checkrad and db based simultaneous use checks
Alan DeKok
aland at deployingradius.com
Mon Jan 26 22:55:07 CET 2015
On Jan 26, 2015, at 4:49 PM, Bill Schoolfield <bill at billmax.com> wrote:
> A client of mine just asked that we limit active sessions per user to 1 (e.g. simultaneous use checking). Radutmp was already configured but I disabled it in favor of the checks via the SQL module.
That’s a good idea.
> Things look to be working but I'm concerned as the radacct table has lots of (possibly old/bogus) records with no stop info that I assume will cause the check to return false negatives.
Maybe. That’s what checkrad is for. Or, a “cron” job which deletes old sessions.
> We also configured checkrad and it is working. My question is this: how exactly is checkrad used? Is it used exclusively or in concert with the SQL module checks? Will I need to clean up the radacct table or will checkrad "save" me? I have reviewed all the documents and configuration I can find but checkrad use is still a bit of a mystery to me.
When you set Simultaneous-Use = 1, the server does the following:
- checks if the user is already logged in
  if not, the user is allowed in, and we’re done.
- otherwise, runs “checkrad” to query the NAS
  If checkrad returns “logged in”, the user is denied access. Otherwise, he’s allowed.
See clients.conf for more information. You need to set a nastype for checkrad to work.
If there’s no nastype… the accounting data is presumed to be accurate.
Alan DeKok.
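
A small model of the flow described in the message above, added here as an illustration (it is not FreeRADIUS code and not part of the original post). It uses an in-memory SQLite table with a constructed subset of radacct columns, `query_nas` is a hypothetical stand-in for checkrad, and it generalizes slightly from Simultaneous-Use = 1 to any limit by counting the sessions that remain confirmed.

```python
import sqlite3

# Constructed sample: "bob" has an open record (no stop info) that started long ago;
# "carol" has a properly closed one.
ROWS = [("bob", "192.0.2.1", "s1", 1_000, None),
        ("carol", "192.0.2.1", "s2", 1_000, 2_000)]

def make_db(rows=ROWS):
    """In-memory table with a constructed subset of radacct columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, nasipaddress TEXT, "
               "acctsessionid TEXT, acctstarttime INTEGER, acctstoptime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?,?)", rows)
    return db

def open_sessions(db, user):
    """Records without stop info are what the accounting data counts as logged in."""
    return db.execute("SELECT nasipaddress, acctsessionid FROM radacct "
                      "WHERE username = ? AND acctstoptime IS NULL", (user,)).fetchall()

def login_allowed(db, user, limit, nastypes, query_nas):
    """Apply the described flow; query_nas(nas, nastype, user, sid) -> bool."""
    sessions = open_sessions(db, user)
    if len(sessions) < limit:
        return True                      # not already logged in: allow, done
    confirmed = 0
    for nas, sid in sessions:
        if nas not in nastypes:          # no nastype: accounting presumed accurate
            confirmed += 1
        elif query_nas(nas, nastypes[nas], user, sid):
            confirmed += 1               # the NAS reports the session as live
    return confirmed < limit

def delete_stale(db, now, max_age):
    """Cron-style cleanup: delete open records older than max_age seconds.
    max_age must exceed the longest legitimate session, or live ones go too."""
    cur = db.execute("DELETE FROM radacct WHERE acctstoptime IS NULL "
                     "AND acctstarttime < ?", (now - max_age,))
    db.commit()
    return cur.rowcount
```

With the sample rows, bob's stale record blocks his login when the NAS has no nastype, and stops blocking it once either the NAS query reports no session or the cleanup has removed the record.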