Simultaneous-Use unreliable for 'other' NAS-type

Taymour Gabr taymourgabr at googlemail.com
Mon Jul 8 01:55:08 CEST 2019


Very interesting and useful,
However, in the case where the accounting table already records
multiple sessions for a username seconds after the first person has
logged in on a fresh account, this periodic check won't help much.

checkrad would solve the problem here (if the controller provides the
information), and rlm_snmp sounds like it would as well.

For my case, I'm actually suspecting now that this controller might
specifically have a tendency to spam sessions when someone logs in, so
perhaps removing non-unique sessions might be useful.
Regardless, I'll have a proper look at my radacct table before
proceeding with checkrad and SNMP.

Thanks a lot,

Taymour

On 08/07/2019, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
>
>> On Jul 7, 2019, at 3:10 PM, Alan DeKok <aland at deployingradius.com> wrote:
>>
>> On Jul 7, 2019, at 8:49 PM, Taymour Gabr via Freeradius-Users
>> <freeradius-users at lists.freeradius.org> wrote:
>>> this doesn't answer my question though of how/if checkrad works for
>>> simultaneous-use set to anything other than 1.
>>
>>  Checkrad is run once for every user session.  But that means it has to
>> check *each* user session.
>>
>>> Also, could you please expand on what you consider to be 'modern'
>>> NASes? 2 years-old, 5 years-old, 10?
>>
>>  Realistically, 10 years.  Checkrad is ~20 years old, and hasn't been
>> updated in a very long time.
>>
>>> We are looking to replace our crappy HP controller. Unfortunately HP
>>> was taken over by Aruba, and their controllers don't support HP Access
>>> points. So we are trying to go with the latest HP controller, and I
>>> would like to make sure that simultaneous-use will be covered.
>>
>>  At this point, the NASes should work better.  Checkrad is less useful.
>
> The majority of installations that use simultaneous use checks, just run a
> script against the database periodically, looking at the last time an
> interim was received, and closing out sessions where at least two interims
> have been missed.  I added 'acctupdatetime' to the majority of the default
> schemas a few years back to encourage more people to do that, over using the
> old SNMP based methods.  For this to work you do need to enable interim
> updates on the controller (set it to something like 5 mins if your servers
> can handle it).
>
> If you wanted to contribute something useful, I know some databases have
> cronlike functionality.  It'd be good to include a cronlike job to close out
> stale sessions in the default schemas.
>
> Just as an aside - there's also been some internal discussion about creating
> an rlm_snmp to allow async queries against NAS.  If that work gets
> completed, then we'd likely ditch checkrad in favour of integrated runtime
> checks.  When the I/O is async you don't really care about blocking the
> request trying to talk to an unreachable NAS, you just need to set
> appropriate timeouts.
>
> -Arran
>


More information about the Freeradius-Users mailing list