Simultaneous-Use unreliable for 'other' NAS-type
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Jul 8 00:05:41 CEST 2019
> On Jul 7, 2019, at 3:10 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Jul 7, 2019, at 8:49 PM, Taymour Gabr via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> this doesn't answer my question though of how/if checkrad works for
>> simultaneous-use set to anything other than 1.
>
> Checkrad is run once for every user session. But that means it has to check *each* user session.
>
>> Also, could you please expand on what you consider to be 'modern'
>> NASes? 2 years-old, 5 years-old, 10?
>
> Realistically, 10 years. Checkrad is ~20 years old, and hasn't been updated in a very long time.
>
>> We are looking to replace our crappy HP controller. Unfortunately HP
>> was taken over by Aruba, and their controllers don't support HP Access
>> points. So we are trying to go with the latest HP controller, and I
>> would like to make sure that simultaneous-use will be covered.
>
> At this point, the NASes should work better. Checkrad is less useful.
The majority of installations that use simultaneous use checks, just run a script against the database periodically, looking at the last time an interim was received, and closing out sessions where at least two interims have been missed. I added 'acctupdatetime' to the majority of the default schemas a few years back to encourage more people to do that, over using the old SNMP based methods. For this to work you do need to enable interim updates on the controller (set it to something like 5 mins if your servers can handle it).
If you wanted to contribute something useful, I know some databases have cronlike functionality. It'd be good to include a cronlike job to close out stale sessions in the default schemas.
Just as an aside - there's also been some internal discussion about creating an rlm_snmp to allow async queries against NAS. If that work gets completed, then we'd likely ditch checkrad in favour of integrated runtime checks. When the I/O is async you don't really care about blocking the request trying to talk to an unreachable NAS, you just need to set appropriate timeouts.
-Arran
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20190707/621bd23b/attachment.sig>
More information about the Freeradius-Users
mailing list