session log in SQL
Khapare Joshi
khapare77 at gmail.com
Fri Jul 31 17:50:53 CEST 2015
Simultaneous-Use is working fine on all my stand-alone wireless access
points. But now that there are 100 of these WAPs under the Cisco WLC it
does not seem to work. Just wondering what people are doing with WLC and
Simultaneous-Use.
One way I could do it is to set it globally in the WLC, i.e. 4 connections for
everyone no matter what, but in my case we needed to separate student
and staff.
Thanks,
K
On 04/20/2015 06:28 PM, Khapare Joshi wrote:
> Well, I have done it this way and it seems to work. Why it did not work before
> I don't know.
>
> Added in /etc/raddb/ldap.attr
> checkItem affiliation eduPersonPrimaryAffiliation
>
> In /etc/raddb/dictionary
>
> ATTRIBUTE affiliation 3004 string
>
> enabled ldap module in /etc/raddb/sites-enabled/default
>
> then in /etc/raddb/sites-enabled/inner-tunnel
> update request {
> affiliation :=
> "%{ldap:ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}}"
> }
>
> if (affiliation == "student") {
> update control {
> Simultaneous-Use := 1
> }
> }
>
> if (affiliation == "staff") {
> update control {
> Simultaneous-Use := 3
> }
> }
>
> This works as it should. But why this did not work before I have no
> clue. The 4th attempt actually gets rejected.
>
>
> In radiusd -X, I can see this has been rejected
>
> [ldap] - ldap_xlat
> expand:
> ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}
> -> ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=testsim
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=example,dc=com, with filter uid=testsim
> [ldap] Adding attribute eduPersonPrimaryAffiliation, value: staff
> [ldap] ldap_release_conn: Release Id: 0
> [ldap] - ldap_xlat end
> expand:
> %{ldap:ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}}
> -> staff
> ++} # update request = noop
> ++? if (affiliation == "student")
> ? Evaluating (affiliation == "student") -> FALSE
> ++? if (affiliation == "student") -> FALSE
> ++? if (affiliation == "staff")
> ? Evaluating (affiliation == "staff") -> TRUE
> ++? if (affiliation == "staff") -> TRUE
> ++if (affiliation == "staff") {
> +++update control {
> +++} # update control = noop
> ++} # if (affiliation == "staff") = noop
> ++[expiration] = noop
> ++[logintime] = noop
> ++[pap] = noop
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [eap] Freeing handler
> ++[eap] = ok
> +} # group authenticate = ok
> # Executing section session from file /etc/raddb/sites-enabled/inner-tunnel
> +group session {
> [sql] expand: %{Stripped-User-Name} -> testsim
> [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testsim
> [sql] sql_set_user escaped user --> 'testsim'
> [sql] expand: SELECT COUNT(*) FROM radacct
> WHERE username = '%{SQL-User-Name}'
> AND acctstoptime IS NULL -> SELECT COUNT(*)
> FROM radacct WHERE username =
> 'testsim' AND acctstoptime IS NULL
> rlm_sql (sql): Reserving sql socket id: 14
> rlm_sql (sql): Released sql socket id: 14
> ++[sql] = ok
> +} # group session = ok
> Multiple logins (max 3) : [testsim at example.com] (from client
> nas1.example.com port 7705 cli 2064.3261.6d2d via TLS tunnel)
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> +group REJECT {
> [attr_filter.access_reject] expand: %{User-Name} -> testsim at example.com
> attr_filter: Matched entry DEFAULT at line 11
>
>
> It still says +++} # update control = noop
>
> but works :)
>
> On Wed, Apr 8, 2015 at 3:56 PM, Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Apr 8, 2015, at 6:22 AM, Khapare Joshi <khapare77 at gmail.com> wrote:
>>> I made a mistake on the regex thing because I was also testing the same with
>>> affiliation and had these lines before I turned to test the gid thing. Sorry for
>>> this.
>> If you can't keep track of what you're doing, you will never solve the
>> problem.
>>
>>> This did not work either.
>> Probably for the same reason. You want one thing from the server, and
>> you've configured it to do something else.
>>
>>> I checked both debug outputs, the first one (DEFAULT Simultaneous-Use :=
>>> 1 Fall-Through = 1) actually executes session but I don't see
>>> these lines when I perform the test with the gidnumber check statement.
>> So read the debug output to see why.
>>
>>> ++? if (gidnumber < 200)
>>> (Attribute gidnumber was not found)
>> Doesn't that tell you anything?
>>
>> You've configured the LDAP module to add the attribute to the CHECK
>> items, and you're then looking for it in the REQUEST items.
>>
>> This is all documented, and it's all available in the debug output.
>>
>> I get the feeling that 3/4 of my posts here are just convincing people
>> to READ the messages that they post to the list.
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html