Simultaneous-Use and mysql

Alan DeKok aland at
Mon Aug 5 16:45:55 CEST 2019

On Aug 5, 2019, at 10:01 AM, Ben McTee <eastex.benmctee at> wrote:
> I understand your frustration. I tried my best to configure it on my
> own for many hours, combing through the documentation and list
> archives. Your documentation and dedication to this community is
> wonderful.
> I (and many others I'm sure) appreciate it. I actually enjoy reading
> your colorful responses.

  I'm glad someone enjoys them.

> This was posted because I've found inconsistencies in list archives
> where the authorize_reply_query section was commented out. I realize
> there are countless configuration scenarios, but during this time
> I've wished for a "beginning to end freeradius, mysql,
> simultaneous-use blocking" type tutorial. If people go Googling, they
> run across these threads, which (besides the Wiki and config comments)
> are how we troubleshoot similar scenarios. Would it not be prudent to
> clarify for future readers?

  It would be prudent for people to contribute documentation.  It *is* an open source project.  The Wiki *is* editable.

  The reality is that the basic documentation for the server isn't bad.  The configuration is documented, simple scenarios are documented.  There's a lot of stuff in the Wiki.


  Doing anything unusual or complex requires understanding just about everything.  Because RADIUS is complex.  So it's easy for experts to write the docs, but they're busy doing other things.  And then the people who *need* the docs generally don't contribute.  Which means that they don't get better.

  What I'm doing for v4 is just biting the bullet and *paying* people to write documentation.

> Changing the nas_type from cisco to other (in the nas table) allowed
> the limit to work as you explained.


> Is checkrad more efficient/preferred or should I have a reason not to
> trust the accounting database? For example, if the stop packet isn't
> received for whatever reason, does it periodically compare accounting
> database to actual situation and correct if a user appears online but
> isn't?

  The checkrad script compares the accounting database to what the NAS thinks.  But *only* when a second login attempt is made.

  The reality is that checkrad is used a lot less than 10 years ago.  Most NAS vendors have fixed their equipment to actually send packets. (!).  Which means that the accounting database is almost always correct.

> I can see this situation causing a user to not be allowed
> online if something goes wrong with accounting. I just don't want to
> worry if that's not a likely scenario.

  Yes.  That's the tradeoff.

  What happens most of the time is that the user logs in with the same NAS IP / port / whatever.  So the server can tell this new session *exactly matches* an old open session.  Which means that the old session can be safely closed, and a new session opened.

> The logging does not honor my msg_denied setting in radiusd.conf.  The
> detail_YYYYMMDD logs show the output below.

  Those are accounting logs.  msg_denied applies to authentication packets.

> Can I expect my logs to
> not include the simultaneous use message when nas_type is set to
> other?

  They should.

  Alan DeKok.
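
A small model of the tradeoff discussed above, added here as an example and not taken from the thread or from FreeRADIUS itself: the limit is enforced by counting open accounting sessions, so a lost Stop leaves a stale record that blocks a login from elsewhere, while a login that exactly matches the stale record's NAS IP and port lets it be closed. The `sessions` table, its columns and all function names are assumptions made for illustration.

```python
import sqlite3

# Simplified stand-in for an accounting table (assumed names, not the real schema).
SCHEMA = """CREATE TABLE sessions (
    username TEXT, nas_ip TEXT, nas_port TEXT,
    start_time INTEGER, stop_time INTEGER)"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def acct_start(db, user, nas_ip, nas_port, now):
    """Record an Accounting-Start: a new open session."""
    db.execute("INSERT INTO sessions VALUES (?,?,?,?,NULL)",
               (user, nas_ip, nas_port, now))

def acct_stop(db, user, nas_ip, nas_port, now):
    """Record an Accounting-Stop: close the matching open session, if any."""
    db.execute("UPDATE sessions SET stop_time=? WHERE username=? AND nas_ip=? "
               "AND nas_port=? AND stop_time IS NULL",
               (now, user, nas_ip, nas_port))

def authorize(db, user, nas_ip, nas_port, now, limit=1):
    """Return True if the login fits within the simultaneous-use limit."""
    # A new login on the same NAS IP and port exactly matches an old open
    # session, so that session cannot still be live: close it first.
    acct_stop(db, user, nas_ip, nas_port, now)
    (open_count,) = db.execute(
        "SELECT COUNT(*) FROM sessions WHERE username=? AND stop_time IS NULL",
        (user,)).fetchone()
    return open_count < limit

def demo():
    """Constructed scenario: one login, a lost Stop, then two retries."""
    db = open_db()
    results = [authorize(db, "alice", "192.0.2.10", "5", 100)]   # first login
    acct_start(db, "alice", "192.0.2.10", "5", 100)
    # The Stop packet never arrives, so the record stays open.
    # From a different NAS the database alone cannot tell stale from live.
    results.append(authorize(db, "alice", "192.0.2.20", "7", 200))
    # Same NAS IP and port: the stale record is closed and the login proceeds.
    results.append(authorize(db, "alice", "192.0.2.10", "5", 300))
    return results

if __name__ == "__main__":
    print(demo())
```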
