Simultaneous-Use problem from virtual ISP
Hello,

I am trying to get our radius servers to authenticate a virtual ISP request. When we have the Simultaneous-Use attribute in radcheck it ALWAYS fails with a Multiple login error, no matter how many Simultaneous-Use I give it. It always says there are more logins than the number I have. I have debugging on the radcheck script and it returns that there is no one logged in. Things work fine for all our own dial equipment, Ascends, Ciscos, PortMaster, TNTs, etc.

First here is the debug from when connecting from them. Next will be the debug from when connecting from our test Ascend. (We have a custom module that appends the domain name to a username if they don't supply it, based off of the IP address of the NAS; ignore that stuff.)

    rad_recv: Access-Request packet from host 170.147.113.49:58771, id=46, length=114
        User-Name = [EMAIL PROTECTED]
        User-Password = icgtest
        NAS-IP-Address = 170.147.113.13
        NAS-Port = 16930
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = 2143799633
        Calling-Station-Id = 7034816192
        NAS-Port-Type = Async
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_realm: Looking up realm trueband.net for User-Name = [EMAIL PROTECTED]
    rlm_realm: No such realm trueband.net
    modcall[authorize]: module suffix returns noop
    modcall: entering group group
    radius_xlat: Running registered xlat function of module atdomain for string '%n'
    rlm_sql: sql_domain_xlat
    radius_xlat: '[EMAIL PROTECTED]'
    sql_domain_xlat: User [EMAIL PROTECTED] already has a domain name
    radius_xlat: '[EMAIL PROTECTED]'
    rlm_sql (sql1): sql_set_user escaped user -- '[EMAIL PROTECTED]'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
    rlm_sql (sql1): Reserving sql socket id: 14
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql (sql1): Released sql socket id: 14
    modcall[authorize]: module sql1 returns ok
    modcall: group group returns ok
    rlm_sqlcounter: Entering module authorize code
    sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}%{atdomain:%n}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1045785600''
    radius_xlat: Running registered xlat function of module atdomain for string '%n'
    rlm_sql: sql_domain_xlat
    radius_xlat: '[EMAIL PROTECTED]'
    sql_domain_xlat: User [EMAIL PROTECTED] already has a domain name
    radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1045785600''
    sqlcounter_expand: '%{sql1:SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1045785600'}'
    radius_xlat: Running registered xlat function of module sql1 for string 'SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1045785600''
    rlm_sql (sql1): - sql_xlat
    radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1045785600''
    rlm_sql (sql1): Reserving sql socket id: 13
    rlm_sql (sql1): - sql_xlat finished
    rlm_sql (sql1): Released sql socket id: 13
    radius_xlat: '18'
    rlm_sqlcounter: (Check item - counter) is greater than zero
    rlm_sqlcounter: Authorized user [EMAIL PROTECTED], check_item=36000, counter=18
    rlm_sqlcounter: Sent Reply-Item for user [EMAIL PROTECTED], Type=Session-Timeout, value=28800
    modcall[authorize]: module dailycounter returns ok
    rlm_sqlcounter: Entering module authorize code
    sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((1044057600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}%{atdomain:%n}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1044057600''
    radius_xlat: Running registered xlat function of module atdomain for string '%n'
    rlm_sql: sql_domain_xlat
    radius_xlat: '[EMAIL PROTECTED]'
Simultaneous-Use problem
Hello,

I am trying to use Simultaneous-Use for group users through mysql with freeradius-snapshot-20021101.

radiusd.conf:

    # Session database, used for checking Simultaneous-Use. The radutmp module
    # handles this
    session {
    #   radutmp
        sql
    }

sql.conf:

    # Uncomment simul_count_query to enable simultaneous use checking
    simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
    simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0

radgroupcheck:

    GroupName   Attribute   op   Value
    ppp-simul   Simultaneous-Use:=3D1

I've also used op=:=

And now users from other groups (not ppp-simul) don't have access either:

    Multiple logins (max 1) : [ppgip] (from client riak port 11)
    Sending Access-Reject of id 250 to XXX.XX.XX.XX:1026
        Reply-Message := \r\nYou are already logged in - access denied\r\n\n

I think GroupName wasn't checked. Why?

    rad_recv: Access-Request packet from host XXX.XX.XX.XX:1026, id=250, length=82
        User-Name = ppgip
        User-Password = XXX
        NAS-IP-Address = XXX.XX.XX.XX
        NAS-Port = 11
        NAS-Port-Type = Async
        Connect-Info = 14400
        Framed-Protocol = PPP
        Service-Type = Framed-User
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    radius_xlat: 'ppgip'
    sql_set_user: escaped user -- 'ppgip'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'ppgip' ORDER BY id'
    rlm_sql: Reserving sql socket id: 2
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ppgip' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'ppgip' ORDER BY id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'ppgip' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql: Released sql socket id: 2
    modcall[authorize]: module sql returns ok
    rlm_sqlcounter: Entering module authorize code
    rlm_sqlcounter: Could not find Check item value pair
    modcall[authorize]: module noresetcounter returns noop
    rlm_sqlcounter: Entering module authorize code
    rlm_sqlcounter: Could not find Check item value pair
    modcall[authorize]: module dailycounter returns noop
    rlm_sqlcounter: Entering module authorize code
    rlm_sqlcounter: Could not find Check item value pair
    modcall[authorize]: module monthlycounter returns noop
    users: Matched DEFAULT at 12
    modcall[authorize]: module files returns ok
    modcall: group authorize returns ok
    auth: type Local
    auth: user supplied User-Password matches local User-Password
    modcall: entering group session
    radius_xlat: 'ppgip'
    sql_set_user: escaped user -- 'ppgip'
    radius_xlat: 'SELECT COUNT(*) FROM radacct WHERE UserName='ppgip' AND AcctStopTime = 0'
    rlm_sql: Reserving sql socket id: 1
    radius_xlat: 'SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='ppgip' AND AcctStopTime = 0'
    rlm_sql: Released sql socket id: 1
    modcall[session]: module sql returns ok
    modcall: group session returns ok
    Multiple logins (max 1) : [ppgip] (from client riak port 11)
    Sending Access-Reject of id 250 to XXX.XX.XX.XX:1026
        Reply-Message := \r\nYou are already logged in - access denied\r\n\n
    Finished request 5

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Simultaneous-Use problem
Hi all,

I have set up three freeradius servers v0.7.1:
- two authorization, authentication
- one accounting

The two servers for authentication are working with files. The accounting server is working with mysql. The NASes are using BOTH servers (load-balancing).

The feature Simultaneous-Use uses the radwtmp file. But the accounting does not go to those servers, so I can't do the check. I have done a little Perl script which uses the accounting information to detect duplicate sessions and I would like to implement it.

How can I tell the radius server to exec my script to check for Simultaneous-Use at connection?

usage: myscript.pl username Simultaneous-Use limit
response: integer 0 or 1 (as 1 means Simultaneous-Use limit reached and 0 means Simultaneous-Use limit not reached)

Regards,
P.
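The check described in the post above (username and limit in, 0 or 1 out, decided from accounting records), written out as an added example that is not part of the original thread and is not FreeRADIUS code. It assumes an in-memory sqlite3 table standing in for the MySQL radacct table, constructed sample rows, and the open-session condition `AcctStopTime = 0` from the sql.conf quoted earlier in this archive; the function names are hypothetical.

```python
import sqlite3

# Constructed sample rows; sqlite3 stands in for the MySQL radacct table.
# Column names follow the simul_verify_query quoted in the thread, and
# AcctStopTime = 0 marks a session with no Stop record yet.
SAMPLE_ROWS = [
    ("a1", "ppgip", "192.0.2.10", "11", 0),           # open
    ("a0", "ppgip", "192.0.2.10", "7", 1045785600),   # closed
    ("b1", "alice", "192.0.2.11", "3", 0),            # open
    ("b2", "alice", "192.0.2.12", "5", 0),            # open on a second NAS
]


def make_db(rows=SAMPLE_ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, AcctSessionId TEXT,"
        " UserName TEXT, NASIPAddress TEXT, NASPortId TEXT, AcctStopTime INTEGER)"
    )
    conn.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, NASPortId,"
        " AcctStopTime) VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def open_sessions(conn, username):
    """Rows the count is based on, so a rejection can be explained."""
    # The username arrives in the Access-Request, so it is bound as a
    # parameter and never concatenated into the SQL text.
    cur = conn.execute(
        "SELECT AcctSessionId, NASIPAddress, NASPortId FROM radacct"
        " WHERE UserName = ? AND AcctStopTime = 0 ORDER BY RadAcctId",
        (username,))
    return cur.fetchall()


def limit_reached(conn, username, limit):
    """Return 1 if the user already holds `limit` or more open sessions, else 0."""
    if limit < 1:
        raise ValueError("limit must be a positive integer")
    return 1 if len(open_sessions(conn, username)) >= limit else 0


if __name__ == "__main__":
    db = make_db()
    for user, limit in (("ppgip", 1), ("ppgip", 2), ("alice", 2), ("nobody", 1)):
        print(user, limit, limit_reached(db, user, limit), open_sessions(db, user))
```

Because the count is taken from the shared accounting table, sessions on different NASes are counted together, and listing the matching rows shows exactly which open record caused a "limit reached" result.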
Simultaneous-Use problem on freeradius 0.4
I'm using freeradius 0.4 with mysql 3.23.41 on SuSE Linux 7.3 for auth. of dial-up users on a Livingston PortMaster 2e.

The problem:
I added all users into a group PPP.
I set the Simultaneous-Use to 1.
When a user is connected and another connection is requested by the same user, then the connection is accepted. The first instance of the user is removed from the radutmp file, so I see only one instance of the user with radwho, but when I'm looking at the PortMaster I see 2 users connected with the same username.

Here's some part from radiusd.conf:

    authorize {
        preprocess
        suffix
        sql
        counter
    }
    authenticate {
        sql
    }
    accounting {
        detail
        counter
        unix
        radutmp
        sql
    }
    session {
        radutmp
    }

sql.conf:

    authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
    authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
    authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
    authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
    authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} WHERE UserName = '%{User-Name}' AND ( Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC"

MySQL Databases

radcheck

    id    UserName   Attribute   Value   op
    252   user       Password    pass    :=

radgroupcheck

    id    GroupName   Attribute          Value   op
    252   PPP         Simultaneous-Use   1       :=

radgroupreply

    id   GroupName   Attribute            Value                  op
    13   PPP         Framed-Protocol      PPP                    :=
    12   PPP         Service-Type         Framed-User            :=
    14   PPP         Framed-IP-Address    x.x.x.x+               :=
    15   PPP         Framed-Compression   ,Van-Jacobson-TCP-IP   :=

usergroup

    id   username   groupname
    1    user       PPP

THANKS