Help with Simultaneous Login on Freeradius+Ldap
listasmw at netconsult.inf.br
listasmw at netconsult.inf.br
Fri Dec 15 18:26:27 CET 2006
Hi,
We are using FreeRADIUS 1.1.3 on Fedora Core 6 with the rlm_ldap module,
and we need to control simultaneous logins, e.g. the LDAP user "John" may be
logged in only once at a time.
Users authenticate successfully against LDAP, but we cannot see or monitor
their sessions: the radutmp file stays empty (0 bytes), and when we run the
radwho command it opens but lists nothing.
Could you help me, please?
Regards,
Maicon Wendhausen
FreeRADIUS files
Log directory listing (note both radutmp and radwtmp are 0 bytes):
[root at firedap3 radius]# ls -la
total 24
drwx------ 3 radiusd radiusd 4096 Dec 14 18:21 .
drwxr-xr-x 10 root root 4096 Dec 14 19:06 ..
drwx------ 3 radiusd radiusd 4096 Dec 14 19:55 radacct
-rw------- 1 radiusd root 5357 Dec 14 20:03 radius.log
-rw-r--r-- 1 radiusd root 0 Dec 14 18:21 radutmp
-rw-r--r-- 1 radiusd root 0 Dec 14 18:21 radwtmp
[root at firedap3 radius]#
RADIUS log in debug mode (note: debug output prints User-Password in the clear, as in the trace below; redact it before sharing a trace):
rad_recv: Access-Request packet from host 10.69.70.210:32771, id=87,
length=63
User-Name = "user6"
User-Password = "user6"
NAS-IP-Address = 10.69.70.210
Service-Type = Authenticate-Only
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "user6", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
modcall[authorize]: module "digest" returns noop for request 2
users: Matched entry DEFAULT at line 222
modcall[authorize]: module "files" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user6
radius_xlat: '(uid=user6)'
radius_xlat: 'dc=nct,dc=com,dc=br'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=nct,dc=com,dc=br, with filter (uid=user6)
rlm_ldap: Added password {SSHA}f21M8OjksIKSJ1zUEii6JWKu43tWPRFgsBeiQg== in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user user6 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "user6" with password "user6"
rlm_ldap: user DN: uid=user6,dc=nct,dc=com,dc=br
rlm_ldap: (re)connect to 10.69.70.25:389, authentication 1
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: bind as uid=user6,dc=nct,dc=com,dc=br/user6 to 10.69.70.25:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user user6 authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 2
modcall: leaving group LDAP (returns ok) for request 2
Processing the session section of radiusd.conf
modcall: entering group session for request 2
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: 'user6'
modcall[session]: module "radutmp" returns ok for request 2
modcall: leaving group session (returns ok) for request 2
Login OK: [user6] (from client firepass port 0)
Sending Access-Accept of id 87 to 10.69.70.210 port 32771
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
users file
#......
# Every user inherits Simultaneous-Use := 1 (one concurrent session); the
# debug trace confirms this entry matches ("Matched entry DEFAULT").
# The limit can only be enforced when the session section finds a live entry
# for the user in radutmp, and that file is written by the radutmp instance in
# the accounting section ("For Simultaneous-Use tracking"). No
# Accounting-Request appears in the trace, which is consistent with the empty
# radutmp in the directory listing.
# Fall-Through = 1 lets later entries and the ldap module still add to the
# request after this entry matches.
DEFAULT Simultaneous-Use := 1
Fall-Through = 1
clients.conf file
(default configuration omitted)
# NAS definition for the F5 "firepass" client. The shared secret "teste" is a
# dictionary word: the secret is all that hides User-Password in
# Access-Requests from 10.69.70.210 on the wire, so anyone who can capture
# that traffic can recover user passwords by guessing it offline. Use a long
# random secret (16+ characters) before taking this further. Because
# radiusd.conf binds to every interface (bind_address = *), this client list
# is what limits which hosts may send requests.
client 10.69.70.210 {
secret = teste
shortname = firepass
}
radiusd.conf
# Global server settings (FreeRADIUS 1.1.3 as posted).
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
# radutmp, radwtmp and radius.log live under ${logdir}; see the directory
# listing above (radutmp and radwtmp are both 0 bytes).
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
# Request lifetime / queue limits.
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listens on all interfaces; port = 0 uses the radius ports from /etc/services
# (per the stock configuration). Which hosts may talk to the server is then
# governed only by the clients.conf included below.
bind_address = *
port = 0
hostname_lookups = no
# Keep core dumps disabled: a core of radiusd would contain the client shared
# secrets and the LDAP bind password held in memory.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
# Passwords are not written to radius.log. This does NOT cover "radiusd -X"
# debug output, which prints User-Password in the clear (see "login attempt
# by ... with password ..." in the trace above) - redact traces before sharing.
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
# No user-name / password normalisation.
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
# Script presumably used by the radutmp module when check_with_nas = "yes",
# to confirm with the NAS that a conflicting session is still alive.
checkrad = ${sbindir}/checkrad
# Per-request limits. reject_delay = 1 delays each Access-Reject by a second,
# which slows online password guessing; status_server = yes answers
# Status-Server pings from clients.
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
# Proxying is enabled, but the traced request matched no realm
# (rlm_realm: No such realm "NULL") and was handled locally.
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
# NAS clients and their shared secrets (see clients.conf above).
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
# Worker-thread sizing; max_requests_per_server = 0 means threads are never
# recycled after a fixed number of requests.
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
# Session table read by the session section below and written by the
# accounting section (which the traced NAS never reaches). perm = "0644"
# leaves the file world-readable, so any local account can list who is logged
# in and from which NAS; the detail module below already uses 0600.
# check_with_nas = "yes" means a conflicting radutmp entry is confirmed with
# the NAS (presumably via the global checkrad setting) before a new login is
# rejected, rather than trusting a possibly stale entry.
radutmp {
filename = ${logdir}/radutmp
## username = "(uid=%{Stripped-User-Name:-%{User-Name}})"
username = %{User-Name}
case_sensitive = "yes"
check_with_nas = "yes"
perm = "0644"
callerid = "no"
}
# PAP against crypt(3) hashes. Not exercised by the traced request, which
# ends up with Auth-Type = ldap.
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
#$INCLUDE ${confdir}/eap.conf
# require_strong = no also accepts the weak 40/56-bit MPPE keys; set it to
# yes (128-bit only) unless a legacy client genuinely needs them.
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = no
}
# Directory bind credentials, stored in the clear. The trace shows this
# identity can read userPassword ("{SSHA}..." added to check items), so it
# is a privileged account: replace the trivial password "ged" and keep this
# file readable by root/radiusd only.
# Authentication itself is a bind as the end user to 10.69.70.25:389
# (trace: "bind as uid=user6,..."). Nothing in this module or the trace
# indicates TLS (plain port 389, "could not set LDAP_OPT_X_TLS_REQUIRE_CERT"),
# so the user's cleartext password presumably crosses the network on every
# login - confirm with a capture and enable StartTLS/ldaps for this module
# before production use. Since authentication is by bind, reading
# userPassword is not needed; consider revoking that right from the identity.
# The peer-supplied User-Name is expanded into the search filter; confirm this
# rlm_ldap release escapes LDAP filter metacharacters in the expansion.
ldap {
server="10.69.70.25"
identity="uid=gged,dc=nct,dc=com,dc=br"
password=ged
basedn="dc=nct,dc=com,dc=br"
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
## filter= (uid=gged,dc=nct,dc=com,dc=br)
password_attribute = userPassword
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_cache_timeout = 150
ldap_cache_size = 0
ldap_connections_number = 1
timeout = 3
timelimit = 5
net_timeout = 1
compare_check_items = no
}
# Realm splitting on "@"; this is the instance used in authorize/preacct.
realm suffix {
format = suffix
delimiter = "@"
}
# Defined but not referenced by any section below.
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Only listed in preacct (it is commented out in authorize), so huntgroups and
# hints are applied to accounting requests only.
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = yes
}
# Reads the users file; the trace matched its DEFAULT entry, which sets
# Simultaneous-Use := 1.
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
# Accounting detail, one directory per client IP, readable by radiusd only.
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
# Key used to derive Acct-Unique-Session-Id. (The commented alternative was
# wrapped onto two lines by the mail client; it is a single comment line.)
acct_unique {
#key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
key = "User-Name, Acct-Session-Id, NAS-IP-Address"
}
# Second session table; commented out in the accounting section, so unused.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# Commented out in authorize, so unused as posted.
attr_filter {
attrsfile = ${confdir}/attrs
}
# Commented out in instantiate/authorize/accounting, so unused as posted.
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
# Fixed-result modules; none of them is referenced by a section below.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
# Not referenced by any section. If it is ever enabled, note that
# %{User-Name} - a value chosen by the peer - is expanded into the command
# line that is executed.
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
# Commented out in accounting, so unused as posted.
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
# Modules loaded at startup even though no section calls them directly.
instantiate {
exec
expr
# daily
}
# Order matters: files runs before ldap, so the users-file DEFAULT entry
# (Simultaneous-Use := 1) is applied first and ldap then sets Auth-Type = ldap,
# exactly as the trace shows. attr_filter and preprocess are disabled here.
authorize {
#preprocess
# auth_log
# attr_filter
chap
mschap
suffix
digest
# ntdomain
#eap
# Read the 'users' file
files
ldap
# daily
# checkval
}
# With Auth-Type = ldap set in authorize, only the LDAP sub-section runs for
# the traced request; it authenticates by binding to the directory as the
# user with the User-Password from the request. That requires a cleartext
# password in the request (PAP-style) and sends it to the LDAP server over
# whatever transport the ldap module is configured with - see the note on
# TLS in the module definition.
authenticate {
Auth-Type PAP {
pap
ldap
}
Auth-Type CHAP {
chap
ldap
}
Auth-Type MS-CHAP {
mschap
ldap
}
Auth-Type LDAP {
ldap
}
}
# Pre-processing for Accounting-Requests. The trace contains only an
# Access-Request (Service-Type = Authenticate-Only), so this section did not
# run for the posted session.
preacct {
preprocess
acct_unique
suffix
# Read the 'acct_users' file
#files
}
# This is where radutmp entries are created (Acct-Start) and removed
# (Acct-Stop). The NAS in the trace only sent an Access-Request with
# Service-Type = Authenticate-Only and no Accounting-Request, which is why
# radutmp is still 0 bytes and radwho shows nothing: the NAS must be
# configured to send RADIUS accounting for Simultaneous-Use to have any data
# to work with.
accounting {
detail
# daily
#
# For Simultaneous-Use tracking.
#
radutmp
# sradutmp
# main_pool
}
# Runs on each Access-Request (trace: "entering group session") and checks
# radutmp for an existing session of the same user. It only reads the table;
# with radutmp empty it returns ok every time, so Simultaneous-Use := 1 can
# never reject a second login until accounting fills the file.
session {
radutmp
# sql
}
# Empty: nothing runs after the Access-Accept/Reject decision.
post-auth {
}
# Empty: no processing before a request is proxied to a home server.
pre-proxy {
}
# Empty: no processing of replies returned by a home server.
post-proxy {
}