checkrad and db based simultaneous use checks
bill at billmax.com
Mon Jan 26 23:23:01 CET 2015
Thanks Alan for the quick reply... read on below.
On 1/26/2015 3:55 PM, Alan DeKok wrote:
> On Jan 26, 2015, at 4:49 PM, Bill Schoolfield <bill at billmax.com> wrote:
>> A client of mine just asked that we limit active sessions per user to 1 (e.g. simultaneous use checking). Radutmp was already configured but I disabled it in favor of the checks via the SQL module.
> That’s a good idea.
>> Things look to be working but I'm concerned as the radacct table has lots of (possibly old/bogus) records with no stop info that I assume will cause the check to return false negatives.
> Maybe. That’s what checkrad is for. Or, a “cron” job which deletes old sessions.
>> We also configured checkrad and it is working. My question is this: how exactly is checkrad used? Is it used exclusively or in concert with the SQL module checks? Will I need to clean up the radacct table or will checkrad "save" me? I have reviewed all the documents and configuration I can find but checkrad use is still a bit of a mystery to me.
> When you set Simultaneous-Use = 1, the server does the following:
> - checks if the user is already logged in
>   if not, the user is allowed in, and we’re done.
Hmm... so the simultaneous check will fail in cases where there's
nothing in radacct for the user but there is indeed an active session on
the NAS? Admittedly this should be rare compared to the case where
bogus info is in radacct.
It does sound like it would be good to clean the table up to prevent
needlessly calling checkrad. I'll write a little script to do that.
> - otherwise, runs “checkrad” to query the NAS
> If checkrad returns “logged in”, the user is denied access. Otherwise, he’s allowed.
> See clients.conf for more information. You need to set a nastype for checkrad to work.
Yep, my nastype is set.
> If there’s no nastype… the accounting data is presumed to be accurate.
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
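
The check order described in this thread, together with a cron-style cleanup of stale open sessions, as an added example (not code from FreeRADIUS or from either poster). The table is a cut-down stand-in for radacct with constructed rows, `nas_says_online` is a hypothetical stand-in for checkrad, and the cleanup closes old records instead of deleting them so the accounting history is kept.

```python
import sqlite3

# Constructed sample rows: (username, nasipaddress, acctsessionid,
# acctstarttime, acctstoptime). Column names follow the stock radacct
# schema; times are epoch seconds to keep the stand-in table simple.
ROWS = [
    ("alice", "192.0.2.1", "s1", 1000, 1600),  # closed session
    ("bob",   "192.0.2.1", "s2", 2000, None),  # open, user really is online
    ("carol", "192.0.2.1", "s3",  100, None),  # open, Stop packet was lost
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, nasipaddress TEXT,"
               " acctsessionid TEXT, acctstarttime INTEGER, acctstoptime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?,?)", ROWS)
    return db

def simul_check(db, user, limit, nas_says_online):
    """Return (allowed, nas_queries) for a login attempt by `user`."""
    open_rows = db.execute(
        "SELECT nasipaddress, acctsessionid FROM radacct"
        " WHERE username = ? AND acctstoptime IS NULL", (user,)).fetchall()
    if len(open_rows) < limit:
        return True, 0            # accounting says not logged in: allow, NAS not asked
    queries = live = 0
    for nas, sid in open_rows:    # otherwise verify each open record on the NAS
        queries += 1
        live += bool(nas_says_online(nas, user, sid))
    return live < limit, queries

def close_stale(db, now, max_age):
    """Close open sessions started more than max_age seconds before `now`.

    max_age must exceed the longest legitimate session, or live sessions
    are closed too and the user gets a second login without a NAS query.
    """
    cur = db.execute(
        "UPDATE radacct SET acctstoptime = ? WHERE acctstoptime IS NULL"
        " AND acctstarttime < ?", (now, now - max_age))
    db.commit()
    return cur.rowcount
```

A stale open record costs one NAS query per login attempt until it is closed, while a user with no open record is admitted without any query, even if the NAS still holds a session for them.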