Simultaneous use control
I'm trying to use FreeRADIUS simultaneous use control. All requests are proxied to another RADIUS server. However, I wanted FreeRADIUS to control this. >From debug (radiusd -X) it looks to me that FreeRADIUS sends the request to the other server before checking. It worked once but I had to remove the configuration. Now I can't make it work again... I've posted the files which I think are relevant. If something is important from radiusd.conf (which is too big for a polite post) please let me know. I have not huntgroups or realms (outside the proxy.conf file) defined. I've included also a debugged session of one of these cases. Ok, you'll see that the destination RADIUS server did block the simultaneous login, but I need FreeRADIUS to do that (because it does it better when it works). I could really use some help here. Thanks -- Luiz Lima Image Link Internet http://www.imagelink.com.br /etc/raddb/users === DEFAULT Auth-Type := System, Simultaneous-Use := 1 Fall-Through = 1 === /etc/raddb/proxy.conf === proxy server { synchronous = no retry_delay = 5 retry_count = 3 dead_time = 60 default_fallback = no } realm NULL { type= radius authhost= 10.0.0.1:1645 accthost= 10.0.0.1:1646 secret = mypassword } === /etc/raddb/attrs === DEFAULT Port-Limit := 1 === debug === rad_recv: Access-Request packet from host 200.216.4.170:1645, id=195, length=70 NAS-IP-Address = 200.216.95.212 NAS-Port = 1342767363 NAS-Port-Type = Virtual User-Name = "user-login-here" Password = "\\K\\;\014\373\276h\267\361\225\201\376;A\204" rad_lowerpair: User-Name now 'user-login-here' rad_lowerpair: Password now 'user-password-here' modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok modcall[authorize]: module "attr_filter" returns noop rlm_realm: Looking up realm NULL for User-Name = "user-login-here" rlm_realm: Found realm NULL rlm_realm: Adding Stripped-User-Name = "user-login-here" rlm_realm: Proxying request from user user-login-here to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Preparing to proxy authentication request to realm NULL modcall[authorize]: module "suffix" returns updated users: Matched DEFAULT at 1 modcall[authorize]: module "files" returns ok modcall: group authorize returns updated Sending Access-Request of id 1 to 10.0.0.1:1645 User-Name = "user-login-here" NAS-IP-Address = 200.216.95.212 NAS-Port = 1342767363 NAS-Port-Type = Virtual Password = "}w\237\342\203\265\020\242\301q}\320\303\271RR" Proxy-State = "195" --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Reject packet from host 10.0.0.1:1645, id=1, length=61 Proxy-State = 0x313935 Reply-Message = "Simultaneous login limit exceeded!" rad_lowerpair: Stripped-User-Name now 'user-login-here' rad_lowerpair: Password now 'user-password-here' Login incorrect (Home Server says so): [user-login-here/user-password-here] (from client 200-216-4-170 port 1342767363) Delaying request 0 for 1 seconds Finished request 0 Going to the next request rl_next: returning NULL Waking up in 6 seconds... rad_recv: Access-Request packet from host 200.216.4.170:1645, id=195, length=70 Sending Access-Reject of id 195 to 200.216.4.170:1645 Reply-Message = "Simultaneous login limit exceeded!" === radwho -r === user-login-here,user-login-here,PPP,S1342767363,Fri 11:37,200.216.95.212,200.149.171.85 === - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Keeping servers in sync
> The retries sent by the server are ONLY for about 30 seconds. > What you're talking about is having the server send Alive packets > for as long as the user is logged in, which may be hours. > That means the server has probably 100 to 1000 times as much > information to keep track of, which isn't a good thing. What if a second program was written to periodicaly read radutmp and generate the Alive packets? I could be a daemon or something to be run by crond. Would anyone but me find it usefull? Well, now all I need is to learn C and start coding... :-) Thanks a lot for all the info, Alan. -- Luiz Lima Image Link Internet http://www.imagelink.com.br - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Keeping servers in sync
> Rather than hacking the server, I would suggest using > something like 'radrelay', which is a seperate process, > which ONLY relays/duplicates packets. I'll get into that. Thanks. > You still haven't discovered what's wrong. Sure, you know > that the "live" users aren't in sync, but you don't know *why* > they're not in sync. > Trying to add more code, and expend a lot of effort to work > around the problem is going to be a waste of your time. Find > out the CAUSE of the problem, and fix THAT. I'm 95% sure about the cause and it's that the telco screws up, sending packets from the same port-id for different customers and with different session-ids for Start and Stop packets for the same connection (among other stuff). Problem is, as in most of the places in the world, talking to the telco is even easy sometimes, but it's nearly impossible to convince them that they're wrong. FreeRADIUS "recovers" from these glitches but by other server doesn't. That's why my first idea was that FreeRADIUS could keep its target RADIUS server informed of online users through Alive packets. Since it already may be configured to have its own internal schedule for retries, I figured "why not sync remote servers with Alive packets". -- Luiz Lima Image Link Internet http://www.imagelink.com.br - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Keeping servers in sync
>> Anyway, what I want to know is if FreeRADIUS can generate >> "Alive" packets to VPRRS with the goal of keeping them in sync. > No, and I wouldn't recommend implementing it, either. Why not? > If FreeRADIUS sees the users online, why doesn't the other system? > You said that FreeRADIUS is doing nothing more than proxying > packets, so they SHOULD be in sync automatically. I really don't know, Alan. But right now I'm kind of dependant on the other RADIUS server and I had some hope that FreeRADIUS could help me fix the situation. Looks like it doesn't. Well, it can't do everything, right? :-) Thanks for your reply. -- Luiz Lima Image Link Internet http://www.imagelink.com.br - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Keeping servers in sync
Hello, I'm new to this list, altough I've been using FreeRADIUS for a while now. I use it exclusively to receive requests from my DSL customers and relay them to my other RADIUS server (which is a Vircom Proxy and Roaming RADIUS Server -- VPRRS). I use FreeRADIUS for nothing else. All my DSL operations are run by the telco and I only authenticate the users. What happens is that I can see that VPRRS shows different users than FreeRADIUS. It's like Vircom's server would loose control of who is actually online. At this momment, there are 55 users online and VPRRS only shows 21. I DO know that the telco screws things a little bit, including duplicate ports, different session-ids and things like that, but FreeRADIUS seems to recover more gracefully than VPRRS from those "mistakes". They use Cisco equipment (DSL concentrators and a software called Dashboard to authenticate the users after they are already connected to the DSL system). Anyway, what I want to know is if FreeRADIUS can generate "Alive" packets to VPRRS with the goal of keeping them in sync. The telco does not send watchdogs packets of its own. Can FreeRADIUS that? Or if there's any other way to keep them together at all times? Thanks a lot. -- Luiz Lima Image Link Internet http://www.imagelink.com.br - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html