Simultaneous use control
I'm trying to use FreeRADIUS simultaneous use control. All requests are
proxied to another RADIUS server. However, I wanted FreeRADIUS to control
this.
>From debug (radiusd -X) it looks to me that FreeRADIUS sends the request to
the other server before checking.
It worked once but I had to remove the configuration. Now I can't make it
work again...
I've posted the files which I think are relevant. If something is important
from radiusd.conf (which is too big for a polite post) please let me know. I
have not huntgroups or realms (outside the proxy.conf file) defined.
I've included also a debugged session of one of these cases. Ok, you'll see
that the destination RADIUS server did block the simultaneous login, but I
need FreeRADIUS to do that (because it does it better when it works).
I could really use some help here. Thanks
--
Luiz Lima
Image Link Internet
http://www.imagelink.com.br
/etc/raddb/users
===
DEFAULT Auth-Type := System, Simultaneous-Use := 1
Fall-Through = 1
===
/etc/raddb/proxy.conf
===
proxy server {
synchronous = no
retry_delay = 5
retry_count = 3
dead_time = 60
default_fallback = no
}
realm NULL {
type= radius
authhost= 10.0.0.1:1645
accthost= 10.0.0.1:1646
secret = mypassword
}
===
/etc/raddb/attrs
===
DEFAULT
Port-Limit := 1
===
debug
===
rad_recv: Access-Request packet from host 200.216.4.170:1645, id=195,
length=70
NAS-IP-Address = 200.216.95.212
NAS-Port = 1342767363
NAS-Port-Type = Virtual
User-Name = "user-login-here"
Password = "\\K\\;\014\373\276h\267\361\225\201\376;A\204"
rad_lowerpair: User-Name now 'user-login-here'
rad_lowerpair: Password now 'user-password-here'
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "attr_filter" returns noop
rlm_realm: Looking up realm NULL for User-Name = "user-login-here"
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = "user-login-here"
rlm_realm: Proxying request from user user-login-here to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm NULL
modcall[authorize]: module "suffix" returns updated
users: Matched DEFAULT at 1
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
Sending Access-Request of id 1 to 10.0.0.1:1645
User-Name = "user-login-here"
NAS-IP-Address = 200.216.95.212
NAS-Port = 1342767363
NAS-Port-Type = Virtual
Password = "}w\237\342\203\265\020\242\301q}\320\303\271RR"
Proxy-State = "195"
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 10.0.0.1:1645, id=1, length=61
Proxy-State = 0x313935
Reply-Message = "Simultaneous login limit exceeded!"
rad_lowerpair: Stripped-User-Name now 'user-login-here'
rad_lowerpair: Password now 'user-password-here'
Login incorrect (Home Server says so): [user-login-here/user-password-here]
(from client 200-216-4-170 port 1342767363)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
rl_next: returning NULL
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 200.216.4.170:1645, id=195,
length=70
Sending Access-Reject of id 195 to 200.216.4.170:1645
Reply-Message = "Simultaneous login limit exceeded!"
===
radwho -r
===
user-login-here,user-login-here,PPP,S1342767363,Fri
11:37,200.216.95.212,200.149.171.85
===
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Keeping servers in sync
> The retries sent by the server are ONLY for about 30 seconds. > What you're talking about is having the server send Alive packets > for as long as the user is logged in, which may be hours. > That means the server has probably 100 to 1000 times as much > information to keep track of, which isn't a good thing. What if a second program was written to periodicaly read radutmp and generate the Alive packets? I could be a daemon or something to be run by crond. Would anyone but me find it usefull? Well, now all I need is to learn C and start coding... :-) Thanks a lot for all the info, Alan. -- Luiz Lima Image Link Internet http://www.imagelink.com.br - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Keeping servers in sync
> Rather than hacking the server, I would suggest using > something like 'radrelay', which is a seperate process, > which ONLY relays/duplicates packets. I'll get into that. Thanks. > You still haven't discovered what's wrong. Sure, you know > that the "live" users aren't in sync, but you don't know *why* > they're not in sync. > Trying to add more code, and expend a lot of effort to work > around the problem is going to be a waste of your time. Find > out the CAUSE of the problem, and fix THAT. I'm 95% sure about the cause and it's that the telco screws up, sending packets from the same port-id for different customers and with different session-ids for Start and Stop packets for the same connection (among other stuff). Problem is, as in most of the places in the world, talking to the telco is even easy sometimes, but it's nearly impossible to convince them that they're wrong. FreeRADIUS "recovers" from these glitches but by other server doesn't. That's why my first idea was that FreeRADIUS could keep its target RADIUS server informed of online users through Alive packets. Since it already may be configured to have its own internal schedule for retries, I figured "why not sync remote servers with Alive packets". -- Luiz Lima Image Link Internet http://www.imagelink.com.br - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Keeping servers in sync
>> Anyway, what I want to know is if FreeRADIUS can generate >> "Alive" packets to VPRRS with the goal of keeping them in sync. > No, and I wouldn't recommend implementing it, either. Why not? > If FreeRADIUS sees the users online, why doesn't the other system? > You said that FreeRADIUS is doing nothing more than proxying > packets, so they SHOULD be in sync automatically. I really don't know, Alan. But right now I'm kind of dependant on the other RADIUS server and I had some hope that FreeRADIUS could help me fix the situation. Looks like it doesn't. Well, it can't do everything, right? :-) Thanks for your reply. -- Luiz Lima Image Link Internet http://www.imagelink.com.br - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Keeping servers in sync
Hello, I'm new to this list, altough I've been using FreeRADIUS for a while now. I use it exclusively to receive requests from my DSL customers and relay them to my other RADIUS server (which is a Vircom Proxy and Roaming RADIUS Server -- VPRRS). I use FreeRADIUS for nothing else. All my DSL operations are run by the telco and I only authenticate the users. What happens is that I can see that VPRRS shows different users than FreeRADIUS. It's like Vircom's server would loose control of who is actually online. At this momment, there are 55 users online and VPRRS only shows 21. I DO know that the telco screws things a little bit, including duplicate ports, different session-ids and things like that, but FreeRADIUS seems to recover more gracefully than VPRRS from those "mistakes". They use Cisco equipment (DSL concentrators and a software called Dashboard to authenticate the users after they are already connected to the DSL system). Anyway, what I want to know is if FreeRADIUS can generate "Alive" packets to VPRRS with the goal of keeping them in sync. The telco does not send watchdogs packets of its own. Can FreeRADIUS that? Or if there's any other way to keep them together at all times? Thanks a lot. -- Luiz Lima Image Link Internet http://www.imagelink.com.br - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
