2 Cistron-Radius and the Simultaneous-Use parameter.
7 Lots of people want to limt the number of times one user account can
8 login, usually to one. Thi is hard to do with the radius protocol;
9 the nature of the accounting stuff is such that the idea the radius server
10 has about the list of logged-in users might be different from the idea
11 the terminal server has about it.
13 However since ComOS 3.7 there is the possibility to get the list of logged
14 in users through SNMP from a portmaster. So if the radius server thinks
15 that someone is trying to login a second time, it is possible to check
16 on the terminal server itself if the first login is indeed still active.
17 Only then access is denied for the second login.
22 You need to have perl installed.
24 For SNMP checks, you have 2 options. You can use the `snmpget' program
25 from the cmu-snmp tools. You can probably get precompiled ones,
26 maybe even packaged for your system (Debian/Linux, Redhat/Linux, FreeBSD
27 ports collection etc). The source code is at
28 http://www.net.cmu.edu/projects/snmp/snmpapps/. The Linux-specific
29 version of this is at http://www.gaertner.de/snmp/
31 The other option is to install the SNMP_Session and BER modules that
32 come with mrtg - http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html
33 In that case you need no external snmpget program, checkrad will
36 The checkroutine for USR/3Com Total Control, NetServer racks and
37 Cyclades PathRAS uses the Net::Telnet module from CPAN, at least version
38 3.00. If you need that, obtain it from your local CPAN mirror (or see
39 http://www.perl.com/CPAN/). The checkrad.pl perl script will autodetect if
40 that module is installed.
44 It works by adding the `check' parameter "Simultaneous-Use" to the entry
45 for a users or DEFAULT in /etc/raddb/users. It should be at least one;
46 it defines the maximum number of users logged in with the same account name.
50 # Simultaneous use restrictions.
52 DEFAULT Group = "staff", Simultaneous-Use = 4
54 DEFAULT Group = "business", Simultaneous-Use = 2
56 DEFAULT Simultaneous-Use = 1
60 NOTE!!! The "Simultaneous-Use" parameter is in the "check" A/V pairs,
61 and not in the Reply A/V pairs (it _is_ a check).
65 As soon as the radius server thinks it sees a double login, it executes the
66 perl script /usr/local/sbin/checkrad (or /usr/sbin/checkrad, it checks for
67 the presence of both and in that order). This script queries the terminal
68 server too see if the user is indeed logged in.
70 The script uses SNMP for Livingston Portmasters, Ciscos and Patton,
71 finger for Portslave, Computone and Ascend, and Net::Telnet for USR/3Com
72 TC and Cyclades PathRAS.
74 Since the script has been witten in perl, it's easy to adjust for
75 any type of terminal server. There are implementations in the script for
76 checks using SNMP, finger, and telnet, so it should be easy to add
77 your own check routine if your terminal server is not supported yet.
79 You can find the script in the file src/checkrad.pl.
81 You need to set the correct type in the file /etc/raddb/naslist so that
82 checkrad KNOWS how it should interrogate the terminal server. At this
83 time you can define the following types:
85 type Vendor Uses method needs Need naspasswd
86 ==== ====== =========== ===== ==============
87 cisco Cisco SNMP SNMP No
88 computone Computone finger - No
89 livingston Livingston SNMP SNMP No [1]
90 max40xx Ascend finger - No
91 multitech Multitech SNMP SNMP No
92 netserver USR/3com telnet CPAN Net::Telnet Yes
93 pathras Cyclades telnet CPAN Net::Telnet Yes
94 patton Patton SNMP SNMP No
95 portslave ? finger - No
96 tc USR/3com telnet CPAN Net::Telnet Yes
97 usrhiper USR/3com SNMP SNMP No [2]
98 versanet VersaNet SNMP SNMP No
100 [1] Needs at least ComOS 3.5, SNMP enabled.
101 [2] Set "Reported Port Desity" to 256 (default)
103 4. IF IT DOESN'T WORK
105 You can edit the `checkrad' perl script and turn on debugging. Then
106 watch the debug file. The `radius.log' file also gives some hints.
108 Note that you need to add the Simultaneous-Login parameter to the
109 check item (first line), not the reply item.
111 A portmaster numbers the ports in the SNMP protocol from 1 to XX. The
112 perl script tries to find out which ones relates to S0 and calculates the
113 SNMP offset from that. However with a PM3 there is a "gap" in the S ports.
114 With a European ISDN-30 line, S30 and S31 do not exist. In the US, I think
115 that S23 might be skipped (try a `show sessions' on the portmaster). The
116 perl script catches the European situation, but needs to be adjusted for
117 the American situation. Perhaps this can be made reasonably automatic by
118 looking at what timezone we're in :)
122 This solution checks the radutmp file. This file is kept up-to-date from
123 the Accounting records the NAS sends. Since some NASes delay these records
124 for quite some time, it is possible to get a double login by loggin in
125 twice at _exactly_ the same time (plus or minus the mentioned delay time),
126 since neither of the logins are registered yet.
128 The solution would be to create a small 1-minute cache of Authentication
129 records, that is also checked for double login attempts. Perhaps in the
132 When implementing this one thing was considered the most important: when
133 trying to detect double logins, we always try to err on the safe side. So
134 in rare cases, a double login is possible but we try never to limit access
135 for a legitimate login.
137 6. PROBLEMS WITH DROPPED CONNECTIONS
139 Our PM3, with 2 ISDN-30 lines coming into it, had the habit of sometimes
140 dropping connections. In a few cases, the portmaster thought the session was
141 still alive so if the user tried to login again, he or she was denied access.
142 In our case, this problem was caused by a bad PRI line from the phone
145 We tried to compensate this by setting the Idle-Timeout to 15 minutes. That
146 way, even if a user did get locked out the portmaster would clear the rogue
147 session within 15 minutes and the user could login again.