Checkrad / Simultaneous-Use clarification please

Craig Campbell craig at ccraft.ca
Thu Sep 10 13:08:56 CEST 2009 

From: "Alan DeKok" <aland at deployingradius.com>
>"If you want to check the stripped user name... then use it."

How can I control this?  I am assuming you are referring to proxy.con realm 
configuration?

"Why you ask?"

The 'powers that be' have declared that the same userid may log in via 
multiple realms (access technologies) up to a certain connection limit.
So user at realm1 and user at realm2 count as 2 connections for user.  In their 
original form, radius would view them as two distinct userids.

I need the form 'user at realm' for authentication right after the 
simultaneous-use check.

How, specifically, can I get the Simultaneous-Use function to use the 
Stripped-User-Name (proxy.conf)? and yet use the original User-Name for the 
remainder of the processing?  (I have seen references to variable in some 
cases having a form of %{prefix:User-Name} but am unclear of how/where  that 
can/should be used.

I have searched the internet, the docs available, and some of the source 
code in attempting to understand freeradius, only posting questions when I 
am truly puzzled.  Indications of "how" to do (or NOT do) something are most 
appreciated.  This is a significant upgrade effort, and I'm ok with 
re-designing how things are achieved, if I can determine WHAT the 'best way' 
should be.  I have NO control over the rules that apply to users and 
accounts in the real world.  (I especially love when they CONTRADICT! - 
Marketing...)

Thanks,
-craig

----- Original Message ----- 
From: "Alan DeKok" <aland at deployingradius.com>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Thursday, September 10, 2009 4:16 AM
Subject: Re: Checkrad / Simultaneous-Use clarification please


> Craig Campbell wrote:
>> We currently have users that log in both with and without realms.
>
>  Well... then you have to manage that.
>
>> In radutmp we log the stripped username (i.e. no realm component).
>
>  Why?
>
>> Since the radutmp data has no realm  part for the username, how do I get
>> the Simultaneous-Use code to check the username without the realm
>> component? Currently the realm portion is carried through until the
>> accounting processing (for radutmp).
>
>  I don't understand.  You give radutmp a stripped user name, but you
> don't give the session checking a stripped user name?
>
>  If you want to check the stripped user name... then use it.
>
>> If I understand correctly, fred at comfort will pass Sinultaneous-Use
>> because radutmp is logging these as just "fred".
>
>  Yes.  Because you told it to treat them as different users.
>
>  If you want the simultaneous checking to check the stripped user name,
> then strip the user name...
>
>  Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
> __________ Information from ESET Smart Security, version of virus 
> signature database 4412 (20090909) __________
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com
>
>
> 


__________ Information from ESET Smart Security, version of virus signature database 4412 (20090909) __________

The message was checked by ESET Smart Security.

http://www.eset.com

More information about the Freeradius-Users mailing list