Simultaneous-Use with EAP
Alan DeKok
alan.dekok at inkbridge.io
Wed Mar 18 10:34:21 UTC 2026
On Mar 18, 2026, at 5:51 AM, Matthew <mdg583 at gmail.com> wrote:
> I set up the sql module, and made sure "sql" was listed under the
> "authorize" and "session" sections of my site's (default) configuration. I
> also enabled accounting and everything seemed to be working. I added users
> to the radcheck table with cleartext passwords. I added a Simultaneous-Use
> line for my user, but it always seemed to be ignored.
Simultaneous-Use depends on a number of factors. It's not possible to simply set a flag and have it work. The only way to validate it is to test it.
> After a lot of searching, I've discovered that my 'default' config was
> being used for the 'outer' authentication (eap), and then the
> "inner-tunnel" config was being used for actual authentication.
Yes, that's how EAP works.
> This
> already has the sql option under "authorize", but not in "session". Adding
> "sql" to the "session" section of
> /etc/freeradius/sites-enabled/inner-tunnel is what finally allowed
> Simultaneous-Use checking.
That's good.
But again, this particular configuration depends on a number of factors, and might not work for everyone. For example, the issue of "inner" username versus "outer" username is complex, and can change from organization to organization. All we can do is document the choices, and hope for the best.
The default configuration for the "inner-tunnel" virtual server also has a "session" section which includes a reference to "sql". So this is at least somewhat documented.
> I'm posting this because this didn't seem to be documented (here:
> https://www.freeradius.org/documentation/freeradius-server/3.2.9/howto/simultaneous_use.html).
> It would have been helpful to have a hint about the inner-tunnel
> configuration when using eap authentication.
I'll add a note.
> I'm not looking for more help at the moment, other than that I am wondering
> if there is a way to constrain simultaneous connections for all users at
> once. The Simultaneous-Use query doesn't look for a DEFAULT line in the
> mysql database.
Do you want to limit the total number of connections over all users? That's not really a Simultaneous-Use thing. The Simultaneous-Use query is designed to limit connections for one user.
If you want to limit the total number of users, just do a SELECT / count over all active sessions in the radacct database.
	if ("%{sql:SELECT ... count ..}" > 4) {
		reject
	}
Alan DeKok.
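
An added example, not part of the original message or of the FreeRADIUS default configuration: an inner-tunnel excerpt that combines the per-user fix discussed in the thread with a global cap. The COUNT query, its placement in "authorize", and the stock `radacct` schema with an `acctstoptime` column are assumptions.

```unlang
# /etc/freeradius/sites-enabled/inner-tunnel (excerpt, FreeRADIUS 3.2.x)
# Only the lines relevant to session limits are shown; leave the other
# modules in each section as they are.
server inner-tunnel {
	authorize {
		# Loads check items from radcheck, including Simultaneous-Use,
		# for the inner (tunneled) User-Name.
		sql

		# Global cap (assumed placement and query): count every row in
		# radacct that has no stop time, i.e. every session still open.
		# The threshold 4 is the value used in the message above.
		if ("%{sql:SELECT COUNT(*) FROM radacct WHERE acctstoptime IS NULL}" > 4) {
			reject
		}
	}

	session {
		# Before (per-user limit silently ignored for EAP users):
		#	sql not listed here
		# After: the sql module counts the user's open sessions and
		# compares the result with Simultaneous-Use.
		sql
	}
}
```

Both checks read `radacct`, so a session whose Accounting-Stop was never received still counts as open until its row is closed.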