checkrad and db based simultaneous use checks
aland at deployingradius.com
Mon Jan 26 22:55:07 CET 2015
On Jan 26, 2015, at 4:49 PM, Bill Schoolfield <bill at billmax.com> wrote:
> A client of mine just asked that we limit active sessions per user to 1 (e.g simultaneous use checking). Radutmp was already configured but I disabled it in favor of the checks via the SQL module.
That’s a good idea.
> Things look to be working but I'm concerned as the radacct table has lots of (possibly old/bogus) records with no stop info that I assume will cause the check to return false negatives.
Maybe. That’s what checkrad is for. Or, a “cron” job which deletes old sessions.
> We also configured checkrad and it is working. My question is this: how exactly is checkrad used? Is it used exclusively or in concert with the SQL module checks? Will I need to cleanup the radacct table or will checkrad "save" me? I have reviewed all the documents and configuration I can find but checkrad use is still a bit of a mystery to me.
When you set Simultaneous-Use = 1, the server does the following:
- checks if the user is already logged in
if not, the user is allowed in, and we’re done.
- otherwise, runs “checkrad” to query the NAS
If checkrad returns “logged in”, the user is denied access. Otherwise, he’s allowed.
See clients.conf for more information. You need to set a nastype for checkrad to work.
If there’s no nastype… the accounting data is presumed to be accurate.
More information about the Freeradius-Users