Help with Simultaneous Login on Freeradius+Ldap

listasmw at netconsult.inf.br listasmw at netconsult.inf.br
Fri Dec 15 18:23:31 CET 2006


Hi,



	we are using FreeRADIUS 1.1.3 on Fedora Core 6 with the rlm_ldap module,
and we need to control simultaneous logins, e.g. the LDAP user "John" can
authenticate only once.

	When we monitor the LDAP users' logins, they authenticate successfully
against LDAP, but we cannot see or monitor the users' logins: the radutmp
log file is empty (0 KB), and when we run the radwho command its output is
empty, although it does open.

Could you help me, please?

Regards,

Maicon Wendhausen

Freeradius Files


Log files:

[root at firedap3 radius]# ls -la
total 24
drwx------  3 radiusd radiusd 4096 Dec 14 18:21 .
drwxr-xr-x 10 root    root    4096 Dec 14 19:06 ..
drwx------  3 radiusd radiusd 4096 Dec 14 19:55 radacct
-rw-------  1 radiusd root    5357 Dec 14 20:03 radius.log
-rw-r--r--  1 radiusd root       0 Dec 14 18:21 radutmp
-rw-r--r--  1 radiusd root       0 Dec 14 18:21 radwtmp
[root at firedap3 radius]#


RADIUS log in debug mode
rad_recv: Access-Request packet from host 10.69.70.210:32771, id=87,
length=63
        User-Name = "user6"
        User-Password = "user6"
        NAS-IP-Address = 10.69.70.210
        Service-Type = Authenticate-Only
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "user6", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  modcall[authorize]: module "digest" returns noop for request 2
    users: Matched entry DEFAULT at line 222
  modcall[authorize]: module "files" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user6
radius_xlat:  '(uid=user6)'
radius_xlat:  'dc=nct,dc=com,dc=br'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=nct,dc=com,dc=br, with filter (uid=user6)
rlm_ldap: Added password {SSHA}f21M8OjksIKSJ1zUEii6JWKu43tWPRFgsBeiQg== in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user user6 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "user6" with password "user6"
rlm_ldap: user DN: uid=user6,dc=nct,dc=com,dc=br
rlm_ldap: (re)connect to 10.69.70.25:389, authentication 1
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: bind as uid=user6,dc=nct,dc=com,dc=br/user6 to 10.69.70.25:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user user6 authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 2
modcall: leaving group LDAP (returns ok) for request 2
  Processing the session section of radiusd.conf
modcall: entering group session for request 2
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  'user6'
  modcall[session]: module "radutmp" returns ok for request 2
modcall: leaving group session (returns ok) for request 2
Login OK: [user6] (from client firepass port 0)
Sending Access-Accept of id 87 to 10.69.70.210 port 32771
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...


users file
#......
# Applies to every user that reaches this entry (the trace above reports
# "Matched entry DEFAULT").  Simultaneous-Use is not checked here: it is
# enforced later, in the "session" section of radiusd.conf, by the radutmp
# module against the records in the radutmp file, and that file is only
# written by the "accounting" section.  Fall-Through lets later entries
# still be tried.
DEFAULT Simultaneous-Use := 1
        Fall-Through = 1

clients.conf file
.... default configuration.....

# NAS entry for the host that sent the Access-Request in the trace above
# ("from client firepass").
client 10.69.70.210 {
       # 5-character shared secret.  This secret is the only key that hides
       # User-Password and authenticates responses for this NAS (RFC 2865),
       # and it has now been published with this message.
       secret          = teste
       shortname       = firepass
}

radiusd.conf
# radiusd.conf as posted with the list message (FreeRADIUS 1.1.3).
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes

log_stripped_names = no
log_auth = yes
# Passwords are kept out of radius.log, but the debug output shown above
# still prints them in clear text ("login attempt by ... with password").
# Redact that line before sharing a trace.
log_auth_badpass = no
log_auth_goodpass = no

usercollide = no
lower_user = no
lower_pass = no

nospace_user = no
nospace_pass = no

# Helper that the radutmp module runs (check_with_nas = yes below) to ask the
# NAS whether a session recorded in radutmp is still alive.
checkrad = ${sbindir}/checkrad

security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

$INCLUDE  ${confdir}/clients.conf

snmp    = no
$INCLUDE  ${confdir}/snmp.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        # Session bookkeeping used for Simultaneous-Use.  The file named here
        # is written only by the "accounting" section; the "session" section
        # reads it.  The trace above contains an Access-Request but no
        # Accounting-Request, which is consistent with radutmp staying at
        # 0 bytes and radwho printing nothing.
        radutmp {
                filename = ${logdir}/radutmp
## The commented-out value below is an LDAP search filter (it is the same
## expression as the ldap module's "filter" setting), not a radutmp username
## pattern.
##              username = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                username = %{User-Name}
                case_sensitive = "yes"
                check_with_nas = "yes"
                # 0644 matches the -rw-r--r-- listing above: every local user
                # can read the session records.  Compare detailperm = 0600.
                perm = "0644"
                callerid = "no"
        }

        # Not used in the trace above: rlm_ldap sets Auth-Type = ldap, so the
        # "Auth-Type LDAP" block binds to the directory instead of comparing
        # the {SSHA} value that rlm_ldap adds to the check items.
        pap {
                encryption_scheme = crypt
        }

        chap {
                authtype = CHAP
        }

#$INCLUDE ${confdir}/eap.conf

        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = no
        }

        ldap {
                server="10.69.70.25"
                # Bind credentials in clear text; the identity looks like an
                # ordinary user entry under basedn.  Anyone who can read this
                # file -- or this post -- now holds them.
                identity="uid=gged,dc=nct,dc=com,dc=br"
                password=ged
                basedn="dc=nct,dc=com,dc=br"
                filter = (uid=%{Stripped-User-Name:-%{User-Name}})
##              filter= (uid=gged,dc=nct,dc=com,dc=br)
                password_attribute = userPassword
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_cache_timeout = 150
                ldap_cache_size = 0
                # One pooled connection (the trace shows "Got Id: 0") shared
                # by the 5+ worker threads above; requests queue for it.
                ldap_connections_number = 1
                timeout = 3
                timelimit = 5
                net_timeout = 1
                compare_check_items = no
                # No TLS options are set, and the trace shows the user bind
                # going to 10.69.70.25:389, so as configured here the user's
                # password crosses the network unencrypted on every login.

        }

        realm suffix {
                format = suffix
                delimiter = "@"
        }

        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }

        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = yes
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }

        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }

        acct_unique {
                # (the original commented line was wrapped by the mailer)
                #key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
                key = "User-Name, Acct-Session-Id, NAS-IP-Address"
        }

        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }

        attr_filter {
                attrsfile = ${confdir}/attrs
        }

        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }

        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }

        expr {
        }

        digest {
        }

        exec {
                wait = yes
                input_pairs = request
        }

        # Not referenced by any section below.  If it is enabled, the
        # request's User-Name is expanded into the program's argument, so it
        # must be treated as an untrusted string.
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }

        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}

instantiate {
        exec
        expr
#       daily
}

authorize {
        #preprocess
#       auth_log
#       attr_filter
        chap
        mschap
        suffix
        digest
#       ntdomain
        #eap
        #  Read the 'users' file
        files
        ldap
#       daily
#       checkval
}
authenticate {
        Auth-Type PAP {
                pap
                ldap
        }
        Auth-Type CHAP {
                chap
                ldap
        }
        Auth-Type MS-CHAP {
                mschap
                ldap
        }
        # The path taken in the trace above (rlm_ldap set Auth-Type = ldap).
        Auth-Type LDAP  {
                ldap
        }
}
preacct {
        preprocess
        acct_unique
        suffix
        #  Read the 'acct_users' file
        #files
}

accounting {
        detail
#       daily

        #
        #  For Simultaneous-Use tracking.
        #
        # This is what populates ${logdir}/radutmp.  It only runs for
        # Accounting-Request packets; none appear in the trace above, which
        # explains the 0-byte file.
        radutmp
#       sradutmp
#       main_pool
}

session {
        # Simultaneous-Use from the users file is checked here against the
        # radutmp records.  With an empty file every check passes, as in the
        # trace above ("module "radutmp" returns ok").
        radutmp
#       sql
}
post-auth {
}
pre-proxy {
}
post-proxy {
}



