Hi, I was starting to look at checkrad, and found (based on http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using "other" as the NAS-type will actually check only radutmp instead of looking at the actual NAS. Now, Could someone point me what would be the proper NAS type to use for each of the devices below(or the proper reference document to use)? I'm using the following NASes in my network: Monowall pfSense (3Com) Total Control PopTop (in Linux) What I want to do is to use checkrad as one of the steps to make sure that whoever appears as logged is really logged in, because I'm trying to use Simultaneous-use check, and some of the above (notably monowall) doesn't seem to be clearing properly sometimes. Thank you very much, Roberto Greiner -- ----------------------------------------------------- Marcos Roberto Greiner The optimists believe we are in the best of worlds The pessimists are afraid that this is true Murphy -----------------------------------------------------
On Fri 27 Jul 2007, Roberto Greiner wrote:
Hi,
I was starting to look at checkrad, and found (based on http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using "other" as the NAS-type will actually check only radutmp instead of looking at the actual NAS. Now, Could someone point me what would be the proper NAS type to use for each of the devices below(or the proper reference document to use)? I'm using the following NASes in my network:
Monowall pfSense (3Com) Total Control PopTop (in Linux)
What I want to do is to use checkrad as one of the steps to make sure that whoever appears as logged is really logged in, because I'm trying to use Simultaneous-use check, and some of the above (notably monowall) doesn't seem to be clearing properly sometimes.
As you have already found the docs you know the answer. The 3Com is obviously type "tc". If its not on the list it's "other". However, if you write a patch to support the devices you mention, we would be happy to include it in FreeRADIUS. Cheers -- Peter Nixon http://peternixon.net/
Hi I have freeradius launched and working great on my server, for ADSL authentication, with one NAS, but I am trying to use the same radius with another RAS configured on another DSP, I'm getting always this message: RADIUS, Accounting Request With no reply from my server, even though, in the same time, everything is working great with the other DSP, and if I make radtest locally, I can get on my radius (using radiusd -x) the access request and the reply. I tried to do the same configuration with the other DSP, ignoring the postgresql Flags, and still getting the request but no reply from my side. Any idea?? Thanks Best regards, Elie Hani
Peter Nixon wrote:
On Fri 27 Jul 2007, Roberto Greiner wrote:
Hi,
I was starting to look at checkrad, and found (based on http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using "other" as the NAS-type will actually check only radutmp instead of looking at the actual NAS. Now, Could someone point me what would be the proper NAS type to use for each of the devices below(or the proper reference document to use)? I'm using the following NASes in my network:
Monowall pfSense (3Com) Total Control PopTop (in Linux)
What I want to do is to use checkrad as one of the steps to make sure that whoever appears as logged is really logged in, because I'm trying to use Simultaneous-use check, and some of the above (notably monowall) doesn't seem to be clearing properly sometimes.
As you have already found the docs you know the answer. The 3Com is obviously type "tc". If its not on the list it's "other".
However, if you write a patch to support the devices you mention, we would be happy to include it in FreeRADIUS.
Cheers
I've re-checked the available options, and found that there is one nas type for the Total Control, besides 'tc': "usrhiper". But there are a few errors in the documentation speaking about it (http://www.freeradius.org/radiusd/doc/Simultaneous-Use). The first is the name itself. The page says "usrhyper", when the correct is "usrhiper", with "i" instead of "y". The second is that it says that for that option, the naspasswd file is not used, which is partially correct. It can use naspasswd, and in that case the login name declared must be SNMP, or it will fail. For the other two devices (monowall and poptop), I don't know how to proceed yet, since neither of them returns connected user information through SNMP :-( Thanks, Roberto -- ----------------------------------------------------- Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy -----------------------------------------------------
On 7/27/07, Roberto Greiner <mrgreiner@gmail.com> wrote:
Hi,
I was starting to look at checkrad, and found (based on http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using "other" as the NAS-type will actually check only radutmp instead of looking at the actual NAS. Now, Could someone point me what would be the proper NAS type to use for each of the devices below(or the proper reference document to use)? I'm using the following NASes in my network:
Monowall pfSense (3Com) Total Control PopTop (in Linux)
What I want to do is to use checkrad as one of the steps to make sure that whoever appears as logged is really logged in, because I'm trying to use Simultaneous-use check, and some of the above (notably monowall) doesn't seem to be clearing properly sometimes.
Thank you very much,
Roberto Greiner
--
Hi Robert, As for m0n0wall (and I guess pfsense too), you can also use the "diable concurrent logins" option in the CP setup. This way there will never be simultaneous use from the same nas. Kind Regards, Yves
YvesDM wrote:
Hi Robert,
As for m0n0wall (and I guess pfsense too), you can also use the "diable concurrent logins" option in the CP setup. This way there will never be simultaneous use from the same nas.
Kind Regards, Yves
Yes, I've seen that option, and I actually have it enabled. What I don't like with it, is that instead of blocking a user, it accepts the new session and simply disconnects the session that was active. Anyway, thank you very much, Roberto -- ----------------------------------------------------- Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy -----------------------------------------------------
On 7/30/07, Roberto Greiner <mrgreiner@gmail.com> wrote:
YvesDM wrote:
Hi Robert,
As for m0n0wall (and I guess pfsense too), you can also use the "diable concurrent logins" option in the CP setup. This way there will never be simultaneous use from the same nas.
Kind Regards, Yves
Yes, I've seen that option, and I actually have it enabled. What I don't like with it, is that instead of blocking a user, it accepts the new session and simply disconnects the session that was active.
Anyway, thank you very much,
Roberto
Yes indeed, and that way they will never share their credentials again :-) Anyway if you plan to use simultaneous use on your radius, and have the "re-authenticate every minute" option in monowall enabled, you will need to allow at least 3 (or 2 don't quite remember) sessions or re-authentication will fail and user gets logged out after 1 minute. Kind regards, Yves
YvesDM wrote:
On 7/30/07, *Roberto Greiner* <mrgreiner@gmail.com <mailto:mrgreiner@gmail.com>> wrote:
YvesDM wrote: > Hi Robert, > > > As for m0n0wall (and I guess pfsense too), you can also use the > "diable concurrent logins" option in the CP setup. > This way there will never be simultaneous use from the same nas. > > Kind Regards, > Yves > Yes, I've seen that option, and I actually have it enabled. What I don't like with it, is that instead of blocking a user, it accepts the new session and simply disconnects the session that was active.
Anyway, thank you very much,
Roberto
Yes indeed, and that way they will never share their credentials again :-) Anyway if you plan to use simultaneous use on your radius, and have the "re-authenticate every minute" option in monowall enabled, you will need to allow at least 3 (or 2 don't quite remember) sessions or re-authentication will fail and user gets logged out after 1 minute.
Kind regards, Yves
Yes, I saw that option, but my monowall server has a peak usage of over 200 simultaneous users. Enabling that would put some strain on freeradius (don't need to say, I know it would take it easily), but mostly on monowall. With 200 users we already had to make some modification to make it stay stable. That strain would probably kill it. :-( Thanks anyway, Roberto -- ----------------------------------------------------- Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy -----------------------------------------------------
participants (4)
-
Elie Hani -
Peter Nixon -
Roberto Greiner -
YvesDM