Simultaneous-Use unreliable for 'other' NAS-type
taymourgabr at googlemail.com
Mon Jul 8 01:55:08 CEST 2019
Very interesting and useful,
However, in the case where the accounting table already records
multiple sessions for a username seconds after the first person has
logged in on a fresh account, this periodic check won't help much.
checkrad would solve the problem here (if the controller provides the
information), and rlm_snmp sounds like it would as well.
For my case, I'm actually suspecting now that this controller might
specifically have a tendency to spam sessions when someone logs in, so
perhaps removing non-unique sessions might be useful.
Regardless, I'll have a proper look at my radacct table before
proceeding with checkrad and SNMP.
Thanks a lot,
On 08/07/2019, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>> On Jul 7, 2019, at 3:10 PM, Alan DeKok <aland at deployingradius.com> wrote:
>> On Jul 7, 2019, at 8:49 PM, Taymour Gabr via Freeradius-Users
>> <freeradius-users at lists.freeradius.org> wrote:
>>> this doesn't answer my question though of how/if checkrad works for
>>> simultaneous-use set to anything other than 1.
>> Checkrad is run once for every user session. But that means it has to
>> check *each* user session.
>>> Also, could you please expand on what you consider to be 'modern'
>>> NASes? 2 years-old, 5 years-old, 10?
>> Realistically, 10 years. Checkrad is ~20 years old, and hasn't been
>> updated in a very long time.
>>> We are looking to replace our crappy HP controller. Unfortunately HP
>>> was taken over by Aruba, and their controllers don't support HP Access
>>> points. So we are trying to go with the latest HP controller, and I
>>> would like to make sure that simultaneous-use will be covered.
>> At this point, the NASes should work better. Checkrad is less useful.
> The majority of installations that use simultaneous use checks, just run a
> script against the database periodically, looking at the last time an
> interim was received, and closing out sessions where at least two interims
> have been missed. I added 'acctupdatetime' to the majority of the default
> schemas a few years back to encourage more people to do that, over using the
> old SNMP based methods. For this to work you do need to enable interim
> updates on the controller (set it to something like 5 mins if your servers
> can handle it).
> If you wanted to contribute something useful, I know some databases have
> cronlike functionality. It'd be good to include a cronlike job to close out
> stale sessions in the default schemas.
> Just as an aside - there's also been some internal discussion about creating
> an rlm_snmp to allow async queries against NAS. If that work gets
> completed, then we'd likely ditch checkrad in favour of integrated runtime
> checks. When the I/O is async you don't really care about blocking the
> request trying to talk to an unreachable NAS, you just need to set
> appropriate timeouts.
More information about the Freeradius-Users