Freeradius 3.0.15 x OpenLDAP (auth) x MySQL (acct): Limit Simultaneous Use
Jon Battista
jonbattista at gmail.com
Tue Sep 11 16:59:26 CEST 2018
> On Sep 10, 2018, at 6:48 PM, Jon Battista <jonbattista at gmail.com> wrote:
> > So I have the following set in my *user (mods-config/files/authorize)* file:
> >
> > DEFAULT Ldap-Group == "Squad", Simultaneous-Use := 1
> > Auth-Type := Accept
>
> Again, that's still wrong. The "Auth-Type" has to go on the first line,
> with the other check items.
>
> The subsequent lines are attributes for the reply. This is documented
> extensively in the server.

Okay, but freeradius still runs! It doesn't complain.

> > What does setting this Check Item do exactly?
>
> It tells the server to limit the number of simultaneous logins that a
> user can have
>
> > Will it call *checkrad *which will query *radgroupcheck* to see if it has
> > the following entry:
>
> checkrad never calls radgroupcheck.
>
> If you want to know how Simultaneous-Use works, it's documented:
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuration/simultaneous_use
>
> > |1 | dialup | Simultaneous-Use | := | 1|
> >
> > When is *simul_check_query* called?
>
> When necessary. Read the debug output to see.
>
> > I've read through the comments. I am not sure what I am missing.
>
> The server comes with extensive man pages and other documentation.
> Reading just the comments isn't helpful.

I have been going back and forth over this documentation for days.
I have seemingly done everything it says, yet there is no trace in my debug
output that it is checking for simultaneous use.

Is this syntax correct?

DEFAULT Ldap-Group == "Squad", Simultaneous-Use := 1, Auth-Type := Accept
        cisco-avpair = "shell:priv-lvl=15",
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 3,
        Tunnel-Type = VLAN

Does there have to be an entry in radgroupcheck for my LDAP group "Squad"
since I have set Simultaneous-Use := 1 in my user file?

Again, I have looked over all the documentation. My debug output has
nothing about Simultaneous-Use in it.

Accounting is enabled on my Wireless Controller.
SQL is set for accounting and session in sites-enabled/default.
All authentications are logged in the radacct table of my MySQL DB.

Even if I explicitly set the attribute for my user "service" in my user
file (service Simultaneous-Use := 1) it doesn't work.

It's like it's not actually running the simul_check_query. How does the
Session section play into all this?

Thanks,

On Mon, Sep 10, 2018 at 4:32 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Sep 10, 2018, at 6:48 PM, Jon Battista <jonbattista at gmail.com> wrote:
> > So I have the following set in my *user (mods-config/files/authorize)* file:
> >
> > DEFAULT Ldap-Group == "Squad", Simultaneous-Use := 1
> > Auth-Type := Accept
>
> Again, that's still wrong. The "Auth-Type" has to go on the first line,
> with the other check items.
>
> The subsequent lines are attributes for the reply. This is documented
> extensively in the server.
>
> > What does setting this Check Item do exactly?
>
> It tells the server to limit the number of simultaneous logins that a
> user can have
>
> > Will it call *checkrad *which will query *radgroupcheck* to see if it has
> > the following entry:
>
> checkrad never calls radgroupcheck.
>
> If you want to know how Simultaneous-Use works, it's documented:
>
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuration/simultaneous_use
>
> > |1 | dialup | Simultaneous-Use | := | 1|
> >
> > When is *simul_check_query* called?
>
> When necessary. Read the debug output to see.
>
> > I've read through the comments. I am not sure what I am missing.
>
> The server comes with extensive man pages and other documentation.
> Reading just the comments isn't helpful.
>
> Alan DeKok.
--
-- Jon
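
An added example, not from the thread or the FreeRADIUS project: a small Python check for the mistake Alan points out, a check item such as Auth-Type placed on an indented reply line of a users file, which per the thread the server accepts without complaint. The CHECK_ONLY set, the function name and the tab-indented sample entries are constructed for illustration.

```python
import re

# Check items named in the thread. Assumption: an illustrative subset,
# not the server's complete list of control attributes.
CHECK_ONLY = {"auth-type", "simultaneous-use"}

ITEM = re.compile(r'\s*([A-Za-z][\w-]*)\s*(?::=|\+=|==|=)')
COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')  # commas outside quotes

def lint_users(text):
    """Return [(line_no, entry_name, attribute)] for check items on reply lines."""
    findings = []
    entry = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if not line[0].isspace():
            # Column 0 starts an entry: name first, check items on the same line.
            entry = line.split(None, 1)[0]
            continue
        if entry is None:
            continue  # indented line before any entry; nothing to attribute it to
        # Indented continuation line: every item here is a reply attribute.
        for item in COMMA.split(line):
            m = ITEM.match(item)
            if m and m.group(1).lower() in CHECK_ONLY:
                findings.append((no, entry, m.group(1)))
    return findings

# Constructed samples: the first layout from the thread, then the corrected one.
SAMPLE_BAD = '''\
DEFAULT Ldap-Group == "Squad", Simultaneous-Use := 1
\tAuth-Type := Accept
'''
SAMPLE_OK = '''\
DEFAULT Ldap-Group == "Squad", Simultaneous-Use := 1, Auth-Type := Accept
\tcisco-avpair = "shell:priv-lvl=15",
\tTunnel-Medium-Type = 6,
\tTunnel-Private-Group-ID = 3,
\tTunnel-Type = VLAN
'''

if __name__ == "__main__":
    for no, entry, attr in lint_users(SAMPLE_BAD):
        print(f"line {no}: {attr} in entry {entry} is on a reply line; "
              "move it to the first line with the other check items")
```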