Problems with Simultaneous-Use
jck-freeradius at southwestern.edu
Fri Jul 29 22:14:17 CEST 2005
Hello,
I am having problems with Simultaneous-Use and checkrad. I know that
checkrad is not running because:
grep debug /usr/local/sbin/checkrad
# Config: $debug is the file you want to put debug messages in
#$debug = "";
$debug = "$logdir/checkrad.log";
and:
--
tail -F /var/log/radius/checkrad.log
Fri Jul 29 12:57:30 2005 checkrad
Usage: checkrad nas_type nas_ip nas_port login session_id
--
(nothing new is showing up in the checkrad log file, except for when I
run it by hand)
I have both the Perl SNMP modules installed, along with NET-SNMP (and
the correct syntax for NET used in the checkrad script, even though
it should be using the perl modules first).
I am able to manually use snmpwalk /fine/.
Here is how my SQL table looks:
mysql> select * from radgroupcheck;
+----+------------+------------------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+------------+------------------+----+-------+
| 1 | pirate | Simultaneous-Use | := | 2 |
| 2 | pirate-stu | Simultaneous-Use | := | 2 |
| 3 | pirate-stf | Simultaneous-Use | := | 2 |
| 4 | pirate-fac | Simultaneous-Use | := | 2 |
| 5 | pirate-its | Simultaneous-Use | := | 1 |
+----+------------+------------------+----+-------+
Here are the related sections from my radiusd.conf file:
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead: %{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}
# Whether or not we want to treat "user" the same
# as "USER", or "User". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes
# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes
# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600
# callerid = "yes"
}
#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
radutmp
# sradutmp
#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
sql
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
#radutmp
#
# See "Simultaneous Use Checking Querie" in sql.conf
sql
}
And here is my sql.conf file:
# Simultaneous Use Checking Queries
#######################################################################
# simul_count_query - query for the number of current connections
# - If this is not defined, no simultaneouls use checking
# - will be performed by this module instance
# simul_verify_query - query to return details of current connections for verification
# - Leave blank or commented out to disable verification step
# - Note that the returned field order should not be changed.
#######################################################################
# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
Here is how my radacct table looks:
mysql> select * from radacct order by RadAcctId desc limit 1;
+-----------+---------------+------------------+----------+-------+---------------+-----------+-----------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+--------------------+-------------+----------------+-----------------+----------------+---------------+
| RadAcctId | AcctSessionId | AcctUniqueId | UserName | Realm | NASIPAddress | NASPortId | NASPortType | AcctStartTime | AcctStopTime | AcctSessionTime | AcctAuthentic | ConnectInfo_start | ConnectInfo_stop | AcctInputOctets | AcctOutputOctets | CalledStationId | CallingStationId | AcctTerminateCause | ServiceType | FramedProtocol | FramedIPAddress | AcctStartDelay | AcctStopDelay |
+-----------+---------------+------------------+----------+-------+---------------+-----------+-----------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+--------------------+-------------+----------------+-----------------+----------------+---------------+
| 281 | 0000019F | c91763dbcdfe02cb | johnk | | 192.168.0.49 | 558 | Wireless-802.11 | 2005-07-29 15:03:06 | 0000-00-00 00:00:00 | 0 | RADIUS | | | 0 | 0 | 0014.691e.e9c0 | 000e.35b5.eb8f | | Framed-User | | | 0 | 0 |
+-----------+---------------+------------------+----------+-------+---------------+-----------+-----------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+---------------
hecate:/etc/raddb # tail naspasswd
# WARNING: Always make sure that this file has the "-r------" permission.
# And, don't set the passwords on your other systems to the same
# passwords that can be found below.
#
#
#203.172.90.118 !root TufFseCrET
#203.172.42.152 !root ToTaLCnTl
192.168.0.49
hecate:/etc/raddb # grep 192.168 -A 3 clients.conf
client 192.168.0.49 {
secret = xXxXxXxX
shortname = Aironet1100-johnk
nastype = cisco
The proper accounting configuration lines have been included in my
Cisco AP conf.
My username is part of the pirate-its group; 1 connection allowed. What
I find interesting is that if I connect once:
radwho
Login Name What TTY When From Location
johnk John Koen shell S534 Fri 14:57 192.168.0
...then if I open a second connection (from another machine, at the
same time as the first connection):
radwho
Login Name What TTY When From Location
johnk John Koen shell S535 Fri 14:58 192.168.0
Notice that radutmp seems to forget about the first connection,
and only remember the newest (connection number 2) connection. On
this 2nd connection attempt I should be Rejected instead
of Accepted. I see nothing in the checkrad log of checkrad running.
What else can I try?
--johnk
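To make the check the post is relying on concrete: the added example below (not FreeRADIUS code, and not part of the original message) models what the rlm_sql session step does with the two queries quoted above. It builds constructed, in-memory copies of radgroupcheck and radacct shaped like the ones in the post, plus an assumed usergroup table (the post does not show one) that maps a user to a group, then counts the user's open sessions and compares that count with the group's Simultaneous-Use value. An optional verify hook stands in for the check_with_nas / checkrad step, where sessions the NAS no longer confirms are not counted. MySQL's "AcctStopTime = 0" is written as an explicit comparison against the zero DATETIME string so the query also runs under SQLite.

```python
import sqlite3

# MySQL's zero DATETIME; the post's "AcctStopTime = 0" matches rows holding this value.
ZERO_TIME = "0000-00-00 00:00:00"

# The two queries from the post's sql.conf, parameterised instead of using the
# %{SQL-User-Name} substitution, and with "= 0" spelled out for SQLite.
SIMUL_COUNT_QUERY = (
    "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = ?"
)
SIMUL_VERIFY_QUERY = (
    "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId "
    "FROM radacct WHERE UserName = ? AND AcctStopTime = ?"
)


def build_db():
    """Constructed sample data (not taken from a live server)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE radgroupcheck (id INTEGER, GroupName TEXT, Attribute TEXT,
                                    op TEXT, Value TEXT);
        CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);  -- assumed table
        CREATE TABLE radacct (RadAcctId INTEGER, AcctSessionId TEXT, UserName TEXT,
                              NASIPAddress TEXT, NASPortId TEXT,
                              AcctStartTime TEXT, AcctStopTime TEXT);
        """
    )
    conn.executemany("INSERT INTO radgroupcheck VALUES (?,?,?,?,?)", [
        (1, "pirate", "Simultaneous-Use", ":=", "2"),
        (5, "pirate-its", "Simultaneous-Use", ":=", "1"),
    ])
    conn.executemany("INSERT INTO usergroup VALUES (?,?)", [
        ("johnk", "pirate-its"),
        ("alice", "pirate"),
    ])
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?,?)", [
        # open session (stop time still zero), like row 281 in the post
        (281, "0000019F", "johnk", "192.168.0.49", "558", "2005-07-29 15:03:06", ZERO_TIME),
        (282, "000001A0", "alice", "192.168.0.49", "559", "2005-07-29 15:04:00", ZERO_TIME),
        # closed session: an Accounting Stop has been recorded, so it must not count
        (283, "000001A1", "alice", "192.168.0.49", "560", "2005-07-29 15:05:00",
         "2005-07-29 15:20:00"),
    ])
    return conn


def simultaneous_use_limit(conn, username):
    """Simultaneous-Use check item for the user's group, or None if there is none."""
    row = conn.execute(
        "SELECT c.Value FROM radgroupcheck c JOIN usergroup u ON u.GroupName = c.GroupName "
        "WHERE u.UserName = ? AND c.Attribute = 'Simultaneous-Use'",
        (username,),
    ).fetchone()
    return int(row[0]) if row else None


def open_sessions(conn, username, verify=None):
    """Number of sessions still open for the user.

    Without a verify hook this is simul_count_query. With one, every row of
    simul_verify_query is passed to verify(nas_ip, nas_port, username, session_id),
    and only sessions the NAS confirms are counted (what check_with_nas / checkrad
    does, here as a hypothetical callable).
    """
    if verify is None:
        (count,) = conn.execute(SIMUL_COUNT_QUERY, (username, ZERO_TIME)).fetchone()
        return count
    rows = conn.execute(SIMUL_VERIFY_QUERY, (username, ZERO_TIME)).fetchall()
    return sum(1 for _, session_id, user, nas_ip, nas_port in rows
               if verify(nas_ip, nas_port, user, session_id))


def session_check(conn, username, verify=None):
    """Decision the session stage would reach for a new login by `username`."""
    limit = simultaneous_use_limit(conn, username)
    if limit is None:
        return "Accept"  # no Simultaneous-Use item: nothing to enforce
    return "Reject" if open_sessions(conn, username, verify) >= limit else "Accept"


if __name__ == "__main__":
    db = build_db()
    for user in ("johnk", "alice"):
        print(user, session_check(db, user))
    # Stand-in for a NAS that reports johnk's old session as gone:
    stale = lambda nas_ip, port, user, sid: not (user == "johnk" and sid == "0000019F")
    print("johnk after NAS verification:", session_check(db, "johnk", verify=stale))
```

With the data as constructed, johnk (limit 1, one open row) is rejected and alice (limit 2, one open row and one closed row) is accepted; when the verify hook reports johnk's recorded session as no longer present on the NAS, the stale row is discounted and the new login is accepted. The point for debugging: the decision rests entirely on rows whose AcctStopTime is still zero, so a NAS that never sends an Accounting Stop, or a count query whose zero-date comparison does not match the stored value, changes the outcome independently of what radutmp shows.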