freeradius + mssql Multiple logins (max 1)

tnt at kalik.co.yu tnt at kalik.co.yu
Tue Mar 6 15:41:18 CET 2007


# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
        #radutmp

        #
        # See "Simultaneous Use Checking Queries" in sql.conf
        sql
}

This bit is fine. Check in sql.conf that simul_verify_query is not
commented out. Change nastype to other in clients.conf - that will check
only the database.

Then check:

select username from radacct where AcctSessionTime='0'

That will list users with open sessions - maybe you have open sessions
and radius is behaving as it should. Sort out the open sessions and try
again. Once you have this sorted, change nastype from other to cisco and
see if it still works.

Ivan Kalik
Kalik Informatika ISP
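The open-session check and cleanup described above, as an added example (not code from the thread or from FreeRADIUS): it rebuilds a small radacct table in SQLite with constructed rows, counts open sessions per user the way a Simultaneous-Use check does (assumed criterion: AcctStopTime IS NULL; the query quoted above keys on AcctSessionTime='0' instead), flags open rows old enough to be a lost Stop record, and closes them so the count is accurate again.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed radacct rows (RadAcctId, UserName, AcctStartTime, AcctStopTime,
# AcctSessionTime), not real data. A lost Stop record leaves a row open forever,
# and the user's next login is then refused with "Multiple logins (max 1)".
SAMPLE_RADACCT = [
    (1, "mlpm173", "2007-03-06 09:10:00", None, 0),                        # open since morning: stale
    (2, "mlpm173", "2007-03-06 17:20:00", None, 0),                        # genuinely current
    (3, "rdoptm", "2007-03-06 08:00:00", None, 0),                         # stale
    (4, "mesmedical", "2007-03-06 16:00:00", "2007-03-06 16:30:00", 1800),  # closed normally
    (5, "mlpm143", "2007-03-06 17:00:00", None, 0),                        # current
]
NOW = datetime(2007, 3, 6, 17, 22, 34)  # time of the log lines quoted in the thread
MAX_AGE = timedelta(hours=2)            # assumed threshold for "suspiciously old" open rows

def load_radacct(rows):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, UserName TEXT, AcctStartTime TEXT, "
                "AcctStopTime TEXT, AcctSessionTime INTEGER, AcctTerminateCause TEXT)")
    con.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,NULL)", rows)
    return con

def simul_count(con, username):
    """Open sessions for one user: the number a Simultaneous-Use check compares
    with the limit (assumed criterion: AcctStopTime IS NULL)."""
    (n,) = con.execute("SELECT COUNT(*) FROM radacct WHERE UserName = ? "
                       "AND AcctStopTime IS NULL", (username,)).fetchone()
    return n

def users_at_limit(con, max_sessions=1):
    """Users already at Simultaneous-Use; their next login logs 'Multiple logins (max N)'."""
    rows = con.execute("SELECT UserName, COUNT(*) FROM radacct WHERE AcctStopTime IS NULL "
                       "GROUP BY UserName HAVING COUNT(*) >= ?", (max_sessions,))
    return dict(rows.fetchall())

def stale_sessions(con, now=NOW, max_age=MAX_AGE):
    """Open rows started more than max_age ago: probable lost Stop records."""
    cutoff = (now - max_age).strftime("%Y-%m-%d %H:%M:%S")
    rows = con.execute("SELECT RadAcctId FROM radacct WHERE AcctStopTime IS NULL "
                       "AND AcctStartTime < ? ORDER BY RadAcctId", (cutoff,))
    return [r[0] for r in rows]

def close_sessions(con, ids, now=NOW):
    """Close the listed open rows administratively; returns how many were closed."""
    if not ids: return 0
    cur = con.execute("UPDATE radacct SET AcctStopTime = ?, AcctTerminateCause = 'Admin-Reset' "
                      "WHERE AcctStopTime IS NULL AND RadAcctId IN (%s)" % ",".join("?" * len(ids)),
                      (now.strftime("%Y-%m-%d %H:%M:%S"), *ids))
    return cur.rowcount
```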


On 6/3/2007, "satish patel" <linuxtrap at yahoo.co.in> wrote:

>my radius.conf  file is
>
>
>        # the check-name attribute before any module which sets
>        # it
>#       daily
>}
>
>#  Authorization. First preprocess (hints and huntgroups files),
>#  then realms, and finally look in the "users" file.
>#
>#  The order of the realm modules will determine the order that
>#  we try to find a matching realm.
>#
>#  Make *sure* that 'preprocess' comes before any realm if you
>#  need to setup hints for the remote radius server
>authorize {
>        #
>        #  The preprocess module takes care of sanitizing some bizarre
>        #  attributes in the request, and turning them into attributes
>        #  which are more standard.
>        #
>        #  It takes care of processing the 'raddb/hints' and the
>        #  'raddb/huntgroups' files.
>        #
>        #  It also adds the %{Client-IP-Address} attribute to the request.
>        preprocess
>
>        #
>        #  If you want to have a log of authentication requests,
>        #  un-comment the following line, and the 'detail auth_log'
>        #  section, above.
>#       auth_log
>
>#       attr_filter
>
>        #
>        #  The chap module will set 'Auth-Type := CHAP' if we are
>        #  handling a CHAP request and Auth-Type has not already been set
>        chap
>
>        #
>        #  If the users are logging in with an MS-CHAP-Challenge
>        #  attribute for authentication, the mschap module will find
>        #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
>        #  to the request, which will cause the server to then use
>        #  the mschap module for authentication.
>        mschap
>
>        #
>        #  If you have a Cisco SIP server authenticating against
>        #  FreeRADIUS, uncomment the following line, and the 'digest'
>        #  line in the 'authenticate' section.
>#       digest
>
>        #
>        #  Look for IPASS style 'realm/', and if not found, look for
>        #  '@realm', and decide whether or not to proxy, based on
>        #  that.
>#       IPASS
>
>        #
>        #  If you are using multiple kinds of realms, you probably
>        #  want to set "ignore_null = yes" for all of them.
>        #  Otherwise, when the first style of realm doesn't match,
>        #  the other styles won't be checked.
>        #
>        suffix
>#       ntdomain
>
>        #
>        #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
>        #  authentication.
>        #
>        #  It also sets the EAP-Type attribute in the request
>        #  attribute list to the EAP type from the packet.
>        eap
>
>        #
>        #  Read the 'users' file
>        files
>
>        #
>        #  Look in an SQL database.  The schema of the database
>        #  is meant to mirror the "users" file.
>        #
>        #  See "Authorization Queries" in sql.conf
>        sql
>        noresetcounter
>        dailycounter
>        monthlycounter
>        #
>        #  If you are using /etc/smbpasswd, and are also doing
>        #  mschap authentication, then un-comment this line, and
>        #  configure the 'etc_smbpasswd' module, above.
>#       etc_smbpasswd
>
>        #
>        #  The ldap module will set Auth-Type to LDAP if it has not
>        #  already been set
>#       ldap
>
>        #
>        #  Enforce daily limits on time spent logged in.
>#       daily
>
>        #
>        # Use the checkval module
>#       checkval
>
>        #
>        # As of 1.1.4, you should list "pap" last in this section.
>        # See "man rlm_pap" for more information.
>        pap
>}
>
>
>#  Authentication.
>#
>#
>#  This section lists which modules are available for authentication.
>#  Note that it does NOT mean 'try each module in order'.  It means
>#  that a module from the 'authorize' section adds a configuration
>#  attribute 'Auth-Type := FOO'.  That authentication type is then
>#  used to pick the appropriate module from the list below.
>#
>
>#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
>#  will figure it out on its own, and will do the right thing.  The
>#  most common side effect of erroneously setting the Auth-Type
>#  attribute is that one authentication method will work, but the
>#  others will not.
>#
>#  The common reasons to set the Auth-Type attribute by hand
>#  is to either forcibly reject the user, or forcibly accept him.
>#
>authenticate {
>        #
>        #  PAP authentication, when a back-end database listed
>        #  in the 'authorize' section supplies a password.  The
>        #  password can be clear-text, or encrypted.
>        Auth-Type PAP {
>                pap
>        }
>
>        #
>        #  Most people want CHAP authentication
>        #  A back-end database listed in the 'authorize' section
>        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
>        #  won't work.
>        Auth-Type CHAP {
>                chap
>        }
>
>        #
>        #  MSCHAP authentication.
>        Auth-Type MS-CHAP {
>                mschap
>        }
>
>        #
>        #  If you have a Cisco SIP server authenticating against
>        #  FreeRADIUS, uncomment the following line, and the 'digest'
>        #  line in the 'authorize' section.
>#       digest
>
>        #
>        #  Pluggable Authentication Modules.
>#       pam
>
>        #
>        #  See 'man getpwent' for information on how the 'unix'
>        #  module checks the users password.  Note that packets
>        #  containing CHAP-Password attributes CANNOT be authenticated
>        #  against /etc/passwd!  See the FAQ for details.
>        #
>        unix
>
>        # Uncomment it if you want to use ldap for authentication
>        #
>        # Note that this means "check plain-text password against
>        # the ldap database", which means that EAP won't work,
>        # as it does not supply a plain-text password.
>#       Auth-Type LDAP {
>#               ldap
>#       }
>
>        #
>        #  Allow EAP authentication.
>        eap
>}
>
>
>#
>#  Pre-accounting.  Decide which accounting type to use.
>#
>preacct {
>        preprocess
>
>        #
>        #  Ensure that we have a semi-unique identifier for every
>        #  request, and many NAS boxes are broken.
>        acct_unique
>
>        #
>        #  Look for IPASS-style 'realm/', and if not found, look for
>        #  '@realm', and decide whether or not to proxy, based on
>        #  that.
>        #
>        #  Accounting requests are generally proxied to the same
>        #  home server as authentication requests.
>#       IPASS
>        suffix
>#       ntdomain
>
>        #
>        #  Read the 'acct_users' file
>        files
>}
>
>#
>#  Accounting.  Log the accounting data.
>#
>accounting {
>        #
>        #  Create a 'detail'ed log of the packets.
>        #  Note that accounting requests which are proxied
>        #  are also logged in the detail file.
>        detail
>#       daily
>
>        #  Update the wtmp file
>        #
>        #  If you don't use "radlast", you can delete this line.
>        unix
>
>        #
>        #  For Simultaneous-Use tracking.
>        #
>        #  Due to packet losses in the network, the data here
>        #  may be incorrect.  There is little we can do about it.
>        radutmp
>#       sradutmp
>
>        #  Return an address to the IP Pool when we see a stop record.
>#       main_pool
>
>        #
>        #  Log traffic to an SQL database.
>        #
>        #  See "Accounting queries" in sql.conf
>        sql
>
>        #
>        #  Instead of sending the query to the SQL server,
>        #  write it into a log file.
>        #
>#       sql_log
>
>        #  Cisco VoIP specific bulk accounting
>#       pgsql-voip
>
>}
>
>
>#  Session database, used for checking Simultaneous-Use. Either the radutmp
>#  or rlm_sql module can handle this.
>#  The rlm_sql module is *much* faster
>session {
>        #radutmp
>
>        #
>        #  See "Simultaneous Use Checking Queries" in sql.conf
>        sql
>}
>
>
>#  Post-Authentication
>#  Once we KNOW that the user has been authenticated, there are
>#  additional steps we can take.
>post-auth {
>        #  Get an address from the IP Pool.
>#       main_pool
>
>        #
>        #  If you want to have a log of authentication replies,
>        #  un-comment the following line, and the 'detail reply_log'
>        #  section, above.
>#       reply_log
>
>        #
>        #  After authenticating the user, do another SQL query.
>        #
>        #  See "Authentication Logging Queries" in sql.conf
>        sql
>
>        #
>        #  Instead of sending the query to the SQL server,
>        #  write it into a log file.
>        #
>#       sql_log
>
>        #
>        #  Un-comment the following if you have set
>        #  'edir_account_policy_check = yes' in the ldap module sub-section of
>        #  the 'modules' section.
>        #
>#       ldap
>        #
>        #  Access-Reject packets are sent through the REJECT sub-section of the
>        #  post-auth section.
>        #  Uncomment the following and set the module name to the ldap instance
>        #  name if you have set 'edir_account_policy_check = yes' in the ldap
>        #  module sub-section of the 'modules' section.
>        #
>#       Post-Auth-Type REJECT {
>#               insert-module-name-here
>#       }
>
>}
>
>#
>#  When the server decides to proxy a request to a home server,
>#  the proxied request is first passed through the pre-proxy
>#  stage.  This stage can re-write the request, or decide to
>#  cancel the proxy.
>#
>#  Only a few modules currently have this method.
>#
>pre-proxy {
>#       attr_rewrite
>
>        #  Uncomment the following line if you want to change attributes
>        #  as defined in the preproxy_users file.
>#       files
>
>        #  If you want to have a log of packets proxied to a home
>        #  server, un-comment the following line, and the
>        #  'detail pre_proxy_log' section, above.
>#       pre_proxy_log
>}
>
>#
>#  When the server receives a reply to a request it proxied
>#  to a home server, the request may be massaged here, in the
>#  post-proxy stage.
>#
>post-proxy {
>
>        #  If you want to have a log of replies from a home server,
>        #  un-comment the following line, and the 'detail post_proxy_log'
>        #  section, above.
>#       post_proxy_log
>
>#       attr_rewrite
>
>        #  Uncomment the following line if you want to filter replies from
>        #  remote proxies based on the rules defined in the 'attrs' file.
>
>#       attr_filter
>
>        #
>        #  If you are proxying LEAP, you MUST configure the EAP
>        #  module, and you MUST list it here, in the post-proxy
>        #  stage.
>        #
>        #  You MUST also use the 'nostrip' option in the 'realm'
>        #  configuration.  Otherwise, the User-Name attribute
>        #  in the proxied request will not match the user name
>        #  hidden inside of the EAP packet, and the end server will
>        #  reject the EAP request.
>        #
>        eap
>}
>[root at radius ~]#
>
>
>
>tnt at kalik.co.yu wrote: Something to do with Simultaneous-Use. But without config etc. ...
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>On 6/3/2007, "satish patel" wrote:
>
>>What is the error I have using freeradius + MSSQL?
>>
>>
>>Tue Mar  6 17:22:34 2007 : Auth: Multiple logins (max 1) : [rdoptm/tulip] (from client cisco port 761)
>>Tue Mar  6 17:22:35 2007 : Auth: Multiple logins (max 1) : [mlpm173/] (from client cisco port 528)
>>Tue Mar  6 17:22:36 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 290)
>>Tue Mar  6 17:22:37 2007 : Auth: Multiple logins (max 1) : [rdoptm/tulip] (from client cisco port 242)
>>Tue Mar  6 17:22:38 2007 : Auth: Multiple logins (max 1) : [mlpm173/] (from client cisco port 1004)
>>Tue Mar  6 17:22:38 2007 : Auth: Multiple logins (max 1) : [mlpm268/] (from client cisco port 1101)
>>Tue Mar  6 17:22:39 2007 : Auth: Multiple logins (max 1) : [rdoptm/tulip] (from client cisco port 851)
>>Tue Mar  6 17:22:39 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 1012)
>>Tue Mar  6 17:22:41 2007 : Auth: Multiple logins (max 1) : [mlpm173/] (from client cisco port 780)
>>Tue Mar  6 17:22:41 2007 : Auth: Multiple logins (max 1) : [mlpm268/] (from client cisco port 670)
>>Tue Mar  6 17:22:42 2007 : Auth: Multiple logins (max 1) : [mlpm629/] (from client cisco port 303)
>>Tue Mar  6 17:22:43 2007 : Auth: Multiple logins (max 1) : [rdoptm/tulip] (from client cisco port 826)
>>Tue Mar  6 17:22:43 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 964)
>>Tue Mar  6 17:22:44 2007 : Auth: Multiple logins (max 1) : [mlpm268/] (from client cisco port 690)
>>Tue Mar  6 17:22:44 2007 : Auth: Multiple logins (max 1) : [mlpm173/] (from client cisco port 147)
>>Tue Mar  6 17:22:46 2007 : Auth: Multiple logins (max 1) : [mlpm138/] (from client cisco port 150)
>>Tue Mar  6 17:22:49 2007 : Auth: Multiple logins (max 1) : [rdoptm/tulip] (from client cisco port 83)
>>Tue Mar  6 17:22:50 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 1091)
>>Tue Mar  6 17:22:51 2007 : Auth: Multiple logins (max 1) : [mlpm268/] (from client cisco port 1002)
>>Tue Mar  6 17:22:52 2007 : Auth: Multiple logins (max 1) : [mlpm629/] (from client cisco port 1023)
>>Tue Mar  6 17:22:52 2007 : Auth: Multiple logins (max 1) : [rdoptm/tulip] (from client cisco port 687)
>>Tue Mar  6 17:22:54 2007 : Auth: Multiple logins (max 1) : [mlpm532/] (from client cisco port 693)
>>Tue Mar  6 17:22:55 2007 : Auth: Multiple logins (max 1) : [mlpm143/akshaya] (from client cisco port 94)
>>Tue Mar  6 17:22:59 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 713)
>>Tue Mar  6 17:23:00 2007 : Auth: Multiple logins (max 1) : [mlpm173/] (from client cisco port 647)
>>Tue Mar  6 17:23:05 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mlpm138/] (from client cisco port 646)
>>Tue Mar  6 17:23:05 2007 : Auth: Multiple logins (max 1) : [mlpm143/akshaya] (from client cisco port 958)
>>Tue Mar  6 17:23:07 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 98)
>>Tue Mar  6 17:23:09 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mlpm138/] (from client cisco port 600)
>>Tue Mar  6 17:23:11 2007 : Auth: Multiple logins (max 1) : [mlpm085/] (from client cisco port 894)
>>Tue Mar  6 17:23:11 2007 : Auth: Login incorrect (rlm_chap: Wrong user password): [mesmedical/] (from client cisco port 7
>>
>>
>>$ cat ~/satish/url.txt
>>
>>System administrator ( Data Center )
>>
>>please visit this site
>>
>>http://linux.tulipit.com
>>
>>
>
>
>
>
>




More information about the Freeradius-Users mailing list