Problems with Simultaneous-Use

classic Classic list List threaded Threaded
1 message Options
| Threaded
Open this post in threaded view
|

Problems with Simultaneous-Use

John C. Koen

Hello,

I am having problems with Simultaneous-Use and checkrad.  I know that
checkrad is not running because:

        grep debug /usr/local/sbin/checkrad
        #       Config: $debug is the file you want to put debug messages in
        #$debug         = "";
        $debug          = "$logdir/checkrad.log";


and:

--
tail -F /var/log/radius/checkrad.log



Fri Jul 29 12:57:30 2005 checkrad
Usage: checkrad nas_type nas_ip nas_port login session_id









--
(nothing new is showing up in the checkrad log file, except for when I
run it by hand)


I have both the Perl SNMP modules installed, along with NET-SNMP (and
the correct syntax for NET used in the checkrad script, even though
it should be using the perl modules first).

I am able to manually use snmpwalk /fine/.







Here is how my SQL table looks:

mysql> select * from radgroupcheck;
+----+------------+------------------+----+-------+
| id | GroupName  | Attribute        | op | Value |
+----+------------+------------------+----+-------+
|  1 | pirate     | Simultaneous-Use | := | 2     |
|  2 | pirate-stu | Simultaneous-Use | := | 2     |
|  3 | pirate-stf | Simultaneous-Use | := | 2     |
|  4 | pirate-fac | Simultaneous-Use | := | 2     |
|  5 | pirate-its | Simultaneous-Use | := | 1     |
+----+------------+------------------+----+-------+

Here are the related sections from my radiusd.conf file:

        radutmp {
                #  Where the file is stored.  It's not a log file,
                #  so it doesn't need rotating.
                #
                filename = ${logdir}/radutmp

                #  The field in the packet to key on for the
                #  'user' name,  If you have other fields which you want
                #  to use to key on to control Simultaneous-Use,
                #  then you can use them here.
                #
                #  Note, however, that the size of the field in the
                #  'utmp' data structure is small, around 32
                #  characters, so that will limit the possible choices
                #  of keys.
                #
                #  You may want instead: %{Stripped-User-Name:-%{User-Name}}
                username = %{User-Name}


                #  Whether or not we want to treat "user" the same
                #  as "USER", or "User".  Some systems have problems
                #  with case sensitivity, so this should be set to
                #  'no' to enable the comparisons of the key attribute
                #  to be case insensitive.
                #
                case_sensitive = yes

                #  Accounting information may be lost, so the user MAY
                #  have logged off of the NAS, but we haven't noticed.
                #  If so, we can verify this information with the NAS,
                #
                #  If we want to believe the 'utmp' file, then this
                #  configuration entry can be set to 'no'.
                #
                check_with_nas = yes

                # Set the file permissions, as the contents of this file
                # are usually private.
                perm = 0600

        #       callerid = "yes"
        }

        #
        #  For Simultaneous-Use tracking.
        #
        #  Due to packet losses in the network, the data here
        #  may be incorrect.  There is little we can do about it.
        radutmp
#       sradutmp

        #
        #  Log traffic to an SQL database.
        #
        #  See "Accounting queries" in sql.conf
        sql

#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
        #radutmp

        #
        #  See "Simultaneous Use Checking Querie" in sql.conf
        sql
}






And here is my sql.conf file:

        # Simultaneous Use Checking Queries
        #######################################################################
        # simul_count_query     - query for the number of current connections
        #                       - If this is not defined, no simultaneouls use checking
        #                       - will be performed by this module instance
        # simul_verify_query    - query to return details of current connections for verification
        #                       - Leave blank or commented out to disable verification step
        #                       - Note that the returned field order should not be changed.
        #######################################################################

        # Uncomment simul_count_query to enable simultaneous use checking
        simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
        simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"





Here is how my radacct table looks:

mysql> select * from radacct order by RadAcctId desc limit 1;
+-----------+---------------+------------------+----------+-------+---------------+-----------+-----------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+--------------------+-------------+----------------+-----------------+----------------+---------------+
| RadAcctId | AcctSessionId | AcctUniqueId     | UserName | Realm | NASIPAddress  | NASPortId | NASPortType     | AcctStartTime       | AcctStopTime        | AcctSessionTime | AcctAuthentic | ConnectInfo_start | ConnectInfo_stop | AcctInputOctets | AcctOutputOctets | CalledStationId | CallingStationId | AcctTerminateCause | ServiceType | FramedProtocol | FramedIPAddress | AcctStartDelay | AcctStopDelay |
+-----------+---------------+------------------+----------+-------+---------------+-----------+-----------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+--------------------+-------------+----------------+-----------------+----------------+---------------+
|       281 | 0000019F      | c91763dbcdfe02cb | johnk    |       | 192.168.0.49 |       558 | Wireless-802.11 | 2005-07-29 15:03:06 | 0000-00-00 00:00:00 |               0 | RADIUS        |                   |                  |               0 |                0 | 0014.691e.e9c0  | 000e.35b5.eb8f   |                    | Framed-User |                |                 |              0 |             0 |
+-----------+---------------+------------------+----------+-------+---------------+-----------+-----------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+---------------


hecate:/etc/raddb # tail naspasswd
# WARNING:      Always make sure that this file has the "-r------" permission.
#               And, don't set the passwords on your other systems to the same
#               passwords that can be found below.
#
#

#203.172.90.118 !root TufFseCrET
#203.172.42.152 !root ToTaLCnTl
192.168.0.49



hecate:/etc/raddb # grep 192.168 -A 3 clients.conf
client 192.168.0.49 {
        secret          = xXxXxXxX
        shortname       = Aironet1100-johnk
        nastype         = cisco




The proper accounting configuration lines have been included in my
Cisco AP conf.


My username is part of the pirate-its group; 1 connection allowed.  What
I find interesting is that if I connect once:

radwho
Login      Name              What  TTY  When      From      Location
johnk      John Koen         shell S534 Fri 14:57 192.168.0


...then if I open a second connection (from another machine, at the
same time as the first connection):

radwho
Login      Name              What  TTY  When      From      Location
johnk      John Koen         shell S535 Fri 14:58 192.168.0


Notice that radutmp seems to forget about the first connection,
and only remember the newest (connection number 2) connection.  On
this 2nd connection attempt I should be Rejected instead
of Accepted.  I see nothing in the checkrad log of checkrad running.

What else can I try?

--johnk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html