Two Simultaneous-Use on Same NAS Port

Smith, Mark J mjsmith at decommunications.com
Wed Mar 25 18:24:09 CET 2009 

I'm trying to limit a single username to logon 2 times on the same NAS
Port/NAS Port ID.  

Our test environment consists of a single FreeRadius Server (Version
2.1.5/4), MySQL Server 5.0.45, and a Cisco 7200VXR with IOS
12.2(31)SB13.


The main issue now is that a single user name with Simultaneous-Use set
too 2 is able to login an unlimited number of times on the same NAS
Port/NAS Port ID.  However, if the same user logon through a different
NAS Port/NAS Port ID, Simultaneous-Use checks work as expected.  Please,
note the following radwho and radiusd -X outputs.


radwho -R Output after first user logged in:

User-Name = "test1"
Acct-Session-Id = "00003377"
NAS-IP-Address = X.X.X.X
NAS-Port = 2097152
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = X.X.X.X


radwho -R Output after second user logged in:

User-Name = "test1"
Acct-Session-Id = "00003378"
NAS-IP-Address = X.X.X.X
NAS-Port = 2097152
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = X.X.X.X
Acct-Session-Time = 72


**Note the lack of the first user identified by Acct-Session-ID
00003377.




radwho -R Output with second user logged in through a different NAS
Port/NAS Port ID:

User-Name = "test1"
Acct-Session-Id = "00003378"
NAS-IP-Address = 66.109.238.133
NAS-Port = 2097152
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 66.216.191.36
Acct-Session-Time = 476

User-Name = "test1"
Acct-Session-Id = "00003379"
NAS-IP-Address = 66.109.238.133
NAS-Port = 1610625913
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 66.216.191.37
Acct-Session-Time = 70




Acct-Session-Id 00003377 radiusd -X output:
+- entering group session {...}
[radutmp]       expand: /usr/local/var/log/radius/radutmp ->
/usr/local/var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> test1
++[radutmp] returns ok

rad_recv: Accounting-Request packet from host 66.109.238.133 port 1646,
id=88, length=136
        Acct-Session-Id = "00003377"
        Framed-Protocol = PPP
        Framed-Route = "255.255.255.0"
        Framed-Route = "255.255.255.0"
        Framed-IP-Address = X.X.X.X
        User-Name = "test1"
        X-Ascend-Connect-Progress = LAN-Session-Up
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port-Type = 32
        NAS-Port = 2097152
        NAS-Port-Id = "0/0/2/0"
        Service-Type = Framed-User
        NAS-IP-Address = X.X.X.X
        Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok


Acct-Session-Id 00003378 radiusd -X output:
+- entering group session {...}
[radutmp]       expand: /usr/local/var/log/radius/radutmp ->
/usr/local/var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> test1
++[radutmp] returns ok

rad_recv: Accounting-Request packet from host 66.109.238.133 port 1646,
id=89, length=136
        Acct-Session-Id = "00003378"
        Framed-Protocol = PPP
        Framed-Route = "255.255.255.0"
        Framed-Route = "255.255.255.0"
        Framed-IP-Address = X.X.X.X
        User-Name = "test1"
        X-Ascend-Connect-Progress = LAN-Session-Up
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port-Type = 32
        NAS-Port = 2097152
        NAS-Port-Id = "0/0/2/0"
        Service-Type = Framed-User
        NAS-IP-Address = X.X.X.X
        Acct-Delay-Time = 0
+- entering group preacct {...}



Cisco Radius Configuration:

aaa authentication login default local group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default local group radius
aaa authorization exec default local group tacacs+ 
aaa authorization commands 1 default local group tacacs+ 
aaa authorization commands 15 default local group tacacs+ 
aaa authorization network default local group radius 
aaa accounting delay-start vrf default
aaa accounting delay-start all
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group radius
aaa accounting system default start-stop broadcast group radius group
tacacs+

radius-server attribute nas-port format e
SSSSAPPPUUUUUUUUUUUUUUUUUUUUUUUU
radius-server attribute nas-port format e
SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 30
radius-server attribute nas-port format e
SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 31
radius-server attribute nas-port format e
SSSSAAAAPPPPVVVVVVVVVVVVVVVVVVVV type 32
radius-server attribute nas-port format e
SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV type 33
radius-server attribute nas-port format e
SSSSAPPPQQQQQQQQQQQQVVVVVVVVVVVV type 34
radius-server attribute 61 extended
radius-server host X.X.X.X auth-port 1812 acct-port 1813 non-standard
key 



Please, let me know if any additional information is needed.

Thank you,

Mark



**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.

More information about the Freeradius-Users mailing list