Umm You are authenticating them , so you see their inner username and thus what ever they have in their outerid is of no consequence. Let them use whatever in their outerid as it's the innerid that matters and what you use for policies For simultaneous use checks the server, by default, will be using accounting info , this you need to send info back to the NAS that can be used in the accounting sessions and policy designed around But you say this is a free network... What is wrong with a user having a phone and a laptop? It's pretty common these days for a user to have 2 (or more!) devices *and* user experience/expectations is to be able to use them all (in fact, they may have to, doing eg something on their phone but then having to get their laptop out to complete the task ) alan On Fri, 2 Nov 2018, 17:50 Alan DeKok <aland@deployingradius.com wrote:
On Nov 2, 2018, at 1:32 PM, Selahattin Cilek <selahattin_cilek@hotmail.com> wrote:
So Is the MySQL stored procedure approach is my best option? Is there not a way to check the inner identity against the outer identity?
Yes. See raddb/policy.d/filter
Or, run the server in debug mode as suggested everywhere... you will see it compare inner to outer identity.
I do care because: 1. The Unifi APs that are employed on the site sometimes allow multiple access from laptops to the network despite that fact that "Simultaneous-Use" is set to "1" for every user in the database and I suspect that is somehow connected with the cursed anonymous identity.
Don't *suspect*. Run the server in debug mode, and *learn*.
Trying random things to "fix" a problem is just a waste of time. You need to *understand* what it's doing, and how the configuration works. That lets you come up with a solution.
To illustrate, some users can first log in on their Android phones and then leave the laptop open, which tries to log in again and again and some time later, somehow, are connected to the network. As if that is not enough, I receive no accounting packets for the laptop.
Simultaneous-Use need accounting packets...
If you go to the Wiki and search for "Simultaneous-Use", you'll see a FAQ entry which says this.
There is one particular user that confessed to once having downloaded 150GBs a night from his laptop. He does that almost every night. My goal is to distribute the connectivity and fairly as possible.
Then fix the NAS so that it sends accounting packets.
No amount of poking FreeRADIUS will magically have it know what the users doing. Especially if the NAS isn't sending accounting packets.
2. The Unifi APs do not know what is going on the FreeRADIUS server and send back accounting packages that contain lines like "User-Name: anonymous" or "User-Name: some_garbage"; that is why I use the "Class" attribute to circumvent this problem.
Which is why the default config sends the *inner* username in the Access-Accept. The NAS is *supposed* to use this User-Name in all accounting packets.
If you use Class, you can just set "Class" to the inner User-Name.
Or even better, reject *all* users where the outer User-Name is not the same as the outer User-Name,
Again, running the server in debug mode and *reading* the output will tell you exactly how to do this.
I do not want to have to circumvent anything. I want everything to be correct and in place. 3. This is a public and *FREE* network. The users do not have the luxury of remaining anonymous. If they want to remain anonymous, they can buy one of those LTE packages.
99% of what you want to do is documented either in the Wiki or is visible in the debug output.
It just takes *reading* the debug output. And not trying random things. That's a waste of time.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html