Hi all,


I write again to this list to report a strange behavior:

I want to limit simultaneous logins: each user can be logged on once at
a time.

[At the bottom, you can find interesting parts of my config file.]


My trouble is the following: when I want to test that the second
simultaneous login is rejected, I can see in the logfile:



*** Received from 212.180.2.10 port 2291 ....
Code: Access-Request
Identifier: 22
Authentic: 1234567890123456
Attributes:
User-Name = "testrtc"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 12342
NAS-Port-Type = Async
User-Password =
"i<173><217><150><233><186><189><175><212>8<240>XUg<162><230>"

Wed Mar 21 18:08:14 2001: DEBUG: Check if Handler
Vendor-Specific=testing should be used to handle this request
Wed Mar 21 18:08:14 2001: DEBUG: Check if Handler 
Vendor-Specific=dialup,Request-Type = Access-Request should be used to
handle this request
Wed Mar 21 18:08:14 2001: DEBUG: Handling request with Handler
'Vendor-Specific=dialup,Request-Type = Access-Request'
Wed Mar 21 18:08:14 2001: DEBUG: Rewrote user name to [EMAIL PROTECTED]
Wed Mar 21 18:08:14 2001: DEBUG: SDB1 Deleting session for testrtc,
203.63.154.1, 12342
Wed Mar 21 18:08:14 2001: DEBUG: do query is: delete from RADONLINE
where NASIDENTIFIER='203.63.154.1' and NASPORT=012342

Wed Mar 21 18:08:14 2001: DEBUG: Query is: select NASIDENTIFIER,
NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where 
USERNAME='testrtc'
Wed Mar 21 18:08:14 2001: WARNING: SDB1 Could not find a Client for NAS
203.63.154.1 to double-check Simultaneous-Use. Perhaps
you do not have a reverse DNS for that NAS?

Wed Mar 21 18:08:14 2001: INFO: Access rejected for [EMAIL PROTECTED]: 
MaxSessions exceeded
Wed Mar 21 18:08:14 2001: DEBUG: Packet dump:
*** Sending to 212.180.2.10 port 2291 ....
Code: Access-Reject
Identifier: 22
Authentic: 1234567890123456
Attributes:
Reply-Message = "Request Denied"
Reply-Message = "MaxSessions exceeded"
Wed Mar 21 18:08:14 2001: DEBUG: Handling with Radius::AuthLDAP2
Wed Mar 21 18:08:14 2001: DEBUG: LDAP got result for 
[EMAIL PROTECTED],ou=users,domain=easynet.fr,vip=easynet-fr,o=easynet
.net
Wed Mar 21 18:08:14 2001: DEBUG: LDAP got userpassword: 
{MD5}ZviHb9U7k5r2YaTNG6QuTA==
Wed Mar 21 18:08:14 2001: DEBUG: LDAP got idletime: 0
Wed Mar 21 18:08:14 2001: DEBUG: LDAP got ippool: 1
Wed Mar 21 18:08:14 2001: DEBUG: LDAP got ipnetmask: 255.255.255.255
Wed Mar 21 18:08:14 2001: DEBUG: LDAP got iproutemetric: 2
Wed Mar 21 18:08:14 2001: DEBUG: Radius::AuthLDAP2 looks for match with 
[EMAIL PROTECTED]
Wed Mar 21 18:08:14 2001: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Mar 21 18:08:14 2001: DEBUG: Access accepted for [EMAIL PROTECTED]
Wed Mar 21 18:08:14 2001: DEBUG: Packet dump:
*** Sending to 212.180.2.10 port 2291 ....
Code: Access-Accept
Identifier: 22
Authentic: 1234567890123456
Attributes:
Reply-Message = "Request Denied"
Reply-Message = "MaxSessions exceeded"
Ascend-Idle-Limit = 0
Ascend-Assign-IP-Pool = 1
Framed-IP-Netmask = 255.255.255.255
Ascend-Metric = 2
Service-Type = Framed-User
Framed-Protocol = PPP
Reply-Message = "Bienvenue sur Easynet France"




One request, and two answers: one reject (this is normal) and one
Accept (abnormal, because of the MaxSessions exceeded).

I think the Radius client will consider only the first answer, but in
case the first request is lost, the second (the wrong one) will be
received by the Radius client.
I want to have only one response, the reject.
Is there a way to do that? With an AuthByPolicy?


Thank you for your attention, I hope someone can help me.





#################################### CONFIG FILE BELOW ##########


<AuthBy LDAP2>
         Identifier Auth_ldap_dialup
         Host xxx.xxx.xxx.xxx
         Port 389
         AuthDN cn=xxx,o=xxxxxx.xxx
         AuthPassword xxxxxx
         BaseDN o=xxxxxxx.xxx
         UsernameAttr uid
         PasswordAttr userPassword
         HoldServerConnection
         AuthAttrDef ipaddr,Framed-IP-Address,reply
         AuthAttrDef ipNetmask,Framed-IP-Netmask,reply
         AuthAttrDef protocol,Framed-Protocol,reply
         AuthAttrDef ipPool,Ascend-Assign-IP-Pool,reply
         AuthAttrDef ipRouteMetric,Ascend-Metric,reply
         AuthAttrDef minChannels,Ascend-Minimum-Channels,reply
         AuthAttrDef maxChannels,Ascend-Maximum-Channels,reply
         AuthAttrDef baseChannels,Ascend-Base-Channel-Count,reply
         AuthAttrDef idleTime,Ascend-Idle-Limit,reply
         SearchFilter (&(uid=$name)(|(services=pstn)(services=isdn))(status=active))
         AddToReply Service-Type=Framed-User,Framed-Protocol=PPP,Reply-Message="Bienvenue sur Easynet France"
</AuthBy>

<AuthBy SQL>
         Identifier Accounting1
         # Disable authentication
         AuthSelect
         DBSource dbi:mysql:xxxxx:xxxxxxx
         DBUsername xxxxxx
         DBAuth xxxxx
         AccountingTable ACCOUNTING
         AcctColumnDef USERNAME,User-Name
         AcctColumnDef TIME_STAMP,Timestamp,integer
         AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
         AcctColumnDef ACCTDELAYTIME, Acct-Delay-Time,integer
         AcctColumnDef ACCTINPUTOCTETS, Acct-Input-Octets,integer
         AcctColumnDef ACCTOUTPUTOCTETS, Acct-Output-Octets,integer
         AcctColumnDef ACCTSESSIONID, Acct-Session-Id
         AcctColumnDef ACCTSESSIONTIME, Acct-Session-Time,integer
         AcctColumnDef ACCTTERMINATECAUSE, Acct-Terminate-Cause,integer
         AcctColumnDef NASIDENTIFIER, NAS-Identifier
         AcctColumnDef NASPORT,NAS-Port,integer
         AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
         AcctColumnDef CALLERID,Caller-Id
</AuthBy>

<Handler Vendor-Specific=dialup,Request-Type = Access-Request>
RewriteUsername s/^([^@]+)$/$1\@easynet.fr/
RejectHasReason
SessionDatabase SDB1
AuthByPolicy ContinueUntilReject
MaxSessions 1
AuthBy Auth_ldap_dialup
</Handler>


<Handler Vendor-Specific=dialup,Request-Type = Accounting-Request>
RewriteUsername s/^([^@]+)$/$1\@easynet.fr/
AuthByPolicy ContinueAlways
AuthBy Accounting1
</Handler>

<SessionDatabase SQL>
         DBSource dbi:mysql:xxxxx:xxxxx
         DBUsername xxxxx
         DBAuth xxxxx
         Identifier SDB1
</SessionDatabase>



-- 
Frederic Gargula
Systems Design Engineer
Easynet France
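
A log check for the symptom described in this message, added here as an example and not part of the original post or of Radiator: it pairs the packet dumps in a debug trace by client address, port and Identifier and reports any request that was answered more than once. The sample trace is condensed from the one above, with a constructed second exchange (Identifier 23); the function names are hypothetical.

```python
import re

# Packet-dump header and fields as they appear in the debug trace above.
HEADER = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
FIELD = re.compile(r"^(Code|Identifier):\s*(\S+)")

# Condensed from the trace in the post; the Identifier 23 exchange is constructed.
SAMPLE = """\
*** Received from 212.180.2.10 port 2291 ....
Code: Access-Request
Identifier: 22
Wed Mar 21 18:08:14 2001: DEBUG: Packet dump:
*** Sending to 212.180.2.10 port 2291 ....
Code: Access-Reject
Identifier: 22
Wed Mar 21 18:08:14 2001: DEBUG: Packet dump:
*** Sending to 212.180.2.10 port 2291 ....
Code: Access-Accept
Identifier: 22
*** Received from 212.180.2.10 port 2291 ....
Code: Access-Request
Identifier: 23
*** Sending to 212.180.2.10 port 2291 ....
Code: Access-Reject
Identifier: 23
""".splitlines()

def parse_packets(lines):
    """Yield (direction, ip, port, code, identifier) for each packet dump."""
    cur = None
    for line in lines:
        line = line.strip()
        m = HEADER.match(line)
        if m:
            cur = {"dir": "rx" if m.group(1) == "Received from" else "tx",
                   "ip": m.group(2), "port": int(m.group(3))}
            continue
        m = FIELD.match(line)
        if cur is not None and m:
            cur[m.group(1)] = m.group(2)
            if "Code" in cur and "Identifier" in cur:
                yield (cur["dir"], cur["ip"], cur["port"],
                       cur["Code"], int(cur["Identifier"]))
                cur = None

def conflicting_replies(lines):
    """Return [((ip, port, identifier), [reply codes])] for requests answered twice or more."""
    findings, pending = [], {}
    for direction, ip, port, code, ident in parse_packets(lines):
        key = (ip, port, ident)
        if direction == "rx":
            pending[key] = []            # new request (or reused Identifier)
        else:
            codes = pending.setdefault(key, [])
            codes.append(code)
            if len(codes) == 2:          # record once; later replies extend the same list
                findings.append((key, codes))
    return findings
```

Running `conflicting_replies` over a full debug log lists each request that received both an Access-Reject and an Access-Accept, which is the condition a dropped first reply would turn into an unintended login.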

