6.6 Simultaneous Use

Recall from Chapter 1 that RADIUS is a stateless protocol. Additionally, because of the way RADIUS accounting works, it's entirely possible and even probable that a RADIUS server will have an internal list of who is currently logged on that is different than the actual state of the RADIUS client ports—in other words, your RADIUS server may think users are logged on when they really aren't, and vice versa. Fortunately, most NAS equipment includes some mechanism by which the administrator (or the RADIUS daemon servicing authentication requests) can query it to find out which user is assigned to what port. This could be done through Telnet, the deprecated finger protocol, or even the Simple Network Monitoring Protocol (SNMP).

This ability is especially important when attempting to control multiple logins at the same time from the same user. There exists a utility to tell FreeRADIUS to check on the terminal server first to see if a user is already logged on before denying his request to log on, thereby compensating for the RADIUS accounting discrepancies. The best way to do this is by installing two modules—the SNMP_Session and BER modules—from the popular traffic-monitoring program MRTG. (These are core Perl modules, actually.) Having those modules installed lets a utility included in FreeRADIUS, the checkrad script, communicate with the terminal server equipment directly using the SNMP protocol. You can obtain more information and download these modules from the "SNMP Support for Perl 5" web site at http://www.switch.ch/misc/leinen/snmp/perl/.

If you have USR/3Com Total Control terminal server gear and you want to make use of the checking routine, you will need the Net::Telnet module for Perl 5. This can be obtained from the CPAN archive at http://www.perl.com/CPAN/.

To enforce a simultaneous-use restriction, you need to add a parameter to either an individual user's entry or a DEFAULT entry in the RADIUS users file (/etc/raddb/users). The value of the Simultaneous-Use attribute is the number of sessions that can occur at the same time with the same username. To enforce a restriction on user awatson, for example, of two simultaneous connections, I would configure a user entry for her similar to the following:

Awatson    Auth-Type := System, Simultaneous-Use := 2
           Service-Type = Framed User
           <continue attribute listing>

You can also define a certain group of users—for example, a multilink group that can have two logins concurrently—while the rest of the user base can only have one simultaneous session. To achieve this, use the following DEFAULT entries and the fall-through feature:

  DEFAULT     Group == "multilink", Simultaneous-Use := 2
              Fall-Through = 1
  DEFAULT     Simultaneous-Use = 1
              Fall-Through = 1

Once this is configured, the server now knows to use the checkrad script (located at either /usr/local/sbin/checkrad or /usr/sbin/checkrad). When does it invoke the script? When a user connects, FreeRADIUS looks in its list of currently active users, which is kept in /var/log/radutmp. (Executing radwho at a command prompt will display the contents of this file on the screen.) If it finds that the username associated with the pending request is already listed in radutmp, then it will execute the checkrad script. The checkrad script then communicates with the NAS gear via finger, Telnet, or SNMP and determines whether that user is indeed logged on. It then either accepts or denies the request for a concurrent session based on the value of the Simultaneous-Use attribute as configured in the users file.

Be forewarned that the load and performance impact of using checkrad can be quite significant and can affect not only the RADIUS server but also busy RADIUS client machines.

Table 6-6, which can also be found on the FreeRADIUS web site (http://www.freeradius.org), lists the types of terminal servers supported, the method by which FreeRADIUS can communicate with them, what software module support it needs, and whether it requires an entry in the /etc/raddb/naspasswd file.

Table 6-6. NAS compatibility with checkrad.pl

Vendor

Naslist type

Checkrad method

Modules required

Naspasswdentry required?

Lucent

ascend

SNMP

SNMP/BER

No

Nortel

Bay

Finger

Finger command

No

Cisco

Cisco

SNMP

SNMP/BER

Username: SNMP; Password: community

Computone

Computone

Finger

Finger command

No

Nortel

Cvx

SNMP

SNMP/BER

No

Digitro

Digitro

Rusers

Rusers command

No

Livingston

livingston

SNMP

SNMP/BER, ComOS 3.5 or later with SNMP

No

Lucent

Max40xx

finger

Finger command

No

VersaNet

versanet

SNMP

SNMP/BER

No

Various

portslave

finger

Finger command

No

Patton

patton

SNMP

SNMP/BER

No

Cyclades

pathras

telnet

Net::Telnet

Yes

Cyclades

Pr3000

SNMP

Snmpwalk command

No

Cyclades

Pr4000

SNMP

Snmpwalk command

No

USR/3Com

tc

telnet

Net::Telnet

Yes

USR/3Com

usrhyper

SNMP

SNMP/BER

No

USR/3Com

netserver

telnet

Net::Telnet

Yes

6.6.1 When It Goes Pear Shaped

When your simultaneous use enforcement doesn't seem to work right, try the following troubleshooting steps:

Make sure the NAS machine is contained in the naslist file and that its type is identified correctly.
Check the naspasswd file and make sure all is well.
Use the -sx flag when starting FreeRADIUS and look at the output to determine if it is seeing the Simultaneous-Use line.
Run radcheck.pl manually and see if it executes. This eliminates Perl version problems and module presence failures.

There are also some equipment-specific bugs that may be interfering with the functionality.

6.6.1.1 3Com and US Robotics equipment

3Com/US Robotics equipment has a tendency to incorrectly calculate SNMP object ID values. There is a workaround for this, however. First, make sure the HiPerArc software is updated to at least Version 4.2.32. To prevent simultaneous logins, you need to issue the following command on the NAS machine:

set pbus reported_port_density 256

Also, look at the checkrad program on the RADIUS server and comment out the following line, found under the subroutine sub_usrhiper:

($login) = /^.*\"([^"]+)".*$/;

6.6.1.2 Ascend equipment

You may see the following error entry in your log files:

Wed Jun 19 15:41:04 2002: Error: Check-TS: timeout waiting for checkrad

This problem usually occurs with MAX 4048 machines. To correct this, make sure that the NAS is correctly set up as a max40xx in the naslist file and double-check that Finger is enabled on the NAS machine. It can be found by going to the Ethernet menu, selecting Mod Config and setting Finger to Yes.

6.6.1.3 Cisco equipment

You may see the following error entry in your log files:

Wed Jun 19 17:09:16 2002: Error: Check-TS: timeout waiting for checkrad

This problem is mainly caused by not having SNMP enabled on the Cisco machine. Make sure the following line is present in the configuration file:

snmp-server community public RO 33

Replace 33 with the access list that distinguishes machines that can access SNMP information from those that can't. For example, the following access list does this:

access-list 33 permit 192.168.0.1

That line allows the machine at 192.168.0.1 to access the community information.

[ Team LiB ]