(RADIATOR) Radmin and MAXLOGINS
Hugh Irvine
hugh at open.com.au
Wed Nov 28 15:00:47 CST 2001
Hello Michael -
Thanks for the trace and configuration information.
The problem you have is due to the NAS not sending an Access-Request
for the second channel of the ISDN connection. If Radiator does not
receive an Access-Request, it then follows that Radiator cannot
Reject it, hence cannot enforce the MAXLOGINS.
You will have to do some investigation on the NAS, but the simplest
approach may be to return a "Port-Limit = 1" in the initial
Access-Accept, assuming that the NAS will actually honour it.
regards
Hugh
At 10:14 +1000 01/11/27, Michael Bellears wrote:
>We have a client who is using Radiator 2.18 and Radmin 1.5.
>
>We are utilising MAXLOGINS to restrict simultaneous connections from
>some permanent dial-up customers. (Eg. Ones that have only paid for
>56/64k)
>
>I am seeing users that connect with multilink ISDN able to connect with
>more than one simultaneous connection (Which we don't want!) -
>Radmin/radwho.pl and portmaster are all reporting simultaneous logins.
>
>A trace4 debug shows an unusual Access-Request for the first connection
>from the offending user -> (Full trace 4 of the connection at end of
>message)
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling request with Handler
>'Realm=DEFAULT'
>Mon Nov 26 11:45:12 2001: DEBUG: Deleting session for gsqld001,
>xxx.xxx.xxx.xxx, 1
>
>But I do not see an Access-Request for the second connection - Only an
>Accounting-Request ->
>
>*** Sending to xxx.xxx.xxx.xxx port 1026 ....
>Code: Accounting-Response
>Identifier: 137
>Authentic: <155><3><152>|<255><208>x<196><154>c<200>,<203>4<142><168>
>Attributes:
>
>Mon Nov 26 11:45:13 2001: DEBUG: Packet dump:
>*** Received from xxx.xxx.xxx.xxx port 1026 ....
>Code: Accounting-Request
>Identifier: 138
>Authentic: <165>t<21><214>LM<229><13>V<218><255><11><2><149><161><127>
>Attributes:
> Acct-Session-Id = "76000463"
> User-Name = "gsqld001"
> NAS-IP-Address = xxx.xxx.xxx.xxx
> NAS-Port = 14
> NAS-Port-Type = ISDN
> Acct-Status-Type = Start
> Acct-Authentic = RADIUS
>
>
>radwho.pl output ->
>
>gsqld001 xxx.xxx.xxx.xxx 1 76000462 Mon Nov 26 11:45:12 2001 0 00:08:48 xxx.xxx.xxx.xxx.246 ISDN Framed-User
>gsqld001 xxx.xxx.xxx.xxx 14 76000463 Mon Nov 26 11:45:13 2001 0 00:08:47 xxx.xxx.xxx.xxx.246 ISDN Framed-User
>
>mysql> select USERNAME, MAXLOGINS from RADUSERS where USERNAME="gsqld001";
>+----------+-----------+
>| USERNAME | MAXLOGINS |
>+----------+-----------+
>| gsqld001 | 1 |
>+----------+-----------+
>1 row in set (0.00 sec)
>
>
>Trace 4 Debug ->
>
>Mon Nov 26 11:45:12 2001: DEBUG: Packet dump:
>*** Received from xxx.xxx.xxx.xxx port 1026 ....
>Code: Access-Request
>Identifier: 136
>Authentic: <30><16>&<30>z<177>%<20>&<165><137>w<174><205>S{
>Attributes:
> User-Name = "gsqld001"
> User-Password = "<151>Zq<164><24>s<23><156><14><171><29>tW<29><206><201>"
> NAS-IP-Address = xxx.xxx.xxx.xxx
> NAS-Port = 1
> NAS-Port-Type = ISDN
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Called-Station-Id = "55849500"
> Calling-Station-Id = "755381085"
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling request with Handler
>'Realm=DEFAULT'
>Mon Nov 26 11:45:12 2001: DEBUG: Deleting session for gsqld001,
>xxx.xxx.xxx.xxx, 1
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: delete from RADONLINE
>where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=01
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthRADMIN
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES
>(TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Handling with
>Radius::AuthRADMIN')
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthRADMIN
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES
>(TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Handling with
>Radius::AuthRADMIN')
>
>Mon Nov 26 11:45:12 2001: DEBUG: Query is: select PASS_WORD,
>STATICADDRESS, TIMELEFT, MAXLOGINS from RADUSERS where
>USERNAME='gsqld001' and BADLOGINS < 5 and VALIDFROM < 1006739112 and VALIDTO > 1006739112
>
>Mon Nov 26 11:45:12 2001: DEBUG: Radius::AuthRADMIN looks for match with
>gsqld001
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES
>(TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Radius::AuthRADMIN
>looks for match with gsqld001')
>
>Mon Nov 26 11:45:12 2001: DEBUG: Query is: select NASIDENTIFIER,
>NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
>USERNAME='gsqld001'
>
>Mon Nov 26 11:45:12 2001: DEBUG: Radius::AuthRADMIN ACCEPT:
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES
>(TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Radius::AuthRADMIN
>ACCEPT: ')
>
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: update RADUSERS set
>BADLOGINS=0 where USERNAME='gsqld001'
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
>Mon Nov 26 11:45:12 2001: DEBUG: Query is: select TIME_STAMP, YIADDR,
>SUBNETMASK, DNSSERVER from RADPOOL
>where POOL='pool1' and STATE=0 order by TIME_STAMP
>
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: update RADPOOL set
>STATE=1,
>TIME_STAMP=1006739112,
>EXPIRY=1006820228, USERNAME='gsqld001' where
>YIADDR='xxx.xxx.xxx.xxx.246' and TIME_STAMP =1006394858
>
>Mon Nov 26 11:45:12 2001: DEBUG: Access accepted for gsqld001
>Mon Nov 26 11:45:12 2001: DEBUG: Packet dump:
>*** Sending to xxx.xxx.xxx.xxx port 1026 ....
>Code: Access-Accept
>Identifier: 136
>Authentic: <30><16>&<30>z<177>%<20>&<165><137>w<174><205>S{
>Attributes:
> Session-Timeout = 81116
> Framed-Protocol = PPP
> Framed-IP-Netmask = 255.255.255.255
> Framed-Routing = None
> Framed-MTU = 1500
> Framed-Compression = Van-Jacobson-TCP-IP
> Framed-IP-Netmask = 255.255.255.0
> Framed-IP-Address = xxx.xxx.xxx.xxx.246
>
>Mon Nov 26 11:45:12 2001: DEBUG: Packet dump:
>*** Received from xxx.xxx.xxx.xxx port 1026 ....
>Code: Accounting-Request
>Identifier: 137
>Authentic: <155><3><152>|<255><208>x<196><154>c<200>,<203>4<142><168>
>Attributes:
> Acct-Session-Id = "76000462"
> User-Name = "gsqld001"
> NAS-IP-Address = xxx.xxx.xxx.xxx
> NAS-Port = 1
> NAS-Port-Type = ISDN
> Acct-Status-Type = Start
> Acct-Authentic = RADIUS
> Called-Station-Id = "55849500"
> Calling-Station-Id = "755381085"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = xxx.xxx.xxx.xxx.246
> Acct-Delay-Time = 0
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling request with Handler
>'Realm=DEFAULT'
>Mon Nov 26 11:45:12 2001: DEBUG: Adding session for gsqld001,
>xxx.xxx.xxx.xxx, 1
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: delete from RADONLINE
>where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=01
>
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADONLINE
>(USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
>FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('gsqld001', 'xxx.xxx.xxx.xxx', 01,
>'76000462', 1006739112, 'xxx.xxx.xxx.xxx.246', 'ISDN', 'Framed-User')
>
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthRADMIN
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES
>(TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Handling with
>Radius::AuthRADMIN')
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling accounting with
>Radius::AuthRADMIN
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADMESSAGES
>(TIME_STAMP, TYPE, MESSAGE) values (1006739112, 4, 'Handling accounting
>with Radius::AuthRADMIN')
>
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: update RADUSERS set
>TIMELEFT=TIMELEFT-0, OCTETSINLEFT=OCTETSINLEFT-0,
>OCTETSOUTLEFT=OCTETSOUTLEFT-0 where USERNAME='gsqld001'
>
>Mon Nov 26 11:45:12 2001: DEBUG: do query is: insert into RADUSAGE
> (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME,
>ACCTSESSIONID, FRAMEDIPADDRESS, NASIDENTIFIER, NASPORT, DNIS,
>Client_Phone_Number)
> values
> ('gsqld001', 1006739112, 1, 0, '76000462',
>'xxx.xxx.xxx.xxx.246', 'xxx.xxx.xxx.xxx', 1, '55849500', '755381085')
>
>Mon Nov 26 11:45:12 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
>Mon Nov 26 11:45:12 2001: DEBUG: Accounting accepted
>Mon Nov 26 11:45:12 2001: DEBUG: Packet dump:
>*** Sending to xxx.xxx.xxx.xxx port 1026 ....
>Code: Accounting-Response
>Identifier: 137
>Authentic: <155><3><152>|<255><208>x<196><154>c<200>,<203>4<142><168>
>Attributes:
>
>Mon Nov 26 11:45:13 2001: DEBUG: Packet dump:
>*** Received from xxx.xxx.xxx.xxx port 1026 ....
>Code: Accounting-Request
>Identifier: 138
>Authentic: <165>t<21><214>LM<229><13>V<218><255><11><2><149><161><127>
>Attributes:
> Acct-Session-Id = "76000463"
> User-Name = "gsqld001"
> NAS-IP-Address = xxx.xxx.xxx.xxx
> NAS-Port = 14
> NAS-Port-Type = ISDN
> Acct-Status-Type = Start
> Acct-Authentic = RADIUS
> Called-Station-Id = "55849500"
> Calling-Station-Id = "755381085"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = xxx.xxx.xxx.xxx.246
> Acct-Delay-Time = 0
>
>
>Mon Nov 26 11:45:13 2001: DEBUG: Handling request with Handler
>'Realm=DEFAULT'
>Mon Nov 26 11:45:13 2001: DEBUG: Adding session for gsqld001,
>xxx.xxx.xxx.xxx, 14
>Mon Nov 26 11:45:13 2001: DEBUG: do query is: delete from RADONLINE
>where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=014
>
>Mon Nov 26 11:45:13 2001: DEBUG: do query is: insert into RADONLINE
>(USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
>FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('gsqld001', 'xxx.xxx.xxx.xxx',
>014, '76000463', 1006739113, 'xxx.xxx.xxx.xxx.246', 'ISDN',
>'Framed-User')
>
>Mon Nov 26 11:45:13 2001: DEBUG: Handling with Radius::AuthRADMIN
>Mon Nov 26 11:45:13 2001: DEBUG: do query is: insert into RADMESSAGES
>(TIME_STAMP, TYPE, MESSAGE) values (1006739113, 4, 'Handling with
>Radius::AuthRADMIN')
>
>Mon Nov 26 11:45:13 2001: DEBUG: Handling accounting with
>Radius::AuthRADMIN
>Mon Nov 26 11:45:13 2001: DEBUG: do query is: insert into RADMESSAGES
>(TIME_STAMP, TYPE, MESSAGE) values (1006739113, 4, 'Handling accounting
>with Radius::AuthRADMIN')
>
>Mon Nov 26 11:45:13 2001: DEBUG: do query is: update RADUSERS set
>TIMELEFT=TIMELEFT-0, OCTETSINLEFT=OCTETSINLEFT-0,
>OCTETSOUTLEFT=OCTETSOUTLEFT-0 where USERNAME='gsqld001'
>
>Mon Nov 26 11:45:13 2001: DEBUG: do query is: insert into RADUSAGE
> (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME,
>ACCTSESSIONID, FRAMEDIPADDRESS, NASIDENTIFIER, NASPORT, DNIS,
>Client_Phone_Number)
> values
> ('gsqld001', 1006739113, 1, 0, '76000463',
>'xxx.xxx.xxx.xxx.246', 'xxx.xxx.xxx.xxx', 14, '55849500', '755381085')
>
>Mon Nov 26 11:45:13 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
>Mon Nov 26 11:45:13 2001: DEBUG: Accounting accepted
>Mon Nov 26 11:45:13 2001: DEBUG: Packet dump:
>*** Sending to xxx.xxx.xxx.xxx port 1026 ....
>Code: Accounting-Response
>Identifier: 138
>Authentic: <165>t<21><214>LM<229><13>V<218><255><11><2><149><161><127>
>Attributes:
>
>
>Config file ->
>
># You should consider this file to be a starting point only
># $Id $
>
>Foreground
>LogStdout
>LogDir .
>DbDir .
>
>#DbDir /root/radiator/Radiator-2.18
>#LogDir /var/log/radacct
>DictionaryFile /root/Radiator-2.18/dictionary
>
># AuthPort specifies the port to listen on for authentication requests
># Can be a numeric port number or a service name from /etc/services
># Defaults to 1645
>#AuthPort 1645
>AuthPort 1812
>
># AcctPort specifies the port to listen on for accounting requests
># Can be a numeric port number or a service name from /etc/services
># Defaults to 1646
>#AcctPort 1646
>AcctPort 1813
>
>BindAddress xxx.xxx.xxx.2
>
># Dont turn this up too high, since all log messages are logged
># to the RADMESSAGES table in the database. 3 will give you everything
># except debugging messages
>Trace 4
>
># You will probably want to change this to suit your site.
># You should list all the clients you have, and their secrets
># If you are using the Radmin Clients table, you will probably
># want to disable this.
>#<Client DEFAULT>
># Secret mysecret
># DupInterval 0
>#</Client>
>
># You can put additional (or all) client details in your Radmin
># database table
># and get their details from there with something like this:
># You can then use the Radmin 'Add Radius Client' to add new clients.
><ClientListSQL>
> DBSource dbi:mysql:radmin:localhost
> DBUsername radmin
> DBAuth xxxxxxxxx
></ClientListSQL>
>
><SNMPAgent>
> Community xxxxxxxx
></SNMPAgent>
>
># You can also set up an address pool for Radiator to manage.
># The standard Radmin tables include a RADPOOL address pool table.
># see the example in addressallocator.cfg
><AddressAllocator SQL>
> # This name allows us to refer to it from inside
> # an AuthBy DYNADDRESS
> Identifier myallocator
>
> # For mysql, use something like this
> DBSource dbi:mysql:radmin:localhost
> DBUsername radmin
> DBAuth xxxxxxxxx
>
> # If SessionTimeout is set by a previous AuthBy
> # then that is used as the expiry time. Otherwise
> # DefaultLeasePeriod (in seconds) is used.
> # Defaults to 1 day
> #DefaultLeasePeriod 86400
>
> # How often we check the database for expired leases
> # leases can expire if an accounting stop is lost
> # or if the session goes longer than the lease
> # we originally asked for. Defaults to 1 day.
> #LeaseReclaimInterval 86400
>
> # Define the pools that are to be in our database
> # defining pools here will make AddressAllocator SQL
> # ensure that all the addresses are present in the database
> # at startup. You dont have to define pools here. If you dont,
> # AddressAllocator SQL will just use whatever addresses
> # it finds in the RADPOOL table.
> <AddressPool pool1>
> Subnetmask 255.255.255.0
> Range xxx.xxx.xxx.200 xxx.xxx.xxx.250
> DNSServer xxx.xxx.xxx.1
> </AddressPool>
> # <AddressPool pool2>
> # Subnetmask 255.255.255.127
> # Range 192.2.2.62 192.2.2.99
> # </AddressPool>
></AddressAllocator>
>
>
># Handle everyone with RADMIN
><Realm DEFAULT>
> AuthByPolicy ContinueWhileAccept
>
> <AuthBy RADMIN>
> # Change DBSource, DBUsername, DBAuth for your database
> # See the reference manual. You will also have to
> # change the one in <SessionDatabase SQL> below
> # so it's the same
> DBSource dbi:mysql:radmin:localhost
> DBUsername radmin
> DBAuth xxxxxxxxx
>
> # You can add to or change these if you want, but you
> # will probably want to change the database schema first
>
> AccountingTable RADUSAGE
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef DNIS,Called-Station-Id
> AcctColumnDef Client_Phone_Number,Calling-Station-Id
> AcctColumnDef Connect_info,Connect-Info
>
> # This updates the time and octets left
> # for this user
> AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
>
> # These are the classic things to add to each users
> # reply to allow a PPP dialup session. It may be
> # different for your NAS. This will add some
> # reply items to everyone's reply
> AddToReply Framed-Protocol = PPP,\
> Framed-IP-Netmask = 255.255.255.255,\
> Framed-Routing = None,\
> Framed-MTU = 1500,\
> Framed-Compression = Van-Jacobson-TCP-IP
> </AuthBy>
>
> # AuthBy DYNADDRESS needs to be the last AuthBy. If
> # all the previous ones have succeeded, then an address
> # is allocated
> <AuthBy DYNADDRESS>
> # This refers to the AddressAllocator
> # defined above. It tells us to use that allocator
> # to get an address. Instead of this, you can
> # put the <AddressAllocator xxx> clause directly
> # in here
> Allocator myallocator
>
> # This specifies how to form the pool hint, that
> # the allocator uses to specify which pool
> # to allocate an address from. The default
> # is %{Reply:PoolHint}, ie a pseudo
> # attribute in the current reply,
> # presumably set by an earlier
> # AuthBy, but it could be for example
> # the NAS IP address or similar, or a hardwired
> # string.
> #PoolHint %{Reply:PoolHint}
> PoolHint pool1
>
> # These parameters tell us how to set reply
> # attributes from the result of the allocation.
> # The left hand side of each pair is
> # the "name" of the data item. The right hand
> # side is the Radius attribute name to use
> # in the reply. The valid data item names are:
> # yiaddr - The allocated address
> # subnetmask - The subnet mask to use
> # dnsserver - the IP address of the DNS server
> # The default mappings are:
> #MapAttribute yiaddr, Framed-IP-Address
> #MapAttribute subnetmask, Framed-IP-Netmask
>
> # The AuthBy FILE above sets the pseudo reply attribute
> # PoolHint as the clue to the address allocator
> # need to strip it out at the end of processing
> StripFromReply PoolHint
>
> </AuthBy>
><AuthLog FILE>
> Identifier myauthlogger
> Filename authlog
> SuccessFormat %l:NAS:%N:Calling_Number:%{Calling-Station-Id}:Username:%U:Password:%P:Assigned:%a:Reply:%{Reply:Reply-Message}:Connect_Info:%{Connect-Info}:SUCCESS
> FailureFormat %l:NAS:%N:Calling_Number:%{Calling-Station-Id}:Username:%U:Password:%P:Reply:%{Reply:Reply-Message}:FAILURE
>
> LogSuccess 1
> LogFailure 1
></AuthLog>
></Realm>
>
><SessionDatabase SQL>
> # This database spec usually should be exactly the same
> # as in <AuthBy RADMIN> above
> DBSource dbi:mysql:radmin:localhost
> DBUsername radmin
> DBAuth xxxxxxxxx
>
>Regards,
>Michael
>
>
>
>===
>Archive at http://www.open.com.au/archives/radiator/
>Announcements on radiator-announce at open.com.au
>To unsubscribe, email 'majordomo at open.com.au' with
>'unsubscribe radiator' in the body of the message.
--
NB: I am travelling this week, so there may be delays in our correspondence.
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
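As an added check, not code from this thread or from Radiator itself, the following Python walks a Radiator trace 4 packet dump and reports Accounting Starts that were never preceded by an Access-Request for the same user, NAS and port, plus users whose live sessions exceed MAXLOGINS; this is the gap Hugh describes, where the second ISDN channel enters the session database without a point at which Radiator could reject it. The sample trace and the MAXLOGINS table are constructed to mirror the thread, and the NAS address is made up.

```python
import re
from collections import defaultdict
# Constructed sample in Radiator's packet-dump format, modelled on the thread's
# trace (addresses and ids are made up): NAS-Port 1 gets an Access-Request, then
# Accounting Starts arrive for ports 1 and 14, with no Access-Request for port 14.
SAMPLE_TRACE = """\
*** Received from 10.0.0.1 port 1026 ....
Code: Access-Request
Attributes:
        User-Name = "gsqld001"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 1
*** Received from 10.0.0.1 port 1026 ....
Code: Accounting-Request
Attributes:
        User-Name = "gsqld001"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 1
        Acct-Status-Type = Start
*** Received from 10.0.0.1 port 1026 ....
Code: Accounting-Request
Attributes:
        User-Name = "gsqld001"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 14
        Acct-Status-Type = Start
"""
MAXLOGINS = {"gsqld001": 1}  # constructed; mirrors the RADUSERS row in the thread
PACKET_RE = re.compile(r"^\*\*\* (Received from|Sending to) ", re.M)
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?([^"\n]*?)"?$', re.M)

def parse_packets(trace):
    """Split a packet dump into (direction, code, {attribute: value}) tuples."""
    parts = PACKET_RE.split(trace)
    packets = []
    for direction, body in zip(parts[1::2], parts[2::2]):
        code = re.search(r"^Code: (\S+)", body, re.M).group(1)
        packets.append((direction, code, dict(ATTR_RE.findall(body))))
    return packets

def audit(packets, maxlogins):
    """Return Starts whose (user, NAS, port) had no Access-Request, and users over MAXLOGINS."""
    authenticated, live, unauthenticated = set(), defaultdict(set), []
    for direction, code, a in packets:
        if direction != "Received from":
            continue  # Radiator's own replies carry no session evidence
        key = (a.get("User-Name"), a.get("NAS-IP-Address"), a.get("NAS-Port"))
        if code == "Access-Request":
            authenticated.add(key)  # the only point where MAXLOGINS can reject
        elif code == "Accounting-Request" and a.get("Acct-Status-Type") == "Start":
            live[key[0]].add(key[1:])
            if key not in authenticated:
                unauthenticated.append(key)  # session recorded without a reject point
    over = {u: len(s) for u, s in live.items() if u in maxlogins and len(s) > maxlogins[u]}
    return unauthenticated, over
```

Run against a real trace 4 log, a non-empty first list is the signature of a NAS that brings up extra channels without re-authenticating, which no session-database setting on the Radiator side can catch.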