Freeradius 3.0.15 x OpenLDAP (auth) x MySQL (acct): Limit Simultaneous Use

Jon Battista jonbattista at gmail.com
Fri Sep 7 23:47:08 CEST 2018


Thanks for the replies,

> > As it stands, I can query how many active connections a User has
> > (simul_count_query) from the radacct table of my local MySQL radius DB, so
> > now I am trying to figure out how to *set* and *enforce* the Simultaneous-Use
> > attribute.
>
>   You set the Simultaneous-Use attribute, and the server does the enforcement.
>
> https://wiki.freeradius.org/guide/SQL%20HOWTO
>
>   Look for "Simultaneous-Use"


All that doc says to do is have SQL in the Session section. It doesn't say
where to define the Simultaneous-Use attribute.

> > Where I am caught up is the LDAP x SQL interfacing regarding the
> > Simultaneous-Use attribute.
> >
> > How and where does FreeRadius look for this attribute?
>
>   You set it when the user is logging in.  e.g. when the server receives
> an Access-Request packet.
>
>   You can set it just like any other attribute.


I have defined the Simultaneous-Use attribute in my Users file like so:
  DEFAULT LDAP-Group == "Squad"
   Auth-Type := Accept,
   Simultaneous-Use := 1


> > Does this have to be in LDAP for the Group/User and FreeRadius queries for it
>
>   That can work.
>
> > or can I define
> > within my FreeRadius configs somewhere?
>
>   That can work, too.  It all depends what you want.


If I can define it in the FreeRadius configs, such as the Users file, that
is fine.

> > Most examples say to enforce it on
> > a per-user basis by using the Users file, but what about SQL on a large
> > scale?
>
>   It can be set in SQL, too.
>
>   Are you using SQL for other authorization?  If not, don't set it there.
> Set it in LDAP, or set it in another place.


I am not using SQL for Authorization, just Accounting and Session.

With the Simultaneous-Use attribute set in my User file, shouldn't
FreeRadius check the auth from my User against the list of rules? Flagging
positive for LDAP Group == "Squad" and then setting the Simultaneous-Use :=
1. That is not working.

How would I check to see if Simultaneous-Use was set properly?

On Fri, Sep 7, 2018 at 4:06 AM Alan DeKok <aland at deployingradius.com> wrote:

> On Sep 6, 2018, at 9:41 PM, Jon Battista <jonbattista at gmail.com> wrote:
> > I am currently attempting to set up FreeRadius 3.x to limit simultaneous
> > connection based on a User's LDAP Group. For example, people in the
> > Employee LDAP Group get 2 connections.
> >
> > After extensive research, I have surmised the best way to do so is to use a
> > SQL DB for Accounting, which I currently have all set up. Unless LDAP can
> > be used for Accounting?
>
>   No.
>
> > As it stands, I can query how many active connections a User has
> > (simul_count_query) from the radacct table of my local MySQL radius DB, so
> > now I am trying to figure out how to *set* and *enforce* the Simultaneous-Use
> > attribute.
>
>   You set the Simultaneous-Use attribute, and the server does the
> enforcement.
>
> https://wiki.freeradius.org/guide/SQL%20HOWTO
>
>   Look for "Simultaneous-Use"
>
> > Where I am caught up is the LDAP x SQL interfacing regarding the
> > Simultaneous-Use attribute.
> >
> > How and where does FreeRadius look for this attribute?
>
>   You set it when the user is logging in.  e.g. when the server receives
> an Access-Request packet.
>
>   You can set it just like any other attribute.
>
> > Does this have to be in LDAP for the Group/User and FreeRadius queries for it
>
>   That can work.
>
> > or can I define
> > within my FreeRadius configs somewhere?
>
>   That can work, too.  It all depends what you want.
>
> > Most examples say to enforce it on
> > a per-user basis by using the Users file, but what about SQL on a large
> > scale?
>
>   It can be set in SQL, too.
>
>   Are you using SQL for other authorization?  If not, don't set it there.
> Set it in LDAP, or set it in another place.
>
> > I've been scouring over the documentation with no luck. Again, LDAP is
> > enabled and working. SQL Accounting is enabled and logging activity.
> > Something I did notice was that radacct is NOT getting the groupname column
> > when I run: *simul_count_query*
>
>   The groupname column in radacct isn't used.
>
>   Alan DeKok.



-- 
-- Jon
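
Added example, not part of the original message and not FreeRADIUS project code: a small checker for the question of whether Simultaneous-Use is set where the server will act on it. It assumes the users-file layout in which the first line of an entry holds check (control) items and the indented lines hold reply items, and that the attributes in `CONTROL_ONLY` are only acted on from the control list; `parse_users` and `misplaced` are hypothetical helper names.

```python
import re

# Assumption: these attributes are only acted on from the control (check) list.
CONTROL_ONLY = {"Simultaneous-Use", "Auth-Type"}
# attribute, operator, value (quoted string or bare token)
ITEM = re.compile(r'([\w-]+)\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Split users-file text into entries with separate check and reply items."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        if raw[0].isspace():
            # Indented continuation line: reply items of the current entry.
            if entries:
                entries[-1]["reply"] += [m.group(1) for m in ITEM.finditer(raw)]
        else:
            # First line: entry name followed by check items.
            parts = raw.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append({"name": parts[0], "line": lineno,
                            "check": [m.group(1) for m in ITEM.finditer(rest)],
                            "reply": []})
    return entries

def misplaced(text):
    """Return (entry, line, attribute) for control attributes found in a reply list."""
    return [(e["name"], e["line"], attr)
            for e in parse_users(text)
            for attr in e["reply"] if attr in CONTROL_ONLY]

# Entry as posted in the message above.
POSTED = '''DEFAULT LDAP-Group == "Squad"
   Auth-Type := Accept,
   Simultaneous-Use := 1
'''

# Constructed variant with the limit moved onto the check line.
MOVED = '''DEFAULT LDAP-Group == "Squad", Simultaneous-Use := 1
'''

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("moved", MOVED)):
        print(label, misplaced(text) or "no control attributes in reply list")
```

Running the server in debug mode (`radiusd -X`) and reading the authorize and session output for the test login shows whether the attribute reached the control list at run time.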

