simultaneous use, checkrad, and MPP attempts
Hello, Thanks everyone for the great product that I've relying on for the past several years. I am now seeing a problem I hope someone can help with. I'm using Freeradius-0.9.3 on FreeBSD 5.2.1-REALEASE. We have Freeradius doing strictly dialup authentication. Some of the NAS's querying the radius server are our equipment. Some of the NAS's are equipment we lease from another company and have no access to. We have been successfully using simultaneous checking while using all of our own equipment. However, since leasing equipment we have been getting the following entries in radius.log: Tue Nov 8 23:26:09 2005 : Auth: Multiple logins (max 1) [MPP attempt]: [user1] (from client pa-230-radius0 port 2287 cli async) Tue Nov 8 23:27:17 2005 : Auth: Multiple logins (max 1) [MPP attempt]: [user2] (from client pa-230-radius0 port 2703 cli async) Tue Nov 8 23:32:38 2005 : Auth: Multiple logins (max 1) [MPP attempt]: [user3] (from client pa-230-radius0 port 3699 cli async) The proxy'ing radius servers and NAS's of the other company from whom we lease equipment are unavailable to checkrad. By default shouldn't it be allowing these people on? I looked at the code and it seemed as though it should. I set the nastype to other in clients.conf for these entries and I still see MPP attempts. Finally, I looked at the source of checkrad. I modified the line for "other" nastypes to always return 0, which should be interpreted as no multiple login. The numbers you see to the left are line numbers: 1351 } elsif ($ARGV[0] eq 'other') { 1352 $ret = 0; 1353 } else { Any idea why this isn't behaving how I expect? Is there a more appropriate way I can ensure that users connecting via NAS's and proxy'ing radius servers we lease will never be rejected because of multiple logins? And what is the difference between MPP attempt and regular multiple login? Thank you very much for your time. Chris Carver
Christopher Carver <ccarver@pennswoods.net> wrote:
The proxy'ing radius servers and NAS's of the other company from whom we lease equipment are unavailable to checkrad. By default shouldn't it be allowing these people on?
It depends what you want. The current behavior is to disallow logins, as you found out. It should really be configurable.
Any idea why this isn't behaving how I expect? Is there a more appropriate way I can ensure that users connecting via NAS's and proxy'ing radius servers we lease will never be rejected because of multiple logins?
No, juest edit the code. Alan DeKok.
On Wednesday 09 November 2005 00:35, Christopher Carver wrote:
The proxy'ing radius servers and NAS's of the other company from whom we lease equipment are unavailable to checkrad. By default shouldn't it be allowing these people on? I looked at the code and it seemed as though it should. I set the nastype to other in clients.conf for these entries and I still see MPP attempts. Finally, I looked at the source of checkrad. I modified the line for "other" nastypes to always return 0, which should be interpreted as no multiple login. The numbers you see to the left are line numbers
Chris, Look at the code again. In session.c, the rad_check_ts function is what calls checkrad. If the nastype is empty or "other", checkrad is _never_ called, and the function returns 1 (meaning the user is logged in). We did this simult use bypass by using a nastype called visp, which returns 0 in checkrad. See freeradius bug#166 for a checkrad patch we've been using here which cleans up the code a bit and makes it easier to add new types. Any comments/problems can be posted to the bug. -Kevin
participants (3)
-
Alan DeKok -
Christopher Carver -
Kevin Bonner