Cisco VPN 3000 and Simultaneous Use via checkrad
Ivan Kalik
tnt at kalik.net
Tue Oct 6 18:31:55 CEST 2009
> In order to implement simultaneous use checking in my environment I
> added a subroutine to checkrad that handles snmp checks to the Cisco
> 3000 series VPN concentrators. I am happy to share my work/experience
> with anyone that may have a similar environment.
While we are on the subject of Cisco and checkrad.pl, I have found that
sometimes trouble can be found here:
    if ($port < 20000) {
        #
        # The AS5350 doesn't support polling the session ID,
        # so we do it based on nas-port-id. This only works
        # for analog sessions where port < 20000.
        # Yes, this means that simultaneous-use on the as5350
        # doesn't work for ISDN users.
        #
        $login = snmpget($ARGV[1], $pass, "$csm.2.9.2.1.18.$port");
        print LOG " user at port S$port: $login\n" if ($debug);
    } else {
        $login = snmpget($ARGV[1], $pass,
                         "$csm.9.150.1.1.3.1.2.$sess_id");
        print LOG " user with session id $ARGV[4] ($sess_id): " .
                  "$login\n" if ($debug);
    }
There are devices that don't support that first OID. The solution is to
comment out the if section:
#   if ($port < 20000) {
#       #
#       # The AS5350 doesn't support polling the session ID,
#       # so we do it based on nas-port-id. This only works
#       # for analog sessions where port < 20000.
#       # Yes, this means that simultaneous-use on the as5350
#       # doesn't work for ISDN users.
#       #
#       $login = snmpget($ARGV[1], $pass, "$csm.2.9.2.1.18.$port");
#       print LOG " user at port S$port: $login\n" if ($debug);
#   } else {
        $login = snmpget($ARGV[1], $pass,
                         "$csm.9.150.1.1.3.1.2.$sess_id");
        print LOG " user with session id $ARGV[4] ($sess_id): " .
                  "$login\n" if ($debug);
#   }
This alteration will get the script working properly for 7xxx routers that
fail the default check (i.e. they don't support the OID that checks who is
on the port; instead they peek into local accounting to see if there is an
active session for that accounting id).
Ivan Kalik
Kalik Informatika ISP
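As an added example (mine, not code from checkrad.pl or the FreeRADIUS project), here is a Perl variant of the Cisco branch that tries the per-port OID first and falls back to the per-session OID whenever the agent returns nothing, so a 7xxx router and an AS5350 can share one code path without anything being commented out by hand. The $csm base OID, the exit convention (1 = logged in, 0 = not, 2 = cannot tell), the snmpget callback signature and the fake SNMP agents are assumptions made for this example; the session ID is passed in already in the form checkrad.pl derives from $ARGV[4].

```perl
#!/usr/bin/perl
# Added example, not code from checkrad.pl or the FreeRADIUS project.
# Cisco Simultaneous-Use lookup that tries the per-port OID and falls
# back to the per-session OID when the agent does not implement the
# former, instead of commenting the if-block out of checkrad.pl.
use strict;
use warnings;

# Base OID used by the checkrad.pl Cisco branch (assumed here to be the
# Cisco enterprise arc, as in checkrad.pl).
my $csm = ".1.3.6.1.4.1.9";
my $PORT_OID = "$csm.2.9.2.1.18";         # user on a given line/port
my $SESS_OID = "$csm.9.150.1.1.3.1.2";    # user for a given session ID

# $snmpget is a code ref (nas_ip, community, oid) -> value, or undef when
# the agent returns noSuchObject/noSuchInstance or the query fails
# (assumed interface; checkrad.pl's own snmpget() shells out to snmpget).
sub cisco_active_user {
    my ($snmpget, $nas_ip, $community, $port, $sess_id) = @_;
    my $login;

    # Per the checkrad.pl comment, only analog ports (< 20000) can be
    # resolved by port number; a 7xxx router does not offer this OID.
    if (defined $port && $port =~ /^\d+$/ && $port < 20000) {
        $login = $snmpget->($nas_ip, $community, "$PORT_OID.$port");
    }

    # Fall back to the session-ID lookup whenever the port query yields
    # nothing (unsupported OID, ISDN port, or port >= 20000).
    if (!defined $login || $login eq '') {
        $login = $snmpget->($nas_ip, $community, "$SESS_OID.$sess_id");
    }
    return $login;
}

# Exit status in the checkrad convention as assumed here:
# 1 = the user still has an active session, 0 = not, 2 = cannot tell.
sub checkrad_status {
    my ($snmpget, $nas_ip, $community, $port, $user, $sess_id) = @_;
    my $login = cisco_active_user($snmpget, $nas_ip, $community,
                                  $port, $sess_id);
    return 2 unless defined $login && $login ne '';
    $login =~ s/^"(.*)"$/$1/;    # snmpget prints STRING values quoted
    return $login eq $user ? 1 : 0;
}

# Constructed fake agents for an offline run: a 7xxx-style router that
# only knows the session table, and an AS5350-style box that knows both.
sub fake_agent {
    my %table = @_;
    return sub {
        my ($nas_ip, $community, $oid) = @_;
        return exists $table{$oid} ? $table{$oid} : undef;
    };
}

my $router_7xxx = fake_agent("$SESS_OID.1234" => '"alice"');
my $as5350      = fake_agent("$PORT_OID.17"   => '"bob"',
                             "$SESS_OID.99"   => '"bob"');

if (!caller) {
    # alice still on the 7xxx router: port OID missing, session OID hits -> 1
    print "7xxx  alice/1234: ",
        checkrad_status($router_7xxx, '10.0.0.1', 'public', 17, 'alice', 1234), "\n";
    # session found but belongs to someone else -> 0
    print "7xxx  carol/1234: ",
        checkrad_status($router_7xxx, '10.0.0.1', 'public', 17, 'carol', 1234), "\n";
    # neither OID answers -> 2 (cannot tell)
    print "7xxx  alice/555:  ",
        checkrad_status($router_7xxx, '10.0.0.1', 'public', 17, 'alice', 555), "\n";
    # AS5350 analog port resolves directly by port number -> 1
    print "5350  bob/99:     ",
        checkrad_status($as5350, '10.0.0.2', 'public', 17, 'bob', 99), "\n";
}
```

Run it with `perl` to see the four cases; to wire the same logic into a real check, pass checkrad.pl's own snmpget wrapper as the code ref and return checkrad_status() as the script's exit code. The fallback keeps the AS5350 analog-port behaviour the original comment describes while letting devices without the per-port OID be resolved through the session table.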