- Cistron-Radius and the Simultaneous-Use parameter.
+ FreeRADIUS server and the Simultaneous-Use parameter.
0. INTRODUCTION
#
# Simultaneous use restrictions.
#
- DEFAULT Group = "staff", Simultaneous-Use = 4
+ DEFAULT Group == "staff", Simultaneous-Use := 4
Fall-Through = 1
- DEFAULT Group = "business", Simultaneous-Use = 2
+ DEFAULT Group == "business", Simultaneous-Use := 2
Fall-Through = 1
- DEFAULT Simultaneous-Use = 1
+ DEFAULT Simultaneous-Use := 1
Fall-Through = 1
NOTE!!! The "Simultaneous-Use" parameter is in the "check" A/V pairs,
and not in the Reply A/V pairs (it _is_ a check).
+ For SQL, after creating and populating your schema, you should
+ execute the following statement (for MySQL, others may vary):
+
+ INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("dialup", "Simultaneous-Use", ":=", "1");
+
+ Once that is done, your users should be limited to only one login at a time.
+
3. IMPLEMENTATION
The server keeps a list of logged-in users in the /var/log/radutmp file.
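Review bot: in the added SQL paragraph, the INSERT puts the check on group "dialup" in radgroupcheck, but the closing sentence says "your users should be limited to only one login at a time" without stating that only members of that group are affected. Say that a user must belong to "dialup" (or whichever group name is used) for the limit to apply, otherwise a reader may assume the limit is global while accounts outside the group remain unrestricted. The statement also uses double-quoted string literals; single quotes would make it portable to databases other than MySQL, which the text itself notes "may vary".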
4. IF IT DOESN'T WORK
+ Note that you need to add the Simultaneous-Use parameter to the
+ check item (first line), not the reply item, using the ':=' operator.
+
You can edit the `checkrad' perl script and turn on debugging. Then
watch the debug file. The `radius.log' file also gives some hints.
- Note that you need to add the Simultaneous-Login parameter to the
- check item (first line), not the reply item.
+ You can also run the "checkrad" script manually, use the "-d"
+ switch to get debug output on standard output instead of in the log.
+
+ See also:
+
+ http://wrath.geoweb.ge/simult.html
+
+ which has a good discussion of the use of Simultaneous-Use.
- A portmaster numbers the ports in the SNMP protocol from 1 to XX. The
- perl script tries to find out which ones relates to S0 and calculates the
- SNMP offset from that. However with a PM3 there is a "gap" in the S ports.
- With a European ISDN-30 line, S30 and S31 do not exist. In the US, I think
- that S23 might be skipped (try a `show sessions' on the portmaster). The
- perl script catches the European situation, but needs to be adjusted for
- the American situation. Perhaps this can be made reasonably automatic by
- looking at what timezone we're in :)
5. CAVEATS
This solution checks the radutmp file. This file is kept up-to-date from
the Accounting records the NAS sends. Since some NASes delay these records
- for quite some time, it is possible to get a double login by loggin in
+ for quite some time, it is possible to get a double login by logging in
twice at _exactly_ the same time (plus or minus the mentioned delay time),
since neither of the logins are registered yet.
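Review bot: the added paragraph in section 4 beginning "You can also run the "checkrad" script manually" names the "-d" switch but not the arguments the script expects, so a reader cannot run it from this text alone. Add the usage line or say where the script prints it. The sentence is also a comma splice and reads better split in two after "manually". The "See also" link added just below it is a plain-http page on a third-party host; consider summarising its relevant points here so the document still stands if that page goes away.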