> In order to implement simultaneous use checking in my environment I
> added a subroutine to checkrad that handles snmp checks to the Cisco
> 3000 series VPN concentrators. I am happy to share my work/experience
> with anyone that may have a similar environment.

While we are on the subject of Cisco and checkrad.pl, I have found that
sometimes trouble can be found here:

    if ($port < 20000) {
            #
            #  The AS5350 doesn't support polling the session ID,
            #  so we do it based on nas-port-id. This only works
            #  for analog sessions where port < 20000.
            #  Yes, this means that simultaneous-use on the as5350
            #  doesn't work for ISDN users.
            #
            $login = snmpget($ARGV[1], $pass, "$csm.2.9.2.1.18.$port");
            print LOG " user at port S$port: $login\n" if ($debug);
    } else {
            $login = snmpget($ARGV[1], $pass, "$csm.9.150.1.1.3.1.2.$sess_id");
            print LOG " user with session id $ARGV[4] ($sess_id): " .
                    "$login\n" if ($debug);
    }

There are devices that don't support that first OID. The solution is to
comment out the if section:

    #       if ($port < 20000) {
                    #
                    #  The AS5350 doesn't support polling the session ID,
                    #  so we do it based on nas-port-id. This only works
                    #  for analog sessions where port < 20000.
                    #  Yes, this means that simultaneous-use on the as5350
                    #  doesn't work for ISDN users.
                    #
    #               $login = snmpget($ARGV[1], $pass, "$csm.2.9.2.1.18.$port");
    #               print LOG " user at port S$port: $login\n" if ($debug);
    #       } else {
                    $login = snmpget($ARGV[1], $pass, "$csm.9.150.1.1.3.1.2.$sess_id");
                    print LOG " user with session id $ARGV[4] ($sess_id): " .
                            "$login\n" if ($debug);
    #       }

This alteration will get the script working properly for 7xxx routers
that fail the default check (i.e. they don't support the OID that checks
who is on the port - instead they peek into local accounting to see if
there is an active session for that accounting id).

Ivan Kalik
Kalik Informatika ISP
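
Added example, not part of the original post or of checkrad.pl: a variant of the change above that keeps the port-based lookup for the AS5350 case and falls back to the session-ID OID when the device gives no answer for the port OID. The helper name cisco_login, the stubbed SNMP agent, the demo base OID and the way an unsupported OID is reported (undef, empty string or a "No Such ..." message) are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not checkrad.pl's own code. $snmpget is a code ref
# taking the same arguments as the snmpget() calls in the post:
# (host, community, oid).
# Assumption: an unsupported OID comes back as undef, an empty string,
# or a "No Such ..." message.
sub cisco_login {
    my ($snmpget, $host, $pass, $csm, $port, $sess_id) = @_;

    my @tries;
    # Port-based OID first, only for analog ports (the AS5350 case).
    push @tries, ["port S$port", "$csm.2.9.2.1.18.$port"] if $port < 20000;
    # Session-ID OID, the lookup left active in the post for 7xxx routers.
    push @tries, ["session id $sess_id", "$csm.9.150.1.1.3.1.2.$sess_id"];

    for my $try (@tries) {
        my ($what, $oid) = @$try;
        my $login = $snmpget->($host, $pass, $oid);
        # Treat "no usable answer" as a reason to try the next OID.
        next if !defined $login || $login eq '' || $login =~ /^No Such/i;
        return ($login, $what);
    }
    return (undef, 'no answer from either OID');
}

# Constructed sample data: an agent that only answers the session-ID OID.
my $csm   = '.1.3.6.1.4.1.9';    # assumed base OID for this demo only
my %agent = ("$csm.9.150.1.1.3.1.2.1234" => 'alice');
my $stub  = sub { my (undef, undef, $oid) = @_; return $agent{$oid} };

my ($login, $via) =
    cisco_login($stub, 'nas.example', 'public', $csm, 17, 1234);
print "user via $via: ", $login // '(none)', "\n";
```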