Trying to restrict simultaneous-use

Alan DeKok aland at deployingradius.com
Sat Mar 5 17:33:31 CET 2016


On Mar 5, 2016, at 11:23 AM, Michael Martinez <mwtzzz at gmail.com> wrote:
> 
> I'm doing some tests from localhost to restrict simultaneous-use.
> 
>  * I have a user defined in the users file with Simultaneous-Use := 1.
>  * I have the following file which I feed to radclient to initiate an
> accounting session for this user:

  That's good.

>  * In sites-enabled/default I have uncommented "radutmp" and
> "sradutmp" in accounting{} and I have uncommented radutmp in session{}
> (yes I know sql is faster but this is just for testing)

  OK.

> The debug file shows:
> (2) # Executing section session from file
> /usr/local/freeradius/etc/raddb/sites-enabled/default
> (2)   session {
> (2) radutmp: EXPAND /usr/local/freeradius/var/log/radius/radutmp
> (2) radutmp:    --> /usr/local/freeradius/var/log/radius/radutmp
> (2) radutmp: EXPAND %{User-Name}
> (2) radutmp:    --> spackle
> checkrad: No NAS type, or type "other" not checking
> (2)     [radutmp] = fail
> (2)   } # session = fail
> 
> 
> radutmp is failing but it still sends an Access-Accept. Any thoughts?

  Because it's fail-safe.  It can't do session checking, so it allows the user in.

  Fix the test so that the NAS is marked as a real NAS, and so checkrad can check it.

  Or, edit the "session" section so that it returns "ok" if "radutmp" returns "fail".  See "man unlang" for documentation on module return codes.

  Alan DeKok.
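
An added example, not part of the original thread or of FreeRADIUS: a Python check that scans debug output for the fail-open case discussed above, where the session section ends in "fail" and the request is still accepted. The "Sent Access-Accept" line format, request (3) and the name find_fail_open are assumptions.

```python
import re

# Constructed sample: the session{} excerpt quoted in the thread, plus "Sent ..."
# lines and a passing request (3) that are assumptions, not from the post.
SAMPLE = '''\
(2)   session {
(2) radutmp: EXPAND %{User-Name}
(2) radutmp:    --> spackle
checkrad: No NAS type, or type "other" not checking
(2)     [radutmp] = fail
(2)   } # session = fail
(2) Sent Access-Accept Id 17 from 127.0.0.1:1812 to 127.0.0.1:40112 length 0
(3)   session {
(3)     [radutmp] = ok
(3)   } # session = ok
(3) Sent Access-Accept Id 18 from 127.0.0.1:1812 to 127.0.0.1:40113 length 0
'''

PREFIXED = re.compile(r"^\((\d+)\)\s+(.*)$")
MODULE_RC = re.compile(r"^\[(\w+)\] = (\w+)$")
SESSION_END = re.compile(r"^\} # session = (\w+)$")
SENT = re.compile(r"^Sent (Access-\w+)")

def find_fail_open(debug_text):
    """List requests whose session{} check failed but were accepted anyway."""
    sessions, findings, open_req = {}, [], None
    for line in debug_text.splitlines():
        m = PREFIXED.match(line)
        if m is None:
            # Helper output such as checkrad carries no "(N)" prefix; attribute
            # it to the request whose session{} block is currently open.
            if open_req is not None and line.startswith("checkrad:"):
                sessions[open_req]["reason"] = line.split(":", 1)[1].strip()
            continue
        req, body = int(m.group(1)), m.group(2).strip()
        info = sessions.get(req)
        if body.startswith("session {"):
            open_req = req
            sessions[req] = {"request": req, "failed": [], "reason": None, "result": None}
        elif info is None:
            continue
        elif info["result"] is None:
            if (rc := MODULE_RC.match(body)) and rc.group(2) == "fail":
                info["failed"].append(rc.group(1))
            elif (end := SESSION_END.match(body)):
                info["result"], open_req = end.group(1), None
        elif (sent := SENT.match(body)):
            if info["result"] == "fail" and sent.group(1) == "Access-Accept":
                findings.append(info)
    return findings
```
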



