Simultaneous-Use problem from virtual ISP

2003-02-21 Thread Jeremy Kusnetz
Hello,

I am trying to get our radius servers to authenticate a virtual ISP request.
When we have the Simultaneous-Use attribute in radcheck it ALWAYS fails with
a Multiple login error, no matter how many Simultaneous-Use I give it.  It
always says there are more logins than the number I have.  I have debugging
on the radcheck script and it returns that there is no one logged in.

Things work fine for all our own dial equipment, ascends, ciscos,
portmaster, TNTs, etc.

First here is the debug from when connecting from them:  Next will be the
debug from when connecting from our test Ascend.  (we have a custom module
that appends the domain name to a username if they don't supply it based off
of the IP address of the NAS, ignore that stuff)

rad_recv: Access-Request packet from host 170.147.113.49:58771, id=46,
length=114
User-Name = "[EMAIL PROTECTED]"
User-Password = "icgtest"
NAS-IP-Address = 170.147.113.13
NAS-Port = 16930
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "2143799633"
Calling-Station-Id = "7034816192"
NAS-Port-Type = Async
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm trueband.net for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: No such realm trueband.net
  modcall[authorize]: module "suffix" returns noop
modcall: entering group group
radius_xlat: Running registered xlat function of module atdomain for string
'%n'
rlm_sql: sql_domain_xlat
radius_xlat:  '[EMAIL PROTECTED]'
sql_domain_xlat: User [EMAIL PROTECTED] already has a domain name
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql1): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql1): Reserving sql socket id: 14
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql1): Released sql socket id: 14
  modcall[authorize]: module "sql1" returns ok
modcall: group group returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime - GREATEST((1045785600 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='%{User-Name}%{atdomain:%n}' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '1045785600''
radius_xlat: Running registered xlat function of module atdomain for string
'%n'
rlm_sql: sql_domain_xlat
radius_xlat:  '[EMAIL PROTECTED]'
sql_domain_xlat: User [EMAIL PROTECTED] already has a domain name
radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((1045785600 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '1045785600''
sqlcounter_expand:  '%{sql1:SELECT SUM(AcctSessionTime -
GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct
WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '1045785600'}'
radius_xlat: Running registered xlat function of module sql1 for string
'SELECT SUM(AcctSessionTime - GREATEST((1045785600 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '1045785600''
rlm_sql (sql1): - sql_xlat
radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((1045785600 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '1045785600''
rlm_sql (sql1): Reserving sql socket id: 13
rlm_sql (sql1): - sql_xlat finished
rlm_sql (sql1): Released sql socket id: 13
radius_xlat:  '18'
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user [EMAIL PROTECTED], check_item=36000,
counter=18
rlm_sqlcounter: Sent Reply-Item for user [EMAIL PROTECTED],
Type=Session-Timeout, value=28800
  modcall[authorize]: module "dailycounter" returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime - GREATEST((1044057600 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='%{User-Name}%{atdomain:%n}' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '1044057600''
radius_xlat: Running registered xlat function of module atdomain for string
'%n'
rlm_sql: sql_domain_xlat
radius_xlat:  '[

Simultaneous-Use problem

2002-11-13 Thread Svetlana Vyslanko
Hello,
I am trying to use Simultaneous-Use for group users through mysql with 
freeradius-snapshot-20021101.

radiusd.conf:
==
# Session database, used for checking Simultaneous-Use. The radutmp module
# handles this
session {
#   radutmp
sql
}

sql.conf:
==
# Uncomment simul_count_query to enable simultaneous use checking

simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE
UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress,
NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1}
WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

radgroupcheck:
==
GroupName   Attribute   op  Value   
ppp-simul   Simultaneous-Use   :=  1

I've also used op=":="


And now users from other groups (not "ppp-simul") don't have access either:

Multiple logins (max 1) : [ppgip] (from client riak port 11)
Sending Access-Reject of id 250 to XXX.XX.XX.XX:1026
Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"

I think "GroupName" wasn't checked. Why?


rad_recv: Access-Request packet from host XXX.XX.XX.XX:1026, id=250, length=82
User-Name = "ppgip"
User-Password = "XXX"
NAS-IP-Address = XXX.XX.XX.XX
NAS-Port = 11
NAS-Port-Type = Async
Connect-Info = "14400"
Framed-Protocol = PPP
Service-Type = Framed-User
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
radius_xlat:  'ppgip'
sql_set_user:  escaped user --> 'ppgip'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'ppgip' ORDER BY id'
rlm_sql: Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ppgip' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'ppgip' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 
FROM radgroupreply,usergroup WHERE usergroup.Username = 'ppgip' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Released sql socket id: 2
  modcall[authorize]: module "sql" returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "noresetcounter" returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "dailycounter" returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "monthlycounter" returns noop
users: Matched DEFAULT at 12
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
auth: type Local
auth: user supplied User-Password matches local User-Password
modcall: entering group session
radius_xlat:  'ppgip'
sql_set_user:  escaped user --> 'ppgip'
radius_xlat:  'SELECT COUNT(*) FROM radacct WHERE UserName='ppgip' AND
AcctStopTime = 0'
rlm_sql: Reserving sql socket id: 1
radius_xlat:  'SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress,
NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE
UserName='ppgip' AND AcctStopTime = 0'
rlm_sql: Released sql socket id: 1
  modcall[session]: module "sql" returns ok
modcall: group session returns ok
Multiple logins (max 1) : [ppgip] (from client riak port 11)
Sending Access-Reject of id 250 to XXX.XX.XX.XX:1026
Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"
Finished request 5

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Simultaneous-Use problem

2002-10-31 Thread Pascal Gloor
Hi all,

I have set up three freeradius servers v0.7.1
- two authorization, authentication
- one accounting

The two servers for authentication are working with "files".
The accounting server is working with mysql.

The NASes are using BOTH servers (load-balancing).

The feature "Simultaneous-Use" uses the "radwtmp" file. But the accounting
does not go to those servers, so I can't do the check.

I have done a little Perl script which uses the accounting information to
detect duplicate sessions and I would like to implement it. How can I tell
the radius server to exec my script to check for "Simultaneous-Use" at
connection?

usage: myscript.pl  
response: integer 0 or 1 (as 1 means "Simultaneous-Use limit" reached and 0
means "Simultaneous-Use limit" not reached)


Regards,
P.
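
The check the posts above describe, as an added example (not code from any poster or from FreeRADIUS): the Simultaneous-Use limit is looked up through the usergroup/radgroupcheck join and compared with the number of accounting rows that have AcctStopTime = 0, returning 1 or 0 as in the script interface above. SQLite stands in for MySQL, and the table contents, user names and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data; SQLite stands in for the MySQL accounting database.
SCHEMA = """
CREATE TABLE radacct (UserName TEXT, NASIPAddress TEXT, NASPortId INTEGER,
                      AcctSessionId TEXT, AcctStopTime INTEGER DEFAULT 0);
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
INSERT INTO usergroup VALUES ('alice','ppp-simul'), ('bob','ppp-simul'),
                             ('dave','ppp-simul'), ('carol','staff');
INSERT INTO radgroupcheck VALUES ('ppp-simul','Simultaneous-Use',':=','1');
INSERT INTO radacct VALUES
  ('alice','192.0.2.10',11,'a1',0),          -- session still open
  ('bob','192.0.2.10',12,'b1',1036000000),   -- closed by a Stop record
  ('carol','192.0.2.11',3,'c1',0),           -- open, but no group sets a limit
  ('dave','192.0.2.12',5,'d1',0);            -- Stop record lost: still counts as open
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def limit_for(conn, user):
    """Simultaneous-Use limit from the user's groups, or None if no group sets one."""
    row = conn.execute(
        "SELECT MIN(CAST(g.Value AS INTEGER)) FROM radgroupcheck g, usergroup u "
        "WHERE u.UserName = ? AND u.GroupName = g.GroupName "
        "AND g.Attribute = 'Simultaneous-Use'", (user,)).fetchone()
    return row[0]

def open_sessions(conn, user):
    """Rows without a Stop time: the same condition as simul_count_query."""
    return conn.execute(
        "SELECT AcctSessionId, NASIPAddress, NASPortId FROM radacct "
        "WHERE UserName = ? AND AcctStopTime = 0", (user,)).fetchall()

def limit_reached(conn, user):
    """1 if the limit is reached, 0 otherwise (the response convention in the post)."""
    limit = limit_for(conn, user)
    if limit is None:          # user is in no group that carries the attribute
        return 0
    return 1 if len(open_sessions(conn, user)) >= limit else 0
```

The 'dave' row shows why a count alone can reject a user who is not online: a session whose Stop record never reached the accounting server is indistinguishable from a live one until it is checked against the NAS.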






Simultaneous-Use problem on freeradius 0.4

2002-04-11 Thread Cristian Bica

I'm using freeradius 0.4 with mysql 3.23.41 on SuSE Linux 7.3 for auth. of
dial-up users on a Livingston Portmaster 2e.
The problem:
 I added all users into a group PPP
 I set the Simultaneous-Use to 1
 when a user is connected and another connection is requested by the same
user, then the connection is accepted and the first instance of the user is
removed from the "radutmp" file, so I see only one instance of the user with
"radwho", but when I'm looking at the Portmaster I see 2 users connected with
the same username

here's some part from "radiusd.conf"
authorize {
    preprocess
    suffix
    sql
    counter
}
authenticate {
    sql
}
accounting {
    detail
    counter
    unix
    radutmp
    sql
}
session {
    radutmp
}

sql.conf
authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} WHERE UserName = '%{User-Name}' AND ( Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC"


MySQL Databases

radcheck
id    UserName   Attribute   Value   op
---------------------------------------
252   user       Password    pass    :=

radgroupcheck
id    GroupName   Attribute          Value   op
-----------------------------------------------
252   PPP         Simultaneous-Use   1       :=

radgroupreply
id   GroupName   Attribute            Value                  op
---------------------------------------------------------------
13   PPP         Framed-Protocol      PPP                    :=
12   PPP         Service-Type         Framed-User            :=
14   PPP         Framed-IP-Address    x.x.x.x+               :=
15   PPP         Framed-Compression   ,Van-Jacobson-TCP-IP   :=

usergroup
id   username   groupname
-------------------------
1    user       PPP


 THANKS





Simultaneous-Use problem

2002-04-10 Thread Cristian Bica


I'm using freeradius 0.4 with mysql 3.23.41 on SuSE Linux 7.3 for auth. of
dial-up users on a Livingston Portmaster 2e.
The problem:
 I added all users into a group PPP
 I set the Simultaneous-Use to 1
 when a user is connected and another connection is requested by the same
user, then the connection is accepted and the first instance of the user is
removed from the "radutmp" file, so I see only one instance of the user with
"radwho", but when I'm looking at the Portmaster I see 2 users connected with
the same username

here's some part from "radiusd.conf"
authorize {
    preprocess
    suffix
    sql
    counter
}
authenticate {
    sql
}
accounting {
    detail
    counter
    unix
    radutmp
    sql
}
session {
    radutmp
}

sql.conf
authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} WHERE UserName = '%{User-Name}' AND ( Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC"

MySQL Databases

radcheck
id    UserName   Attribute   Value   op
---------------------------------------
252   user       Password    pass    :=

radgroupcheck
id    GroupName   Attribute          Value   op
-----------------------------------------------
252   PPP         Simultaneous-Use   1       :=

radgroupreply
id   GroupName   Attribute            Value                  op
---------------------------------------------------------------
13   PPP         Framed-Protocol      PPP                    :=
12   PPP         Service-Type         Framed-User            :=
14   PPP         Framed-IP-Address    x.x.x.x+               :=
15   PPP         Framed-Compression   ,Van-Jacobson-TCP-IP   :=

usergroup
id   username   groupname
-------------------------
1    user       PPP

 THANKS