Simultaneous-Use unreliable for 'other' NAS-type
aland at deployingradius.com
Mon Jul 8 07:57:34 CEST 2019
On Jul 8, 2019, at 1:55 AM, Taymour Gabr via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Very interesting and useful,
> However, in the case where the accounting table already records
> multiple sessions for a username seconds after the first person has
> logged in on a fresh account, this periodic check won't help much.
Are multiple people actually logging in at the same time? If so, see the recent 3.0 releases. There's code in "queries.conf" which allows you to create accounting records from the post-auth section. Just look for "post-auth" in that file.
When that's used, you can update the accounting sessions immediately when a user logs in. Then, if another user tries to log in within a few seconds, you see that a session already exists, and reject the second session.
> checkrad would solve the problem here (if the controller provides the
> information), and rlm_snmp sounds like it would as well.
> For my case, I'm actually suspecting now that this controller might
> specifically have a tendency to spam sessions when someone logs in, so
> perhaps removing non-unique sessions might be useful.
The correct solution to a broken controller is to fix the controller. In most cases, it's just impossible to fix it on the RADIUS server. Only the controller knows what's actually going on.
The RADIUS server only knows what the controller tells it. And if the controller lies, the RADIUS server can't make any correct decision.
More information about the Freeradius-Users