- FreeRadius and the Simultaneous-Use parameter.
+ FreeRADIUS server and the Simultaneous-Use parameter.
0. INTRODUCTION
Lots of people want to limit the number of times one user account can
- login, usually to one. Thi is hard to do with the radius protocol;
+ login, usually to one. This is hard to do with the radius protocol;
the nature of the accounting stuff is such that the idea the radius server
has about the list of logged-in users might be different from the idea
the terminal server has about it.
- However since ComOS 3.7 there is the possibility to get the list of logged
- in users through SNMP from a portmaster. So if the radius server thinks
- that someone is trying to login a second time, it is possible to check
- on the terminal server itself if the first login is indeed still active.
- Only then access is denied for the second login.
+ However, most terminal servers have an alternative way to get a list
+ of logged-in users. Most support some way through telnet, some have
+ a finger-daemon builtin and a lot of them support SNMP. So if the
+ radius server thinks that someone is trying to login a second time,
+ it is possible to check on the terminal server itself if the first
+ login is indeed still active. Only then access is denied for the
+ second login.
1. PREREQUISITES
version of this is at http://www.gaertner.de/snmp/
The other option is to install the SNMP_Session and BER modules that
- come with mrtg - http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html
+ for example the well known `mrtg' package uses. This is recommended.
In that case you need no external snmpget program, checkrad will
- speak SNMP directly.
+ speak SNMP directly. See http://www.switch.ch/misc/leinen/snmp/perl/
- The checkroutine for USR/3Com Total Control, NetServer racks and
- Cyclades PathRAS uses the Net::Telnet module from CPAN, at least version
- 3.00. If you need that, obtain it from your local CPAN mirror (or see
- http://www.perl.com/CPAN/). The checkrad.pl perl script will autodetect if
- that module is installed.
+ The checkroutine for USR/3Com Total Control racks uses the Net::Telnet
+ module from CPAN, at least version 3.00. If you need that, obtain it from
+ your local CPAN mirror (or see http://www.perl.com/CPAN/). The checkrad.pl
+ perl script will autodetect if that module is installed.
2. USAGE.
#
# Simultaneous use restrictions.
#
- DEFAULT Group = "staff", Simultaneous-Use = 4
+ DEFAULT Group == "staff", Simultaneous-Use := 4
Fall-Through = 1
- DEFAULT Group = "business", Simultaneous-Use = 2
+ DEFAULT Group == "business", Simultaneous-Use := 2
Fall-Through = 1
- DEFAULT Simultaneous-Use = 1
+ DEFAULT Simultaneous-Use := 1
Fall-Through = 1
NOTE!!! The "Simultaneous-Use" parameter is in the "check" A/V pairs,
and not in the Reply A/V pairs (it _is_ a check).
+ For SQL, after creating and populating your schema, you should
+ execute the following statement (for MySQL, others may vary):
+
+ INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("dialup", "Simultaneous-Use", ":=", "1");
+
+ Once that is done, your users should be limited to only one login at a time.
+
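Review bot: the MySQL statement uses double-quoted string literals (`values("dialup", "Simultaneous-Use", ":=", "1")`), which MySQL accepts in its default SQL mode but which standard SQL, other databases, and MySQL with ANSI_QUOTES treat as identifier quoting; since the text already says "others may vary", suggest `VALUES ('dialup', 'Simultaneous-Use', ':=', '1');` so the example is portable. The text should also say that "dialup" is only an example group name and must be replaced by the group the users actually belong to, otherwise the check item never applies to anyone. The `==` / `:=` operator change in the users file entries is right: Group is compared and Simultaneous-Use is assigned as a check item, which is consistent with the NOTE that follows them.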
3. IMPLEMENTATION
- As soon as the radius server thinks it sees a double login, it executes the
- perl script /usr/local/sbin/checkrad (or /usr/sbin/checkrad, it checks for
+ The server keeps a list of logged-in users in the /var/log/radutmp file.
+ This is also called "the session database". When you execute "radwho",
+ all that radwho really does is list the entries in this file in a pretty
+ format. Only when someone tries to login who _already_ has an active
+ session according to the radutmp file, the server executes the perl
+ script /usr/local/sbin/checkrad (or /usr/sbin/checkrad, it checks for
the presence of both and in that order). This script queries the terminal
- server too see if the user is indeed logged in.
+ server to see if the user indeed already has an active session.
- The script uses SNMP for Livingston Portmasters, Ciscos and Patton,
- finger for Portslave, Computone and Ascend, and Net::Telnet for USR/3Com
- TC and Cyclades PathRAS.
+ The script uses SNMP for Livingston Portmasters and Ciscos, finger for
+ Portslave, Computone and Ascend, and Net::Telnet for USR/3Com TC.
Since the script has been witten in perl, it's easy to adjust for
any type of terminal server. There are implementations in the script for
type Vendor Uses method needs Need naspasswd
==== ====== =========== ===== ==============
- cisco Cisco SNMP SNMP No
- computone Computone finger - No
- livingston Livingston SNMP SNMP No [1]
- max40xx Lucent finger - No
ascend Lucent SNMP SNMP No
- multitech Multitech SNMP SNMP No
+ bay Nortel finger finger command No
+ cisco Cisco SNMP SNMP Optional [1]
+ computone Computone finger finger command No
+ cvx Nortel SNMP SNMP No
+ digitro Digitro rusers rusers command No
+ livingston Livingston SNMP SNMP No [2]
+ max40xx Lucent finger finger command No
netserver USR/3com telnet CPAN Net::Telnet Yes
pathras Cyclades telnet CPAN Net::Telnet Yes
patton Patton SNMP SNMP No
- portslave ? finger - No
+ portslave ? finger finger command No
+ pr3000 Cyclades SNMP snmpwalk command No
+ pr4000 Cyclades SNMP snmpwalk command No
tc USR/3com telnet CPAN Net::Telnet Yes
- usrhiper USR/3com SNMP SNMP No [2]
+ usrhyper USR/3com SNMP SNMP No [3]
versanet VersaNet SNMP SNMP No
- [1] Needs at least ComOS 3.5, SNMP enabled.
- [2] Set "Reported Port Desity" to 256 (default)
+ other none N/A - No
+
+ [1] In naspasswd file: set username to SNMP, password is community.
+ [2] Needs at least ComOS 3.5, SNMP enabled.
+ [3] Set "Reported Port Density" to 256 (default)
+
+ "other" means "don't bother checking, I believe what radutmp says".
+ This really is not recommended, if a user has a "stuck" entry in the
+ session database she will not be able to login again - hence the
+ extra check that "checkrad" does.
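Review bot: the table now disagrees with the sentence above it: `The script uses SNMP for Livingston Portmasters and Ciscos, finger for Portslave, Computone and Ascend, and Net::Telnet for USR/3Com TC.` drops Patton and Cyclades PathRAS, yet the table still lists `patton` (SNMP) and `pathras` (Net::Telnet) and adds bay, cvx, digitro, pr3000, pr4000 and versanet that the sentence never mentions; either let the sentence refer to the table for the full list or keep it complete. Renaming `usrhiper` to `usrhyper` in the type column changes the identifier an administrator configures for that NAS type; if the script was changed in the same way, the commit message should say so and the script should ideally keep accepting the old spelling, otherwise existing configurations silently stop matching. The new footnote `[1] In naspasswd file: set username to SNMP, password is community.` should add that the community string is a credential, so naspasswd needs to be readable only by the user the server runs as. While touching this section, the context line `Since the script has been witten in perl` has a typo (written).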
4. IF IT DOESN'T WORK
+ Note that you need to add the Simultaneous-Use parameter to the
+ check item (first line), not the reply item, using the ':=' operator.
+
You can edit the `checkrad' perl script and turn on debugging. Then
watch the debug file. The `radius.log' file also gives some hints.
- Note that you need to add the Simultaneous-Login parameter to the
- check item (first line), not the reply item.
+ You can also run the "checkrad" script manually, use the "-d"
+ switch to get debug output on standard output instead of in the log.
+
+ See also:
+
+ http://wrath.geoweb.ge/simult.html
+
+ which has a good discussion of the use of Simultaneous-Use.
- A portmaster numbers the ports in the SNMP protocol from 1 to XX. The
- perl script tries to find out which ones relates to S0 and calculates the
- SNMP offset from that. However with a PM3 there is a "gap" in the S ports.
- With a European ISDN-30 line, S30 and S31 do not exist. In the US, I think
- that S23 might be skipped (try a `show sessions' on the portmaster). The
- perl script catches the European situation, but needs to be adjusted for
- the American situation. Perhaps this can be made reasonably automatic by
- looking at what timezone we're in :)
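Review bot: the deleted paragraph about Portmaster SNMP port numbering (the PM3 gap at S30/S31 on ISDN-30, and the possibly skipped S23 in the US that "needs to be adjusted" in the script) was the only place that caveat was recorded; if the script now detects the gap automatically, section 5 CAVEATS should say so, and if it does not, the paragraph should be moved there rather than dropped. The relocated note is an improvement: it now names the real attribute, Simultaneous-Use (the old text said Simultaneous-Login), and states the ':=' operator, matching section 2. The new sentence about the "-d" switch would be more useful if it named the log file that debug output goes to otherwise, since the text before it only says "the debug file".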
5. CAVEATS
This solution checks the radutmp file. This file is kept up-to-date from
the Accounting records the NAS sends. Since some NASes delay these records
- for quite some time, it is possible to get a double login by loggin in
+ for quite some time, it is possible to get a double login by logging in
twice at _exactly_ the same time (plus or minus the mentioned delay time),
since neither of the logins are registered yet.