then the part '19.1.1.4.0' seems to specify some scalar variable in
this domain.

'public' is the community

'@usernas' I guess the hostname.

 I think this is the MIB for the IP pool on an AS500, which means it could be used
 to keep track of how many users are online.

No clue.


Hope this helps,

Harrie
--
Author of MOD-SNMP, enabling SNMP management of Apache HTTP server




understanding MIBs (simultaneous use with cisco's)

2002-12-11 Thread Dan
Well I got our AS5200s simultaneous use to work finally.
Now the problem is the cisco 7500 we have for DSL.
checkrad (running full debug mode on radius) shows
no response

it looks like the MIBs are wrong.
so in this case I have two questions:

1. how do I find the correct MIBs? (yes, I could run SNMPwalk, but
I have no idea what I'm doing with that)

2. once I do have them, how do I put them into checkrad without wrecking
the other cisco stuff (since they are both cisco)

I may (or may not) actually have a MIB string for the 7500, I don't understand
what this stuff means, so I don't know what to do with it

while on the topic of MIBs, can anyone tell me what this means or what
it could be used for:

1.3.6.1.4.1.9.10.19.1.1.4.0:public@usernas2

I think this is the MIB for the IP pool on an AS500, which means it could be used
to keep track of how many users are online.

Dan.





Simultaneous use control

2002-11-18 Thread Luiz Lima
I'm trying to use FreeRADIUS simultaneous use control. All requests are
proxied to another RADIUS server. However, I wanted FreeRADIUS to control
this.

From debug (radiusd -X) it looks to me that FreeRADIUS sends the request to
the other server before checking.

It worked once but I had to remove the configuration. Now I can't make it
work again...

I've posted the files which I think are relevant. If something is important
from radiusd.conf (which is too big for a polite post) please let me know. I
have not huntgroups or realms (outside the proxy.conf file) defined.

I've included also a debugged session of one of these cases. Ok, you'll see
that the destination RADIUS server did block the simultaneous login, but I
need FreeRADIUS to do that (because it does it better when it works).

I could really use some help here. Thanks

--
Luiz Lima
Image Link Internet
http://www.imagelink.com.br


/etc/raddb/users
===
DEFAULT Auth-Type := System, Simultaneous-Use := 1
Fall-Through = 1
===

/etc/raddb/proxy.conf
===
proxy server {
synchronous = no
retry_delay = 5
retry_count = 3
dead_time = 60
default_fallback = no
}
realm NULL {
type= radius
authhost= 10.0.0.1:1645
accthost= 10.0.0.1:1646
secret  = mypassword
}
===

/etc/raddb/attrs
===
DEFAULT
Port-Limit := 1
===

debug
===
rad_recv: Access-Request packet from host 200.216.4.170:1645, id=195,
length=70
NAS-IP-Address = 200.216.95.212
NAS-Port = 1342767363
NAS-Port-Type = Virtual
User-Name = user-login-here
Password = \\K\\;\014\373\276h\267\361\225\201\376;A\204
rad_lowerpair:  User-Name now 'user-login-here'
rad_lowerpair:  Password now 'user-password-here'
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module attr_filter returns noop
rlm_realm: Looking up realm NULL for User-Name = user-login-here
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = user-login-here
  rlm_realm: Proxying request from user user-login-here to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm:  Preparing to proxy authentication request to realm NULL
  modcall[authorize]: module suffix returns updated
users: Matched DEFAULT at 1
  modcall[authorize]: module files returns ok
modcall: group authorize returns updated
Sending Access-Request of id 1 to 10.0.0.1:1645
User-Name = user-login-here
NAS-IP-Address = 200.216.95.212
NAS-Port = 1342767363
NAS-Port-Type = Virtual
Password = }w\237\342\203\265\020\242\301q}\320\303\271RR
Proxy-State = 195
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 10.0.0.1:1645, id=1, length=61
Proxy-State = 0x313935
Reply-Message = Simultaneous login limit exceeded!
rad_lowerpair:  Stripped-User-Name now 'user-login-here'
rad_lowerpair:  Password now 'user-password-here'
Login incorrect (Home Server says so): [user-login-here/user-password-here]
(from client 200-216-4-170 port 1342767363)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
rl_next:  returning NULL
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 200.216.4.170:1645, id=195,
length=70
Sending Access-Reject of id 195 to 200.216.4.170:1645
Reply-Message = Simultaneous login limit exceeded!
===

radwho -r
===
user-login-here,user-login-here,PPP,S1342767363,Fri
11:37,200.216.95.212,200.149.171.85
===





Simultaneous-Use problem

2002-11-13 Thread Svetlana Vyslanko
Hello,
I am trying to use Simultaneous-Use for group users through mysql with 
freeradius-snapshot-20021101.

radiusd.conf:
==
# Session database, used for checking Simultaneous-Use. The radutmp module
# handles this
session {
#   radutmp
sql
}

sql.conf:
==
# Uncomment simul_count_query to enable simultaneous use checking

simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE
UserName='%{SQL-User-Name}' AND AcctStopTime = 0

simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress,
NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1}
WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0

radgroupcheck:
==
GroupName   Attribute          op   Value
ppp-simul   Simultaneous-Use   :=   1

I've also used op=:=


And now users from other groups (not ppp-simul) don't have access either:

Multiple logins (max 1) : [ppgip] (from client riak port 11)
Sending Access-Reject of id 250 to XXX.XX.XX.XX:1026
Reply-Message := \r\nYou are already logged in - access denied\r\n\n

I think GroupName wasn't checked. Why?


rad_recv: Access-Request packet from host XXX.XX.XX.XX:1026, id=250, length=82
User-Name = ppgip
User-Password = XXX
NAS-IP-Address = XXX.XX.XX.XX
NAS-Port = 11
NAS-Port-Type = Async
Connect-Info = 14400
Framed-Protocol = PPP
Service-Type = Framed-User
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
radius_xlat:  'ppgip'
sql_set_user:  escaped user -- 'ppgip'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'ppgip' ORDER BY id'
rlm_sql: Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ppgip' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'ppgip' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 
FROM radgroupreply,usergroup WHERE usergroup.Username = 'ppgip' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Released sql socket id: 2
  modcall[authorize]: module sql returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module noresetcounter returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module dailycounter returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module monthlycounter returns noop
users: Matched DEFAULT at 12
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
auth: type Local
auth: user supplied User-Password matches local User-Password
modcall: entering group session
radius_xlat:  'ppgip'
sql_set_user:  escaped user -- 'ppgip'
radius_xlat:  'SELECT COUNT(*) FROM radacct WHERE UserName='ppgip' AND
AcctStopTime = 0'
rlm_sql: Reserving sql socket id: 1
radius_xlat:  'SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress,
NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE
UserName='ppgip' AND AcctStopTime = 0'
rlm_sql: Released sql socket id: 1
  modcall[session]: module sql returns ok
modcall: group session returns ok
Multiple logins (max 1) : [ppgip] (from client riak port 11)
Sending Access-Reject of id 250 to XXX.XX.XX.XX:1026
Reply-Message := \r\nYou are already logged in - access denied\r\n\n
Finished request 5




Re[4]: Simultaneous-Use

2002-11-04 Thread delphi
   For one, development questions should be discussed on the
 freeradius-devel list.  The -users list is more for general QA about
 configuring and running the server.

This was the reason of my posting. There was numerous postings about
'simultaneous works ok and it is simple to configure...' So I described
my real problem hoping that maybe somebody already has a solution (for
this concrete situation -- callback).

   What kind of response did you expect?

Simple: the solution or no, there is no solutions at this time. But
I've gotyou know what I've got. ;)

I agree that maybe I've chosen wrong form for my question. And at this point
I think that we can stop our non-productive flg.

At now I'm trying to find the solution. On success I'll post it to
-devel list.

A bit about docs. I think that minor comment is needed in
Simultaneous-Use at line 32: You need to set the correct type in the
file /etc/raddb/naslist must become You need to set the correct type in the
file /etc/raddb/naslist (${sysconfdir}/raddb/clients.conf for newest
versions)...





Re: Re[4]: Simultaneous-Use

2002-11-04 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
What kind of response did you expect?
 
 Simple: the solution or no, there is no solutions at this time. But
 I've gotyou know what I've got. ;)

  You've got the documentation and source code sitting in front of
you.  The documentation DOES say there is no solution at this time.

 A bit about docs. I think that minor comment is needed in
 Simultaneous-Use at line 32: You need to set the correct type in the
 file /etc/raddb/naslist must become You need to set the correct type in the
 file /etc/raddb/naslist (${sysconfdir}/raddb/clients.conf for newest
 versions)...

  I'll fix that, thanks.

  Alan DeKok.




Simultaneous-Use

2002-11-03 Thread delphi
Hi!

According to 'doc/Simultaneous-Use' this feature works in this way:
if someone tries to ask for authentication, radiusd first searches the
radutmp file (or 'sql') and (only) if there is an open session for that
user the server uses the checkrad script to query the NAS. A record in radutmp
appears only after the client performs an 'Accounting Start' request (please,
correct me if it is not).

And now imagine the situation: I'm using the callback feature at the NAS. In my
case it is pppd+radus_plugin+cbcpS. It works in this way:

 auth user -> callback -> reauth user -> acct start -> ... -> acct stop

The 'callback' phase takes some time and at this point there is no
radutmp record yet (in contrast at NAS there is such record). Imagine
that during 'callback' someone else tries to login with the same
account. So radiusd will not check NAS for twice login and will
successfully authenticate the user. So we have simultaneous use
(consequences of such behaviour is another story).

I don't know how other NASes behave in the similar situation
but mine works as described.

So I have a choice -- to patch radiusd or to delegate check for
simultaneous use completely to NAS (which is less flexible).

Any suggestions?

Thanks in advance.
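
The check order described in the post above and the resulting callback window, as an added example that is not part of the original post and is not FreeRADIUS code. It is a simplified Python model; the `Nas` and `Radiusd` classes, the port numbers and the user name are constructed assumptions.

```python
class Nas:
    """Constructed NAS model: it knows a line is in use as soon as the call
    is up, before any Accounting-Start reaches the RADIUS server."""

    def __init__(self):
        self.lines = {}                      # port -> user currently on it

    def connect(self, port, user):
        self.lines[port] = user

    def hangup(self, port):
        self.lines.pop(port, None)


class Radiusd:
    """Simplified server: session records first, NAS query only on a hit."""

    def __init__(self, nas, limit=1):
        self.nas = nas
        self.limit = limit
        self.radutmp = {}                    # port -> user, written on Accounting-Start
        self.checkrad_calls = 0

    def checkrad(self, port, user):
        """Stand-in for the checkrad script: ask the NAS who is on the port."""
        self.checkrad_calls += 1
        return self.nas.lines.get(port) == user

    def access_request(self, user):
        recorded = [p for p, u in self.radutmp.items() if u == user]
        if len(recorded) < self.limit:
            return "Access-Accept"           # no open record: the NAS is never asked
        live = [p for p in recorded if self.checkrad(p, user)]
        for port in set(recorded) - set(live):
            del self.radutmp[port]           # stale record (the Stop was lost)
        return "Access-Reject" if len(live) >= self.limit else "Access-Accept"

    def accounting_start(self, port, user):
        self.radutmp[port] = user

    def accounting_stop(self, port):
        self.radutmp.pop(port, None)


def plain_dialin(user="user1"):
    """No callback: Accounting-Start arrives before the second attempt."""
    nas = Nas()
    srv = Radiusd(nas)
    first = srv.access_request(user)
    nas.connect(1, user)
    srv.accounting_start(1, user)
    second = srv.access_request(user)        # record found, NAS confirms it
    return first, second, srv.checkrad_calls


def callback_dialin(user="user1"):
    """auth -> callback -> reauth -> acct start, with a second caller
    arriving while the callback is still in progress."""
    nas = Nas()
    srv = Radiusd(nas)
    replies = [srv.access_request(user)]     # auth user
    nas.connect(1, user)                     # NAS holds the line during callback
    replies.append(srv.access_request(user)) # second caller: radutmp is empty
    nas.connect(2, user)
    replies.append(srv.access_request(user)) # reauth user after callback
    srv.accounting_start(1, user)
    srv.accounting_start(2, user)
    return replies, len(srv.radutmp), srv.checkrad_calls


def stale_record(user="user1"):
    """Why the NAS is queried at all: a lost Accounting-Stop must not lock
    the account, so a record the NAS no longer confirms is discarded."""
    nas = Nas()
    srv = Radiusd(nas)
    nas.connect(1, user)
    srv.accounting_start(1, user)
    nas.hangup(1)                            # no Accounting-Stop is delivered
    reply = srv.access_request(user)
    return reply, len(srv.radutmp), srv.checkrad_calls


if __name__ == "__main__":
    print("plain   :", plain_dialin())
    print("callback:", callback_dialin())
    print("stale   :", stale_record())
```

In the callback run all three requests are accepted, two sessions end up recorded, and the NAS is never queried, because no session record existed at the moment of either check.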





Re: Simultaneous-Use

2002-11-03 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 The 'callback' phase takes some time and at this point there is no
 radutmp record yet (in contrast at NAS there is such record). Imagine
 that during 'callback' someone another tries to login with the same
 account. So radiusd will not check NAS for twice login and will
 successfully authenticate the user. So we have simultaneous use
 (consequences of such behaviour is another story).

  Yes... this is what section 5 of the Simultaneous-Use document
says.  I don't understand why you're telling us what we already know.
It would have been sufficient to simply reference the document.

 So I have a choice -- to patch radiusd or to delegate check for
 simultaneous use completely to NAS (which is less flexible).

  The options are addressed in the documentation (did you read it?)

  We already know all of this.  It's already in the documentation.  If
you're going to simply re-post the docs, I don't see why you're
wasting your time.

  I'm interested in seeing *solutions*, or *patches* to the server,
not re-posts of the documentation.

 Any suggestions?

  Will you submit a patch?

  Alan DeKok.




Re[2]: Simultaneous-Use

2002-11-03 Thread delphi
   Yes... this is what section 5 of the Simultaneous-Use document
 says.  I don't understand why you're telling us what we already know.
 It would have been sufficient to simply reference the document.

Yes...my post was _only_ (another) real-world example about what
section 5 says. Do you think that if it is not interesting to 'us'
it is not interesting at all?

   The options are addressed in the documentation (did you read it?)

Yes...

   We already know all of this.  It's already in the documentation.  If
 you're going to simply re-post the docs, I don't see why you're
 wasting your time.

If my messages so irritate, I'll not send them any more.

   I'm interested in seeing *solutions*, or *patches* to the server,
 not re-posts of the documentation.
   Will you submit a patch?

If I'll decide to solve the problem on the radius side. But at now
I'm not sure that you're interested in my solutions.

   Alan DeKok.

With best wishes.





Re: Re[2]: Simultaneous-Use

2002-11-03 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Yes...my post was _only_ (another) real-world example about what
 section 5 says. Do you think that if it is not interesting to 'us'
 it is not interesting at all?

  I'm not sure what you mean.

  For one, development questions should be discussed on the
freeradius-devel list.  The -users list is more for general QA about
configuring and running the server.

  As for interesting questions, I think that problems discussed in
the documentation are interesting ONLY in their solutions.  There's no
need to discuss known problems on the list, as the documentation
already does that.

We already know all of this.  It's already in the documentation.  If
  you're going to simply re-post the docs, I don't see why you're
  wasting your time.
 
 If my messages so irritate, I'll not send them any more.

  Please send *new* problems, or solutions to *old* problems to the
-devel list.  But there's no need for *anyone* to post bits of the
documentation on the list, and say I agree, that happens!.  I don't
see how it adds anything to our knowledge.

I'm interested in seeing *solutions*, or *patches* to the server,
  not re-posts of the documentation.
Will you submit a patch?
 
 If I'll decide to solve the problem on the radius side. But at now
 I'm not sure that you're interested in my solutions.

  I have REPEATEDLY said I'm interested in solutions, so you are
intentionally misunderstanding me.  That's annoying, and it's not
productive.

  What I'm NOT interested in are complaints that the server is
broken.  Yes, we already know Simultaneous-Use has problems.  So?
You're upset that I asked you for solutions, and you're threatening to
go away, come up with a solution, and then punish me by not sharing
it.  That's a classic case of... it should be obvious.


  What confuses me is the *point* of your original message on the
subject.  You referenced the documentation about Simultaneous-Use, and
then said and in this example, it doesn't work.  I'm wondering why
you sent the message.  You didn't offer a solution, and you didn't say
anything new, on top of what was already in the documentation.

  What kind of response did you expect?  A horde of me, too! messages?


  If you want to send messages to the list about problems you've read
about in the documentation, that's your concern.  But I don't see why
you would waste your time doing so.  And I don't see how re-posting
bits from the documentation will help solve the problems it talks
about.

  Alan DeKok.




Simultaneous-Use problem

2002-10-31 Thread Pascal Gloor
Hi all,

I have setup three freeradius servers v0.7.1
- two authorization, authentication
- one accounting

the two servers for authentication are working with files.
the accounting server is working with mysql.

The NASes are using BOTH servers (load-balancing).

The feature Simultaneous-Use uses the radwtmp file. But the accounting
do not go on those servers, so I can't do the check.

I have done a little perl script which uses the accounting information to
detect duplicate session and I would like to implement it. how can I tell
the radius server to exec my script to check for Simultaneous-Use at
connection ?

usage: myscript.pl username Simultaneous-Use limit
response: integer 0 or 1 (as 1 means Simultaneous-Use limit reached and 0
means Simultaneous-Use limit not reached)


Regards,
P.
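
An added sketch (not Pascal's script and not FreeRADIUS code) of the check this post asks for: it counts open accounting sessions the way the `simul_count_query` quoted elsewhere in this archive does, and applies the `%{Stripped-User-Name:-%{User-Name}}` fallback from the radutmp thread so that `user` and `user@domain` share one count. The SQLite table, the `strip_realm` helper and the sample sessions are constructed assumptions.

```python
import sqlite3

# Constructed schema: only radacct columns named in the thread's queries.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId     INTEGER PRIMARY KEY AUTOINCREMENT,
    AcctSessionId TEXT    NOT NULL,
    UserName      TEXT    NOT NULL,
    NASIPAddress  TEXT    NOT NULL,
    NASPortId     INTEGER NOT NULL,
    AcctStopTime  INTEGER NOT NULL DEFAULT 0   -- 0 means the session is open
)
"""


def strip_realm(user_name):
    """Hypothetical stand-in for realm suffix stripping: drop '@domain'."""
    return user_name.split("@", 1)[0]


def session_key(user_name, stripped_user_name=None):
    """Same fallback as %{Stripped-User-Name:-%{User-Name}}."""
    return stripped_user_name if stripped_user_name else user_name


def acct_start(conn, session_id, user_name, nas_ip, nas_port, use_stripped):
    """Record an Accounting-Start under the chosen session key."""
    stripped = strip_realm(user_name) if use_stripped else None
    conn.execute(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, NASPortId)"
        " VALUES (?, ?, ?, ?)",
        (session_id, session_key(user_name, stripped), nas_ip, nas_port),
    )


def acct_stop(conn, session_id, stop_time):
    """Record an Accounting-Stop by closing the matching session."""
    conn.execute(
        "UPDATE radacct SET AcctStopTime = ? WHERE AcctSessionId = ?",
        (stop_time, session_id),
    )


def open_session_count(conn, key):
    """Parameterized form of the count query: the name is bound, not pasted."""
    row = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0",
        (key,),
    ).fetchone()
    return row[0]


def limit_reached(conn, user_name, limit, use_stripped=True):
    """Interface from the post: 1 = limit reached, 0 = limit not reached."""
    stripped = strip_realm(user_name) if use_stripped else None
    key = session_key(user_name, stripped)
    return 1 if open_session_count(conn, key) >= limit else 0


def demo(use_stripped):
    """Run constructed accounting events and return two check results."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # 'alice' is online; the same account then tries again with a suffix.
    acct_start(conn, "s1", "alice", "192.0.2.10", 11, use_stripped)
    with_suffix = limit_reached(conn, "alice@example.net", 1, use_stripped)
    # 'bob' logged in and out again, so his session is closed.
    acct_start(conn, "s2", "bob", "192.0.2.10", 12, use_stripped)
    acct_stop(conn, "s2", 1036000000)
    after_stop = limit_reached(conn, "bob", 1, use_stripped)
    conn.close()
    return with_suffix, after_stop


if __name__ == "__main__":
    print("raw User-Name as key :", demo(use_stripped=False))
    print("stripped name as key :", demo(use_stripped=True))
```

Keyed on the raw User-Name, the suffixed login is not counted against the open `alice` session; keyed on the stripped name, the limit is reported as reached.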






Re: Simultaneous use works beautifully

2002-10-31 Thread Alan DeKok
Joshua Corbin [EMAIL PROTECTED] wrote:
 I got Simultaneous-Use working with a MySQL setup and though I would
 tell you all how I got it to work in case anyone has any questions:

  That's good to hear.

  Just make sure that checkrad works with your setup; I had to change my
 SNMP read community, shouldn't that be in the naslist file instead of
 hacking perl?

  It can go into the 'clients.conf' data structure.  We can make the
change in the next version...

  INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
 values('dialup', 'Simultaneous-Use', ':=', '1');
 
 Not ten minutes after adding that, we had users calling as to why they
 could no longer abuse their accounts ;) heh

  And it saves you money!

 As a note, I agree with Alan totally, the schema should be Attr, op,
 Val, not Attr, Val, op;  And also maybe you should make op NOTNULL?
 Just a thought ;-)

  Submit a patch for the schema to do 'op NOTNULL'.  I know next to
nothing about SQL, so I'm wary of doing it myself.

  Alan DeKok.




Re: Simultaneous use works beautifully

2002-10-31 Thread Jorge Minassian

Hi all !,
Joshua, I tried that, it works OK !.

Thank you,
Jorge.



JC Greetings,

JC I got Simultaneous-Use working with a MySQL setup and though I would
JC tell you all how I got it to work in case anyone has any questions:

JC Read http://www.freeradius.org/radiusd/doc/Simultaneous-Use
JC I setup the naslist/naspasswd files, then all I had to do was:

JC  Just make sure that checkrad works with your setup; I had to change my
JC SNMP read community, shouldn't that be in the naslist file instead of
JC hacking perl?

JC  INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
JC values('dialup', 'Simultaneous-Use', ':=', '1');

JC Not ten minutes after adding that, we had users calling as to why they
JC could no longer abuse their accounts ;) heh

JC As a note, I agree with Alan totally, the schema should be Attr, op,
JC Val, not Attr, Val, op;  And also maybe you should make op NOTNULL? 
JC Just a thought ;-)

JC Regards,
JC Joshua Corbin





Re: Fwd: Re: Simultaneous Use

2002-10-25 Thread Angelos Karageorgiou


Ok I will try an out of the blue help attempt. First of all , I like 
radutmp, it might be slower, but it is a well defined interface
without the MYSQL -ANYSQL layer of complexity added to it.
in other words ADD radutmp in the session section.
next add the entries in naslist and naspassword for all your nases, DO 
NOT assume that any of the programs will have graceful defaults.

I write some code and I know I am lazy 

then enable debug inside checkrad so you can view your log file . To do 
this  locate the line that reads $debug=0 , and change it to $debug=1




last but not least do not forget to add a line like the following in 
your users file

DEFAULT Service-Type == Framed-User, Simultaneous-Use := 1
  Framed-Protocol = PPP,
  Framed-Compression = Van-Jacobson-TCP-IP,
  Framed-MTU = 1500



If none of the above helps .. go back to step 1

Jorge Minassian wrote:

Hi again, I need to have some solution about this, Chris can you
help me ?, any one on the list please ?

Thank you very much.



JM Chris,
JM thank for your answer,
JM I   put   radius   on  debug  mode,  then  called  nas  (Total Control
JM w/HiperArc) as a user that where connected, but I don't see any error
JM  and the request have not been rejected.
JM Below  is  the  result  of debug mode.
JM After that you have again radiusd.conf.

JM Thank for your help !

JM Jorge.




Hi all !,

I am having some trouble about simultaneous connection.
I can not see where would be the error on configuration, if any, and did 
not get nothing browsing docs, faqs, etc, that were applicable to my config.
Can some one give some idea about this ?.

What error messages did you receive, and what is the output from running
'radiusd -X' ( debug mode ) telling you?

-Chris





JM - Results from radiusd -X
JM Starting - reading configuration files ...
JM reread_config:  reading radiusd.conf
JM Config:   including file: /etc/raddb/proxy.conf
JM Config:   including file: /etc/raddb/clients.conf
JM Config:   including file: /etc/raddb/snmp.conf
JM Config:   including file: /etc/raddb/sql.conf
JM  main: prefix = /usr
JM  main: localstatedir = /usr/var
JM  main: logdir = /var/log/radius
JM  main: libdir = /usr/lib
JM  main: radacctdir = /var/log/radius/radacct
JM  main: hostname_lookups = no
JM read_config_files:  reading dictionary
JM read_config_files:  reading clients
JM read_config_files:  reading realms
JM read_config_files:  reading naslist
JM  main: max_request_time = 30
JM  main: cleanup_delay = 5
JM  main: max_requests = 1024
JM  main: delete_blocked_requests = 0
JM  main: port = 0
JM  main: allow_core_dumps = no
JM  main: log_stripped_names = yes
JM  main: log_auth = yes
JM  main: log_auth_badpass = yes
JM  main: log_auth_goodpass = no
JM  main: pidfile = /var/run/radius/radiusd.pid
JM  main: user = radius
JM  main: group = radius
JM  main: usercollide = no
JM  main: lower_user = no
JM  main: lower_pass = no
JM  main: nospace_user = no
JM  main: nospace_pass = no
JM  main: proxy_requests = yes
JM  proxy: retry_delay = 5
JM  proxy: retry_count = 3
JM  proxy: synchronous = no
JM  proxy: default_fallback = yes
JM  proxy: dead_time = 120
JM  security: max_attributes = 200
JM  security: reject_delay = 1
JM  main: debug_level = 0
JM read_config_files:  entering modules setup
JM Module: Library search path is /usr/lib
JM Module: Loaded preprocess 
JM  preprocess: huntgroups = /etc/raddb/huntgroups
JM  preprocess: hints = /etc/raddb/hints
JM  preprocess: with_ascend_hack = no
JM  preprocess: ascend_channels_per_line = 23
JM  preprocess: with_ntdomain_hack = no
JM  preprocess: with_specialix_jetstream_hack = no
JM  preprocess: with_cisco_vsa_hack = no
JM Module: Instantiated preprocess (preprocess) 
JM Module: Loaded realm 
JM  realm: format = suffix
JM  realm: delimiter = 
JM Module: Instantiated realm (suffix) 
JM Module: Loaded SQL 
JM  sql: driver = rlm_sql_mysql
JM  sql: server = localhost
JM  sql: port = 
JM  sql: login = digitalcoop
JM  sql: password = digitalcoop
JM  sql: radius_db = digitalcoop
JM  sql: acct_table = radacct
JM  sql: acct_table2 = radacct
JM  sql: authcheck_table = radcheck
JM  sql: authreply_table = radreply
JM  sql: groupcheck_table = radgroupcheck
JM  sql: groupreply_table = radgroupreply
JM  sql: usergroup_table = usergroup
JM  sql: nas_table = nas
JM  sql: dict_table = dictionary
JM  sql: sqltrace = no
JM  sql: sqltracefile = /var/log/radius/sqltrace.sql
JM  sql: deletestalesessions = yes
JM  sql: num_sql_socks = 5
JM  sql: sql_user_name = %{User-Name}
JM  sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
JM '%{SQL-User-Name}' ORDER BY id
JM  sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
JM '%{SQL-User-Name}' ORDER BY id
JM  sql: authorize_group_check_query = SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.A
JM ttribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck

Please, help: Simultaneous-Use

2002-10-25 Thread Jorge Minassian

   Hi all !,
   Would someone give me some help with using the simultaneous-use
   feature? I cannot get this to work at all ...

   Thank you,
   Jorge.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Fwd: Re: Simultaneous Use

2002-10-23 Thread Jorge Minassian
Hi again, I need to have some solution for this. Chris, can you
help me? Anyone on the list, please?

Thank you very much.



JM Chris,
JM thanks for your answer.
JM I put radius in debug mode, then called the NAS (Total Control
JM w/HiperArc) as a user that was connected, but I don't see any error
JM and the request has not been rejected.
JM Below is the result of debug mode.
JM After that you have radiusd.conf again.

JM Thanks for your help!

JM Jorge.



Hi all !,

I am having some trouble with simultaneous connection.
I cannot see where the error in the configuration would be, if any, and did
not find anything browsing docs, FAQs, etc., that was applicable to my config.
Can someone give me some idea about this?

What error messages did you receive, and what is the output from running
'radiusd -X' ( debug mode ) telling you?

-Chris



JM - Results from radiusd -X
JM Starting - reading configuration files ...
JM reread_config:  reading radiusd.conf
JM Config:   including file: /etc/raddb/proxy.conf
JM Config:   including file: /etc/raddb/clients.conf
JM Config:   including file: /etc/raddb/snmp.conf
JM Config:   including file: /etc/raddb/sql.conf
JM  main: prefix = /usr
JM  main: localstatedir = /usr/var
JM  main: logdir = /var/log/radius
JM  main: libdir = /usr/lib
JM  main: radacctdir = /var/log/radius/radacct
JM  main: hostname_lookups = no
JM read_config_files:  reading dictionary
JM read_config_files:  reading clients
JM read_config_files:  reading realms
JM read_config_files:  reading naslist
JM  main: max_request_time = 30
JM  main: cleanup_delay = 5
JM  main: max_requests = 1024
JM  main: delete_blocked_requests = 0
JM  main: port = 0
JM  main: allow_core_dumps = no
JM  main: log_stripped_names = yes
JM  main: log_auth = yes
JM  main: log_auth_badpass = yes
JM  main: log_auth_goodpass = no
JM  main: pidfile = /var/run/radius/radiusd.pid
JM  main: user = radius
JM  main: group = radius
JM  main: usercollide = no
JM  main: lower_user = no
JM  main: lower_pass = no
JM  main: nospace_user = no
JM  main: nospace_pass = no
JM  main: proxy_requests = yes
JM  proxy: retry_delay = 5
JM  proxy: retry_count = 3
JM  proxy: synchronous = no
JM  proxy: default_fallback = yes
JM  proxy: dead_time = 120
JM  security: max_attributes = 200
JM  security: reject_delay = 1
JM  main: debug_level = 0
JM read_config_files:  entering modules setup
JM Module: Library search path is /usr/lib
JM Module: Loaded preprocess 
JM  preprocess: huntgroups = /etc/raddb/huntgroups
JM  preprocess: hints = /etc/raddb/hints
JM  preprocess: with_ascend_hack = no
JM  preprocess: ascend_channels_per_line = 23
JM  preprocess: with_ntdomain_hack = no
JM  preprocess: with_specialix_jetstream_hack = no
JM  preprocess: with_cisco_vsa_hack = no
JM Module: Instantiated preprocess (preprocess) 
JM Module: Loaded realm 
JM  realm: format = suffix
JM  realm: delimiter = 
JM Module: Instantiated realm (suffix) 
JM Module: Loaded SQL 
JM  sql: driver = rlm_sql_mysql
JM  sql: server = localhost
JM  sql: port = 
JM  sql: login = digitalcoop
JM  sql: password = digitalcoop
JM  sql: radius_db = digitalcoop
JM  sql: acct_table = radacct
JM  sql: acct_table2 = radacct
JM  sql: authcheck_table = radcheck
JM  sql: authreply_table = radreply
JM  sql: groupcheck_table = radgroupcheck
JM  sql: groupreply_table = radgroupreply
JM  sql: usergroup_table = usergroup
JM  sql: nas_table = nas
JM  sql: dict_table = dictionary
JM  sql: sqltrace = no
JM  sql: sqltracefile = /var/log/radius/sqltrace.sql
JM  sql: deletestalesessions = yes
JM  sql: num_sql_socks = 5
JM  sql: sql_user_name = %{User-Name}
JM  sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck 
WHERE Username = 
JM '%{SQL-User-Name}' ORDER BY id
JM  sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply 
WHERE Username = 
JM '%{SQL-User-Name}' ORDER BY id
JM  sql: authorize_group_check_query = SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.A
JM ttribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE 
usergroup.Username
JM  = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY 
radgroupcheck.id
JM  sql: authorize_group_reply_query = SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.A
JM ttribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE 
usergroup.Username
JM  = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY 
radgroupreply.id
JM  sql: authenticate_query = SELECT Value,Attribute FROM radcheck WHERE UserName = 
'%{User-Name}' AND
JM  ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 
'Crypt-Password' ) ORDER BY 
JM Attribute DESC
JM  sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', 
AcctSessionTime=unix_timestamp
JM ('%S') - unix_timestamp(AcctStartTime), 
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay 
JM = %{Acct-Delay-Time} 

Fwd: Re: Simultaneous Use

2002-10-18 Thread Jorge Minassian
Chris,
thanks for your answer.
I put radius in debug mode, then called the NAS (Total Control
w/HiperArc) as a user that was connected, but I don't see any error
and the request has not been rejected.
Below is the result of debug mode.
After that you have radiusd.conf again.

Thanks for your help!

Jorge.



Hi all !,

I am having some trouble with simultaneous connection.
I cannot see where the error in the configuration would be, if any, and did
not find anything browsing docs, FAQs, etc., that was applicable to my config.
Can someone give me some idea about this?

What error messages did you receive, and what is the output from running
'radiusd -X' ( debug mode ) telling you?

-Chris



- Results from radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /usr/var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radius/radiusd.pid
 main: user = radius
 main: group = radius
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded preprocess 
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = suffix
 realm: delimiter = 
Module: Instantiated realm (suffix) 
Module: Loaded SQL 
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port = 
 sql: login = digitalcoop
 sql: password = digitalcoop
 sql: radius_db = digitalcoop
 sql: acct_table = radacct
 sql: acct_table2 = radacct
 sql: authcheck_table = radcheck
 sql: authreply_table = radreply
 sql: groupcheck_table = radgroupcheck
 sql: groupreply_table = radgroupreply
 sql: usergroup_table = usergroup
 sql: nas_table = nas
 sql: dict_table = dictionary
 sql: sqltrace = no
 sql: sqltracefile = /var/log/radius/sqltrace.sql
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck 
WHERE Username = 
'%{SQL-User-Name}' ORDER BY id
 sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply 
WHERE Username = 
'%{SQL-User-Name}' ORDER BY id
 sql: authorize_group_check_query = SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.A
ttribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE 
usergroup.Username
 = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY 
radgroupcheck.id
 sql: authorize_group_reply_query = SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.A
ttribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE 
usergroup.Username
 = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY 
radgroupreply.id
 sql: authenticate_query = SELECT Value,Attribute FROM radcheck WHERE UserName = 
'%{User-Name}' AND
 ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 
'Crypt-Password' ) ORDER BY 
Attribute DESC
 sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', 
AcctSessionTime=unix_timestamp
('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', 
AcctStopDelay 
= %{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= 
'%{NAS-IP-Address}
' AND AcctStartTime = '%S'
 sql: accounting_update_query = UPDATE radacct SET FramedIPAddress = 
'%{Framed-IP-Address}' WHERE A
cctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND 
NASIPAddress= '%{NAS-IP-Ad
dress}' AND AcctStopTime = 0
 sql: accounting_start_query = INSERT into radacct (RadAcctId, AcctSessionId, 
AcctUniqueId, UserNam
e, Realm, 

Simultaneous Use

2002-10-17 Thread Jorge Minassian

Hi all !,

I am having some trouble with simultaneous connection.
I cannot see where the error in the configuration would be, if any, and did
not find anything browsing docs, FAQs, etc., that was applicable to my config.
Can someone give me some idea about this?
My radiusd.conf is like what is detailed below.

Thank you very much,
Jorge.



radiusd.conf:

#-

prefix = /usr/local/freeradius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radius
group = radius
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
}

proxy_requests  = yes

$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
$INCLUDE  ${confdir}/snmp.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {

    realm suffix {
        format = suffix
        delimiter = 
    }

    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }

    acct_unique {
        key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
    }

    $INCLUDE  ${confdir}/sql.conf

    always fail {
        rcode = fail
    }

    always reject {
        rcode = reject
    }

    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }

}


authorize {
    preprocess
    suffix
    sql
}


authenticate {
    sql
}


preacct {
    preprocess
    suffix
}

accounting {
    sql
}


session {
    sql
}

#




Re: Simultaneous Use

2002-10-17 Thread Chris Parker
At 09:07 AM 10/17/2002 -0300, Jorge Minassian wrote:


Hi all !,

I am having some trouble with simultaneous connection.
I cannot see where the error in the configuration would be, if any, and did
not find anything browsing docs, FAQs, etc., that was applicable to my config.
Can someone give me some idea about this?

What error messages did you receive, and what is the output from running
'radiusd -X' ( debug mode ) telling you?

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Simultaneous Use

2002-09-12 Thread Funk, Michael

I am using a bastardized approach to rlm_sql

I am using a customized query to use the data in a vpopmail table for radius
auth.  I have about everything commented out in sql.conf, except for the
bare necessities to lookup names...

I am unable to make the attributes in the users file take effect, like
Simultaneous-Use :=1

Here's what I have in users

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Simultaneous-Use := 1,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes,
        Port-Limit = 1


If one is using the sql module and not performing any accounting through
sql, then why would they have to limit usage through it?
In short, I can do everything outside of the SQL module, except for this!



Michael Funk





Re: Simultaneous Use

2002-09-12 Thread Alan DeKok

Funk, Michael [EMAIL PROTECTED] wrote:
 I am unable to make the attributes in the users file take effect, like
 Simultaneous-Use :=1
 
 Here's what I have in users
 
 DEFAULT   Service-Type == Framed-User
   Framed-IP-Address = 255.255.255.254,
   Simultaneous-Use := 1,

  Run it in debugging mode, and read the error message it will
produce.

  Alan DeKok.




Re: Simultaneous Use

2002-09-12 Thread Chris Brotsos

At 01:34 PM 9/12/2002 -0400, you wrote:
I am using a bastardized approach to rlm_sql

I am using a customized query to use the data in a vpopmail table for radius
auth.  I have about everything commented out in sql.conf, except for the
bare necessities to lookup names...

I am unable to make the attributes in the users file take effect, like
Simultaneous-Use :=1

Here's what I have in users

DEFAULT Service-Type == Framed-User
 Framed-IP-Address = 255.255.255.254,
 Simultaneous-Use := 1,

Simultaneous use is a check item, similar to how you are using Service-Type 
in this example. You may want to try it as a check-item as opposed to an 
AV-Pair.

Chris

 Framed-MTU = 576,
 Service-Type = Framed-User,
 Fall-Through = Yes,
 Port-Limit = 1


If one is using the sql module and not performing any accounting through
sql, then why would they have to limit usage through it?
In short, I can do everything outside of the SQL module, except for this!



Michael Funk



---
Christopher Brotsos ([EMAIL PROTECTED])
Development Engineering
StarNet/MegaPOP: http://www.megapop.net
WX is wireless : http://www.starnetwx.net

This message is sent in confidence to the addressees.
It may contain privileged, proprietary, or confidential information.






RE: Simultaneous Use

2002-09-12 Thread Funk, Michael

Forgive me, but I left something out.

My radius boxes are at the end of a proxy. So, I get all of my requests
to my servers by proxy.

I'm being told by other sources that you must have SNMP access to the NAS in
order for Simultaneous-Use and Port-Limit to work.

How would I be able to work around this limitation by using the accounting
flat files, not accounting tables, to check for an open session and deny a
new request?





-Original Message-
From: Chris Brotsos [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 12, 2002 12:58 PM
To: [EMAIL PROTECTED]
Subject: Re: Simultaneous Use


At 01:34 PM 9/12/2002 -0400, you wrote:
I am using a bastardized approach to rlm_sql

I am using a customized query to use the data in a vpopmail table for
radius
auth.  I have about everything commented out in sql.conf, except for the
bare necessities to lookup names...

I am unable to make the attributes in the users file take effect, like
Simultaneous-Use :=1

Here's what I have in users

DEFAULT Service-Type == Framed-User
 Framed-IP-Address = 255.255.255.254,
 Simultaneous-Use := 1,

Simultaneous use is a check item, similar to how you are using Service-Type 
in this example. You may want to try it as a check-item as opposed to an 
AV-Pair.

Chris

 Framed-MTU = 576,
 Service-Type = Framed-User,
 Fall-Through = Yes,
 Port-Limit = 1


If one is using the sql module and not performing any accounting through
sql, then why would they have to limit usage through it?
In short, I can do everything outside of the SQL module, except for this!



Michael Funk



---
Christopher Brotsos ([EMAIL PROTECTED])
Development Engineering
StarNet/MegaPOP: http://www.megapop.net
WX is wireless : http://www.starnetwx.net

This message is sent in confidence to the addressees.
It may contain privileged, proprietary, or confidential information.






RE: Simultaneous Use

2002-09-12 Thread Mattt

The problem with doing this at all is that you'll need to be constantly
keeping an eye out for stale sessions, else you'll be locking your users
out on a (probably) regular basis...

On Fri, 2002-09-13 at 06:20, Funk, Michael wrote:
 Forgive me, but I left something out.
 
 My radius boxes are at the end of a proxy. So, I get all of my requests
 to my servers by proxy.
 
 I'm being told by other sources that you must have SNMP access to the NAS in
 order for Simultaneous-Use and Port-Limit to work.
 
 How would I be able to work around this limitation by using the accounting
 flat files, not accounting tables, to check for an open session and deny a
 new request?
 
 
 
 
 
 -Original Message-
 From: Chris Brotsos [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, September 12, 2002 12:58 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Simultaneous Use
 
 
 At 01:34 PM 9/12/2002 -0400, you wrote:
 I am using a bastardized approach to rlm_sql
 
 I am using a customized query to use the data in a vpopmail table for
 radius
 auth.  I have about everything commented out in sql.conf, except for the
 bare necessities to lookup names...
 
 I am unable to make the attributes in the users file take effect, like
 Simultaneous-Use :=1
 
 Here's what I have in users
 
 DEFAULT Service-Type == Framed-User
  Framed-IP-Address = 255.255.255.254,
  Simultaneous-Use := 1,
 
 Simultaneous use is a check item, similar to how you are using Service-Type 
 in this example. You may want to try it as a check-item as opposed to an 
 AV-Pair.
 
 Chris
 
  Framed-MTU = 576,
  Service-Type = Framed-User,
  Fall-Through = Yes,
  Port-Limit = 1
 
 
 If one is using the sql module and not performing any accounting through
 sql, then why would they have to limit usage through it?
 In short, I can do everything outside of the SQL module, except for this!
 
 
 
 Michael Funk
 
 
 
 ---
 Christopher Brotsos ([EMAIL PROTECTED])
 Development Engineering
 StarNet/MegaPOP: http://www.megapop.net
 WX is wireless : http://www.starnetwx.net
 
 This message is sent in confidence to the addressees.
 It may contain privileged, proprietary, or confidential information.
 
 
 
 
-- 
Cheers,
 Mattticq   : 117539757
 Network and Tech Doodwww   : http://www.pulse.nq4u.net
 [EMAIL PROTECTED]  jabber: [EMAIL PROTECTED]
 
 What's got four legs and an arm?  A happy Pit Bull...






Re: Simultaneous Use

2002-09-12 Thread Alan DeKok

Funk, Michael [EMAIL PROTECTED] wrote:
 I'm being told by other sources that you must have SNMP access to the NAS in
 order for Simultaneous-Use and Port-Limit to work.

  No.  Port-Limit is an attribute that the RADIUS server sends to the
NAS.  If the NAS ignores it, there's nothing that the RADIUS server
can do.

  Simultaneous-Use is a FreeRADIUS configuration item, which tells
FreeRADIUS to reject the user (even if their password is OK), if
they've logged in more than N times.

  FreeRADIUS uses a 'radutmp' file to keep track of which users are
currently logged in where.  (This can be done via SQL in the CVS head,
too.)

  However, due to network problems, accounting packets may be lost.
So the radutmp file may not be correct and up to date.  Therefore,
FreeRADIUS uses checkrad to do snmp/finger/telnet/whatever queries to
the NAS, to see if the user is still logged on.

  You can run the server without using Checkrad.  But it means that
when accounting packets are lost, the user MAY be accepted, even
though they are already logged in, and the user MAY be rejected, even
if they've already logged out.  There is nothing you can do to the
RADIUS server to fix this problem, other than run checkrad.

 How would I be able to work around this limitation by using the accounting
 flat files, not accounting tables, to check for an open session and deny a
 new request?

  You can *mostly* work around it, simply by not using checkrad.
However, that solution won't be perfect.

  Alan DeKok.
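
The behaviour described in the message above, modelled as an added example (it is not part of the thread and is not FreeRADIUS code): a session table decides whether a login is allowed, and a lost accounting Stop or Start makes that table wrong. The table layout, the function names and the `nas_has_session` callback standing in for checkrad are assumptions; the user name and NAS address are constructed.

```python
import sqlite3

# Simplified stand-in for the radacct table (an assumption, not the real
# schema). AcctStopTime = 0 marks a session that is still open.
SCHEMA = """CREATE TABLE radacct (
    AcctSessionId TEXT, UserName TEXT, NASIPAddress TEXT,
    NASPortId INTEGER, AcctStartTime INTEGER, AcctStopTime INTEGER)"""


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def acct_start(db, sid, user, nas, port, now):
    """Accounting Start received: record a new open session."""
    db.execute("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, 0)",
               (sid, user, nas, port, now))


def acct_stop(db, sid, user, nas, now):
    """Accounting Stop received: close the matching open session."""
    db.execute("UPDATE radacct SET AcctStopTime = ? WHERE AcctSessionId = ? "
               "AND UserName = ? AND NASIPAddress = ? AND AcctStopTime = 0",
               (now, sid, user, nas))


def open_sessions(db, user):
    """Rows the server believes are live sessions for this user."""
    return db.execute(
        "SELECT AcctSessionId, NASIPAddress, NASPortId FROM radacct "
        "WHERE UserName = ? AND AcctStopTime = 0", (user,)).fetchall()


def session_check(db, user, limit, now, nas_has_session=None):
    """Decide a login attempt: True = accept, False = reject.

    nas_has_session(nas, port, user, sid) is a hypothetical callback standing
    in for checkrad: it asks the NAS whether that session is really still up.
    """
    sessions = open_sessions(db, user)
    if len(sessions) < limit:
        return True
    if nas_has_session is None:
        return False  # no verification: trust the table, stale or not
    live = 0
    for sid, nas, port in sessions:
        if nas_has_session(nas, port, user, sid):
            live += 1
        else:
            acct_stop(db, sid, user, nas, now)  # stale row: close it
    return live < limit


def run_scenarios():
    user, nas, limit = "alice", "192.0.2.10", 1  # constructed sample values
    still_there = lambda nas_ip, port, name, sid: True
    gone = lambda nas_ip, port, name, sid: False
    results = {}

    # A: accounting arrives intact. Second login is refused while the first
    # session is open, and allowed again after the Stop.
    db = new_db()
    acct_start(db, "s1", user, nas, 1, now=100)
    results["online_second_login"] = session_check(db, user, limit, 110)
    results["online_verified"] = session_check(db, user, limit, 110, still_there)
    acct_stop(db, "s1", user, nas, now=200)
    results["after_clean_stop"] = session_check(db, user, limit, 210)

    # B: the user hung up but the Stop was lost, so the row stays open.
    db = new_db()
    acct_start(db, "s1", user, nas, 1, now=100)
    results["lost_stop_unverified"] = session_check(db, user, limit, 300)
    results["lost_stop_verified"] = session_check(db, user, limit, 300, gone)
    results["open_rows_after_verify"] = len(open_sessions(db, user))

    # C: the user is online but the Start was lost, so the table is empty and
    # a second login is accepted.
    db = new_db()
    results["lost_start"] = session_check(db, user, limit, 110)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {accepted}")
```
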




Re: rlm_sql.c and sql.c fixes for Simultaneous-Use

2002-08-27 Thread Chris A. Kalin

Thank you, it works like a charm now!  Sorry for the wasted effort yesterday
with the patches to sql.c, etc.

Chris Kalin

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 26, 2002 8:00 PM
Subject: Re: rlm_sql.c and sql.c fixes for Simultaneous-Use


 On Mon, 26 Aug 2002, Chris A. Kalin wrote:

  OK, I'll buy that.  :)
 
  The problem is when it calls rad_check_ts, _that_ function seems to be
  checking a radutmp file - whether or not I'm using radutmp or not for
  session checking - and several variables come back undefined, and hence
  checkrad still doesn't get fired up.  So between the two, this seemed a more
  expedient solution to my particular problem (I'm only using sql, not
  radutmp).  I'll dig over in rad_check_ts and go from there.
 
  Thanks for the help, at least eliminating sql_check_ts from this makes the
  troubleshooting a little more obvious.
 
  Chris Kalin

 rad_check_ts will just call checkrad. Please do a cvs update and check if it
 works better now. rad_check_ts should now be called with the proper arguments in
 rlm_sql_checksimul.

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 10 7721861
 'Go back to the shadow' Gandalf









rlm_sql.c and sql.c fixes for Simultaneous-Use

2002-08-26 Thread Chris A. Kalin

I've discovered a few little quirks in rlm_sql.c and sql.c that prevent
Simultaneous-Use from starting radcheck in a standard FreeRADIUS install.
Without these fixes, Simultaneous-Use will still work in a trust the SQL
server context, but it's unable to verify the information using radcheck -
which can bite people if RADIUS Stop packets have been dropped, etc.

It's a 3 KB context patch or a 1 KB diff file.  May I post it here or is
there a more appropriate venue?

Thanks,

Chris Kalin
Netwurx, Inc.






Re: rlm_sql.c and sql.c fixes for Simultaneous-Use

2002-08-26 Thread Chris Parker

At 03:51 PM 8/26/2002 -0500, Chris A. Kalin wrote:
I've discovered a few little quirks in rlm_sql.c and sql.c that prevent
Simultaneous-Use from starting radcheck in a standard FreeRADIUS install.
Without these fixes, Simultaneous-Use will still work in a trust the SQL
server context, but it's unable to verify the information using radcheck -
which can bite people if RADIUS Stop packets have been dropped, etc.

It's a 3 KB context patch or a 1 KB diff file.  May I post it here or is
there a more appropriate venue?

Post the patch on a webpage, and post the link here.  We'll take a look
at it and review it.  If it fits the development criteria, we'll incorporate
it.

Thanks!
-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: rlm_sql.c and sql.c fixes for Simultaneous-Use

2002-08-26 Thread Chris A. Kalin

 Chris Parker wrote:

  At 03:51 PM 8/26/2002 -0500, Chris A. Kalin wrote:
 I've discovered a few little quirks in rlm_sql.c and sql.c that prevent
 Simultaneous-Use from starting radcheck in a standard FreeRADIUS install.
 Without these fixes, Simultaneous-Use will still work in a trust the SQL
 server context, but it's unable to verify the information using radcheck -
 which can bite people if RADIUS Stop packets have been dropped, etc.
 
 It's a 3 KB context patch or a 1 KB diff file.  May I post it here or is
 there a more appropriate venue?

 Post the patch on a webpage, and post the link here.  We'll take a look
 at it and review it.  If it fits the development criteria, we'll incorporate
 it.

OK, the diff is at http://www.netwurx.net/~cak/patch-sql.diff and the
context diff is at http://www.netwurx.net/~cak/patch-sql.context .

Should be simple enough to understand without much comment.  It's against
last night's CVS snapshot.

Chris Kalin






Re: rlm_sql.c and sql.c fixes for Simultaneous-Use

2002-08-26 Thread Alan DeKok

Chris A. Kalin [EMAIL PROTECTED] wrote:
 Should be simple enough to understand without much comment.  It's against
 last night's CVS snapshot.

  OK... but you changed it so that it doesn't call rad_check_ts() any
more, and instead calls sql_check_ts().  This is wrong.

  The issue is that SQL may not know that the user is logged in twice,
but another module may know.  So hard-coding the SQL module to only
check the SQL functions, is wrong.

  The sql_check_ts() function should be deleted.  See:

 http://lists.cistron.nl/pipermail/freeradius-devel/2002-August/003376.html

  Coincidentally enough, also from today.

  Alan DeKok.




Re: rlm_sql.c and sql.c fixes for Simultaneous-Use

2002-08-26 Thread Chris A. Kalin

OK, I'll buy that.  :)

The problem is when it calls rad_check_ts, _that_ function seems to be
checking a radutmp file - whether or not I'm using radutmp or not for
session checking - and several variables come back undefined, and hence
checkrad still doesn't get fired up.  So between the two, this seemed a more
expedient solution to my particular problem (I'm only using sql, not
radutmp).  I'll dig over in rad_check_ts and go from there.

Thanks for the help, at least eliminating sql_check_ts from this makes the
troubleshooting a little more obvious.

Chris Kalin


- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 26, 2002 4:50 PM
Subject: Re: rlm_sql.c and sql.c fixes for Simultaneous-Use


> Chris A. Kalin [EMAIL PROTECTED] wrote:
> > Should be simple enough to understand without much comment.  It's against
> > last night's CVS snapshot.
>
> OK... but you changed it so that it doesn't call rad_check_ts() any
> more, and instead calls sql_check_ts().  This is wrong.
>
> The issue is that SQL may not know that the user is logged in twice,
> but another module may know.  So hard-coding the SQL module to only
> check the SQL functions, is wrong.
>
> The sql_check_ts() function should be deleted.  See:
>
> http://lists.cistron.nl/pipermail/freeradius-devel/2002-August/003376.html
>
> Coincidentally enough, also from today.
>
> Alan DeKok.




MySQL and simultaneous use check

2002-07-30 Thread Niccolò Rigacci

I successfully configured freeradius 0.6 to authenticate against MySQL
server and also to add accounting information to the database.

I want to add simultaneous access check so I uncommented
simul_count_query in sql.conf and added sql into session{} section of
radiusd.conf.

From the radiusd log I see that the query is defined, but never used. What
am I missing?

Thank you very much

Niccolo Rigacci
Italy


This is the relevant part of radiusd.conf
-

   accounting {
       detail
       sql
       radutmp
   }
   session {
       sql
   }

This is the radiusd log
-
 sql: simul_count_query = SELECT COUNT(*) FROM radacct WHERE
  UserName='%{SQL-User-Name}' AND AcctStopTime = 0^M
 sql: simul_verify_query = SELECT RadAcctId, AcctSessionId,
  UserName, NASIPAddress, NASPortId, FramedIPAddress,
  CalledStationId FROM radacct WHERE UserN
 sql: simul_zap_query = DELETE FROM radacct WHERE
  RadAcctId = '%s'^M
...
...
query:  INSERT into radacct (RadAcctId, AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress,
NASPortId, NASPortType, AcctStartTime, AcctStopTime,
rlm_sql: Released sql socket id: 3
  modcall[accounting]: module sql returns ok
...

No other SQL queries are attempted.

Those are the modules called by radiusd:

  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns ok
  modcall[authorize]: module suffix returns noop
  modcall[authorize]: module files returns notfound
  modcall[authorize]: module sql returns ok
  modcall[authenticate]: module chap returns ok
  modcall[preacct]: module preprocess returns noop
  modcall[preacct]: module suffix returns noop
  modcall[preacct]: module files returns ok
  modcall[accounting]: module detail returns ok
  modcall[accounting]: module sql returns ok
  modcall[accounting]: module radutmp returns ok
  modcall[preacct]: module preprocess returns noop
  modcall[preacct]: module suffix returns noop
  modcall[preacct]: module files returns ok
  modcall[accounting]: module detail returns ok
  modcall[accounting]: module sql returns ok
  modcall[accounting]: module radutmp returns ok


Niccolo Rigacci [EMAIL PROTECTED]
Tex.NET s.r.l.





Re: MySQL and simultaneous use check

2002-07-30 Thread Alan DeKok

[EMAIL PROTECTED] wrote:
> I want to add simultaneous access check so I uncommented
> simul_count_query in sql.conf and added sql into session{} section of
> radiusd.conf.
>
> From the radiusd log I see that the query is defined, but never used. What
> am I missing?

  Are you using the 'Simultaneous-Use' attribute anywhere for that
user?  If not, then the server will never do session checking.

  Alan DeKok.
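
An added example (not part of the thread and not FreeRADIUS code): a small audit of `radiusd -X` output that reports why a concurrent-login limit is not being enforced. The sample log is constructed from the line formats quoted in this thread, and the assumption that a session check would be logged as `modcall[session]` in the same format is mine.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the `radiusd -X` output quoted in this thread:
# the simul query is configured, yet only authorize/authenticate/accounting run.
SAMPLE_LOG = """\
 sql: simul_count_query = SELECT COUNT(*) FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module files returns notfound
  modcall[authorize]: module sql returns ok
  modcall[authenticate]: module chap returns ok
  modcall[preacct]: module preprocess returns noop
  modcall[accounting]: module sql returns ok
"""

MODCALL = re.compile(r"modcall\[(\w+)\]: module (\S+) returns (\w+)")
SIMUL_CFG = re.compile(r"sql: (simul_\w+_query) =\s*(.*)$")

def audit_debug_log(text):
    """Return (sections, findings) for a radiusd debug log."""
    sections = defaultdict(list)   # section name -> [(module, result), ...]
    simul = {}                     # simul_* query name -> configured SQL text
    for raw in text.splitlines():
        line = raw.strip()
        m = MODCALL.search(line)
        if m:
            sections[m.group(1)].append((m.group(2), m.group(3)))
            continue
        m = SIMUL_CFG.search(line)
        if m:
            simul[m.group(1)] = m.group(2).strip()

    findings = []
    if not simul.get("simul_count_query"):
        findings.append("simul_count_query is empty or not loaded")
    if "authorize" not in sections:
        findings.append("no authentication request seen; accounting packets "
                        "alone never trigger a session check")
    elif "session" not in sections:
        # Assumption: a session check would be logged as modcall[session].
        findings.append("authentication ran but no session check did; is "
                        "Simultaneous-Use set for this user?")
    return dict(sections), findings

if __name__ == "__main__":
    for finding in audit_debug_log(SAMPLE_LOG)[1]:
        print("WARNING:", finding)
```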





R: MySQL and simultaneous use check

2002-07-30 Thread Niccolo Rigacci

> [EMAIL PROTECTED] wrote:
> > I want to add simultaneous access check so I uncommented
> > simul_count_query in sql.conf and added sql into session{} section of
> > radiusd.conf.
> >
> > From the radiusd log I see that the query is defined, but never used.
> > What am I missing?
>
> Are you using the 'Simultaneous-Use' attribute anywhere for that
> user?  If not, then the server will never do session checking.

This is my /etc/raddb/users file. I think that Simultaneous-Use is defined
when radiusd falls through to the sql module. From the log I see that the module
files is run before module sql. Or maybe I had to set the attribute into
the database?

DEFAULT Simultaneous-Use = 1
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Idle-Limit = 900,
        Fall-Through = Yes

Thanks for the very prompt reply!

Niccolo Rigacci
Italy






RE: MySQL and simultaneous use check

2002-07-30 Thread Gonzalez, Pedro
-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')
 sql: accounting_start_query_alt = UPDATE radacct SET AcctStartTime = '%S',
AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}'
WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}'
AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime = 0
 sql: accounting_stop_query = UPDATE radacct SET AcctStopTime = '%S',
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
'%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND
NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime = 0
 sql: accounting_stop_query_alt = INSERT into radacct (RadAcctId,
AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('',
'%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '0',
'%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}',
'%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')
 sql: connect_failure_retry_delay = 60
 sql: simul_count_query = 
 sql: simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName,
NASIPAddress, NASPortId, FramedIPAddress, CalledStationId FROM radacct WHERE
UserName='%{SQL-User-Name}' AND AcctStopTime = 0
 sql: simul_zap_query = DELETE FROM radacct WHERE RadAcctId = '%s'
rlm_sql: Driver rlm_sql_mysql loaded and linked
rlm_sql: Attempting to connect to icradius@localhost:/radius
rlm_sql: starting 0
rlm_sql:  Attempting to connect #0
rlm_sql: Starting connect to MySQL server for #0
rlm_sql:  Connected new DB handle, #0
rlm_sql: starting 1
rlm_sql:  Attempting to connect #1
rlm_sql: Starting connect to MySQL server for #1
rlm_sql:  Connected new DB handle, #1
rlm_sql: starting 2
rlm_sql:  Attempting to connect #2
rlm_sql: Starting connect to MySQL server for #2
rlm_sql:  Connected new DB handle, #2
rlm_sql: starting 3
rlm_sql:  Attempting to connect #3
rlm_sql: Starting connect to MySQL server for #3
rlm_sql:  Connected new DB handle, #3
rlm_sql: starting 4
rlm_sql:  Attempting to connect #4
rlm_sql: Starting connect to MySQL server for #4
rlm_sql:  Connected new DB handle, #4
Module: Instantiated sql (sql) 
Module: Loaded preprocess 
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = yes
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess) 
Module: Loaded files 
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: compat = no
Module: Instantiated files (files) 
Module: Loaded radutmp 
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5
Segmentation Fault
root@telem-tac:/usr/local/sbin # 

 -Original Message-
 From: Alan DeKok [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 30, 2002 8:57 AM
 To: [EMAIL PROTECTED]
 Subject: Re: MySQL and simultaneous use check 
 
 
> [EMAIL PROTECTED] wrote:
> > I want to add simultaneous access check so I uncommented
> > simul_count_query in sql.conf and added sql into session{} section of
> > radiusd.conf.
> >
> > From the radiusd log I see that the query is defined, but never used.
> > What am I missing?
>
> Are you using the 'Simultaneous-Use' attribute anywhere for that
> user?  If not, then the server will never do session checking.
>
> Alan DeKok.
 
 


