semulteneius-use with cisco nas
hi, i continue configuring simulteneous-use with cisco NAS. My configs: mysql> select * from radcheck; +----+------------------------------+--------------------+----+------------------------------+ | id | username | attribute | op | value | +----+------------------------------+--------------------+----+------------------------------+ | 11 | user | Cleartext-Password | := | user | | 3 | test@wimax.com | Cleartext-Password | := | test | | 15 | KeepAliveUserNameAndPassword | Cleartext-Password | := | KeepAliveUserNameAndPassword | | 5 | test1@wimax.com | Cleartext-Password | := | test | | 10 | user | Simultaneous-Use | := | 1 | | 14 | test1@wimax.com | Framed-Filter-Id | := | SP=data:MSF=data; | | 13 | test@wimax.com | Framed-Filter-Id | := | SP=data:MSF=data; | +----+------------------------------+--------------------+----+------------------------------+ clients: client 10.169.33.11/24 { # require_message_authenticator = no secret = "12345" nastype = "cisco" login = snmp password = public } snmpget works: freebsd# snmpget -v2c -c public 10.169.33.11 sysUpTime.0 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (147940948) 17 days, 2:56:49.48 debug: rad_recv: Access-Request packet from host 10.169.33.11 port 1645, id=104, length=159 User-Name = "user" Framed-MTU = 1400 Called-Station-Id = "0013.1a08.9340" Calling-Station-Id = "001b.7770.9159" Service-Type = Login-User Message-Authenticator = 0x2e82883f159c894bdd80b8ec62351994 EAP-Message = 0x020b001d19001703010012b37fc2616cb987f684d4f8af1145e855c165 NAS-Port-Type = Wireless-802.11 NAS-Port = 13431 State = 0x526a475d5a615e1a09ba39034fe381ca NAS-IP-Address = 10.169.33.11 NAS-Identifier = "ap" Thu Dec 8 17:26:25 2011 : Info: (36) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default Thu Dec 8 17:26:25 2011 : Info: (36) group authorize { Thu Dec 8 17:26:25 2011 : Info: (36) - entering group authorize {...} Thu Dec 8 17:26:25 2011 : Info: (36) [preprocess] = ok Thu Dec 8 17:26:25 2011 : Info: (36) [chap] = noop Thu Dec 8 17:26:25 2011 : Info: (36) [mschap] = noop Thu Dec 8 17:26:25 2011 : Info: (36) [digest] = noop Thu Dec 8 17:26:25 2011 : Info: (36) suffix : No '@' in User-Name = "user", looking up realm NULL Thu Dec 8 17:26:25 2011 : Info: (36) suffix : No such realm "NULL" Thu Dec 8 17:26:25 2011 : Info: (36) [suffix] = noop Thu Dec 8 17:26:25 2011 : Info: (36) eap : EAP packet type response id 11 length 29 Thu Dec 8 17:26:25 2011 : Info: (36) eap : Continuing tunnel setup. Thu Dec 8 17:26:25 2011 : Info: (36) [eap] = ok Thu Dec 8 17:26:25 2011 : Info: (36) Found Auth-Type = ? Thu Dec 8 17:26:25 2011 : Info: (36) # Executing group from file /usr/local/etc/raddb/sites-enabled/default Thu Dec 8 17:26:25 2011 : Info: (36) group authenticate { Thu Dec 8 17:26:25 2011 : Info: (36) - entering group authenticate {...} Thu Dec 8 17:26:25 2011 : Info: (36) eap : Request found, released from the list Thu Dec 8 17:26:25 2011 : Info: (36) eap : EAP/peap Thu Dec 8 17:26:25 2011 : Info: (36) eap : processing type peap Thu Dec 8 17:26:25 2011 : Info: (36) peap : processing EAP-TLS Thu Dec 8 17:26:25 2011 : Info: (36) peap : eaptls_verify returned 7 Thu Dec 8 17:26:25 2011 : Info: (36) peap : Done initial handshake Thu Dec 8 17:26:25 2011 : Info: (36) peap : eaptls_process returned 7 Thu Dec 8 17:26:25 2011 : Info: (36) peap : FR_TLS_OK Thu Dec 8 17:26:25 2011 : Info: (36) peap : Session established. Decoding tunneled attributes. Thu Dec 8 17:26:25 2011 : Info: (36) peap : Peap state phase2 Thu Dec 8 17:26:25 2011 : Info: (36) peap : EAP type mschapv2 Thu Dec 8 17:26:25 2011 : Info: (36) peap : Got tunneled request EAP-Message = 0x020b00061a03 server { Thu Dec 8 17:26:25 2011 : Info: (36) peap : Setting User-Name to user Sending tunneled request EAP-Message = 0x020b00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user" State = 0xcb00ddfeca0bc7c30919b7db84ca14bd Framed-MTU = 1400 Called-Station-Id = "0013.1a08.9340" Calling-Station-Id = "001b.7770.9159" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 13431 NAS-IP-Address = 10.169.33.11 NAS-Identifier = "ap" server inner-tunnel { Thu Dec 8 17:26:25 2011 : Info: (36) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel Thu Dec 8 17:26:25 2011 : Info: (36) group authorize { Thu Dec 8 17:26:25 2011 : Info: (36) - entering group authorize {...} Thu Dec 8 17:26:25 2011 : Info: (36) [chap] = noop Thu Dec 8 17:26:25 2011 : Info: (36) [mschap] = noop Thu Dec 8 17:26:25 2011 : Info: (36) suffix : No '@' in User-Name = "user", looking up realm NULL Thu Dec 8 17:26:25 2011 : Info: (36) suffix : No such realm "NULL" Thu Dec 8 17:26:25 2011 : Info: (36) [suffix] = noop Thu Dec 8 17:26:25 2011 : Info: (36) update control { Thu Dec 8 17:26:25 2011 : Info: (36) } # update control = noop Thu Dec 8 17:26:25 2011 : Info: (36) eap : EAP packet type response id 11 length 6 Thu Dec 8 17:26:25 2011 : Info: (36) eap : EAP-MSCHAPV2 success, returning short-circuit ok Thu Dec 8 17:26:25 2011 : Info: (36) [eap] = ok Thu Dec 8 17:26:25 2011 : Info: (36) Found Auth-Type = ? Thu Dec 8 17:26:25 2011 : Info: (36) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel Thu Dec 8 17:26:25 2011 : Info: (36) group authenticate { Thu Dec 8 17:26:25 2011 : Info: (36) - entering group authenticate {...} Thu Dec 8 17:26:25 2011 : Info: (36) eap : Request found, released from the list Thu Dec 8 17:26:25 2011 : Info: (36) eap : EAP/mschapv2 Thu Dec 8 17:26:25 2011 : Info: (36) eap : processing type mschapv2 Thu Dec 8 17:26:25 2011 : Info: (36) eap : Freeing handler Thu Dec 8 17:26:25 2011 : Info: (36) [eap] = ok Thu Dec 8 17:26:25 2011 : Auth: (36) Login OK: [user/<via Auth-Type = ?>] (from client 10.169.33.11/24 port 13431 cli 001b.7770.9159 via TLS tunnel) Thu Dec 8 17:26:25 2011 : Info: (36) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel Thu Dec 8 17:26:25 2011 : Info: (36) group post-auth { Thu Dec 8 17:26:25 2011 : Info: (36) - entering group post-auth {...} Thu Dec 8 17:26:25 2011 : Info: (36) sql : expand: %{User-Name} -> user Thu Dec 8 17:26:25 2011 : Info: (36) sql : sql_set_user escaped user --> 'user' Thu Dec 8 17:26:25 2011 : Info: (36) sql : expand: %{User-Password} -> Thu Dec 8 17:26:25 2011 : Info: (36) sql : ... expanding second conditional Thu Dec 8 17:26:25 2011 : Info: (36) sql : expand: %{Chap-Password} -> Thu Dec 8 17:26:25 2011 : Info: (36) sql : expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user', '', 'Access-Accept', '2011-12-08 17:26:25') Thu Dec 8 17:26:25 2011 : Debug: rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user', '', 'Access-Accept', '2011-12-08 17:26:25') Thu Dec 8 17:26:25 2011 : Debug: rlm_sql (sql): Reserved connection (12) Thu Dec 8 17:26:25 2011 : Debug: rlm_sql (sql): Released connection (12) Thu Dec 8 17:26:25 2011 : Info: (36) [sql] = ok Thu Dec 8 17:26:25 2011 : Info: (36) sql_log : Processing sql_log_postauth Thu Dec 8 17:26:25 2011 : Info: (36) sql_log : expand: %{User-Name} -> user Thu Dec 8 17:26:25 2011 : Info: (36) sql_log : expand: %{%{User-Name}:-DEFAULT} -> user Thu Dec 8 17:26:25 2011 : Info: (36) sql_log : sql_set_user escaped user --> 'user' Thu Dec 8 17:26:25 2011 : Info: (36) sql_log : WARNING: Deprecated conditional expansion ":-". See "man unlang" for details Thu Dec 8 17:26:25 2011 : Info: (36) sql_log : ... expanding second conditional Thu Dec 8 17:26:25 2011 : Info: (36) sql_log : expand: Chap-Password -> Chap-Password Thu Dec 8 17:26:25 2011 : Info: (36) sql_log : expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('user', 'Chap-Password', 'Access-Accept', '2011-12-08 17:26:25'); Thu Dec 8 17:26:25 2011 : Info: (36) sql_log : expand: /usr/local/var/log/radius/radacct/sql-relay -> /usr/local/var/log/radius/radacct/sql-relay Thu Dec 8 17:26:25 2011 : Info: (36) [sql_log] = ok } # server inner-tunnel Thu Dec 8 17:26:25 2011 : Info: (36) peap : Got tunneled reply code 2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x4b950af2af95357660e7b7cd0d70c4ee MS-MPPE-Recv-Key = 0xe041e091013829024563e0c64a2a8b3e EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "user" Thu Dec 8 17:26:25 2011 : Info: (36) peap : Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x4b950af2af95357660e7b7cd0d70c4ee MS-MPPE-Recv-Key = 0xe041e091013829024563e0c64a2a8b3e EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "user" Thu Dec 8 17:26:25 2011 : Info: (36) peap : Tunneled authentication was successful. Thu Dec 8 17:26:25 2011 : Info: (36) peap : SUCCESS Thu Dec 8 17:26:25 2011 : Info: (36) peap : Saving tunneled attributes for later Thu Dec 8 17:26:25 2011 : Info: (36) [eap] = handled Sending Access-Challenge of id 104 to 10.169.33.11 port 1645 EAP-Message = 0x010c00261900170301001b6149c2683fad2144473d4eb64a84d8bb311c1da55a06ac23ef2f1c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x526a475d5b665e1a09ba39034fe381ca Thu Dec 8 17:26:25 2011 : Info: (36) Finished request 36. rad_recv: Access-Request packet from host 10.169.33.11 port 1645, id=105, length=168 User-Name = "user" Framed-MTU = 1400 Called-Station-Id = "0013.1a08.9340" Calling-Station-Id = "001b.7770.9159" Service-Type = Login-User Message-Authenticator = 0xf57cb17ca4c07354856cdc1443089a6a EAP-Message = 0x020c00261900170301001befdfaf794c7809b50b1718d07d1b237ae93b9c5c6c9a330aa0202c NAS-Port-Type = Wireless-802.11 NAS-Port = 13431 State = 0x526a475d5b665e1a09ba39034fe381ca NAS-IP-Address = 10.169.33.11 NAS-Identifier = "ap" Thu Dec 8 17:26:25 2011 : Info: (37) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default Thu Dec 8 17:26:25 2011 : Info: (37) group authorize { Thu Dec 8 17:26:25 2011 : Info: (37) - entering group authorize {...} Thu Dec 8 17:26:25 2011 : Info: (37) [preprocess] = ok Thu Dec 8 17:26:25 2011 : Info: (37) [chap] = noop Thu Dec 8 17:26:25 2011 : Info: (37) [mschap] = noop Thu Dec 8 17:26:25 2011 : Info: (37) [digest] = noop Thu Dec 8 17:26:25 2011 : Info: (37) suffix : No '@' in User-Name = "user", looking up realm NULL Thu Dec 8 17:26:25 2011 : Info: (37) suffix : No such realm "NULL" Thu Dec 8 17:26:25 2011 : Info: (37) [suffix] = noop Thu Dec 8 17:26:25 2011 : Info: (37) eap : EAP packet type response id 12 length 38 Thu Dec 8 17:26:25 2011 : Info: (37) eap : Continuing tunnel setup. Thu Dec 8 17:26:25 2011 : Info: (37) [eap] = ok Thu Dec 8 17:26:25 2011 : Info: (37) Found Auth-Type = ? Thu Dec 8 17:26:25 2011 : Info: (37) # Executing group from file /usr/local/etc/raddb/sites-enabled/default Thu Dec 8 17:26:25 2011 : Info: (37) group authenticate { Thu Dec 8 17:26:25 2011 : Info: (37) - entering group authenticate {...} Thu Dec 8 17:26:25 2011 : Info: (37) eap : Request found, released from the list Thu Dec 8 17:26:25 2011 : Info: (37) eap : EAP/peap Thu Dec 8 17:26:25 2011 : Info: (37) eap : processing type peap Thu Dec 8 17:26:25 2011 : Info: (37) peap : processing EAP-TLS Thu Dec 8 17:26:25 2011 : Info: (37) peap : eaptls_verify returned 7 Thu Dec 8 17:26:25 2011 : Info: (37) peap : Done initial handshake Thu Dec 8 17:26:25 2011 : Info: (37) peap : eaptls_process returned 7 Thu Dec 8 17:26:25 2011 : Info: (37) peap : FR_TLS_OK Thu Dec 8 17:26:25 2011 : Info: (37) peap : Session established. Decoding tunneled attributes. Thu Dec 8 17:26:25 2011 : Info: (37) peap : Peap state send tlv success Thu Dec 8 17:26:25 2011 : Info: (37) peap : Received EAP-TLV response. Thu Dec 8 17:26:25 2011 : Info: (37) peap : Success Thu Dec 8 17:26:25 2011 : Info: (37) peap : Using saved attributes from the original Access-Accept User-Name = "user" Thu Dec 8 17:26:25 2011 : Info: (37) eap : Freeing handler Thu Dec 8 17:26:25 2011 : Info: (37) [eap] = ok Thu Dec 8 17:26:25 2011 : Auth: (37) Login OK: [user/<via Auth-Type = ?>] (from client 10.169.33.11/24 port 13431 cli 001b.7770.9159) Thu Dec 8 17:26:25 2011 : Info: (37) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default Thu Dec 8 17:26:25 2011 : Info: (37) group post-auth { Thu Dec 8 17:26:25 2011 : Info: (37) - entering group post-auth {...} Thu Dec 8 17:26:25 2011 : Info: (37) sql : expand: %{User-Name} -> user Thu Dec 8 17:26:25 2011 : Info: (37) sql : sql_set_user escaped user --> 'user' Thu Dec 8 17:26:25 2011 : Info: (37) sql : expand: %{User-Password} -> Thu Dec 8 17:26:25 2011 : Info: (37) sql : ... expanding second conditional Thu Dec 8 17:26:25 2011 : Info: (37) sql : expand: %{Chap-Password} -> Thu Dec 8 17:26:25 2011 : Info: (37) sql : expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user', '', 'Access-Accept', '2011-12-08 17:26:25') Thu Dec 8 17:26:25 2011 : Debug: rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user', '', 'Access-Accept', '2011-12-08 17:26:25') Thu Dec 8 17:26:25 2011 : Debug: rlm_sql (sql): Reserved connection (12) Thu Dec 8 17:26:25 2011 : Debug: rlm_sql (sql): Released connection (12) Thu Dec 8 17:26:25 2011 : Info: (37) [sql] = ok Thu Dec 8 17:26:25 2011 : Info: (37) sql_log : Processing sql_log_postauth Thu Dec 8 17:26:25 2011 : Info: (37) sql_log : expand: %{User-Name} -> user Thu Dec 8 17:26:25 2011 : Info: (37) sql_log : expand: %{%{User-Name}:-DEFAULT} -> user Thu Dec 8 17:26:25 2011 : Info: (37) sql_log : sql_set_user escaped user --> 'user' Thu Dec 8 17:26:25 2011 : Info: (37) sql_log : WARNING: Deprecated conditional expansion ":-". See "man unlang" for details Thu Dec 8 17:26:25 2011 : Info: (37) sql_log : ... expanding second conditional Thu Dec 8 17:26:25 2011 : Info: (37) sql_log : expand: Chap-Password -> Chap-Password Thu Dec 8 17:26:25 2011 : Info: (37) sql_log : expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('user', 'Chap-Password', 'Access-Accept', '2011-12-08 17:26:25'); Thu Dec 8 17:26:25 2011 : Info: (37) sql_log : expand: /usr/local/var/log/radius/radacct/sql-relay -> /usr/local/var/log/radius/radacct/sql-relay Thu Dec 8 17:26:25 2011 : Info: (37) [sql_log] = ok Thu Dec 8 17:26:25 2011 : Info: (37) [exec] = noop Thu Dec 8 17:26:25 2011 : Info: (37) policy remove_reply_message_if_eap { Thu Dec 8 17:26:25 2011 : Info: (37) - entering policy remove_reply_message_if_eap {...} Thu Dec 8 17:26:25 2011 : Info: (37) ? if (reply:EAP-Message && reply:Reply-Message) Thu Dec 8 17:26:25 2011 : Info: (37) ? Evaluating (reply:EAP-Message ) -> TRUE Thu Dec 8 17:26:25 2011 : Info: (37) ? Evaluating (reply:Reply-Message) -> FALSE Thu Dec 8 17:26:25 2011 : Info: (37) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE Thu Dec 8 17:26:25 2011 : Info: (37) else else { Thu Dec 8 17:26:25 2011 : Info: (37) - entering else else {...} Thu Dec 8 17:26:25 2011 : Info: (37) [noop] = noop Thu Dec 8 17:26:25 2011 : Info: (37) - else else returns noop Thu Dec 8 17:26:25 2011 : Info: (37) - policy remove_reply_message_if_eap returns noop Sending Access-Accept of id 105 to 10.169.33.11 port 1645 User-Name = "user" MS-MPPE-Recv-Key = 0xb6ad8feb9e726faf3476818bb97ba4617babe493ae3317f8f51d5fe7560d676b MS-MPPE-Send-Key = 0x1b7714f349209231ebf5846bdb4b41398434d9e013c6ea05b162b9a8220eef32 EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 Thu Dec 8 17:26:25 2011 : Info: (37) Finished request 37. rad_recv: Accounting-Request packet from host 10.169.33.11 port 1646, id=172, length=224 Acct-Session-Id = "000033C8" Called-Station-Id = "0013.1a08.9340" Calling-Station-Id = "001b.7770.9159" Cisco-AVPair = "ssid=HAYATT" Cisco-AVPair = "vlan-id=55" Cisco-AVPair = "nas-location=unspecified" User-Name = "user" Cisco-AVPair = "connect-progress=Call Up" Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "13431" NAS-Port = 13431 Service-Type = Framed-User NAS-IP-Address = 10.169.33.11 Acct-Delay-Time = 0 Thu Dec 8 17:26:25 2011 : Info: (38) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default Thu Dec 8 17:26:25 2011 : Info: (38) group preacct { Thu Dec 8 17:26:25 2011 : Info: (38) - entering group preacct {...} Thu Dec 8 17:26:25 2011 : Info: (38) [preprocess] = ok Thu Dec 8 17:26:25 2011 : Info: (38) policy acct_unique { Thu Dec 8 17:26:25 2011 : Info: (38) - entering policy acct_unique {...} Thu Dec 8 17:26:25 2011 : Info: (38) ? if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) Thu Dec 8 17:26:25 2011 : Info: (38) expand: %{string:Class} -> Thu Dec 8 17:26:25 2011 : Info: (38) ? Evaluating ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE Thu Dec 8 17:26:25 2011 : Info: (38) ? if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE Thu Dec 8 17:26:25 2011 : Info: (38) else else { Thu Dec 8 17:26:25 2011 : Info: (38) - entering else else {...} Thu Dec 8 17:26:25 2011 : Info: (38) update request { Thu Dec 8 17:26:25 2011 : Info: (38) expand: %{User-Name}%{Acct-Session-ID}%{NAS-IP-Address}%{NAS-Port-ID:}%{NAS-Port} -> user000033C810.169.33.1113431 Thu Dec 8 17:26:25 2011 : Info: (38) expand: %{md5:%{User-Name}%{Acct-Session-ID}%{NAS-IP-Address}%{NAS-Port-ID:}%{NAS-Port}} -> df4dee5fb72121b17bd275a4d64782c6 Thu Dec 8 17:26:25 2011 : Info: (38) } # update request = ok Thu Dec 8 17:26:25 2011 : Info: (38) - else else returns ok Thu Dec 8 17:26:25 2011 : Info: (38) - policy acct_unique returns ok Thu Dec 8 17:26:25 2011 : Info: (38) suffix : No '@' in User-Name = "user", looking up realm NULL Thu Dec 8 17:26:25 2011 : Info: (38) suffix : No such realm "NULL" Thu Dec 8 17:26:25 2011 : Info: (38) [suffix] = noop Thu Dec 8 17:26:25 2011 : Info: (38) [files] = noop Thu Dec 8 17:26:25 2011 : Info: (38) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default Thu Dec 8 17:26:25 2011 : Info: (38) group accounting { Thu Dec 8 17:26:25 2011 : Info: (38) - entering group accounting {...} Thu Dec 8 17:26:25 2011 : Info: (38) detail : expand: %{Packet-Src-IP-Address} -> 10.169.33.11 Thu Dec 8 17:26:25 2011 : Info: (38) detail : expand: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.169.33.11/detail-20111208 Thu Dec 8 17:26:25 2011 : Info: (38) detail : /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.169.33.11/detail-20111208 Thu Dec 8 17:26:25 2011 : Info: (38) detail : expand: %t -> Thu Dec 8 17:26:25 2011 Thu Dec 8 17:26:25 2011 : Info: (38) [detail] = ok Thu Dec 8 17:26:25 2011 : Info: (38) [unix] = ok Thu Dec 8 17:26:25 2011 : Info: (38) radutmp : expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp Thu Dec 8 17:26:25 2011 : Info: (38) radutmp : expand: %{User-Name} -> user Thu Dec 8 17:26:25 2011 : Info: (38) [radutmp] = ok Thu Dec 8 17:26:25 2011 : Info: (38) sql : expand: %{User-Name} -> user Thu Dec 8 17:26:25 2011 : Info: (38) sql : sql_set_user escaped user --> 'user' Thu Dec 8 17:26:25 2011 : Info: (38) sql : expand: %{Acct-Delay-Time} -> 0 Thu Dec 8 17:26:25 2011 : Info: (38) sql : expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}') -> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('000033C8', 'df4dee5fb72121b17bd275a4d64782c6', 'user', '', '10.169.33.11', '13431', 'Wireless-802.11', '2011-12-08 17:26:25', NULL, '0', 'RADIUS', '', '', '0', '0', '0013.1a08.9340', '001b.7770.9159', '', 'Framed-User', '', '', '0', '0', '') Thu Dec 8 17:26:25 2011 : Debug: rlm_sql (sql): Reserved connection (12) Thu Dec 8 17:26:25 2011 : Debug: rlm_sql (sql): Released connection (12) Thu Dec 8 17:26:25 2011 : Info: (38) [sql] = ok Thu Dec 8 17:26:25 2011 : Info: (38) sql_log : Processing sql_log_accounting Thu Dec 8 17:26:25 2011 : Info: (38) sql_log : expand: %{User-Name} -> user Thu Dec 8 17:26:25 2011 : Info: (38) sql_log : expand: %{%{User-Name}:-DEFAULT} -> user Thu Dec 8 17:26:25 2011 : Info: (38) sql_log : sql_set_user escaped user --> 'user' Thu Dec 8 17:26:25 2011 : Info: (38) sql_log : expand: INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause) VALUES ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', '%{Framed-IP-Address}', '%S', '0', '0', ''); -> INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause) VALUES ('000033C8', 'user', '10.169.33.11', '', '2011-12-08 17:26:25', '0', '0', ''); Thu Dec 8 17:26:25 2011 : Info: (38) sql_log : expand: /usr/local/var/log/radius/radacct/sql-relay -> /usr/local/var/log/radius/radacct/sql-relay Thu Dec 8 17:26:25 2011 : Info: (38) [sql_log] = ok Thu Dec 8 17:26:25 2011 : Info: (38) [exec] = noop Thu Dec 8 17:26:25 2011 : Info: (38) attr_filter.accounting_response : expand: %{User-Name} -> user Thu Dec 8 17:26:25 2011 : Info: (38) attr_filter.accounting_response : Matched entry DEFAULT at line 12 Thu Dec 8 17:26:25 2011 : Info: (38) [attr_filter.accounting_response] = updated Sending Accounting-Response of id 172 to 10.169.33.11 port 1646 Thu Dec 8 17:26:25 2011 : Info: (38) Finished request 38. Thu Dec 8 17:26:26 2011 : Debug: Waking up in 0.2 seconds. Thu Dec 8 17:26:26 2011 : Info: (38) Cleaning up request packet ID 172 with timestamp +765 Thu Dec 8 17:26:26 2011 : Debug: Waking up in 3.9 seconds. Thu Dec 8 17:26:30 2011 : Info: (27) Cleaning up request packet ID 95 with timestamp +765 Thu Dec 8 17:26:30 2011 : Info: (28) Cleaning up request packet ID 96 with timestamp +765 Thu Dec 8 17:26:30 2011 : Info: (29) Cleaning up request packet ID 97 with timestamp +765 Thu Dec 8 17:26:30 2011 : Info: (30) Cleaning up request packet ID 98 with timestamp +765 Thu Dec 8 17:26:30 2011 : Info: (31) Cleaning up request packet ID 99 with timestamp +765 Thu Dec 8 17:26:30 2011 : Info: (32) Cleaning up request packet ID 100 with timestamp +765 Thu Dec 8 17:26:30 2011 : Info: (33) Cleaning up request packet ID 101 with timestamp +765 Thu Dec 8 17:26:30 2011 : Info: (34) Cleaning up request packet ID 102 with timestamp +765 Thu Dec 8 17:26:30 2011 : Debug: Waking up in 0.3 seconds. Thu Dec 8 17:26:30 2011 : Info: (35) Cleaning up request packet ID 103 with timestamp +765 Thu Dec 8 17:26:30 2011 : Info: (36) Cleaning up request packet ID 104 with timestamp +765 Thu Dec 8 17:26:30 2011 : Debug: Waking up in 0.2 seconds. Thu Dec 8 17:26:30 2011 : Info: (37) Cleaning up request packet ID 105 with timestamp +765 Thu Dec 8 17:26:30 2011 : Info: Ready to process requests. freebsd# radwho Login Name What TTY When From Location user user shell >999 Thu 14:38 10.169.33.11 user user shell >999 Thu 15:03 10.169.33.11 user user shell >999 Thu 17:25 10.169.33.11 user user shell >999 Thu 17:26 10.169.33.11 what can be an issue? thanks -- View this message in context: http://freeradius.1045715.n5.nabble.com/semulteneius-use-with-cisco-nas-tp50... Sent from the FreeRadius - User mailing list archive at Nabble.com.
tolik_shavlovsky@mail.ru wrote:
what can be an issue?
As I said a few days ago: Simultaneous-Use checks are done if the server receives accounting packets, AND a user session is still open, AND that user tries to log in a second time from a different location. The debug log makes it clear that those conditions are NOT met. Alan DeKok.
Alan, i am really not experienced with freeradius and mysql. I made everything with your website. I kindly ask you for help. i made test in the following manner: 1. connect 1st laptop via Ap (NAS) with user/user 2. connect second laptop simult-use feature should block second one, as i understood. from your previuos emailing i understood that acounting is send if we use database, so I configured authentication from mysql. in the debug i see Accounting-Request packet and Accounting-Response. can you describe what is not met?? thanks for help. 09 декабря 2011, 19:50 от "Alan DeKok-2 [via FreeRadius]" <ml-node+s1045715n5062175h16@n5.nabble.com>: [hidden email] wrote:
what can be an issue?
As I said a few days ago: Simultaneous-Use checks are done if the server receives accounting packets, AND a user session is still open, AND that user tries to log in a second time from a different location. The debug log makes it clear that those conditions are NOT met. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ---------------------------------------------------------------------- If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/semulteneius-use-with-cisco-nas-tp50... To unsubscribe from semulteneius-use with cisco nas, click here. NAML -- View this message in context: http://freeradius.1045715.n5.nabble.com/semulteneius-use-with-cisco-nas-tp50... Sent from the FreeRadius - User mailing list archive at Nabble.com.
tolik_shavlovsky@mail.ru wrote:
i am really not experienced with freeradius and mysql. I made everything with your website. I kindly ask you for help.
i made test in the following manner: 1. connect 1st laptop via Ap (NAS) with user/user 2. connect second laptop
simult-use feature should block second one, as i understood.
IF CERTAIN CONDITIONS ARE MET.
from your previuos emailing i understood that acounting is send if we use database, so I configured authentication from mysql.
in the debug i see Accounting-Request packet and Accounting-Response.
can you describe what is not met??
Read doc/Simultaneous-Use, Section 3. It documents what happens for Simultaneous-Use to work. Go check it against the debug output. Run "radwho" after the first login to see if FreeRADIUS has recorded that the user has logged in. If that information isn't recorded, Simultaneous-Use won't work. Don't blame FreeRADIUS. Blame the NAS which is sending useless data. Alan DeKok.
Hi, this is my radwho output for 1st user (last string for 12-12-2011): freebsd# radwho Login Name What TTY When From Location user user shell >999 Thu 14:38 10.169.33.11 user user shell >999 Thu 15:03 10.169.33.11 user user shell >999 Thu 17:25 10.169.33.11 user user shell >999 Thu 17:26 10.169.33.11 user user shell >999 Mon 10:45 10.169.33.11 this is seen from NAS, i cannot add file with prntscrs, but use session is active in NAS. then, i connect 2nd user via same NAS: freebsd# radwho Login Name What TTY When From Location user user shell >999 Thu 14:38 10.169.33.11 user user shell >999 Thu 15:03 10.169.33.11 user user shell >999 Thu 17:25 10.169.33.11 user user shell >999 Thu 17:26 10.169.33.11 user user shell >999 Mon 10:45 10.169.33.11 user user shell >999 Mon 10:50 10.169.33.11 this is seen from NAS, also. so, first user is recorded. I also wanted to add configuration files, but it is not allowed by maillist policy. part of clients.conf: freebsd# cat clients.conf client 10.169.33.11/24 { # require_message_authenticator = no secret = "12345" nastype = "cisco" login = snmp password = public } freeradius server connects via snmp to NAs, i checked with snmpget. so, what can be wrong in my configuration? BR, Anatolii 10 декабря 2011, 05:52 от Alan DeKok <aland@deployingradius.com>:
tolik_shavlovsky@mail.ru wrote:
i am really not experienced with freeradius and mysql. I made everything with your website. I kindly ask you for help.
i made test in the following manner: 1. connect 1st laptop via Ap (NAS) with user/user 2. connect second laptop
simult-use feature should block second one, as i understood.
IF CERTAIN CONDITIONS ARE MET.
from your previuos emailing i understood that acounting is send if we use database, so I configured authentication from mysql.
in the debug i see Accounting-Request packet and Accounting-Response.
can you describe what is not met??
Read doc/Simultaneous-Use, Section 3. It documents what happens for Simultaneous-Use to work.
Go check it against the debug output. Run "radwho" after the first login to see if FreeRADIUS has recorded that the user has logged in.
If that information isn't recorded, Simultaneous-Use won't work. Don't blame FreeRADIUS. Blame the NAS which is sending useless data.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Also, I can add that i checked with sniffter and didn't see that freeradius connects to NAS via snmp. 12 декабря 2011, 13:25 от Толик Шавловский<tolik_shavlovsky@mail.ru>:
Hi,
this is my radwho output for 1st user (last string for 12-12-2011): eradius freebsd# radwho Login Name What TTY When From Location user user shell >999 Thu 14:38 10.169.33.11 user user shell >999 Thu 15:03 10.169.33.11 user user shell >999 Thu 17:25 10.169.33.11 user user shell >999 Thu 17:26 10.169.33.11 user user shell >999 Mon 10:45 10.169.33.11
this is seen from NAS, i cannot add file with prntscrs, but use session is active in NAS.
then, i connect 2nd user via same NAS: freebsd# radwho Login Name What TTY When From Location user user shell >999 Thu 14:38 10.169.33.11 user user shell >999 Thu 15:03 10.169.33.11 user user shell >999 Thu 17:25 10.169.33.11 user user shell >999 Thu 17:26 10.169.33.11 user user shell >999 Mon 10:45 10.169.33.11 user user shell >999 Mon 10:50 10.169.33.11
this is seen from NAS, also. so, first user is recorded.
I also wanted to add configuration files, but it is not allowed by maillist policy.
part of clients.conf: freebsd# cat clients.conf client 10.169.33.11/24 { # require_message_authenticator = no secret = "12345" nastype = "cisco" login = snmp password = public }
freeradius server connects via snmp to NAs, i checked with snmpget.
so, what can be wrong in my configuration?
BR, Anatolii
10 декабря 2011, 05:52 от Alan DeKok <aland@deployingradius.com>:
tolik_shavlovsky@mail.ru wrote:
i am really not experienced with freeradius and mysql. I made everything with your website. I kindly ask you for help.
i made test in the following manner: 1. connect 1st laptop via Ap (NAS) with user/user 2. connect second laptop
simult-use feature should block second one, as i understood.
IF CERTAIN CONDITIONS ARE MET.
from your previuos emailing i understood that acounting is send if we use database, so I configured authentication from mysql.
in the debug i see Accounting-Request packet and Accounting-Response.
can you describe what is not met??
Read doc/Simultaneous-Use, Section 3. It documents what happens for Simultaneous-Use to work.
Go check it against the debug output. Run "radwho" after the first login to see if FreeRADIUS has recorded that the user has logged in.
If that information isn't recorded, Simultaneous-Use won't work. Don't blame FreeRADIUS. Blame the NAS which is sending useless data.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dear all, can u help me with the problem?? 12 декабря 2011, 13:32 от Толик Шавловский<tolik_shavlovsky@mail.ru>:
Also, I can add that i checked with sniffter and didn't see that freeradius connects to NAS via snmp.
12 декабря 2011, 13:25 от Толик Шавловский<tolik_shavlovsky@mail.ru>:
Hi,
this is my radwho output for 1st user (last string for 12-12-2011): eradius freebsd# radwho Login Name What TTY When From Location user user shell >999 Thu 14:38 10.169.33.11 user user shell >999 Thu 15:03 10.169.33.11 user user shell >999 Thu 17:25 10.169.33.11 user user shell >999 Thu 17:26 10.169.33.11 user user shell >999 Mon 10:45 10.169.33.11
this is seen from NAS, i cannot add file with prntscrs, but use session is active in NAS.
then, i connect 2nd user via same NAS: freebsd# radwho Login Name What TTY When From Location user user shell >999 Thu 14:38 10.169.33.11 user user shell >999 Thu 15:03 10.169.33.11 user user shell >999 Thu 17:25 10.169.33.11 user user shell >999 Thu 17:26 10.169.33.11 user user shell >999 Mon 10:45 10.169.33.11 user user shell >999 Mon 10:50 10.169.33.11
this is seen from NAS, also. so, first user is recorded.
I also wanted to add configuration files, but it is not allowed by maillist policy.
part of clients.conf: freebsd# cat clients.conf client 10.169.33.11/24 { # require_message_authenticator = no secret = "12345" nastype = "cisco" login = snmp password = public }
freeradius server connects via snmp to NAs, i checked with snmpget.
so, what can be wrong in my configuration?
BR, Anatolii
10 декабря 2011, 05:52 от Alan DeKok <aland@deployingradius.com>:
tolik_shavlovsky@mail.ru wrote:
i am really not experienced with freeradius and mysql. I made everything with your website. I kindly ask you for help.
i made test in the following manner: 1. connect 1st laptop via Ap (NAS) with user/user 2. connect second laptop
simult-use feature should block second one, as i understood.
IF CERTAIN CONDITIONS ARE MET.
from your previuos emailing i understood that acounting is send if we use database, so I configured authentication from mysql.
in the debug i see Accounting-Request packet and Accounting-Response.
can you describe what is not met??
Read doc/Simultaneous-Use, Section 3. It documents what happens for Simultaneous-Use to work.
Go check it against the debug output. Run "radwho" after the first login to see if FreeRADIUS has recorded that the user has logged in.
If that information isn't recorded, Simultaneous-Use won't work. Don't blame FreeRADIUS. Blame the NAS which is sending useless data.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2011/12/12 Толик Шавловский <tolik_shavlovsky@mail.ru>:
Dear all,
can u help me with the problem??
(Hmmm ,,, I thought I wrote about this many times already?) There are two ways to have simultaneous limit working. First one, radutmp (+ checkrad). I've never used this. You might find more info in the docs and source code though. Did you read doc/Simultaneous-Use? Second one, use SQL: - enable sql in accounting section of sites-available/default - enable sql in session section of sites-available/default (and sites-available/inner-tunnel, if you use EAP) - uncomment simul_count_query in sql/*/dialup.conf First method does NOT need sql for accounting. Likewise, second method does NOT need checkrad or any kind of access (snmp or whatever) to the NAS. Looks like you're mixing both. -- Fajar
Hi Fajar, i made everything from: - enable sql in accounting section of sites-available/default - enable sql in session section of sites-available/default (and sites-available/inner-tunnel, if you use EAP) - uncomment simul_count_query in sql /*/ dialup.conf but it doesn't work(( 13 декабря 2011, 09:09 от "Fajar A. Nugraha-2 [via FreeRadius]" <ml-node+s1045715n5070360h51@n5.nabble.com>: 2011/12/12 Толик Шавловский <[hidden email]>:
Dear all,
can u help me with the problem??
(Hmmm ,,, I thought I wrote about this many times already?) There are two ways to have simultaneous limit working. First one, radutmp (+ checkrad). I've never used this. You might find more info in the docs and source code though. Did you read doc/Simultaneous-Use? Second one, use SQL: - enable sql in accounting section of sites-available/default - enable sql in session section of sites-available/default (and sites-available/inner-tunnel, if you use EAP) - uncomment simul_count_query in sql /*/ dialup.conf First method does NOT need sql for accounting. Likewise, second method does NOT need checkrad or any kind of access (snmp or whatever) to the NAS. Looks like you're mixing both. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ---------------------------------------------------------------------- If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/semulteneius-use-with-cisco-nas-tp50... To unsubscribe from semulteneius-use with cisco nas, click here. NAML -- View this message in context: http://freeradius.1045715.n5.nabble.com/semulteneius-use-with-cisco-nas-tp50... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Wed, Dec 14, 2011 at 3:34 PM, tolik_shavlovsky@mail.ru <tolik_shavlovsky@mail.ru> wrote:
Hi Fajar,
i made everything from:
- enable sql in accounting section of sites-available/default - enable sql in session section of sites-available/default (and sites-available/inner-tunnel, if you use EAP) - uncomment simul_count_query in sql /*/ dialup.conf
but it doesn't work((
What does the debug log say? DId you still have Simultaneous-Use := 1 in radcheck for that user? Your last debug log doesn't mention anything about sql in session section. It should have something like this: # Executing section session from file /etc/freeradius/sites-enabled/default +- entering group session {...} [sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' [sql] expand: SELECT COUNT(*) #FROM radacct #WHERE username = '%{SQL-User-Name}' #AND acctstoptime IS NULL -> SELECT COUNT(*) #FROM radacct #WHERE username = 'testuser' #AND acctstoptime IS NULL ... and so on -- Fajar
Dear Fajar, here is the debug: ================= rad_recv: Access-Request packet from host 10.169.33.11 port 1645, id=242, length=168 User-Name = "user" Framed-MTU = 1400 Called-Station-Id = "0013.1a08.9340" Calling-Station-Id = "001b.7770.9159" Service-Type = Login-User Message-Authenticator = 0x1b9f8a18ab599eb355a6b95009ad3876 EAP-Message = 0x020c00261900170301001bb38d66eaaca02000d41d031c3b819c732c2073d8ae808cdf61d43a NAS-Port-Type = Wireless-802.11 NAS-Port = 13495 State = 0xc9003ff4c00c263b902065cf0bcf43fd NAS-IP-Address = 10.169.33.11 NAS-Identifier = "ap" (49) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (49) group authorize { (49) - entering group authorize {...} (49) [preprocess] = ok (49) [chap] = noop (49) [mschap] = noop (49) [digest] = noop (49) suffix : No '@' in User-Name = "user", looking up realm NULL (49) suffix : No such realm "NULL" (49) [suffix] = noop (49) eap : EAP packet type response id 12 length 38 (49) eap : Continuing tunnel setup. (49) [eap] = ok (49) Found Auth-Type = ? (49) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (49) group authenticate { (49) - entering group authenticate {...} (49) eap : Request found, released from the list (49) eap : EAP/peap (49) eap : processing type peap (49) peap : processing EAP-TLS (49) peap : eaptls_verify returned 7 (49) peap : Done initial handshake (49) peap : eaptls_process returned 7 (49) peap : FR_TLS_OK (49) peap : Session established. Decoding tunneled attributes. (49) peap : Peap state send tlv success (49) peap : Received EAP-TLV response. (49) peap : Success (49) peap : Using saved attributes from the original Access-Accept User-Name = "user" (49) eap : Freeing handler (49) [eap] = ok (49) Login OK: [user/<via Auth-Type = ?>] (from client 10.169.33.11/24 port 13495 cli 001b.7770.9159) (49) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (49) group post-auth { (49) - entering group post-auth {...} (49) sql : expand: %{User-Name} -> user (49) sql : sql_set_user escaped user --> 'user' (49) sql : expand: %{User-Password} -> (49) sql : ... expanding second conditional (49) sql : expand: %{Chap-Password} -> (49) sql : expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user', '', 'Access-Accept', '2011-12-14 10:59:49') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user', '', 'Access-Accept', '2011-12-14 10:59:49') rlm_sql (sql): Reserved connection (12) rlm_sql (sql): Released connection (12) (49) [sql] = ok (49) sql_log : Processing sql_log_postauth (49) sql_log : expand: %{User-Name} -> user (49) sql_log : expand: %{%{User-Name}:-DEFAULT} -> user (49) sql_log : sql_set_user escaped user --> 'user' (49) sql_log : WARNING: Deprecated conditional expansion ":-". See "man unlang" for details (49) sql_log : ... expanding second conditional (49) sql_log : expand: Chap-Password -> Chap-Password (49) sql_log : expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('user', 'Chap-Password', 'Access-Accept', '2011-12-14 10:59:49'); (49) sql_log : expand: /usr/local/var/log/radius/radacct/sql-relay -> /usr/local/var/log/radius/radacct/sql-relay (49) [sql_log] = ok (49) [exec] = noop (49) policy remove_reply_message_if_eap { (49) - entering policy remove_reply_message_if_eap {...} (49) ? if (reply:EAP-Message && reply:Reply-Message) (49) ? Evaluating (reply:EAP-Message ) -> TRUE (49) ? Evaluating (reply:Reply-Message) -> FALSE (49) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (49) else else { (49) - entering else else {...} (49) [noop] = noop (49) - else else returns noop (49) - policy remove_reply_message_if_eap returns noop Sending Access-Accept of id 242 to 10.169.33.11 port 1645 User-Name = "user" MS-MPPE-Recv-Key = 0xffb3f4f01af8ea5b71cfe309205a5436aad8c57caf0cf40d6b37fbd193df34f6 MS-MPPE-Send-Key = 0x500ebf88f7a74a9095d357c31ac48010e62b655ebd53573d2d418a1e1332c732 EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 (49) Finished request 49. Waking up in 0.1 seconds. rad_recv: Accounting-Request packet from host 10.169.33.11 port 1646, id=204, length=224 Acct-Session-Id = "00003414" Called-Station-Id = "0013.1a08.9340" Calling-Station-Id = "001b.7770.9159" Cisco-AVPair = "ssid=HAYATT" Cisco-AVPair = "vlan-id=55" Cisco-AVPair = "nas-location=unspecified" User-Name = "user" Cisco-AVPair = "connect-progress=Call Up" Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "13495" NAS-Port = 13495 Service-Type = Framed-User NAS-IP-Address = 10.169.33.11 Acct-Delay-Time = 0 (50) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default (50) group preacct { (50) - entering group preacct {...} (50) [preprocess] = ok (50) policy acct_unique { (50) - entering policy acct_unique {...} (50) ? if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) (50) expand: %{string:Class} -> (50) ? Evaluating ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE (50) ? if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE (50) else else { (50) - entering else else {...} (50) update request { (50) expand: %{User-Name}%{Acct-Session-ID}%{NAS-IP-Address}%{NAS-Port-ID:}%{NAS-Port} -> user0000341410.169.33.1113495 (50) expand: %{md5:%{User-Name}%{Acct-Session-ID}%{NAS-IP-Address}%{NAS-Port-ID:}%{NAS-Port}} -> 15f0e8167a1f7da83d358d77ecdc4f3e (50) } # update request = ok (50) - else else returns ok (50) - policy acct_unique returns ok (50) suffix : No '@' in User-Name = "user", looking up realm NULL (50) suffix : No such realm "NULL" (50) [suffix] = noop (50) [files] = noop (50) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default (50) group accounting { (50) - entering group accounting {...} (50) detail : expand: %{Packet-Src-IP-Address} -> 10.169.33.11 (50) detail : expand: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.169.33.11/detail-20111214 (50) detail : /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.169.33.11/detail-20111214 (50) detail : expand: %t -> Wed Dec 14 10:59:49 2011 (50) [detail] = ok (50) [unix] = ok (50) radutmp : expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp (50) radutmp : expand: %{User-Name} -> user (50) [radutmp] = ok (50) sql : expand: %{User-Name} -> user (50) sql : sql_set_user escaped user --> 'user' (50) sql : expand: %{Acct-Delay-Time} -> 0 (50) sql : expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause,servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}') -> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('00003414', '15f0e8167a1f7da83d358d77ecdc4f3e', 'user', '', '10.169.33.11', '13495', 'Wireless-802.11', '2011-12-14 10:59:49', NULL, '0', 'RADIUS', '', '', '0', '0', '0013.1a08.9340', '001b.7770.9159', '', 'Framed-User', '', '', '0', '0', '') rlm_sql (sql): Reserved connection (12) rlm_sql (sql): Released connection (12) (50) [sql] = ok (50) sql_log : Processing sql_log_accounting (50) sql_log : expand: %{User-Name} -> user (50) sql_log : expand: %{%{User-Name}:-DEFAULT} -> user (50) sql_log : sql_set_user escaped user --> 'user' (50) sql_log : expand: INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause) VALUES ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', '%{Framed-IP-Address}', '%S', '0', '0', ''); -> INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause) VALUES ('00003414', 'user', '10.169.33.11', '', '2011-12-14 10:59:49', '0', '0', ''); (50) sql_log : expand: /usr/local/var/log/radius/radacct/sql-relay -> /usr/local/var/log/radius/radacct/sql-relay (50) [sql_log] = ok (50) [exec] = noop (50) attr_filter.accounting_response : expand: %{User-Name} -> user (50) attr_filter.accounting_response : Matched entry DEFAULT at line 12 (50) [attr_filter.accounting_response] = updated Sending Accounting-Response of id 204 to 10.169.33.11 port 1646 (50) Finished request 50. (50) Cleaning up request packet ID 204 with timestamp +1745 Waking up in 4.4 seconds. (39) Cleaning up request packet ID 232 with timestamp +1745 (40) Cleaning up request packet ID 233 with timestamp +1745 (41) Cleaning up request packet ID 234 with timestamp +1745 (42) Cleaning up request packet ID 235 with timestamp +1745 (43) Cleaning up request packet ID 236 with timestamp +1745 (44) Cleaning up request packet ID 237 with timestamp +1745 (45) Cleaning up request packet ID 238 with timestamp +1745 (46) Cleaning up request packet ID 239 with timestamp +1745 (47) Cleaning up request packet ID 240 with timestamp +1745 (48) Cleaning up request packet ID 241 with timestamp +1745 (49) Cleaning up request packet ID 242 with timestamp +1745 Ready to process requests. ==================================== SQL doesn't SELECT COUNT(*) from radacct. Is this a problem of sql configuration? 14 декабря 2011, 12:47 от "Fajar A. Nugraha" <list@fajar.net>:
On Wed, Dec 14, 2011 at 3:34 PM, tolik_shavlovsky@mail.ru <tolik_shavlovsky@mail.ru> wrote:
Hi Fajar,
i made everything from:
- enable sql in accounting section of sites-available/default - enable sql in session section of sites-available/default (and sites-available/inner-tunnel, if you use EAP) - uncomment simul_count_query in sql /*/ dialup.conf
but it doesn't work((
What does the debug log say? DId you still have Simultaneous-Use := 1 in radcheck for that user?
Your last debug log doesn't mention anything about sql in session section. It should have something like this:
# Executing section session from file /etc/freeradius/sites-enabled/default +- entering group session {...} [sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' [sql] expand: SELECT COUNT(*) #FROM radacct #WHERE username = '%{SQL-User-Name}' #AND acctstoptime IS NULL -> SELECT COUNT(*) #FROM radacct #WHERE username = 'testuser' #AND acctstoptime IS NULL
... and so on
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2011/12/14 Толик Шавловский <tolik_shavlovsky@mail.ru>:
Dear Fajar,
here is the debug:
Why on earth did you cut down the log? As Alan said, you need the output of 'radius -X' - to show what happens when 1 client connects and then tries to connect simultaneously. Your log only show ONE user connecting. And even from that limited log, something is wrong as you don't have any lines that say +- entering group session {...} Did you REALLY do what I said earlier? DId you REALLY have "sql" in "session" section? Some of which can be seen from the complete debug log. But you've cut the beginning. -- Fajar
Толик Шавловский wrote:
SQL doesn't SELECT COUNT(*) from radacct. Is this a problem of sql configuration?
You have been told many, many, times what is necessary for accounting data to be put into SQL. *Weeks* later, you still don't understand. We cannot help you if you refuse to read the response on this list. Stop posting questions. NOW. Instead, go through the list archives, and read all of the responses again. Double-check that you are following instructions. Double-check that you understand what's is going on, and what *needs* to be going on. I'm not saying this for your benefit. You've already made it clear you have no intention of following instructions on this list. I'm saying this so that everyone *else* understands why you will end up being unsubscribed. Alan DeKok.
tolik_shavlovsky@mail.ru wrote:
i made everything from: - enable sql in accounting section of sites-available/default - enable sql in session section of sites-available/default (and sites-available/inner-tunnel, if you use EAP) - uncomment simul_count_query in sql /*/ dialup.conf
but it doesn't work((
The problem is you. I replied *twice* with a description of the requirements for Simultaneous-Use to work. I described what needs to happen. Both times you didn't reply. You MUST (1) understand the process, (2) follow the process, checking the packets && data at each stage. You're not doing that. Instead, you're focussed on configuration. No amount of editing the configuration files will magically make it work. The configuration files are just one step out of many. You are fixated on the configuration files, and are ignoring ALL OF THE OTHER STEPS. I've been on this list for 10 years, and have seen problems like yours many, many, times. My best guess is that in your fanatical dedication to staring at the configuration files, you missed something critical. Until you understand that, everyone here is wasting their time by helping you. If you keep wasting peoples time, I will unsubscribe you. Sorry, but after 10 years of this kind of behavior, list etiquette has now become "follow instructions or go away" Alan DeKok.
Alan, sorry for wasting your time. I said that i am new in FR and I understand that problem is ME. I just asked to indicate what exact is wrong, I supposed that maillist was created for such purposes. Again sorry, for waisting your time. 14 декабря 2011, 13:05 от "Alan DeKok-2 [via FreeRadius]" <ml-node+s1045715n5073936h7@n5.nabble.com>: [hidden email] wrote:
i made everything from: - enable sql in accounting section of sites-available/default - enable sql in session section of sites-available/default (and sites-available/inner-tunnel, if you use EAP) - uncomment simul_count_query in sql /*/ dialup.conf
but it doesn't work((
The problem is you. I replied *twice* with a description of the requirements for Simultaneous-Use to work. I described what needs to happen. Both times you didn't reply. You MUST (1) understand the process, (2) follow the process, checking the packets && data at each stage. You're not doing that. Instead, you're focussed on configuration. No amount of editing the configuration files will magically make it work. The configuration files are just one step out of many. You are fixated on the configuration files, and are ignoring ALL OF THE OTHER STEPS. I've been on this list for 10 years, and have seen problems like yours many, many, times. My best guess is that in your fanatical dedication to staring at the configuration files, you missed something critical. Until you understand that, everyone here is wasting their time by helping you. If you keep wasting peoples time, I will unsubscribe you. Sorry, but after 10 years of this kind of behavior, list etiquette has now become "follow instructions or go away" Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ---------------------------------------------------------------------- If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/semulteneius-use-with-cisco-nas-tp50... To unsubscribe from semulteneius-use with cisco nas, click here. NAML -- View this message in context: http://freeradius.1045715.n5.nabble.com/semulteneius-use-with-cisco-nas-tp50... Sent from the FreeRadius - User mailing list archive at Nabble.com.
tolik_shavlovsky@mail.ru wrote:
I just asked to indicate what exact is wrong, I supposed that maillist was created for such purposes.
The whole point of asking questions is to read the responses. You have not been doing that. The point of mailing lists is to help people who want help. You want to ask questions. You seem to not want any help. Alan DeKok.
I'm not sure why the Simultaneus-use is so hard to setup... 1. turn on sql inside accounting section 2. turn on sql inside session section 3. be sure that NAS works properly (sending Interim-Updates) 4. insert Simultaneus-Use := X (where X is number you want to allow) inside radcheck table.. http://www.serveradminblog.com/2011/12/freeradius-install-howto-4-populating... On 12/14/2011 10:27 AM, Alan DeKok wrote:
tolik_shavlovsky@mail.ru wrote:
I just asked to indicate what exact is wrong, I supposed that maillist was created for such purposes. The whole point of asking questions is to read the responses. You have not been doing that.
The point of mailing lists is to help people who want help.
You want to ask questions. You seem to not want any help.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan DeKok -
Fajar A. Nugraha -
Marinko Tarlać -
tolik_shavlovsky@mail.ru -
Толик Шавловский