Simultaneous-Use problem from virtual ISP
Hello,

I am trying to get our radius servers to authenticate a virtual ISP request. When we have the Simultaneous-Use attribute in radcheck it ALWAYS fails with a Multiple login error, no matter how many Simultaneous-Use I give it. It always says there are more logins than the number I have. I have debugging on the radcheck script and it returns that there is no one logged in. Things work fine for all our own dial equipment, ascends, ciscos, portmaster, TNTs, etc.

First here is the debug from when connecting from them: Next will be the debug from when connecting from our test Ascend. (we have a custom module that appends the domain name to a username if they don't supply it based off of the IP address of the NAS, ignore that stuff)

rad_recv: Access-Request packet from host 170.147.113.49:58771, id=46, length=114
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "icgtest"
        NAS-IP-Address = 170.147.113.13
        NAS-Port = 16930
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = "2143799633"
        Calling-Station-Id = "7034816192"
        NAS-Port-Type = Async
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm trueband.net for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm trueband.net
modcall[authorize]: module "suffix" returns noop
modcall: entering group group
radius_xlat: Running registered xlat function of module atdomain for string '%n'
rlm_sql: sql_domain_xlat
radius_xlat: '[EMAIL PROTECTED]'
sql_domain_xlat: User [EMAIL PROTECTED] already has a domain name
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql1): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql1): Reserving sql socket id: 14
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql1): Released sql socket id: 14
modcall[authorize]: module "sql1" returns ok
modcall: group group returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}%{atdomain:%n}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1045785600''
radius_xlat: Running registered xlat function of module atdomain for string '%n'
rlm_sql: sql_domain_xlat
radius_xlat: '[EMAIL PROTECTED]'
sql_domain_xlat: User [EMAIL PROTECTED] already has a domain name
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1045785600''
sqlcounter_expand: '%{sql1:SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1045785600'}'
radius_xlat: Running registered xlat function of module sql1 for string 'SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1045785600''
rlm_sql (sql1): - sql_xlat
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1045785600''
rlm_sql (sql1): Reserving sql socket id: 13
rlm_sql (sql1): - sql_xlat finished
rlm_sql (sql1): Released sql socket id: 13
radius_xlat: '18'
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user [EMAIL PROTECTED], check_item=36000, counter=18
rlm_sqlcounter: Sent Reply-Item for user [EMAIL PROTECTED], Type=Session-Timeout, value=28800
modcall[authorize]: module "dailycounter" returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((1044057600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}%{atdomain:%n}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1044057600''
radius_xlat: Running registered xlat function of module atdomain for string '%n'
rlm_sql: sql_domain_xlat
radius_xlat: '[
Simultaneous-Use problem
Hello,

I am trying to use Simultaneous-Use for group users through mysql with freeradius-snapshot-20021101.

radiusd.conf:
==
# Session database, used for checking Simultaneous-Use. The radutmp module
# handles this
session {
#       radutmp
        sql
}

sql.conf:
==
# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

radgroupcheck:
==
GroupName Attribute op Value
ppp-simul Simultaneous-Use:=3D1

I've also used op=":="

And now users from other groups (not "ppp-simul") don't have access either:

Multiple logins (max 1) : [ppgip] (from client riak port 11)
Sending Access-Reject of id 250 to XXX.XX.XX.XX:1026
        Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"

I think "GroupName" wasn't checked. Why?

rad_recv: Access-Request packet from host XXX.XX.XX.XX:1026, id=250, length=82
        User-Name = "ppgip"
        User-Password = "XXX"
        NAS-IP-Address = XXX.XX.XX.XX
        NAS-Port = 11
        NAS-Port-Type = Async
        Connect-Info = "14400"
        Framed-Protocol = PPP
        Service-Type = Framed-User
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
radius_xlat: 'ppgip'
sql_set_user: escaped user --> 'ppgip'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'ppgip' ORDER BY id'
rlm_sql: Reserving sql socket id: 2
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ppgip' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'ppgip' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'ppgip' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Released sql socket id: 2
modcall[authorize]: module "sql" returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "noresetcounter" returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "dailycounter" returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "monthlycounter" returns noop
users: Matched DEFAULT at 12
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
auth: type Local
auth: user supplied User-Password matches local User-Password
modcall: entering group session
radius_xlat: 'ppgip'
sql_set_user: escaped user --> 'ppgip'
radius_xlat: 'SELECT COUNT(*) FROM radacct WHERE UserName='ppgip' AND AcctStopTime = 0'
rlm_sql: Reserving sql socket id: 1
radius_xlat: 'SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='ppgip' AND AcctStopTime = 0'
rlm_sql: Released sql socket id: 1
modcall[session]: module "sql" returns ok
modcall: group session returns ok
Multiple logins (max 1) : [ppgip] (from client riak port 11)
Sending Access-Reject of id 250 to XXX.XX.XX.XX:1026
        Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"
Finished request 5

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Simultaneous-Use problem
Hi all,

I have set up three freeradius servers v0.7.1
- two authorization, authentication
- one accounting

The two servers for authentication are working with "files". The accounting server is working with mysql. The NASes are using BOTH servers (load-balancing).

The feature "Simultaneous-Use" uses the "radwtmp" file. But the accounting does not go to those servers, so I can't do the check.

I have done a little perl script which uses the accounting information to detect duplicate sessions and I would like to implement it. How can I tell the radius server to exec my script to check for "Simultaneous-Use" at connection?

usage: myscript.pl
response: integer 0 or 1 (as 1 means "Simultaneous-Use limit" reached and 0 means "Simultaneous-Use limit" not reached)

Regards,
P.
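Added example, not part of the original post and not FreeRADIUS code: a Python sketch of the kind of check the post above describes, answering 0 or 1 from accounting data. The table layout, sample rows, function names and the stale-port rule are assumptions, and sqlite3 stands in for MySQL.

```python
import sqlite3

# Constructed sample rows, not taken from the thread. Columns follow the
# radacct fields named in the posts; AcctStopTime = 0 means "no Stop recorded".
SAMPLE_ROWS = [
    ("a1", "alice", "192.0.2.10", 3, 0),           # open session
    ("a0", "alice", "192.0.2.10", 7, 1045780000),  # closed earlier
    ("b1", "bob",   "192.0.2.11", 1, 1045781000),  # closed
    ("c1", "carol", "192.0.2.10", 4, 0),           # open
    ("c2", "carol", "192.0.2.11", 9, 0),           # open on a second NAS
]

def make_db(rows=SAMPLE_ROWS):
    """Build an in-memory stand-in for the accounting database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (AcctSessionId TEXT, UserName TEXT, "
               "NASIPAddress TEXT, NASPortId INTEGER, AcctStopTime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", rows)
    return db

def open_sessions(db, user):
    """Return (NAS IP, NAS port) for every session of `user` with no Stop."""
    # Bound parameter: the user name is data, never part of the SQL text.
    cur = db.execute("SELECT NASIPAddress, NASPortId FROM radacct "
                     "WHERE UserName = ? AND AcctStopTime = 0", (user,))
    return cur.fetchall()

def simul_limit_reached(db, user, limit, nas_ip=None, nas_port=None):
    """Return 1 if one more login would exceed `limit`, else 0."""
    # Assumption: a NAS port carries one session at a time, so an open row
    # for the port that is asking now is a stale record (its Stop was lost).
    live = [s for s in open_sessions(db, user) if s != (nas_ip, nas_port)]
    return 1 if len(live) >= limit else 0

if __name__ == "__main__":
    db = make_db()
    for user, limit in (("alice", 1), ("bob", 1), ("carol", 2)):
        print(user, simul_limit_reached(db, user, limit))
```

Passing the requesting NAS address and port lets the check ignore a leftover open row for that same port, which would otherwise count against the user after a lost Stop record.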
Simultaneous-Use problem on freeradius 0.4
I'm using freeradius 0.4 with mysql 3.23.41 on SuSE Linux 7.3 for auth. of dial-up users on a Livingston portmaster 2e.

The problem:
I added all users into a group PPP
I set the Simultaneous-Use to 1
when a user is connected and another connection is requested by the same user then the connection is accepted
the first instance of the user is removed from the "radutmp" file so I see only one instance of the user with "radwho"
but when I'm looking at the portmaster I see 2 users connected with the same username

here's some part from "radiusd.conf"

authorize {
        preprocess
        suffix
        sql
        counter
}
authenticate {
        sql
}
accounting {
        detail
        counter
        unix
        radutmp
        sql
}
session {
        radutmp
}

sql.conf

authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} WHERE UserName = '%{User-Name}' AND ( Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC"

MySQL Databases

radcheck
id    UserName   Attribute           Value                  op
252   user       Password            pass                   :=

radgroupcheck
id    GroupName  Attribute           Value                  op
252   PPP        Simultaneous-Use    1                      :=

radgroupreply
id    GroupName  Attribute           Value                  op
13    PPP        Framed-Protocol     PPP                    :=
12    PPP        Service-Type        Framed-User            :=
14    PPP        Framed-IP-Address   x.x.x.x+               :=
15    PPP        Framed-Compression  ,Van-Jacobson-TCP-IP   :=

usergroup
id    username   groupname
1     user       PPP

THANKS