Simultaneous-Use and UserName sent from NAS

Ziggy Bopster ziggybopster at gmail.com
Fri Jun 10 16:53:42 CEST 2011


Hi Fajar,

Thanks for replying.. Really appreciate it.

> Ask the NAS vendor.
It's CISCO.. I do see one Accounting-Request packet for
Username="Ziggy" when I terminate the connection.. But no
Accounting-Request packet for the Start of Username="ziggy" logging
in.  I do see Access-Request packets for Ziggy.  I'll have to check on
that with them. ???


> SQL should be faster, and easier to manage
Great.. If I only want to use SQL for Simultaneous-Use checking (and
not User Authentication), is that going to work?  I want to use LDAP
for Authenticaiton..


> Sure.

>In fact, once I get EVERYTHING worked out just like I wanted, I
>usually remove unnecessary components.
>If your all your user configuration and acct data is on sql, then you>
should be able to remove some configuration lines (e.g. unix, radutmp,
> detail, etc.)

I will disable RADUTMP & other stuff after I get this SQL working.  Thanks.


> If you have some clients  that authenticate using PAP while others
> using PEAP/802.1x, then yes. But if ALL your clients only use
> PEAP/802.1x, then it shouldn't matter much what you put on
> sites-available/default, as long as eap-related options are there.

All our clients will be using PEAP/802.1x.. So does that mean only the
eap.conf file matters?  Do I need to make changes in the
sites-available/default and the inner-tunnel files?

> The image on http://revolutionwifi.blogspot.com/2010/09/peapv0-packet-flow-reference.html
> might give some illustration on the packets involved in EAP/MSCHAPv2
> works

Thanks so much for the link.. It is great.. That explains why I have 8
Packets for the PEAP authentication for Ziggy.. :) The rest of the
DEBUG logs contain Accounting-Request Packets..




On Thu, Jun 9, 2011 at 9:16 PM, Fajar A. Nugraha <list at fajar.net> wrote:
> On Fri, Jun 10, 2011 at 2:26 AM, Ziggy Bopster <ziggybopster at gmail.com> wrote:
>> IV.  Questions:
>> 1) Why is the NAS sending so many randomly generated numeric
>> "UserName" in the Accounting-Request?
>> 2) How can I get the NAS to send the correct Username (Ziggy) instead
>> of the randomly generated numbers in the Accounting-Request packets to
>> update in SQL?
>
> Ask the NAS vendor.
>
>> 3) I'm confused, should I use radutmp or sql to get Simultaenous-Use
>> to work?
>
> SQL should be faster, and easier to manage
>
>> If only sql, can I disable radutmp in configuration files?
>
> Sure.
>
> In fact, once I get EVERYTHING worked out just like I wanted, I
> usually remove unnecessary components.
> If your all your user configuration and acct data is on sql, then you
> should be able to remove some configuration lines (e.g. unix, radutmp,
> detail, etc.)
>
>> 4) What do I need to do to get Simultaneous-Use to work properly?
>
> As Alan ponted out, the included doc is a good start.
> You need to have radcct table populated with correct values (which is
> related to your question #1 and #2).
>
>> 5) Should the default & inner-tunnel files that have the same
>> parameters match? (i.e. in authorize {sql} in the default file and the
>> authorize {sql} in the inner-tunnel file)
>
> Depends.
>
> If you have some clients  that authenticate using PAP while others
> using PEAP/802.1x, then yes. But if ALL your clients only use
> PEAP/802.1x, then it shouldn't matter much what you put on
> sites-available/default, as long as eap-related options are there.
>
>> 6) Why do I see so many packets for Ziggy trying to authenticate just
>> once..   It is not until about Line 1389 in the debug log (see below
>> ITEM# 6) that the tunnel actually get's established and the next
>> packet on Line 1453 has the Acct-Status-Type = Start?    There is a
>> total of about 3174 lines for just one login attempt.
>
> The image on http://revolutionwifi.blogspot.com/2010/09/peapv0-packet-flow-reference.html
> might give some illustration on the packets involved in EAP/MSCHAPv2
> works
>
> --
> Fajar
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>




More information about the Freeradius-Users mailing list