Freeradius 3.0.15 x OpenLDAP (auth) x MySQL (acct): Limit Simultaneous Use
Jon Battista
jonbattista at gmail.com
Fri Sep 7 23:47:08 CEST 2018
Thanks for the replies,
> > As it stands, I can query how many active connections a User has
> > (simul_count_query) from the radacct table of my local MySQL radius DB, so
> > now I am trying to figure out how to *set* and *enforce* the Simultaneous-Use
> > attribute.
> You set the Simultaneous-Use attribute, and the server does the
> enforcement.
> https://wiki.freeradius.org/guide/SQL%20HOWTO
> Look for "Simultaneous-Use"
All that doc says to do is have SQL in the Session section. It doesn't say
where to define the Simultaneous-Use attribute.
> > Where I am caught up is the LDAP x SQL interfacing regarding the
> > Simultaneous-Use attribute.
> >
> > How and where does FreeRadius look for this attribute?
> You set it when the user is logging in. e.g. when the server receives
> an Access-Request packet.
> You can set it just like any other attribute.
I have defined the Simultaneous-Use attribute in my Users file like so:
DEFAULT LDAP-Group == "Squad"
Auth-Type := Accept,
Simultaneous-Use := 1
> > Does this have to be in LDAP for the Group/User and FreeRadius queries for it
> That can work.
> > or can I define
> > within my FreeRadius configs somewhere?
> That can work, too. It all depends what you want.
If I can define it in the FreeRadius configs, such as the Users file, that
is fine.
> > Most examples say to enforce it on
> > a per-user basis by using the Users file, but what about SQL on a large
> > scale?
> It can be set in SQL, too.
> Are you using SQL for other authorization? If not, don't set it there.
> Set it in LDAP, or set it in another place.
I am not using SQL for Authorization, just Accounting and Session.
With the Simultaneous-Use attribute set in my User file, shouldn't
FreeRadius check the auth from my User against the list of rules? Flagging
positive for LDAP Group == "Squad" and then setting the Simultaneous-Use :=
1. That is not working.
How would I check to see if Simultaneous-Use was set properly?
On Fri, Sep 7, 2018 at 4:06 AM Alan DeKok <aland at deployingradius.com> wrote:
> On Sep 6, 2018, at 9:41 PM, Jon Battista <jonbattista at gmail.com> wrote:
> > I am currently attempting to set up FreeRadius 3.x to limit simultaneous
> > connection based on a User's LDAP Group. For example, people in the
> > Employee LDAP Group get 2 connections.
> >
> > After extensive research, I have surmised the best way to do so is to use a
> > SQL DB for Accounting, which I currently have all set up. Unless LDAP can
> > be used for Accounting?
>
> No.
>
> > As it stands, I can query how many active connections a User has
> > (simul_count_query) from the radacct table of my local MySQL radius DB, so
> > now I am trying to figure out how to *set* and *enforce* the Simultaneous-Use
> > attribute.
>
> You set the Simultaneous-Use attribute, and the server does the
> enforcement.
>
> https://wiki.freeradius.org/guide/SQL%20HOWTO
>
> Look for "Simultaneous-Use"
>
> > Where I am caught up is the LDAP x SQL interfacing regarding the
> > Simultaneous-Use attribute.
> >
> > How and where does FreeRadius look for this attribute?
>
> You set it when the user is logging in. e.g. when the server receives
> an Access-Request packet.
>
> You can set it just like any other attribute.
>
> > Does this have to be in LDAP for the Group/User and FreeRadius queries for it
>
> That can work.
>
> > or can I define
> > within my FreeRadius configs somewhere?
>
> That can work, too. It all depends what you want.
>
> > Most examples say to enforce it on
> > a per-user basis by using the Users file, but what about SQL on a large
> > scale?
>
> It can be set in SQL, too.
>
> Are you using SQL for other authorization? If not, don't set it there.
> Set it in LDAP, or set it in another place.
>
> > I've been scouring over the documentation with no luck. Again, LDAP is
> > enabled and working. SQL Accounting is enabled and logging activity.
> > Something I did notice was that radacct is NOT getting the groupname column
> > when I run: *simul_count_query*
>
> The groupname column in radacct isn't used.
>
> Alan DeKok.
--
-- Jon
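
Added example (not part of the original message, and not taken from the FreeRADIUS project): one way to put Simultaneous-Use into the control (check) list for the "Squad" group mentioned above, with the sql module in the session section doing the count. It assumes a stock FreeRADIUS 3.0 layout (mods-config/files/authorize, sites-enabled/default) and a working ldap module; use option A or option B, not both.

```conf
# --- Option A: users file (mods-config/files/authorize) ---
# Check items go on the FIRST line, next to the match condition.
# Indented continuation lines are reply items: they land in the reply
# list, not in the control list that the server enforces from.
DEFAULT	LDAP-Group == "Squad", Simultaneous-Use := 1

# --- Option B: unlang in sites-enabled/default ---
authorize {
	# ... existing modules (ldap, files, ...) stay as they are ...
	if (LDAP-Group == "Squad") {
		update control {
			Simultaneous-Use := 1
		}
	}
}

# --- Needed with either option: sites-enabled/default ---
# The session section is only executed when Simultaneous-Use is present
# in the control list; sql then runs simul_count_query against radacct.
session {
	sql
}
```

Running the server as radiusd -X shows whether the users-file entry matched and whether the session section was executed for the request.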