Excluding non-NAS from simultaneous-use checks

classic Classic list List threaded Threaded
6 messages Options
| Threaded
Open this post in threaded view
|

Excluding non-NAS from simultaneous-use checks

Dan Siemon
I'm looking for a way to exclude some sources of RADIUS authentication
requests from being subjected to the simultaneous-use checks.

Basically we use RADIUS for more than just dialin,  simultaneous-use is
not applicable to these services.

I found the following thread on the Cistron mailing list which would
solve my problem if I were still running Cistron.

http://lists.cistron.nl/pipermail/cistron-radius/2002-June/003861.html

Setting the RAS type to none appears to have no effect for FreeRADIUS.

Is there another way to accomplish this with FreeRADIUS?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Excluding non-NAS from simultaneous-use checks

Alan DeKok
Dan Siemon <[hidden email]> wrote:
> I'm looking for a way to exclude some sources of RADIUS authentication
> requests from being subjected to the simultaneous-use checks.

  Don't set Simultaneous-Use.

> Setting the RAS type to none appears to have no effect for FreeRADIUS.
>
> Is there another way to accomplish this with FreeRADIUS?

  Set it to "other".  See "clients.conf"

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Excluding non-NAS from simultaneous-use checks

Dan Siemon
Alan DeKok wrote:

>Dan Siemon <[hidden email]> wrote:
>  
>
>>Setting the RAS type to none appears to have no effect for FreeRADIUS.
>>
>>Is there another way to accomplish this with FreeRADIUS?
>>    
>>
>
>  Set it to "other".  See "clients.conf"
>  
>
I should have mentioned I tried using 'other' and did not get the
desired behavior.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Excluding non-NAS from simultaneous-use checks

Alan DeKok
Dan Siemon <[hidden email]> wrote:
> I should have mentioned I tried using 'other' and did not get the
> desired behavior.

  Please explain, then, what he desired behavior is.  Include examples.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Excluding non-NAS from simultaneous-use checks

Dan Siemon
Alan DeKok wrote:

>Dan Siemon <[hidden email]> wrote:
>  
>
>>I should have mentioned I tried using 'other' and did not get the
>>desired behavior.
>>    
>>
>  Please explain, then, what he desired behavior is.  Include examples.
>  
>

I have a bunch of RASs and PPPoE concentrators.  When authenticating
against these clients I want the simultaneous-use enforced.

The same FreeRADIUS server also authenticates other services such as
NNTP.  When auth requests come from these other RADIUS clients I don't
want any simultaneous-use checking to happen at all.

For example, a user "bob", with simultaneous-use=1 should be able to
authenticate for PPPoE and then start his NNTP client without the first
authentication blocking the NNTP login because of the simultaneous-use=1
check.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Excluding non-NAS from simultaneous-use checks

Alan DeKok
Dan Siemon <[hidden email]> wrote:
> For example, a user "bob", with simultaneous-use=1 should be able to
> authenticate for PPPoE and then start his NNTP client without the first
> authentication blocking the NNTP login because of the simultaneous-use=1
> check.

  To do that, you have to:

  a) configure Simulteneous-Use for the user ONLY when you want to enforce it

  b) not track logins in radutmp, from places where you don't want those
     logins to affect Simultaneous-Use

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html