6.6 Simultaneous Use
| Recall from Chapter 1 that RADIUS is a stateless protocol. Additionally, because of the way RADIUS accounting works, it's entirely possible and even probable that a RADIUS server will have an internal list of who is currently logged on that is different than the actual state of the RADIUS client portsin other words, your RADIUS server may think users are logged on when they really aren't, and vice versa. Fortunately, most NAS equipment includes some mechanism by which the administrator (or the RADIUS daemon servicing authentication requests ) can query it to find out which user is assigned to what port. This could be done through Telnet, the deprecated finger protocol, or even the Simple Network Monitoring Protocol (SNMP). This ability is especially important when attempting to control multiple logins at the same time from the same user. There exists a utility to tell FreeRADIUS to check on the terminal server first to see if a user is already logged on before denying his request to log on, thereby compensating for the RADIUS accounting discrepancies. The best way to do this is by installing two modulesthe SNMP_Session and BER modulesfrom the popular traffic-monitoring program MRTG. (These are core Perl modules, actually.) Having those modules installed lets a utility included in FreeRADIUS, the checkrad script, communicate with the terminal server equipment directly using the SNMP protocol. You can obtain more information and download these modules from the "SNMP Support for Perl 5" web site at http://www.switch.ch/misc/leinen/snmp/perl/.
To enforce a simultaneous-use restriction, you need to add a parameter to either an individual user's entry or a DEFAULT entry in the RADIUS users file ( /etc/raddb/users ). The value of the Simultaneous-Use attribute is the number of sessions that can occur at the same time with the same username. To enforce a restriction on user awatson , for example, of two simultaneous connections, I would configure a user entry for her similar to the following: Awatson Auth-Type := System, Simultaneous-Use := 2 Service-Type = Framed User <continue attribute listing> You can also define a certain group of usersfor example, a multilink group that can have two logins concurrentlywhile the rest of the user base can only have one simultaneous session. To achieve this, use the following DEFAULT entries and the fall-through feature: DEFAULT Group == "multilink", Simultaneous-Use := 2 Fall-Through = 1 DEFAULT Simultaneous-Use = 1 Fall-Through = 1 Once this is configured, the server now knows to use the checkrad script (located at either /usr/local/sbin/checkrad or /usr/sbin/checkrad ). When does it invoke the script? When a user connects, FreeRADIUS looks in its list of currently active users, which is kept in /var/log/radutmp . (Executing radwho at a command prompt will display the contents of this file on the screen.) If it finds that the username associated with the pending request is already listed in radutmp , then it will execute the checkrad script. The checkrad script then communicates with the NAS gear via finger, Telnet, or SNMP and determines whether that user is indeed logged on. It then either accepts or denies the request for a concurrent session based on the value of the Simultaneous-Use attribute as configured in the users file.
Table 6-6, which can also be found on the FreeRADIUS web site (http://www.freeradius.org), lists the types of terminal servers supported, the method by which FreeRADIUS can communicate with them, what software module support it needs, and whether it requires an entry in the /etc/raddb/naspasswd file. Table 6-6. NAS compatibility with checkrad.pl
6.6.1 When It Goes Pear ShapedWhen your simultaneous use enforcement doesn't seem to work right, try the following troubleshooting steps:
There are also some equipment-specific bugs that may be interfering with the functionality. 6.6.1.1 3Com and US Robotics equipment3Com/US Robotics equipment has a tendency to incorrectly calculate SNMP object ID values. There is a workaround for this, however. First, make sure the HiPerArc software is updated to at least Version 4.2.32. To prevent simultaneous logins, you need to issue the following command on the NAS machine: set pbus reported_port_density 256 Also, look at the checkrad program on the RADIUS server and comment out the following line, found under the subroutine sub_usrhiper : ($login) = /^.*\"([^"]+)".*$/; 6.6.1.2 Ascend equipmentYou may see the following error entry in your log files: Wed Jun 19 15:41:04 2002: Error: Check-TS: timeout waiting for checkrad This problem usually occurs with MAX 4048 machines. To correct this, make sure that the NAS is correctly set up as a max40xx in the naslist file and double-check that Finger is enabled on the NAS machine. It can be found by going to the Ethernet menu, selecting Mod Config and setting Finger to Yes . 6.6.1.3 Cisco equipmentYou may see the following error entry in your log files: Wed Jun 19 17:09:16 2002: Error: Check-TS: timeout waiting for checkrad This problem is mainly caused by not having SNMP enabled on the Cisco machine. Make sure the following line is present in the configuration file: snmp-server community public RO 33 Replace 33 with the access list that distinguishes machines that can access SNMP information from those that can't. For example, the following access list does this: access-list 33 permit 192.168.0.1 That line allows the machine at 192.168.0.1 to access the community information. |
