Simultaneous -use is working fine on all my stand alone wireless access points. But now there are 100 of these WAPs are under the cisco WLC it does not seem to work. Just wondering what people are doing with WLC and simualtaneous -use. One way I could do is set globally in the WLC i.e 4 connection for everyone no matter what -- but in my case we needed to separate student and staff. Thanks, K On 04/20/2015 06:28 PM, Khapare Joshi wrote:
well, I have done this way and it seem to work. Why it did not work before - I don't know.
Added in /etc/raddb/ldap.attr checkItem affiliation eduPersonPrimaryAffiliation
In /etc/raddb/dictonary
ATTRIBUTE affiliation 3004 string
enabled ldap module in /etc/raddb/site-enabled/default
then in /etc/raddb/stie-enable/inner-tunnel update request { affiliation := "%{ldap:ldap:///dc=example,dc=IcomeduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}}" }
if (affiliation == "student") { update control { Simultaneous-Use := 1 } }
if (affiliation == "staff") { update control { Simultaneous-Use := 3 } }
This works as it should be. But why this did not work before I have no clue. the 4th attempt actually get rejected
In radius -X, I can see this has been rejected
[ldap] - ldap_xlat expand: ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name} -> ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=testsim [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter uid=testsim [ldap] Adding attribute eduPersonPrimaryAffiliation, value: staff [ldap] ldap_release_conn: Release Id: 0 [ldap] - ldap_xlat end expand: %{ldap:ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}} -> staff ++} # update request = noop ++? if (affiliation == "student") ? Evaluating (affiliation == "student") -> FALSE ++? if (affiliation == "student") -> FALSE ++? if (affiliation == "staff") ? Evaluating (affiliation == "staff") -> TRUE ++? if (affiliation == "staff") -> TRUE ++if (affiliation == "staff") { +++update control { +++} # update control = noop ++} # if (affiliation == "staff") = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section session from file /etc/raddb/sites-enabled/inner-tunnel +group session { [sql] expand: %{Stripped-User-Name} -> testsim [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testsim [sql] sql_set_user escaped user --> 'testsim' [sql] expand: SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT COUNT(*) FROM radacct WHERE username = 'testsim' AND acctstoptime IS NULL rlm_sql (sql): Reserving sql socket id: 14 rlm_sql (sql): Released sql socket id: 14 ++[sql] = ok +} # group session = ok Multiple logins (max 3) : [testsim@example.com] (from client nas1.example.com port 7705 cli 2064.3261.6d2d via TLS tunnel) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> testsim@example.com attr_filter: Matched entry DEFAULT at line 11
It still says +++} # update control = noop
but works :)
On Wed, Apr 8, 2015 at 3:56 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 8, 2015, at 6:22 AM, Khapare Joshi <khapare77@gmail.com> wrote:
I did mistake on regex thing because I was also testing same with affiliation and had this lines before I turn to test gid thing. sorry for this If you can't keep track of what you're doing, you will never solve the problem.
This did not work either. Probably for the same reason. You want one thing from the server, and you've configured it to do something else.
I checked both debug output, the first one (DEFAULT Simultaneous-Use := 1 Fall-Through = 1) actually executes session but i don't see these lines when i perform test with gidnumber check statement. So read the debug output to see why.
++? if (gidnumber < 200) (Attribute gidnumber was not found) Doesn't that tell you anything?
You've configured the LDAP module to add the attribute to the CHECK items, and you're then looking for it in the REQUEST items.
This is all documented, and it's all available in the debug output.
I get the feeling that 3/4 of my posts here are just convincing people to READ the messages that they post to the list.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html