Hi, I am trying to prevent simultaneous logins on my freeradius server, I need to do it with MYSQL, I have enabled simul_count query, and enabled sql for session and accounting. Now, the tricky part is that my server is also my firewall and all requests are comming to the same nick which is listed on my clients.conf file, the nas type is other and therefore the check is ignored. When I setup as type cisco it get no response from SNMP session, and the wiki suggest that SNMP is not working with version 2.1.10 unless some modification is done. Can I keep sql accounting and radutmp for session? will this work ok? Thanks Franz
On Mon, May 9, 2011 at 5:38 AM, Franz <flamana@gmail.com> wrote:
Hi, I am trying to prevent simultaneous logins on my freeradius server, I need to do it with MYSQL, I have enabled simul_count query, and enabled sql for session and accounting.
Seems reasonable
Now, the tricky part is that my server is also my firewall and all requests are comming to the same nick which is listed on my clients.conf file, the nas type is other and therefore the check is ignored. When I setup as type cisco it get no response from SNMP session, and the wiki suggest that SNMP is not working with version 2.1.10 unless some modification is done.
I have no idea what you're talking about. You can have sql to manage accounting and session (using the acccounting data), which should be independent of NAS type, without the need for SNMP or any external command/utility. Look at simul_count_query and simul_verify_query. Sometimes it's easier to: - uncomment simul_count_query - adjust it according your needs (for example, we use acctstoptime to store when an accounting packet arrives, including acct-start and acct-interim, so in our case we can't use "AND acctstoptime IS NULL" part). - comment-out simul_verify_query -- Fajar
What I meant on the second part is that i am using localhost on clients.conf, so now when i am just checking session with sql simul_count_query, and as soon as the request is received by server it says the user is already logged in, even is is not logged in: checkrad: No NAS type, or type "other" not checking rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok expand: good -> good Multiple logins (max 1) [MPP attempt]: [C8P7G6/C8P7G6] (from client localhost port 7 cli 192.168.0.7) good Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} On Mon, May 9, 2011 at 1:23 AM, Fajar A. Nugraha <list@fajar.net> wrote:
On Mon, May 9, 2011 at 5:38 AM, Franz <flamana@gmail.com> wrote:
Hi, I am trying to prevent simultaneous logins on my freeradius server, I need to do it with MYSQL, I have enabled simul_count query, and enabled sql for session and accounting.
Seems reasonable
Now, the tricky part is that my server is also my firewall and all requests are comming to the same nick which is listed on my clients.conf file, the nas type is other and therefore the check is ignored. When I setup as type cisco it get no response from SNMP session, and the wiki suggest that SNMP is not working with version 2.1.10 unless some modification is done.
I have no idea what you're talking about.
You can have sql to manage accounting and session (using the acccounting data), which should be independent of NAS type, without the need for SNMP or any external command/utility. Look at simul_count_query and simul_verify_query. Sometimes it's easier to: - uncomment simul_count_query - adjust it according your needs (for example, we use acctstoptime to store when an accounting packet arrives, including acct-start and acct-interim, so in our case we can't use "AND acctstoptime IS NULL" part). - comment-out simul_verify_query
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mon, May 9, 2011 at 12:46 PM, Franz <flamana@gmail.com> wrote:
What I meant on the second part is that i am using localhost on clients.conf,
Please don't top-post.
so now when i am just checking session with sql simul_count_query, and as soon as the request is received by server it says the user is already logged in, even is is not logged in: checkrad: No NAS type, or type "other" not checking
if you only store session on sql, you don't need checkrad. You can just comment-out radutmp from session sectoin.
rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok expand: good -> good Multiple logins (max 1) [MPP attempt]: [C8P7G6/C8P7G6] (from client localhost port 7 cli 192.168.0.7) good Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...}
You can try executing the query manually and see if the query is doing the right thing. Also, the query is customizable, so if you know that all acct entries from localhost are dummy entries you can just modify the query to exclude them. -- Fajar
The query is ok for my purpose, when I execute it it returns 1 when a session is active and 0 when no session is available. However when i uncomment the simul query, all logins are terminated by User-Error afer 10 seconds and not Session-Timeout after x time as it's supposed to be, if a commented the simul query, all work ok again. Do I need a specific configuration in authorize section? On Mon, May 9, 2011 at 2:49 AM, Fajar A. Nugraha <list@fajar.net> wrote:
On Mon, May 9, 2011 at 12:46 PM, Franz <flamana@gmail.com> wrote:
What I meant on the second part is that i am using localhost on clients.conf,
Please don't top-post.
so now when i am just checking session with sql simul_count_query, and as soon as the request is received by server it says the user is already logged in, even is is not logged in: checkrad: No NAS type, or type "other" not checking
if you only store session on sql, you don't need checkrad. You can just comment-out radutmp from session sectoin.
rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok expand: good -> good Multiple logins (max 1) [MPP attempt]: [C8P7G6/C8P7G6] (from client localhost port 7 cli 192.168.0.7) good Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...}
You can try executing the query manually and see if the query is doing the right thing. Also, the query is customizable, so if you know that all acct entries from localhost are dummy entries you can just modify the query to exclude them.
-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I got it working by changing the query to count if the MAC requesting access is different than the one that got access cranted. Another question I had was if a user is allowed access only for let say 5 hours a Day, if he is connected just for 1 hour and decides to connect 3 hours later, I think the counter will have count 4 hours, is there a way to make the counter just pick up where it left off? Thanks -- View this message in context: http://freeradius.1045715.n5.nabble.com/Simultaneous-logins-tp4380660p438182... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
Fajar A. Nugraha -
Franz -
qbik