(RADIATOR) Radmin and MAXLOGINS
Michael Bellears
mbellears at staff.datafx.com.au
Mon Nov 26 18:14:49 CST 2001
We have a client who is using Radiator 2.18 and Radmin 1.5.
We are utilising MAXLOGINS to restrict simultaneous connections from some permanent dial-up customers (e.g. ones that have only paid for 56/64k).
I am seeing users that connect with multilink ISDN able to connect with more than one simultaneous connection (which we don't want!) - Radmin/radwho.pl and portmaster are all reporting simultaneous logins.
A trace 4 debug shows an unusual Access-Request for the first connection from the offending user -> (full trace 4 of the connection at end of message)
Mon Nov 26 11:45:12 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Nov 26 11:45:12 2001: DEBUG: Deleting session for gsqld001, xxx.xxx.xxx.xxx, 1
But I do not see an Access-Request for the second connection - only an Accounting-Request ->
*** Sending to xxx.xxx.xxx.xxx port 1026 ....
Code: Accounting-Response
Identifier: 137
Authentic: <155><3><152>|<255><208>x<196><154>c<200>,<203>4<142><168>
Attributes:
Mon Nov 26 11:45:13 2001: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.xxx port 1026 ....
Code: Accounting-Request
Identifier: 138
Authentic: <165>t<21><214>LM<229><13>V<218><255><11><2><149><161><127>
Attributes:
Acct-Session-Id = "76000463"
User-Name = "gsqld001"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 14
NAS-Port-Type = ISDN
Acct-Status-Type = Start
Acct-Authentic = RADIUS
radwho.pl output ->
gsqld001 xxx.xxx.xxx.xxx 1 76000462 Mon Nov 26 11:45:12 2001 0 00:08:48 xxx.xxx.xxx.xxx.246 ISDN Framed-User
gsqld001 xxx.xxx.xxx.xxx 14 76000463 Mon Nov 26 11:45:13 2001 0 00:08:47 xxx.xxx.xxx.xxx.246 ISDN Framed-User
mysql> select USERNAME, MAXLOGINS from RADUSERS where USERNAME="gsqld001";
+----------+-----------+
| USERNAME | MAXLOGINS |
+----------+-----------+
| gsqld001 | 1 |
+----------+-----------+
1 row in set (0.00 sec)
Trace 4 Debug ->
Mon Nov 26 11:45:12 2001: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.xxx port 1026 ....
Code: Access-Request
Identifier: 136
Authentic: <30><16>&<30>z<177>%<20>&<165><137>w<174><205>S{
Attributes:
User-Name = "gsqld001"
User-Password = "<151>Zq<164><24>s<23><156><14><171><29>tW<29><206><201>"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 1
NAS-Port-Type = ISDN
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "55849500"
Calling-Station-Id = "755381085"
Mon Nov 26 11:45:12 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Nov 26 11:45:12 2001: DEBUG: Deleting session for gsqld001, xxx.xxx.xxx.xxx, 1
Mon Nov 26 11:45:12 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=01
Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthRADMIN
Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Handling with Radius::AuthRADMIN')
Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthRADMIN
Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Handling with Radius::AuthRADMIN')
Mon Nov 26 11:45:12 2001: DEBUG: Query is: select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS from RADUSERS where USERNAME='gsqld001' and BADLOGINS < 5 and VALIDFROM < 1006739112 and VALIDTO > 1006739112
Mon Nov 26 11:45:12 2001: DEBUG: Radius::AuthRADMIN looks for match with gsqld001
Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Radius::AuthRADMIN looks for match with gsqld001')
Mon Nov 26 11:45:12 2001: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='gsqld001'
Mon Nov 26 11:45:12 2001: DEBUG: Radius::AuthRADMIN ACCEPT:
Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Radius::AuthRADMIN ACCEPT: ')
Mon Nov 26 11:45:12 2001: DEBUG: do query is: update RADUSERS set BADLOGINS=0 where USERNAME='gsqld001'
Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
Mon Nov 26 11:45:12 2001: DEBUG: Query is: select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where POOL='pool1' and STATE=0 order by TIME_STAMP
Mon Nov 26 11:45:12 2001: DEBUG: do query is: update RADPOOL set STATE=1, TIME_STAMP=1006739112, EXPIRY=1006820228, USERNAME='gsqld001' where YIADDR='xxx.xxx.xxx.xxx.246' and TIME_STAMP =1006394858
Mon Nov 26 11:45:12 2001: DEBUG: Access accepted for gsqld001
Mon Nov 26 11:45:12 2001: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx.xxx port 1026 ....
Code: Access-Accept
Identifier: 136
Authentic: <30><16>&<30>z<177>%<20>&<165><137>w<174><205>S{
Attributes:
Session-Timeout = 81116
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = None
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Framed-IP-Netmask = 255.255.255.0
Framed-IP-Address = xxx.xxx.xxx.xxx.246
Mon Nov 26 11:45:12 2001: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.xxx port 1026 ....
Code: Accounting-Request
Identifier: 137
Authentic: <155><3><152>|<255><208>x<196><154>c<200>,<203>4<142><168>
Attributes:
Acct-Session-Id = "76000462"
User-Name = "gsqld001"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 1
NAS-Port-Type = ISDN
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Called-Station-Id = "55849500"
Calling-Station-Id = "755381085"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = xxx.xxx.xxx.xxx.246
Acct-Delay-Time = 0
Mon Nov 26 11:45:12 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Nov 26 11:45:12 2001: DEBUG: Adding session for gsqld001, xxx.xxx.xxx.xxx, 1
Mon Nov 26 11:45:12 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=01
Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('gsqld001', 'xxx.xxx.xxx.xxx', 01, '76000462', 1006739112, 'xxx.xxx.xxx.xxx.246', 'ISDN', 'Framed-User')
Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthRADMIN
Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Handling with Radius::AuthRADMIN')
Mon Nov 26 11:45:12 2001: DEBUG: Handling accounting with Radius::AuthRADMIN
Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Handling accounting with Radius::AuthRADMIN')
Mon Nov 26 11:45:12 2001: DEBUG: do query is: update RADUSERS set TIMELEFT=TIMELEFT-0, OCTETSINLEFT=OCTETSINLEFT-0, OCTETSOUTLEFT=OCTETSOUTLEFT-0 where USERNAME='gsqld001'
Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADUSAGE (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME, ACCTSESSIONID, FRAMEDIPADDRESS, NASIDENTIFIER, NASPORT, DNIS, Client_Phone_Number) values ('gsqld001', 1006739112, 1, 0, '76000462', 'xxx.xxx.xxx.xxx.246', 'xxx.xxx.xxx.xxx', 1, '55849500', '755381085')
Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
Mon Nov 26 11:45:12 2001: DEBUG: Accounting accepted
Mon Nov 26 11:45:12 2001: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx.xxx port 1026 ....
Code: Accounting-Response
Identifier: 137
Authentic: <155><3><152>|<255><208>x<196><154>c<200>,<203>4<142><168>
Attributes:
Mon Nov 26 11:45:13 2001: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.xxx port 1026 ....
Code: Accounting-Request
Identifier: 138
Authentic: <165>t<21><214>LM<229><13>V<218><255><11><2><149><161><127>
Attributes:
Acct-Session-Id = "76000463"
User-Name = "gsqld001"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 14
NAS-Port-Type = ISDN
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Called-Station-Id = "55849500"
Calling-Station-Id = "755381085"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = xxx.xxx.xxx.xxx.246
Acct-Delay-Time = 0
Mon Nov 26 11:45:13 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Nov 26 11:45:13 2001: DEBUG: Adding session for gsqld001, xxx.xxx.xxx.xxx, 14
Mon Nov 26 11:45:13 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=014
Mon Nov 26 11:45:13 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('gsqld001', 'xxx.xxx.xxx.xxx', 014, '76000463', 1006739113, 'xxx.xxx.xxx.xxx.246', 'ISDN', 'Framed-User')
Mon Nov 26 11:45:13 2001: DEBUG: Handling with Radius::AuthRADMIN
Mon Nov 26 11:45:13 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739113, 4, 'Handling with Radius::AuthRADMIN')
Mon Nov 26 11:45:13 2001: DEBUG: Handling accounting with Radius::AuthRADMIN
Mon Nov 26 11:45:13 2001: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1006739113, 4, 'Handling accounting with Radius::AuthRADMIN')
Mon Nov 26 11:45:13 2001: DEBUG: do query is: update RADUSERS set TIMELEFT=TIMELEFT-0, OCTETSINLEFT=OCTETSINLEFT-0, OCTETSOUTLEFT=OCTETSOUTLEFT-0 where USERNAME='gsqld001'
Mon Nov 26 11:45:13 2001: DEBUG: do query is: insert into RADUSAGE (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME, ACCTSESSIONID, FRAMEDIPADDRESS, NASIDENTIFIER, NASPORT, DNIS, Client_Phone_Number) values ('gsqld001', 1006739113, 1, 0, '76000463', 'xxx.xxx.xxx.xxx.246', 'xxx.xxx.xxx.xxx', 14, '55849500', '755381085')
Mon Nov 26 11:45:13 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
Mon Nov 26 11:45:13 2001: DEBUG: Accounting accepted
Mon Nov 26 11:45:13 2001: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx.xxx port 1026 ....
Code: Accounting-Response
Identifier: 138
Authentic: <165>t<21><214>LM<229><13>V<218><255><11><2><149><161><127>
Attributes:
Config file ->
# You should consider this file to be a starting point only
# $Id $
Foreground
LogStdout
LogDir .
DbDir .
#DbDir /root/radiator/Radiator-2.18
#LogDir /var/log/radacct
DictionaryFile /root/Radiator-2.18/dictionary
# AuthPort specifies the port to listen on for authentication requests
# Can be a numeric port number or a service name from /etc/services
# Defaults to 1645
#AuthPort 1645
AuthPort 1812
# AcctPort specifies the port to listen on for accounting requests
# Can be a numeric port number or a service name from /etc/services
# Defaults to 1646
#AcctPort 1646
AcctPort 1813
BindAddress xxx.xxx.xxx.2
# Dont turn this up too high, since all log messages are logged
# to the RADMESSAGES table in the database. 3 will give you everything
# except debugging messages
Trace 4
# You will probably want to change this to suit your site.
# You should list all the clients you have, and their secrets
# If you are using the Radmin Clients table, you will probably
# want to disable this.
#<Client DEFAULT>
# Secret mysecret
# DupInterval 0
#</Client>
# You can put additional (or all) client details in your Radmin
# database table
# and get their details from there with something like this:
# You can then use the Radmin 'Add Radius Client' to add new clients.
<ClientListSQL>
DBSource dbi:mysql:radmin:localhost
DBUsername radmin
DBAuth xxxxxxxxx
</ClientListSQL>
<SNMPAgent>
Community xxxxxxxx
</SNMPAgent>
# You can also set up an address pool for Radiator to manage.
# The standard Radmin tables include a RADPOOL address pool table.
# see the example in addressallocator.cfg
<AddressAllocator SQL>
# This name allows us to refer to it from inside
# an AuthBy DYNADDRESS
Identifier myallocator
# For mysql, use something like this
DBSource dbi:mysql:radmin:localhost
DBUsername radmin
DBAuth xxxxxxxxx
# If SessionTimeout is set by a previous AuthBy
# then that is used as the expiry time. Otherwise
# DefaultLeasePeriod (in seconds) is used.
# Defaults to 1 day
#DefaultLeasePeriod 86400
# How often we check the database for expired leases
# leases can expire if an accounting stop is lost
# or if the session goes longer than the lease
# we originally asked for. Defaults to 1 day.
#LeaseReclaimInterval 86400
# Define the pools that are to be in our database
# defining pools here will make AddressAllocator SQL
# ensure that all the addresses are present in the database
# at startup. You dont have to define pools here. If you dont,
# AddressAllocator SQL will just use whatever addresses
# it finds in the RADPOOL table.
<AddressPool pool1>
Subnetmask 255.255.255.0
Range xxx.xxx.xxx.200 xxx.xxx.xxx.250
DNSServer xxx.xxx.xxx.1
</AddressPool>
# <AddressPool pool2>
# Subnetmask 255.255.255.127
# Range 192.2.2.62 192.2.2.99
# </AddressPool>
</AddressAllocator>
# Handle everyone with RADMIN
<Realm DEFAULT>
AuthByPolicy ContinueWhileAccept
<AuthBy RADMIN>
# Change DBSource, DBUsername, DBAuth for your database
# See the reference manual. You will also have to
# change the one in <SessionDatabase SQL> below
# so it's the same
DBSource dbi:mysql:radmin:localhost
DBUsername radmin
DBAuth xxxxxxxxx
# You can add to or change these if you want, but you
# will probably want to change the database schema first
AccountingTable RADUSAGE
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef DNIS,Called-Station-Id
AcctColumnDef Client_Phone_Number,Calling-Station-Id
AcctColumnDef Connect_info,Connect-Info
# This updates the time and octets left
# for this user
AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
# These are the classic things to add to each users
# reply to allow a PPP dialup session. It may be
# different for your NAS. This will add some
# reply items to everyone's reply
AddToReply Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP
</AuthBy>
# AuthBy DYNADDRESS needs to be the last AuthBy. If
# all the previous ones have succeeded, then an address
# is allocated
<AuthBy DYNADDRESS>
# This refers to the AddressAllocator
# defined above. It says to use that allocator
# to get an address. Instead of this, you can
# put the <AddressAllocator xxx> clause directly
# in here
Allocator myallocator
# This specifies how to form the pool hint, that
# the allocator uses to specify which pool
# to allocate an address from. The default
# is %{Reply:PoolHint}, ie a pseudo
# attribute in the current reply,
# presumably set by an earlier
# AuthBy, but it could be for example
# the NAS IP address or similar, or a hardwired
# string.
#PoolHint %{Reply:PoolHint}
PoolHint pool1
# These parameters tell us how to set reply
# attributes from the result of the allocation.
# The left hand side of each pair is
# the "name" of the data item. The right hand
# side is the Radius attribute name to use
# in the reply. The valid data item names are:
# yiaddr - The allocated address
# subnetmask - The subnet mask to use
# dnsserver - the IP address of the DNS server
# The default mappings are:
#MapAttribute yiaddr, Framed-IP-Address
#MapAttribute subnetmask, Framed-IP-Netmask
# The AuthBy FILE above sets the pseudo reply attribute
# PoolHint as the clue to the address allocator
# need to strip it out at the end of processing
StripFromReply PoolHint
</AuthBy>
<AuthLog FILE>
Identifier myauthlogger
Filename authlog
SuccessFormat %l:NAS:%N:Calling_Number:%{Calling-Station-Id}:Username:%U:Password:%P:Assigned:%a:Reply:%{Reply:Reply-Message}:Connect_Info:%{Connect-Info}:SUCCESS
FailureFormat %l:NAS:%N:Calling_Number:%{Calling-Station-Id}:Username:%U:Password:%P:Reply:%{Reply:Reply-Message}:FAILURE
LogSuccess 1
LogFailure 1
</AuthLog>
</Realm>
<SessionDatabase SQL>
# This database spec usually should be exactly the same
# as in <AuthBy RADMIN> above
DBSource dbi:mysql:radmin:localhost
DBUsername radmin
DBAuth xxxxxxxxx
</SessionDatabase>
Regards,
Michael
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
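The sequence the trace shows, replayed as an added example; this is not code from the original post, from Radmin or from Radiator. It assumes the simultaneous-use check made while handling an Access-Request is "delete the stale RADONLINE row for this NAS port, then count the user's remaining RADONLINE rows against RADUSERS.MAXLOGINS" (an assumption modelled on the query order in the trace, not Radiator's actual implementation), and it uses an in-memory SQLite copy of the two tables with RFC 5737 placeholder addresses standing in for the x'd-out ones. The point it makes: when the second ISDN channel arrives only as an Accounting-Request Start with no Access-Request, a limit enforced at authentication time is never consulted, whereas a reconciliation query over RADONLINE still surfaces the user with two live sessions against MAXLOGINS=1.

```python
import sqlite3

# Constructed sample input: the two Accounting-Request Start records from the
# trace, one per ISDN channel, reduced to the RADONLINE columns used here.
# Addresses are RFC 5737 placeholders, not the poster's real ones.
ACCT_STARTS = [
    {"username": "gsqld001", "nas": "192.0.2.1", "port": 1,
     "session": "76000462", "ts": 1006739112, "ip": "192.0.2.246"},
    {"username": "gsqld001", "nas": "192.0.2.1", "port": 14,
     "session": "76000463", "ts": 1006739113, "ip": "192.0.2.246"},
]


def open_db():
    """In-memory stand-in for the Radmin RADUSERS / RADONLINE tables (column
    names taken from the queries in the trace; only the columns needed here)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        create table RADUSERS (USERNAME text primary key, MAXLOGINS integer);
        create table RADONLINE (
            USERNAME text, NASIDENTIFIER text, NASPORT integer,
            ACCTSESSIONID text, TIME_STAMP integer, FRAMEDIPADDRESS text);
        insert into RADUSERS (USERNAME, MAXLOGINS) values ('gsqld001', 1);
        """
    )
    return db


def access_request_allowed(db, username, nas, port):
    """Assumed model of the simultaneous-use check run for an Access-Request,
    in the order the trace shows: drop the stale row for this NAS port, then
    compare the user's remaining live sessions with MAXLOGINS."""
    db.execute("delete from RADONLINE where NASIDENTIFIER=? and NASPORT=?", (nas, port))
    row = db.execute("select MAXLOGINS from RADUSERS where USERNAME=?", (username,)).fetchone()
    if row is None:
        return False  # unknown user: reject
    (active,) = db.execute("select count(*) from RADONLINE where USERNAME=?", (username,)).fetchone()
    return active < row[0]


def accounting_start(db, rec):
    """What the session database does on an Accounting-Request Start (the same
    delete-then-insert the trace shows). No MAXLOGINS check happens here."""
    db.execute("delete from RADONLINE where NASIDENTIFIER=? and NASPORT=?", (rec["nas"], rec["port"]))
    db.execute(
        "insert into RADONLINE values (?, ?, ?, ?, ?, ?)",
        (rec["username"], rec["nas"], rec["port"], rec["session"], rec["ts"], rec["ip"]),
    )


def over_limit_users(db):
    """Reconciliation check: users with more live RADONLINE rows than MAXLOGINS.
    Returns [(USERNAME, active_sessions, MAXLOGINS), ...]."""
    return db.execute(
        """
        select o.USERNAME, count(*), u.MAXLOGINS
        from RADONLINE o join RADUSERS u on u.USERNAME = o.USERNAME
        group by o.USERNAME, u.MAXLOGINS
        having count(*) > u.MAXLOGINS
        """
    ).fetchall()


def replay():
    db = open_db()
    first, second = ACCT_STARTS
    # Channel 1: Access-Request, check passes (nothing online yet), then Start.
    first_allowed = access_request_allowed(db, first["username"], first["nas"], first["port"])
    accounting_start(db, first)
    # Channel 2: the NAS sends only a Start, so the check is never run. It is
    # called here purely to show what it would have answered for port 14.
    second_would_be_allowed = access_request_allowed(db, second["username"], second["nas"], second["port"])
    accounting_start(db, second)
    return {
        "first_allowed": first_allowed,
        "second_would_be_allowed": second_would_be_allowed,
        "over_limit": over_limit_users(db),
    }


if __name__ == "__main__":
    for key, value in replay().items():
        print(f"{key}: {value}")
```

The reconciliation query in over_limit_users is the check worth running against the real RADONLINE table, periodically or on each Accounting Start, when the NAS can add bundle members without re-authenticating them; a row it returns identifies the excess NAS port, which is what is needed to tear that channel down on the NAS itself, since the session database on its own only records the overrun.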