Re: Simultaneous-User Questions

2002-11-06 Thread Alan DeKok
WA Support <[EMAIL PROTECTED]> wrote:
> Thank you for your suggestions.  However, no one has responded to why I
> don't see any debugging traffic coming from checkrad.  Is it not being
> called?

  Did you read my previous message, where I told you how to find out
the answer?

  I don't understand why you're refusing to do any work to find out
the answer for yourself.  I don't know what's going on in your
server.  YOU can find out by running it in debugging mode.


  I've said that until I'm sick of saying it, and still you refuse to
follow simple instructions.

  Go away.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Simultaneous-User Questions

2002-11-06 Thread WA Support
Hello,

Thank you for your suggestions.  However, no one has responded to why I
don't see any debugging traffic coming from checkrad.  Is it not being
called?

Murrah Boswell

Alan DeKok wrote:
> 
> WA Support <[EMAIL PROTECTED]> wrote:
> > I will look at running freeradius in debug mode, but I would rather set
> > debug flags in checkrad.
> 
>   Most of your questions about what happens, and when it happens, can
> be answered by running the server in debugging mode, and reading the
> output.
> 
> > > Have you looked into using realms?
> >
> > I read this in the duplicate-users documentation:
> >
> > "Now, about now, many of you are thinking, "what about realms?"
> > Well, realms are great, but, in general, it will require the end
> > user to add "@domain.com", which is a pain. It means ISP A has to
> > call 375 people and tell them to add that to their login name."
> >
> > and decided against realms, since I would have to notify a few thousand
> > people.
> 
>   With the attr_rewrite module, it should be possible to have the
> server re-write the usernames for them.
> 
>   Alan DeKok.
> 




Re: Simultaneous-User Questions

2002-11-06 Thread Alan DeKok
WA Support <[EMAIL PROTECTED]> wrote:
> I will look at running freeradius in debug mode, but I would rather set
> debug flags in checkrad.  

  Most of your questions about what happens, and when it happens, can
be answered by running the server in debugging mode, and reading the
output.

> > Have you looked into using realms?
> 
> I read this in the duplicate-users documentation:
> 
> "Now, about now, many of you are thinking, "what about realms?"
> Well, realms are great, but, in general, it will require the end
> user to add "@domain.com", which is a pain. It means ISP A has to
> call 375 people and tell them to add that to their login name."
> 
> and decided against realms, since I would have to notify a few thousand
> people.

  With the attr_rewrite module, it should be possible to have the
server re-write the usernames for them.

  Alan DeKok.




Re: Simultaneous-User Questions

2002-11-06 Thread WA Support
Hello,



> Run the radius server in debugging mode (-x) and see what the NAS actually
> sends to the server when a person tries to authenticate.  That will show you
> the data you can use in the users file to help determine where packets get
> proxied.  I believe the Called-Station-Id is sent only in accounting packets,
> which are sent after successful authentication.
> 

My understanding is that freeradius first checks radutmp and if it sees
a user logged on with the same username as one attempting to log on, it
calls checkrad to query the NAS.  This from the documentation on
Simultaneous-Use:

"...Only when someone tries to login who _already_ has an active
session according to the radutmp file, the server executes the perl
script /usr/local/sbin/checkrad (or /usr/sbin/checkrad, it checks for
the presence of both and in that order). This script queries the
terminal
server to see if the user indeed already has an active session."

Now, it makes sense to me that this checking would be done before the
authentication process, since it is the more efficient path.  However, I
am not familiar with the logic flow of freeradius, so I do not know this
for certain.

If it does check radutmp, and call checkrad when necessary, before
authentication, then it has access to the Called-Station-Id, since this
is available in the requesting packet from the new user.  It also has
access to the Called-Station-Id for all users currently logged on, since
the NAS keeps record of this in a table.  At least my NAS does, since
this is how they know which modem bank to assign my customers to.

So, I am fairly certain that both the username and Called-Station-Id are
available when/if checkrad is called.  Since this is written in perl, it
would be the most logical place to start working on a fix; i.e., would
require recompiles of radiusd.c.

However, I can not see any traffic coming out of the checkrad script, it
doesn't seem to be writing to checkrad.log.  Does freeradius-0.7.1, in
fact, call the perl script checkrad?  I did find where checkrad is
called from the session.c module, so I know that the thought is in the
code, but it doesn't seem to get triggered.  However, I also see in my
radius.log that certain sessions are being flagged as 'Multiple logins,'
so I know something is catching them, but I don't know what.  Do you?

I will look at running freeradius in debug mode, but I would rather set
debug flags in checkrad.  

> Have you looked into using realms?

I read this in the duplicate-users documentation:

"Now, about now, many of you are thinking, "what about realms?"
Well, realms are great, but, in general, it will require the end
user to add "@domain.com", which is a pain. It means ISP A has to
call 375 people and tell them to add that to their login name."

and decided against realms, since I would have to notify a few thousand
people.


Thanks,

Murrah Boswell

> 
> Kevin Bonner
> 




Re: Simultaneous-User Questions

2002-11-05 Thread Kevin Bonner
On Tuesday 05 November 2002 16:44, WA Support wrote:
> What I want to do is check for username and called-station-id.  The NAS
> reports this back to freeradius, since it is recorded in the detail
> file.  It should be very simple to rework the source for freeradius,
> i.e., radiusd.c, and check for both the username and the
> called-station-id, right?

Run the radius server in debugging mode (-x) and see what the NAS actually 
sends to the server when a person tries to authenticate.  That will show you 
the data you can use in the users file to help determine where packets get 
proxied.  I believe the Called-Station-Id is sent only in accounting packets, 
which are sent after successful authentication.

Have you looked into using realms?

Kevin Bonner




Re: Simultaneous-User Questions

2002-11-05 Thread WA Support
If you had read the original message that I sent, you would see what I
am trying to do.

I have to be able to check both username and called-station-id.

Thanks,
Murrah Boswell

CTA wrote:
> 
> On 5 Nov 2002, at 14:44, WA Support wrote:
> 
> 
> > What I want to do is check for username and called-station-id.
> > The NAS reports this back to freeradius, since it is recorded in
> > the detail file.  It should be very simple to rework the source
> > for freeradius, i.e., radiusd.c, and check for both the username
> > and the called-station-id, right?
> >>>
> If all you want to do is to check username and called-station-id,
> then why not use some regex logic:
> 
> proxy to here...
> 
> # Can we talk?
> tester  Auth-Type := Reject, Called-Station-Id != "number"
> 
> # Good, then let me in?
> tester  Auth-Type := XYZ, Password == "letmein", Simultaneous-Use := 1
>         Fall-Through = Yes
> 
> DEFAULT ... etc
> 
> bernie
> [EMAIL PROTECTED]
> 
> 
> >
> > But, from the perl world, checkrad.pl is used to check for
> > simultaneous use, according to the docs that came with
> > freeradius.  However, I can not see that anything calls
> > checkrad.pl.  Does anyone know what does call checkrad.pl?
> >
> > Thanks,
> > Murrah Boswell
> >
> > Alan DeKok wrote:
> > >
> > > WA Support <[EMAIL PROTECTED]> wrote:
> > > > What I am trying to do is support the case where I have a
> > > > user at ISP1 with the same username as a user at ISP2.
> > >
> > >   For general information about this situation, see:
> > >   doc/duplicate-users
> > >
> > > > From what I can read, freeradius just queries the CVX (in
> > > > this case) for the username and if it sees a session with
> > > > that username, it will not allow another one, correct?
> > >
> > >   Yes.
> > >
> > > > How can I make freeradius check for the username AND the
> > > > Called-Number?
> > >
> > >   No, it checks for a specific user has logged into a specific
> > >   port.
> > >
> > >   The issue appears to be that you want to keep track of users
> > >   locally
> > > by information OTHER than their username, but to check for
> > > Simultaneous-Use on the NAS by username and NAS port.
> > >
> > >   I'm not sure how to do this right now.
> > >
> > >   Alan DeKok.
> > >
> >
> >
> 
> 




Re: Simultaneous-User Questions

2002-11-05 Thread CTA


On 5 Nov 2002, at 14:44, WA Support wrote:

From:   WA Support <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject:    Re: Simultaneous-User Questions
Send reply to:  [EMAIL PROTECTED]
<mailto:freeradius-users-request@;lists.cistron.nl?subject=subscribe>
<mailto:freeradius-users-request@;lists.cistron.nl?subject=unsubscribe>
Date sent:  Tue, 05 Nov 2002 14:44:19 -0700

> What I want to do is check for username and called-station-id. 
> The NAS reports this back to freeradius, since it is recorded in
> the detail file.  It should be very simple to rework the source
> for freeradius, i.e., radiusd.c, and check for both the username
> and the called-station-id, right?
>>>
If all you want to do is to check username and called-station-id, 
then why not use some regex logic:

proxy to here...

# Can we talk?
tester  Auth-Type := Reject, Called-Station-Id != "number"

# Good, then let me in?
tester  Auth-Type := XYZ, Password == "letmein", Simultaneous-Use := 1
        Fall-Through = Yes

DEFAULT ... etc

bernie
[EMAIL PROTECTED]



> 
> But, from the perl world, checkrad.pl is used to check for
> simultaneous use, according to the docs that came with
> freeradius.  However, I can not see that anything calls
> checkrad.pl.  Does anyone know what does call checkrad.pl?
> 
> Thanks,
> Murrah Boswell
> 
> Alan DeKok wrote:
> > 
> > WA Support <[EMAIL PROTECTED]> wrote:
> > > What I am trying to do is support the case where I have a
> > > user at ISP1 with the same username as a user at ISP2.
> > 
> >   For general information about this situation, see:
> >   doc/duplicate-users
> > 
> > > From what I can read, freeradius just queries the CVX (in
> > > this case) for the username and if it sees a session with
> > > that username, it will not allow another one, correct?
> > 
> >   Yes.
> > 
> > > How can I make freeradius check for the username AND the
> > > Called-Number?
> > 
> >   No, it checks for a specific user has logged into a specific
> >   port.
> > 
> >   The issue appears to be that you want to keep track of users
> >   locally
> > by information OTHER than their username, but to check for
> > Simultaneous-Use on the NAS by username and NAS port.
> > 
> >   I'm not sure how to do this right now.
> > 
> >   Alan DeKok.
> > 
> 
> 


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
This email and any files transmitted with it are confidential and are
intended solely for the use of the individual or entity to whom they are
addressed.  This communication may contain material protected by the
attorney-client privilege.  If you are not the intended recipient, be
advised that you have received this email in error and that any use,
dissemination, forwarding, printing, or copying of this email is strictly
prohibited. If you have receive this email in error, please immediately
notify the sender by email. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>




Re: Simultaneous-User Questions

2002-11-05 Thread WA Support
What I want to do is check for username and called-station-id.  The NAS
reports this back to freeradius, since it is recorded in the detail
file.  It should be very simple to rework the source for freeradius,
i.e., radiusd.c, and check for both the username and the
called-station-id, right?

But, from the perl world, checkrad.pl is used to check for simultaneous
use, according to the docs that came with freeradius.  However, I can
not see that anything calls checkrad.pl.  Does anyone know what does
call checkrad.pl?

Thanks,
Murrah Boswell

Alan DeKok wrote:
> 
> WA Support <[EMAIL PROTECTED]> wrote:
> > What I am trying to do is support the case where I have a user at ISP1
> > with the same username as a user at ISP2.
> 
>   For general information about this situation, see: doc/duplicate-users
> 
> > From what I can read, freeradius just queries the CVX (in this case) for
> > the username and if it sees a session with that username, it will not
> > allow another one, correct?
> 
>   Yes.
> 
> > How can I make freeradius check for the username AND the Called-Number?
> 
>   No, it checks for a specific user has logged into a specific port.
> 
>   The issue appears to be that you want to keep track of users locally
> by information OTHER than their username, but to check for
> Simultaneous-Use on the NAS by username and NAS port.
> 
>   I'm not sure how to do this right now.
> 
>   Alan DeKok.
> 




Re: Simultaneous-User Questions

2002-11-05 Thread Alan DeKok
WA Support <[EMAIL PROTECTED]> wrote:
> What I am trying to do is support the case where I have a user at ISP1
> with the same username as a user at ISP2.

  For general information about this situation, see: doc/duplicate-users

> From what I can read, freeradius just queries the CVX (in this case) for
> the username and if it sees a session with that username, it will not
> allow another one, correct?

  Yes.

> How can I make freeradius check for the username AND the Called-Number?

  No, it checks for a specific user has logged into a specific port.

  The issue appears to be that you want to keep track of users locally
by information OTHER than their username, but to check for
Simultaneous-Use on the NAS by username and NAS port.


  I'm not sure how to do this right now.

  Alan DeKok.




Simultaneous-User Questions

2002-11-05 Thread WA Support
Hello,

Couple of questions:

I have freeradius-0.7.1 running on 2 linux boxes, at separate ISPs (ISP1
and ISP2).  The two ISPs have different access numbers (three numbers
for ISP1, and one number for ISP2).  Obviously each ISP has separate
/etc/passwd and /etc/shadow files, which implies separate users, right?

Now, all four access numbers are pointed to the same channelized T1s by
my telco.  My telco uses a CVX for my access traffic.  In my
/etc/raddb/users file, which lives on a server at ISP1, I check to see
if a user coming in has called the access number for ISP2, and if so, I
proxy them over to ISP2 for authentication; i.e.,

DEFAULT Called-Station-ID == "9286348077", Simultaneous-Use := 1, Proxy-To-Realm := verdenet
        Acct-Interim-Interval = 600,
        Fall-Through = No

If the access number is one for ISP1 (i.e., not 9286348077), then it
falls through to the DEFAULT for ISP1.  ISP1 also has a
'Simultaneous-Use := 1' default.  This all works well, no complaints.

What I am trying to do is support the case where I have a user at ISP1
with the same username as a user at ISP2.  For example, I have a user at
ISP1 with the username "grandma," and a user at ISP2 with the same
username.  If one of the 'grandma' users is logged in, the other can not
login.  I get around this by adding 2 entries in my /etc/raddb/users
file for 'grandma,' i.e.,

grandma Called-Station-ID == "9286348077", Simultaneous-Use := 2, Proxy-To-Realm := verdenet
        Acct-Interim-Interval = 600,
        Fall-Through = No

grandma Auth-Type := System, Simultaneous-Use := 2
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Acct-Interim-Interval = 600,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Idle-Timeout = 1800


This works, but it is not very elegant.

From what I can read, freeradius just queries the CVX (in this case) for
the username and if it sees a session with that username, it will not
allow another one, correct?

How can I make freeradius check for the username AND the Called-Number?

I could probably do this in checkrad, if I knew where to look for the
vector coming back from the CVX, or I could do it in radiusd.c and
recompile.

I can't get checkrad to work though, that is, I turned debugging on, I
thought, in /usr/local/sbin/checkrad by setting

$debug  = "/var/log/radius/checkrad.log";

but I get no traffic in /var/log/radius/checkrad.log, so it doesn't look
like checkrad is even being called.


Can some one help here please?

Thanks,
Murrah Boswell

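What the original post asks for (a Simultaneous-Use check keyed on both the username and the Called-Station-Id) and what Alan DeKok suggests further up the thread (have the server append the realm itself instead of asking every customer to type "@domain") can be modelled in a few lines. The script below is an added illustration written for this page; it is not FreeRADIUS code, not the checkrad script, and not anything the original poster ran. The realm name isp1.example, the access number 9286340000, the NAS address 10.0.0.1, the port numbers and the in-memory tables standing in for radutmp and for the NAS are all constructed, and checkrad() here is a dictionary lookup rather than the SNMP or finger query the real script performs. It also assumes that the name stored in radutmp and the name the NAS reports are the same rewritten name; on a real NAS the session is recorded under whatever User-Name the NAS sent, so a production checkrad would have to strip the appended realm before comparing.

```python
"""Simultaneous-Use keyed on the dialled number as well as the username.

Added illustration for this thread; it is not FreeRADIUS code.  The realm
"isp1.example", the access number 9286340000, the NAS address 10.0.0.1,
the NAS port numbers and the in-memory tables are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: dialled access number -> realm.  9286348077 is the ISP2
# number from the original post; every other number falls to ISP1.
REALM_BY_CALLED_NUMBER: Dict[str, str] = {"9286348077": "verdenet"}
DEFAULT_REALM = "isp1.example"   # assumed name for the local realm


@dataclass(frozen=True)
class Session:
    """One radutmp-style record: who is up, on which NAS and port."""
    user: str     # User-Name as stored at login time (realm included)
    nas: str      # NAS-IP-Address
    port: int     # NAS-Port
    called: str   # Called-Station-Id the session came in on


def rewrite_user_name(req: Dict[str, str]) -> str:
    """Append a realm chosen by Called-Station-Id (the rewrite suggested in
    the thread).  A name that already carries a realm is left alone."""
    name = req["User-Name"]
    if "@" in name:
        return name
    called = req.get("Called-Station-Id", "")
    return f"{name}@{REALM_BY_CALLED_NUMBER.get(called, DEFAULT_REALM)}"


def checkrad(session: Session, nas_state: Dict[str, Dict[int, str]]) -> bool:
    """Stand-in for the checkrad script: ask the NAS whether this user is
    really still on this port.  nas_state is a constructed dict
    nas -> {port: user}; the real script would poll the NAS."""
    return nas_state.get(session.nas, {}).get(session.port) == session.user


def bare_name_collides(req: Dict[str, str], radutmp: List[Session]) -> bool:
    """The behaviour the original post complains about: compare on the bare
    username only, so "grandma" at ISP1 blocks "grandma" at ISP2."""
    bare = req["User-Name"].split("@", 1)[0]
    return any(s.user.split("@", 1)[0] == bare for s in radutmp)


def simultaneous_use_ok(req: Dict[str, str], radutmp: List[Session],
                        nas_state: Dict[str, Dict[int, str]],
                        limit: int = 1) -> Tuple[bool, str]:
    """Decide the login as Simultaneous-Use := limit would, but on the
    realm-qualified name: collect radutmp rows for that name, confirm each
    with checkrad, and reject only when the confirmed count has reached the
    limit.  Stale rows (NAS no longer has them) are not counted."""
    user = rewrite_user_name(req)
    live = [s for s in radutmp if s.user == user and checkrad(s, nas_state)]
    if len(live) >= limit:
        ports = ",".join(str(s.port) for s in live)
        return False, f"Multiple logins: {user} already on port(s) {ports}"
    return True, f"ok: {user}"


# Constructed radutmp contents and NAS state.  bob's row is stale: radutmp
# still lists him on port 3 but the NAS no longer does.
RADUTMP = [
    Session("grandma@isp1.example", "10.0.0.1", 1, "9286340000"),
    Session("bob@isp1.example", "10.0.0.1", 3, "9286340000"),
]
NAS_STATE = {"10.0.0.1": {1: "grandma@isp1.example"}}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the three cases the thread cares about and return the verdicts."""
    grandma_isp2 = {"User-Name": "grandma", "Called-Station-Id": "9286348077"}
    grandma_isp1 = {"User-Name": "grandma", "Called-Station-Id": "9286340000"}
    bob_isp1 = {"User-Name": "bob", "Called-Station-Id": "9286340000"}
    return {
        "grandma via ISP2 number": simultaneous_use_ok(grandma_isp2, RADUTMP, NAS_STATE),
        "grandma via ISP1 number": simultaneous_use_ok(grandma_isp1, RADUTMP, NAS_STATE),
        "bob, stale radutmp row": simultaneous_use_ok(bob_isp1, RADUTMP, NAS_STATE),
    }


if __name__ == "__main__":
    for case, (accept, why) in demo().items():
        verdict = "Access-Accept" if accept else "Access-Reject"
        print(f"{case:26s} -> {verdict} ({why})")
```

bare_name_collides() reproduces the collision that the two-entry "grandma" workaround in the post exists to avoid; simultaneous_use_ok() does not have it because it counts sessions per realm-qualified name, so the second users-file entry with Simultaneous-Use := 2 becomes unnecessary. The stale row for bob shows why the server consults checkrad at all: a radutmp entry the NAS no longer confirms must not block a login. Both checks depend on Called-Station-Id being present in the Access-Request, which the poster's working Proxy-To-Realm entry already relies on.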