Is it possible to set Simultaneous-Use without any SQL/LDAP database ?
Hello, Reading this mailing list late messages (from last October up to now), I noticed most if not all, questions related to Simultaneous-Use setting mentioned some sort of database. 1. Is it possible to set a value for Simultaneous-Use parameter and still define authorized users with a simple file or is it required to use some sort of database (*) ? My target implementation is Debian Stretch with Freeradius 3.0.12. With it, I defined what I call users in a file /etc/freeradius/3.0/mods-config/files/authorize with entries such as : 999_9999 Cleartext-Password := "mysuperpassword" 2. If possible, can set this Simultaneous-Use within this authorize file or shall I use an other file (I'm thinking of /etc/freeradius/3.0/mods-config/files/accounting ? Setting either a value that applies to all or to a specific entry would be fine for me. (*) I'm far from opposing to hold user data in a database but I'm working on controlling guest access to a WiFi network. I suspect I still have several things to learn about the way a WiFi access point and a Radius server interact. So I conviced myself using plain config files is an appropriate first step. Best regards
On Jan 22, 2019, at 12:38 PM, Olivier <oza.4h07@gmail.com> wrote:
Reading this mailing list late messages (from last October up to now), I noticed most if not all, questions related to Simultaneous-Use setting mentioned some sort of database.
The database is for tracking user sessions. Without a database, you can't track user sessions. FreeRADIUS implements a simple database in rlm_radutmp. But it's not recommended. It's simple, and has minimal functionality. If you have 5K users, radutmp is fine. If you have more, use a real database.
1. Is it possible to set a value for Simultaneous-Use parameter and still define authorized users with a simple file or is it required to use some sort of database (*) ?
You don't need a database to *define* users. You need a database to *track* users. You can put users and passwords into LDAP, and then use SQL to store session data. Or, put users into the "files" module, and use "radutmp" to store session data.
My target implementation is Debian Stretch with Freeradius 3.0.12. With it, I defined what I call users in a file /etc/freeradius/3.0/mods-config/files/authorize with entries such as : 999_9999 Cleartext-Password := "mysuperpassword"
2. If possible, can set this Simultaneous-Use within this authorize file
That's what the documentation says to do.
or shall I use an other file (I'm thinking of /etc/freeradius/3.0/mods-config/files/accounting ?
That's for accounting... not authorization. Alan DeKok.
Le mar. 22 janv. 2019 à 18:47, Alan DeKok <aland@deployingradius.com> a écrit :
On Jan 22, 2019, at 12:38 PM, Olivier <oza.4h07@gmail.com> wrote:
Reading this mailing list late messages (from last October up to now), I noticed most if not all, questions related to Simultaneous-Use setting mentioned some sort of database.
The database is for tracking user sessions. Without a database, you can't track user sessions.
FreeRADIUS implements a simple database in rlm_radutmp. But it's not recommended. It's simple, and has minimal functionality.
If you have 5K users, radutmp is fine.
I have up to 200 users, at most. I'm glad to read radutmp is fine for this scale.
If you have more, use a real database.
1. Is it possible to set a value for Simultaneous-Use parameter and still define authorized users with a simple file or is it required to use some sort of database (*) ?
You don't need a database to *define* users. You need a database to *track* users.
You can put users and passwords into LDAP, and then use SQL to store session data. Or, put users into the "files" module, and use "radutmp" to store session data.
My target implementation is Debian Stretch with Freeradius 3.0.12. With it, I defined what I call users in a file /etc/freeradius/3.0/mods-config/files/authorize with entries such as : 999_9999 Cleartext-Password := "mysuperpassword"
2. If possible, can set this Simultaneous-Use within this authorize file
That's what the documentation says to do.
Ok thanks. DEFAULT Simultaneous-Use := 1 Fall-Through = Yes 999_9999 Cleartext-Password := "123456789" Simultaneous-Use := 2 999_8888 Cleartext-Password := "123456789" Is the above /etc/freeradius/3.0/mods-config/files/authorize content setting what I'm after: - allowing 2 simultaneous connections for user 999_9999 - and 1 connection for anybody else If negative what I shall change in it ? (I prefer to ask here as I don't trust yet my capabilty to correctly interpret my further testings)
or shall I use an other file (I'm thinking of /etc/freeradius/3.0/mods-config/files/accounting ?
That's for accounting... not authorization.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, On Wed, Jan 23, 2019 at 06:34:21PM +0100, Olivier wrote:
If you have 5K users, radutmp is fine.
I have up to 200 users, at most. I'm glad to read radutmp is fine for this scale.
Another thing to consider: radutmp depends on the "NAS-Port" parameter of accounting packets to be unique per user per NAS/AP, because the tuple of (NAS-Port, NAS-Id) seems to be the primary key for radutmp. I'm using unifi APs where NAS-Port is always 0. radutmp doesn't work there without a hack (Alan DeKoK suggested setting the NAS-Port to a hash of the user name if it is 0 using unlang). Cheers, HC
@Hans-Christian: Thank you very much for your comment as I'm targeting Unifi AP myself. (I've you contribution in another thread and will reply there) For me there are many reasons why a system backed with a correctly configured Freeradius backend wouldn't behave as expected: - you can have wrong exepectations in the first place, - you can configuration or implementation issues in each involved component. That is the reason why I prefer beby step and focus here on one single question: "is my Freeradius instance correctly set ?". DEFAULT Simultaneous-Use := 1 Fall-Through = Yes 999_9999 Cleartext-Password := "123456789"
From memory or previous experience, would you say the above content to be perfectly correct for limiting one connection per login or did you use something different to configure this Simultaneous-Use parameter ? (at the moment, being able to override default Simultaneous-Use is not a priority)
Thanks in advance Le mer. 23 janv. 2019 à 19:32, Hans-Christian Esperer <hc@hcesperer.org> a écrit :
Hi,
On Wed, Jan 23, 2019 at 06:34:21PM +0100, Olivier wrote:
If you have 5K users, radutmp is fine.
I have up to 200 users, at most. I'm glad to read radutmp is fine for this scale.
Another thing to consider:
radutmp depends on the "NAS-Port" parameter of accounting packets to be unique per user per NAS/AP, because the tuple of (NAS-Port, NAS-Id) seems to be the primary key for radutmp.
I'm using unifi APs where NAS-Port is always 0. radutmp doesn't work there without a hack (Alan DeKoK suggested setting the NAS-Port to a hash of the user name if it is 0 using unlang).
Cheers, HC - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Hans-Christian Esperer -
Olivier