Checkrad / Simultaneous-Use clarification please
Craig Campbell
craig at ccraft.ca
Thu Sep 10 13:08:56 CEST 2009
From: "Alan DeKok" <aland at deployingradius.com>
>"If you want to check the stripped user name... then use it."
How can I control this? I am assuming you are referring to proxy.con realm
configuration?
"Why you ask?"
The 'powers that be' have declared that the same userid may log in via
multiple realms (access technologies) up to a certain connection limit.
So user at realm1 and user at realm2 count as 2 connections for user. In their
original form, radius would view them as two distinct userids.
I need the form 'user at realm' for authentication right after the
simultaneous-use check.
How, specifically, can I get the Simultaneous-Use function to use the
Stripped-User-Name (proxy.conf)? and yet use the original User-Name for the
remainder of the processing? (I have seen references to variable in some
cases having a form of %{prefix:User-Name} but am unclear of how/where that
can/should be used.
I have searched the internet, the docs available, and some of the source
code in attempting to understand freeradius, only posting questions when I
am truly puzzled. Indications of "how" to do (or NOT do) something are most
appreciated. This is a significant upgrade effort, and I'm ok with
re-designing how things are achieved, if I can determine WHAT the 'best way'
should be. I have NO control over the rules that apply to users and
accounts in the real world. (I especially love when they CONTRADICT! -
Marketing...)
Thanks,
-craig
----- Original Message -----
From: "Alan DeKok" <aland at deployingradius.com>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Thursday, September 10, 2009 4:16 AM
Subject: Re: Checkrad / Simultaneous-Use clarification please
> Craig Campbell wrote:
>> We currently have users that log in both with and without realms.
>
> Well... then you have to manage that.
>
>> In radutmp we log the stripped username (i.e. no realm component).
>
> Why?
>
>> Since the radutmp data has no realm part for the username, how do I get
>> the Simultaneous-Use code to check the username without the realm
>> component? Currently the realm portion is carried through until the
>> accounting processing (for radutmp).
>
> I don't understand. You give radutmp a stripped user name, but you
> don't give the session checking a stripped user name?
>
> If you want to check the stripped user name... then use it.
>
>> If I understand correctly, fred at comfort will pass Sinultaneous-Use
>> because radutmp is logging these as just "fred".
>
> Yes. Because you told it to treat them as different users.
>
> If you want the simultaneous checking to check the stripped user name,
> then strip the user name...
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> __________ Information from ESET Smart Security, version of virus
> signature database 4412 (20090909) __________
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com
>
>
>
__________ Information from ESET Smart Security, version of virus signature database 4412 (20090909) __________
The message was checked by ESET Smart Security.
http://www.eset.com
More information about the Freeradius-Users
mailing list