[EXTERNAL] Re: [EXT] problem with Simultaneous-Use roaming

Winfield, Alister Alister.Winfield at sky.uk
Mon Jun 17 11:23:15 CEST 2019


Hint it's not RADIUS that’s going to fix this much like many things that come up on this list the problem is the flawed assumption that RADIUS is in control. The control is really in the session managing device here likely something to do with the AP. So a free hint.

You need to understand the AP's behaviour. Especially so if each of your AP's are independent.  Remember an AP only has two possible triggers to mark you as 'gone' and thus send a stop. (I don't think there are any more than this in reality)

1) Disassociation. Read your device appears to have vanished at the WiFi layer (well it 'could' be an active disconnect but its far more likely the device just goes out of range). Obviously there are timers involved to avoid transient loss causing authentication storms.
2) DHCP timeout.

Neither are particularly quick. So you are very likely to get >1 session even though the device is only in one actual location on one AP.

NB: In a managed AP setup the session management is centralised so the device association can migrate between AP's without reauthentication. Problem solved but last time I looked you pay $$$$$$..

So nothing to do with RADIUS more to do with how WiFi and DHCP standards operate and how your AP's actually manage sessions. Understand that first then work out how to get the behaviour you desire if that’s possible. It might be that there is no clear solution so you might need to compromise slightly.

Alister




On 14/06/2019, 16:46, "Freeradius-Users on behalf of Mustafa Nassir" <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org on behalf of mustafa.n.gaid at gmail.com> wrote:

    nice sound , do u have any suggestion what is best way to limit total users
    uses in without use  (Simultaneous-Use) , i test  delay-time but its same
    things the users cant reconnect when it go to new ap signal .

    On Fri, Jun 14, 2019 at 6:09 PM Brian Julin <BJulin at clarku.edu> wrote:

    >
    > Mustafa Nassir <mustafa.n.gaid at gmail.com> wrote:
    >
    > > i have problem with 802.1X , i have multi openwrt access point all it
    > work
    > > with wpa2-enterprise and freeradius server with mysql in other side , in
    > > freeradius i enable Simultaneous-Use my problem is when my users move
    > from
    > > first ap to second or to third ap its disconnect and reconnect and in
    > some
    > > time its take over 10-30 second to reconnect successful . i set ideal
    > > time-out 1s and life-time 1s . its reconnect faster than first one , but
    > > its stay disconnect when they move , any idea ?
    >
    > Probably the APs are not sending an Accounting Stop packet soon enough.
    > You'll have to do some packet analysis to see how late they are.  It might
    > be possible to insert a delay in the authentication to wait for the
    > Accounting-Stop
    > before checking Simultaneous-Use... dunno, I never used this feature for
    > exactly
    > this reason.
    > -
    > List info/subscribe/unsubscribe? See
    > https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7Calister.winfield%40sky.uk%7C60a141039be44279b64a08d6f0df808f%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C636961240055054273&sdata=2oEZ3q4SItBRTW%2BZY3zF2JUEr81HpWyBVHKtiiKCNs0%3D&reserved=0
    -
    List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7Calister.winfield%40sky.uk%7C60a141039be44279b64a08d6f0df808f%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C636961240055064282&sdata=m4%2Bgmby1ca%2BzwzHvYVFV48OiZunn%2FWBXvjQaqrLUWWo%3D&reserved=0
    --------------------------------------------------------------------
    This email is from an external source. Please do not open attachments or click links from an unknown or suspicious origin. Phishing attempts can be reported by sending them to phishing at sky.uk as attachments. Thank you
    --------------------------------------------------------------------



Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky Limited and Sky International AG and are used under licence.

Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075), Sky Subscribers Services Limited (Registration No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD



More information about the Freeradius-Users mailing list