update session database in Authorization

2010-02-16 Thread Houssam Melhem
Hello,

When 2 users with the same username try to log in to the server at the same
time, the Radius server receives Auth and Acct packets in the following order:

1- Auth from user1
2- Auth from user2
3- Acct from user1
4- Acct from user2

Since the session database is not populated until a user sends an accounting
packet (using radutmp or sql modules),
how can we prevent multiple logins in this situation? Shall we think about
adding a record to the session database in the authorization section?


I am using freeradius-2.1.6

configurations
==============
authorize {
    preprocess
    chap
    suffix
    files
    sql
    pap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
#   radutmp
    sql
}
session {
#   radutmp
    sql
}


Thanks,
Houssam
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: update session database in Authorization

2010-02-16 Thread Fajar A. Nugraha
On Wed, Feb 17, 2010 at 12:19 AM, Houssam Melhem hmel...@gmail.com wrote:
> How can we prevent multiple login in this situation? shall we think in
> adding a record to the session database in authorization section?

In a normal situation, an acct-capable NAS sends acct-start immediately
after it receives access-accept, so there should be no need for you to
do that manually.

-- 
Fajar


Re: update session database in Authorization

2010-02-16 Thread Houssam Melhem
Hello,
You are right. I have this problem with the Pheenet access point and Nomadix AG;
for Cisco NAS I have no problem.
If I need to fix this issue, what is the recommended solution to fix this
issue?
If I modify the authorize section to save sessions, does it break the Radius
protocol?
I am thinking of patching rlm_sql, what do you think?

Thanks,
Houssam


Re: update session database in Authorization

2010-02-16 Thread Fajar A. Nugraha
On Wed, Feb 17, 2010 at 7:16 AM, Houssam Melhem hmel...@gmail.com wrote:
> Hello,
> You are right, I have this problem with Pheenet Access point and Nomadix AG,
> for cisco NAS I have no problem
> If I need to fix this issue what is the recommended solution to fix this
> issue?

Well, I'd say you need to find the root cause of the problem first. Do they
not send acct-start at all? Do they send it late?
It's possible that they don't support acct at all (wireless APs used
for 802.1x usually only use auth), so you'll have a hard time (if even
possible) limiting simultaneous connections.

> If I modify the authorize section to save sessions does it break Radius
> Protocol ?

It wouldn't be a REAL accounting session. It'd be just some data you put
there based on the information available during auth. You won't have
enough information (like AcctSessionId) to create a real accounting
entry.

> I am thinking in patching rlm_sql, what do you think?

You can just use post-auth section, no need to patch the source code.
See the example for Authentication Logging Queries.

-- 
Fajar
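
The race discussed in this thread, as an added illustration (not FreeRADIUS code and not written by any poster): an in-memory model in which the simultaneous-use check reads a session table that only accounting populates, next to a variant that writes a placeholder row at post-auth time. The class, function, user and port names and the limit of 1 are assumptions made for the example.

```python
# Constructed model of the packet order from the first message
# (Auth user1, Auth user2, Acct user1, Acct user2). Not FreeRADIUS code.

class SessionDB:
    def __init__(self, limit=1, reserve_at_auth=False):
        self.limit = limit                      # allowed simultaneous logins
        self.reserve_at_auth = reserve_at_auth  # write a placeholder at post-auth?
        self.sessions = []                      # rows: user, nas_port, acct_session_id

    def count(self, user):
        return sum(1 for s in self.sessions if s["user"] == user)

    def auth(self, user, nas_port):
        """Access-Request: session check, then the optional post-auth write."""
        if self.count(user) >= self.limit:
            return "Access-Reject"
        if self.reserve_at_auth:
            # Placeholder only: no Acct-Session-Id is known at auth time,
            # so this is not a real accounting entry.
            self.sessions.append(
                {"user": user, "nas_port": nas_port, "acct_session_id": None})
        return "Access-Accept"

    def acct_start(self, user, nas_port, acct_session_id):
        """Acct-Start: complete a matching placeholder, else insert a new row."""
        for s in self.sessions:
            if (s["user"], s["nas_port"], s["acct_session_id"]) == (user, nas_port, None):
                s["acct_session_id"] = acct_session_id
                return
        self.sessions.append(
            {"user": user, "nas_port": nas_port, "acct_session_id": acct_session_id})


def replay(db, user="bob"):
    """Replay both Auth packets first, then Acct-Start for each accepted login."""
    logins = [("port-1", "sid-1"), ("port-2", "sid-2")]
    replies = [db.auth(user, port) for port, _ in logins]
    for (port, sid), reply in zip(logins, replies):
        if reply == "Access-Accept":   # a rejected login sends no Acct-Start
            db.acct_start(user, port, sid)
    return replies, db.count(user)


if __name__ == "__main__":
    print("accounting only :", replay(SessionDB()))
    print("post-auth record:", replay(SessionDB(reserve_at_auth=True)))
```

In this model a placeholder whose Acct-Start never arrives keeps counting against the limit, so a NAS that sends no accounting at all would need those rows expired by some other means.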