freeradius + mssql Multiple logins (max 1)
satish patel
linuxtrap at yahoo.co.in
Tue Mar 6 14:25:41 CET 2007
My radius.conf file is:
# the check-name attribute before any module which sets
# it
# daily
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
#
# It also adds the %{Client-IP-Address} attribute to the request.
preprocess
#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log
# attr_filter
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
# digest
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
# ntdomain
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
eap
#
# Read the 'users' file
files
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
sql
noresetcounter
dailycounter
monthlycounter
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, then un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
# ldap
#
# Enforce daily limits on time spent logged in.
# daily
#
# Use the checkval module
# checkval
#
# As of 1.1.4, you should list "pap" last in this section.
# See "man rlm_pap" for more information.
pap
}
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
# digest
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
}
#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess
#
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
acct_unique
#
# Look for IPASS-style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
#
# Accounting requests are generally proxied to the same
# home server as authentication requests.
# IPASS
suffix
# ntdomain
#
# Read the 'acct_users' file
files
}
#
# Accounting. Log the accounting data.
#
accounting {
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
# daily
# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
unix
#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
radutmp
# sradutmp
# Return an address to the IP Pool when we see a stop record.
# main_pool
#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
# Cisco VoIP specific bulk accounting
# pgsql-voip
}
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
#radutmp
#
# See "Simultaneous Use Checking Queries" in sql.conf
sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
# main_pool
#
# If you want to have a log of authentication replies,
# un-comment the following line, and the 'detail reply_log'
# section, above.
# reply_log
#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
# Uncomment the following and set the module name to the ldap instance
# name if you have set 'edir_account_policy_check = yes' in the ldap
# module sub-section of the 'modules' section.
#
# Post-Auth-Type REJECT {
# insert-module-name-here
# }
}
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log
# attr_rewrite
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap
}
[root at radius ~]#
tnt at kalik.co.yu wrote: Something to do with Simultaneous-Use. But without config etc. ...
Ivan Kalik
Kalik Informatika ISP
On 6/3/2007, "satish patel" wrote:
>What is the error I have using freeradius + MSSQL
>
>
>Tue Mar 6 17:22:34 2007 : Auth: Multiple logins (max 1) : [rdoptm/tulip] (from client cisco port 761)
>Tue Mar 6 17:22:35 2007 : Auth: Multiple logins (max 1) : [mlpm173/] (from client cisco port 528)
>Tue Mar 6 17:22:36 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 290)
>Tue Mar 6 17:22:37 2007 : Auth: Multiple logins (max 1) : [rdoptm/tulip] (from client cisco port 242)
>Tue Mar 6 17:22:38 2007 : Auth: Multiple logins (max 1) : [mlpm173/] (from client cisco port 1004)
>Tue Mar 6 17:22:38 2007 : Auth: Multiple logins (max 1) : [mlpm268/] (from client cisco port 1101)
>Tue Mar 6 17:22:39 2007 : Auth: Multiple logins (max 1) : [rdoptm/tulip] (from client cisco port 851)
>Tue Mar 6 17:22:39 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 1012)
>Tue Mar 6 17:22:41 2007 : Auth: Multiple logins (max 1) : [mlpm173/] (from client cisco port 780)
>Tue Mar 6 17:22:41 2007 : Auth: Multiple logins (max 1) : [mlpm268/] (from client cisco port 670)
>Tue Mar 6 17:22:42 2007 : Auth: Multiple logins (max 1) : [mlpm629/] (from client cisco port 303)
>Tue Mar 6 17:22:43 2007 : Auth: Multiple logins (max 1) : [rdoptm/tulip] (from client cisco port 826)
>Tue Mar 6 17:22:43 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 964)
>Tue Mar 6 17:22:44 2007 : Auth: Multiple logins (max 1) : [mlpm268/] (from client cisco port 690)
>Tue Mar 6 17:22:44 2007 : Auth: Multiple logins (max 1) : [mlpm173/] (from client cisco port 147)
>Tue Mar 6 17:22:46 2007 : Auth: Multiple logins (max 1) : [mlpm138/] (from client cisco port 150)
>Tue Mar 6 17:22:49 2007 : Auth: Multiple logins (max 1) : [rdoptm/tulip] (from client cisco port 83)
>Tue Mar 6 17:22:50 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 1091)
>Tue Mar 6 17:22:51 2007 : Auth: Multiple logins (max 1) : [mlpm268/] (from client cisco port 1002)
>Tue Mar 6 17:22:52 2007 : Auth: Multiple logins (max 1) : [mlpm629/] (from client cisco port 1023)
>Tue Mar 6 17:22:52 2007 : Auth: Multiple logins (max 1) : [rdoptm/tulip] (from client cisco port 687)
>Tue Mar 6 17:22:54 2007 : Auth: Multiple logins (max 1) : [mlpm532/] (from client cisco port 693)
>Tue Mar 6 17:22:55 2007 : Auth: Multiple logins (max 1) : [mlpm143/akshaya] (from client cisco port 94)
>Tue Mar 6 17:22:59 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 713)
>Tue Mar 6 17:23:00 2007 : Auth: Multiple logins (max 1) : [mlpm173/] (from client cisco port 647)
>Tue Mar 6 17:23:05 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mlpm138/] (from client cisco port 646)
>Tue Mar 6 17:23:05 2007 : Auth: Multiple logins (max 1) : [mlpm143/akshaya] (from client cisco port 958)
>Tue Mar 6 17:23:07 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 98)
>Tue Mar 6 17:23:09 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mlpm138/] (from client cisco port 600)
>Tue Mar 6 17:23:11 2007 : Auth: Multiple logins (max 1) : [mlpm085/] (from client cisco port 894)
>Tue Mar 6 17:23:11 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 7
>
>
>$ cat ~/satish/url.txt
>
>System administrator ( Data Center )
>
>please visit this site
>
>http://linux.tulipit.com
>
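Added example, not part of the original thread: a small triage script for radius.log lines in the format quoted above. It tallies, per user, the rejections made by the Simultaneous-Use check ("Multiple logins (max N)") separately from password failures ("Login incorrect"), and discards the logged password field. The sample lines, user names and function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the radius.log format quoted in the thread.
# The last line is cut off on purpose, like the final quoted log line.
SAMPLE_LOG = """\
Tue Mar 6 17:22:34 2007 : Auth: Multiple logins (max 1) : [alice/secret] (from client cisco port 761)
Tue Mar 6 17:22:35 2007 : Auth: Multiple logins (max 1) : [bob/] (from client cisco port 528)
Tue Mar 6 17:22:36 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [carol/] (from client cisco port 290)
Tue Mar 6 17:22:37 2007 : Auth: Multiple logins (max 1) : [alice/secret] (from client cisco port 242)
Tue Mar 6 17:22:39 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [carol/] (from client cisco port 1012)
Tue Mar 6 17:22:41 2007 : Auth: Multiple logins (max 1) : [alice/secret] (from client cisco port 7
"""

LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} : Auth: "
    r"(?:Multiple logins \(max (?P<max>\d+)\)|Login incorrect(?: \([^)]*\))?)"
    r" ?: \[(?P<user>[^/\]]*)/[^\]]*\] "   # text after '/' is the logged password; not captured
    r"\(from client (?P<client>\S+) port (?P<port>\d+)\)$"
)

def summarize(log_text):
    """Return ({user: counters}, unparsed_line_count) for Auth reject lines."""
    stats = defaultdict(lambda: {"multiple_logins": 0, "login_incorrect": 0, "ports": set()})
    unparsed = 0
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()        # tolerate mail-quoted lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:                          # truncated or unrelated line
            unparsed += 1
            continue
        entry = stats[m.group("user")]
        entry["multiple_logins" if m.group("max") else "login_incorrect"] += 1
        entry["ports"].add(int(m.group("port")))
    return dict(stats), unparsed

def simultaneous_use_rejects(stats, threshold=2):
    """Users rejected by the session check at least `threshold` times."""
    hits = [(user, s["multiple_logins"], len(s["ports"]))
            for user, s in stats.items() if s["multiple_logins"] >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    stats, unparsed = summarize(SAMPLE_LOG)
    for user, count, ports in simultaneous_use_rejects(stats):
        print(f"{user}: {count} session-limit rejects across {ports} ports")
    print(f"unparsed lines: {unparsed}")
```

Users listed by `simultaneous_use_rejects` are the ones whose open records in the session database (the `session { sql }` section in the posted config) are worth checking against the NAS.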