Freeradius 3.0.15 x OpenLDAP (auth) x MySQL (acct): Limit Simultaneous Use

Jon Battista jonbattista at gmail.com
Tue Sep 11 16:59:26 CEST 2018


>
> On Sep 10, 2018, at 6:48 PM, Jon Battista <jonbattista at gmail.com> wrote:
> > So I have the following set in my *user (mods-config/files/authorize)*
> file:
> >
> > DEFAULT Ldap-Group == "Squad", Simultaneous-Use := 1
> >   Auth-Type := Accept
>   Again, that's still wrong.  The "Auth-Type" has to go on the first line,
> with the other check items.
>   The subsequent lines are attributes for the reply.  This is documented
> extensively in the server.


Okay, but freeradius still runs! It doesn't complain.

> > What does setting this Check Item do exactly?
>   It tells the server to limit the number of simultaneous logins that a
> user can have


> > Will it call *checkrad *which will query *radgroupcheck* to see if it has
> > the following entry:
>   checkrad never calls radgroupcheck.
>   If you want to know how Simultaneous-Use works, it's documented:
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuration/simultaneous_use

> > |1 | dialup    | Simultaneous-Use | := | 1|
> >
> > When is *simul_check_query* called?
>   When necessary.  Read the debug output to see.
> > I've read through the comments. I am not sure what I am missing.
>   The server comes with extensive man pages and other documentation.
> Reading just the comments isn't helpful.


I have been going back and forth over this documentation for days.
I have seemingly done everything it says, yet there is no trace in my debug
output that it is checking for simultaneous use.

Is this syntax correct?

DEFAULT Ldap-Group == "Squad", Simultaneous-Use := 1, Auth-Type := Accept
   cisco-avpair = "shell:priv-lvl=15",
   Tunnel-Medium-Type = 6,
   Tunnel-Private-Group-ID = 3,
   Tunnel-Type = VLAN

Does there have to be an entry in radgroupcheck for my LDAP group "Squad"
since I have set Simultaneous-Use := 1 in my user file?

Again, I have looked over all the documentation. My debug output has
nothing about Simultaneous-Use in it.

Accounting is enabled on my Wireless Controller.
SQL is set for accounting and session in sites-enabled/default.
All authentications are logged in the radacct table of my MySQL DB.


Even if I explicitly set the attribute for my user "service" in my user
file (service Simultaneous-Use := 1) it doesn't work.
It's like it's not actually running the simul_check_query. How does the
Session section play into all this?

Thanks,




On Mon, Sep 10, 2018 at 4:32 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Sep 10, 2018, at 6:48 PM, Jon Battista <jonbattista at gmail.com> wrote:
> > So I have the following set in my *user (mods-config/files/authorize)*
> file:
> >
> > DEFAULT Ldap-Group == "Squad", Simultaneous-Use := 1
> >   Auth-Type := Accept
>
>   Again, that's still wrong.  The "Auth-Type" has to go on the first line,
> with the other check items.
>
>   The subsequent lines are attributes for the reply.  This is documented
> extensively in the server.
>
> > What does setting this Check Item do exactly?
>
>   It tells the server to limit the number of simultaneous logins that a
> user can have
>
> > Will it call *checkrad *which will query *radgroupcheck* to see if it has
> > the following entry:
>
>   checkrad never calls radgroupcheck.
>
>   If you want to know how Simultaneous-Use works, it's documented:
>
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuration/simultaneous_use
>
> > |1 | dialup    | Simultaneous-Use | := | 1|
> >
> > When is *simul_check_query* called?
>
>   When necessary.  Read the debug output to see.
>
> > I've read through the comments. I am not sure what I am missing.
>
>   The server comes with extensive man pages and other documentation.
> Reading just the comments isn't helpful.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



-- 
-- Jon
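
An added example, not part of either poster's message and not FreeRADIUS code: a small Python check for the placement rule discussed in this thread (check items on the first line of a users-file entry, reply items on the indented lines after it). The function names, the CHECK_ITEMS set and the simplified line grammar are assumptions; the two sample entries are the ones quoted in the thread.

```python
import re

# Assumption: the check (control) items named in this thread; extend for your site.
CHECK_ITEMS = {"auth-type", "simultaneous-use", "ldap-group"}
# attribute, operator, value (quoted string or bare token up to a comma)
ITEM = re.compile(r'([A-Za-z0-9_.-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|<|>)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Split users-file text into entries with (line, attribute) check and reply lists."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace():
            # Simplification: every indented line holds reply items of the current entry.
            if entries:
                entries[-1]["reply"] += [(lineno, m.group(1)) for m in ITEM.finditer(raw)]
        else:
            # First line of an entry: name, then the check items.
            parts = raw.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append({"name": parts[0], "reply": [],
                            "check": [(lineno, m.group(1)) for m in ITEM.finditer(rest)]})
    return entries

def misplaced_check_items(text):
    """Return (line, entry, attribute) for check items found on a reply line."""
    return [(ln, e["name"], attr) for e in parse_users(text)
            for ln, attr in e["reply"] if attr.lower() in CHECK_ITEMS]

# Entries as quoted in the thread: the first version, then the revised one.
BROKEN = ('DEFAULT Ldap-Group == "Squad", Simultaneous-Use := 1\n'
          '  Auth-Type := Accept\n')
FIXED = ('DEFAULT Ldap-Group == "Squad", Simultaneous-Use := 1, Auth-Type := Accept\n'
         '   cisco-avpair = "shell:priv-lvl=15",\n'
         '   Tunnel-Medium-Type = 6,\n'
         '   Tunnel-Private-Group-ID = 3,\n'
         '   Tunnel-Type = VLAN\n')

if __name__ == "__main__":
    for label, text in (("first version", BROKEN), ("revised version", FIXED)):
        for line, entry, attr in misplaced_check_items(text):
            print(f"{label}: line {line}: {attr} in entry {entry} is on a reply line")
```

The check only covers item placement in the users file; it says nothing about whether the session section runs the simultaneous-use query.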

