Two Simultaneous-Use on Same NAS Port

tnt at kalik.net tnt at kalik.net
Wed Mar 25 20:00:43 CET 2009


>I'm trying to limit a single username to logon 2 times on the same NAS
>Port/NAS Port ID.
>
>Our test environment consists of a single FreeRadius Server (Version
>2.1.5/4), MySQL Server 5.0.45, and a Cisco 7200VXR with IOS
>12.2(31)SB13.
>
>
>The main issue now is that a single user name with Simultaneous-Use set
>to 2 is able to log in an unlimited number of times on the same NAS
>Port/NAS Port ID.  However, if the same user logs on through a different
>NAS Port/NAS Port ID, Simultaneous-Use checks work as expected.  Please,
>note the following radwho and radiusd -X outputs.
>
>
>radwho -R Output after first user logged in:
>
>User-Name = "test1"
>Acct-Session-Id = "00003377"
>NAS-IP-Address = X.X.X.X
>NAS-Port = 2097152
>Service-Type = Framed-User
>Framed-Protocol = PPP
>Framed-IP-Address = X.X.X.X
>
>
>radwho -R Output after second user logged in:
>
>User-Name = "test1"
>Acct-Session-Id = "00003378"
>NAS-IP-Address = X.X.X.X
>NAS-Port = 2097152
>Service-Type = Framed-User
>Framed-Protocol = PPP
>Framed-IP-Address = X.X.X.X
>Acct-Session-Time = 72
>
>
>**Note the lack of the first user identified by Acct-Session-ID
>00003377.
>

Yes. When radius server receives a second accounting Start packet with
same NAS-IP-Address/NAS-Port it will "conclude" that the Stop packet
for the first session is missing and will log out first session. In
short - sending same NAS-Port for multiple sessions breaks accounting.
Don't do that. You can try adjusting raddb/modules/acct_unique but I
don't see anything you can use instead of NAS-Port.

Ivan Kalik
Kalik Informatika ISP
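
The behaviour described in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code: a simplified model of a session table keyed on NAS-IP-Address and NAS-Port, showing why the Simultaneous-Use count never reaches 2 and how the port reuse can be flagged from accounting records. The NAS address 192.0.2.1, the second port value and session id 00003379 are constructed; the function names are hypothetical.

```python
# Simplified model (an assumption, not FreeRADIUS source code) of a session
# table keyed on (NAS-IP-Address, NAS-Port), as the reply above describes.

def replay(records):
    """Replay accounting records; return (live table, port-reuse evictions)."""
    live = {}       # (NAS-IP-Address, NAS-Port) -> record of the live session
    evicted = []    # (old Acct-Session-Id, new Acct-Session-Id) pairs
    for rec in records:
        key = (rec["NAS-IP-Address"], rec["NAS-Port"])
        current = live.get(key)
        if rec["Acct-Status-Type"] == "Start":
            # A Start on an occupied port is read as "Stop was lost":
            # the earlier session is dropped and the new one takes its slot.
            if current and current["Acct-Session-Id"] != rec["Acct-Session-Id"]:
                evicted.append((current["Acct-Session-Id"], rec["Acct-Session-Id"]))
            live[key] = rec
        elif rec["Acct-Status-Type"] == "Stop":
            # Only the session that owns the slot may clear it.
            if current and current["Acct-Session-Id"] == rec["Acct-Session-Id"]:
                del live[key]
    return live, evicted

def would_admit(live, user, simultaneous_use):
    """Simultaneous-Use style check: admit while live sessions < limit."""
    count = sum(1 for r in live.values() if r["User-Name"] == user)
    return count < simultaneous_use

def start(session_id, port, user="test1", nas="192.0.2.1"):
    """Build a constructed accounting Start record (NAS address is a placeholder)."""
    return {"Acct-Status-Type": "Start", "User-Name": user,
            "Acct-Session-Id": session_id, "NAS-IP-Address": nas, "NAS-Port": port}

# Constructed sample: three logins that all report NAS-Port 2097152.
SAME_PORT = [start("00003377", 2097152), start("00003378", 2097152),
             start("00003379", 2097152)]
# Constructed sample: two logins that report distinct NAS-Port values.
DISTINCT_PORTS = [start("00003377", 2097152), start("00003378", 2097153)]

if __name__ == "__main__":
    for name, sample in (("same port", SAME_PORT), ("distinct ports", DISTINCT_PORTS)):
        live, evicted = replay(sample)
        print(name, "live:", len(live), "evicted:", evicted,
              "next login admitted:", would_admit(live, "test1", 2))
```

A non-empty eviction list for one user on one port is the signal that the NAS is reusing NAS-Port across concurrent sessions and that the session limit is not being enforced there.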



