(RADIATOR) Question about SessionDatabase

2000-11-17 Thread Alexey A. Shavaldin

Hello !

I have experienced a problem with simultaneous logins in the following case.
I have global RewriteUsername defined in my radius.cfg:

RewriteUsername tr/[A-Z]/[a-z]/
RewriteUsername s/^(.*)\/(.*)/$2/
RewriteUsername s/^(.*)\\(.*)/$2/
RewriteUsername tr/A-Za-z0-9_@,\\\ \.\-/\*/c

Simultaneous login limits work OK for users who enter their usernames in lower 
case, but not for users who mix upper and lower case characters. 
Their Access-Requests are accepted everywhere. Here is part of my trace4 log:

**

If usernames are entered in mixed case:

Fri Nov 17 11:56:46 2000: DEBUG: Radius::AuthSQL looks for match with xxx
  ^^^
Fri Nov 17 11:56:46 2000: DEBUG: Query is: select NASIDENTIFIER, NASPORT, 
ACCTSESSIONID from RADONLINE where USERNAME='xxx'
 ^^^
Fri Nov 17 11:56:46 2000: DEBUG: Checking if user is still online: 
TotalControlSNMP, Xxx, my_nas_ip_address, 3082, 201918932
  ^^^
Fri Nov 17 11:56:46 2000: DEBUG: Running command `/usr/bin/snmpget 
my_nas_ip_address my_com_string 
.iso.org.dod.internet.private.enterprises.429.4.10.1.1.18.4338`
Fri Nov 17 11:56:46 2000: NOTICE: Special Session for Xxx at
  ^^^
my_nas_ip_address:3082 has gone away
Fri Nov 17 11:56:46 2000: DEBUG: Special Deleting session for Xxx,
  ^^^ 
my_nas_ip_address, 3082
Fri Nov 17 11:56:46 2000: DEBUG: do query is: delete from RADONLINE where 
USERNAME='xxx'
  ^^^
and NASIDENTIFIER='my_nas_ip_address' and NASPORT=ifnull("3082",0)

xxx = logins in lower case
Xxx = logins in mixed case

If usernames are entered in lower case the result is:

Fri Nov 17 11:56:32 2000: DEBUG: Running command `/usr/bin/snmpget 
my_nas_ip_address my_com_string 
.iso.org.dod.internet.private.enterprises.429.4.10.1.1.18.4338`
Fri Nov 17 11:56:33 2000: DEBUG: Radius::AuthSQL REJECT: Simultaneous-Use of 
1 exceeded 
Fri Nov 17 11:56:33 2000: INFO: Access rejected for xxx: Simultaneous-Use of 
1 exceeded


My SessionDatabase part of radius.cfg is:

AddQuery insert delayed into RADONLINE ( \
USERNAME, \
REALM, \
NASIDENTIFIER, \
NASPORT, \
ACCTSESSIONID, \
TIME_STAMP, \
FRAMEDIPADDRESS, \
NASPORTTYPE, \
SERVICETYPE, \
CalledStationId, \
CallingStationId \
) values ( \
"%U" , \
"%R" , \
"%N" , \
ifnull("%{NAS-Port}",0), \
"%{Acct-Session-Id}", \
from_unixtime(%{Timestamp}), \
"%{Framed-IP-Address}", \
"%{NAS-Port-Type}", \
"%{Service-Type}", \
"%{Called-Station-Id}", \
"%{Calling-Station-Id}" \
)
 
 DeleteQuery delete from RADONLINE where USERNAME="%U" and \
NASIDENTIFIER="%N" and NASPORT=ifnull("%{NAS-Port}",0)

 ClearNasQuery delete from RADONLINE where NASIDENTIFIER="%N"
 
 CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE \
 where USERNAME="%U"


Where can I find the source of the problem? Such straightforward users are beginning to 
bother me :))

-- 
With regards,
Alexey A. Shavaldin  [EMAIL PROTECTED]

System Administrator
of Kraft-S, JSC

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) Question about SessionDatabase

2000-11-17 Thread Hugh Irvine


Hello Alexey -

On Fri, 17 Nov 2000, Alexey A. Shavaldin wrote:
> Hello !
> 
> I have experienced a problem with simultaneous logins in the following case.
> I have global RewriteUsername defined in my radius.cfg:
> 
> RewriteUsername tr/[A-Z]/[a-z]/
> RewriteUsername s/^(.*)\/(.*)/$2/
> RewriteUsername s/^(.*)\\(.*)/$2/
> RewriteUsername tr/A-Za-z0-9_@,\\\ \.\-/\*/c
> 
> Simultaneous login limits work OK for users who enter their usernames in lower 
> case, but not for users who mix upper and lower case characters. 
> Their Access-Requests are accepted everywhere. Here is part of my trace4 log:
> 

This is really a business policy issue, rather than a technical Radiator issue.

You have two opposing views being expressed:

1. do you allow "naive" users to misspell their login names and still be
accepted?

2. do you forbid "clever" users from abusing multiple use limits?

You have to decide which policy to implement - you can't do both.

As to checking simultaneous use - the problem is that the NAS keeps the
username string that was entered by the user, so the session database also
needs to keep that string to be able to query the NAS.

In this case (and others as discussed on the list) I tend towards the strict
view, that simply rejects unacceptable login attempts.

hth

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
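The trace in Alexey's message (the lower-case CountQuery finds the row, but the NAS liveness check is given the name as typed, so the mixed-case session is reported as "gone away" and deleted) and the two policies in Hugh's reply, as an added Python model that is not Radiator's own code: the four RewriteUsername rules translated from Perl, a constructed RADONLINE row and NAS port table, and a decide() function with an "exact", "case-insensitive" and "strict" policy. The assumption that the liveness check compares the typed name byte-for-byte with what the NAS reports is mine, read from the trace, as is the reading of the strict policy as "reject any name the rewrite rules would change".

```python
import re

# Python equivalents of the four RewriteUsername rules in the radius.cfg
# above (Perl tr/// and s///), applied in the same order.
def rewrite_username(name):
    name = name.lower()                                 # tr/[A-Z]/[a-z]/
    name = re.sub(r'^(.*)/(.*)', r'\2', name)           # s/^(.*)\/(.*)/$2/
    name = re.sub(r'^(.*)\\(.*)', r'\2', name)          # s/^(.*)\\(.*)/$2/
    return re.sub(r'[^A-Za-z0-9_@,\\ .\-]', '*', name)  # tr/A-Za-z0-9_@,\\\ \.\-/\*/c

# Constructed stand-ins: the RADONLINE row left by the first (lower-case)
# login, and the name the NAS reports for that port when polled over SNMP.
RADONLINE = [{"USERNAME": "xxx", "NASIDENTIFIER": "nas1", "NASPORT": 3082}]
NAS_PORTS = {("nas1", 3082): "xxx"}

def count_query(user):
    """CountQuery: rows in RADONLINE whose USERNAME equals the rewritten name."""
    return [r for r in RADONLINE if r["USERNAME"] == user]

def still_online(row, typed_name, policy):
    """Stand-in for the TotalControlSNMP check. Assumption: the name the user
    typed (not the rewritten one) is compared with what the NAS reports."""
    on_nas = NAS_PORTS.get((row["NASIDENTIFIER"], row["NASPORT"]))
    if on_nas is None:
        return False
    if policy == "case-insensitive":
        return on_nas.lower() == typed_name.lower()
    return on_nas == typed_name   # byte-exact comparison, as the trace shows

def decide(typed_name, policy="exact", simultaneous_use=1):
    """ACCEPT or REJECT a new Access-Request carrying typed_name.
    policy: "exact" (behaviour in the trace), "case-insensitive", or
    "strict" (reject any name the rewrite rules would change)."""
    canonical = rewrite_username(typed_name)
    if policy == "strict" and typed_name != canonical:
        return "REJECT"
    live = 0
    for row in count_query(canonical):
        if still_online(row, typed_name, policy):
            live += 1
        # otherwise Radiator logs "has gone away" and runs DeleteQuery on the row
    return "REJECT" if live >= simultaneous_use else "ACCEPT"
```

With the "exact" policy a second login as "Xxx" is accepted although "xxx" is still on port 3082; the other two policies reject it.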

