0. INTRODUCTION
Lots of people want to limit the number of times one user account can log in, usually to one. This is hard to do with the RADIUS protocol: the nature of accounting is such that the RADIUS server's idea of which users are logged in may differ from the terminal server's idea of it (an Accounting-Stop packet can be lost, or a NAS can reboot without sending one, leaving stale sessions behind).
However, most terminal servers have an alternative way to get a list of logged-in users. Most support some way through telnet, some have a finger daemon built in, and a lot of them support SNMP. So if the RADIUS server thinks that someone is trying to log in a second time, it is possible to check on the terminal server itself whether the first login is indeed still active. Only then is access denied for the second login.
1. PREREQUISITES
You need to have perl installed.
For SNMP checks, you have two options. You can use the `snmpget' program from the cmu-snmp tools. Precompiled binaries are probably available, maybe even packaged for your system (Debian/Linux, Redhat/Linux, the FreeBSD ports collection, etc). The source code is at http://www.net./projects/snmp/snmpapps/. The Linux-specific version of this is at http://www./snmp/
The other option is to install the SNMP_Session and BER perl modules that, for example, the well-known `mrtg' package uses. This is recommended: in that case you need no external snmpget program, and checkrad will speak SNMP directly. See http://www./misc/leinen/snmp/perl/
The check routine for USR/3Com Total Control racks uses the Net::Telnet module from CPAN, at least version 3.00. If you need it, obtain it from your local CPAN mirror (or see http://www./CPAN/). The checkrad.pl perl script will autodetect whether that module is installed.
2. USAGE.
It works by adding the `check' item "Simultaneous-Use" to the entry for a user or for DEFAULT in /etc/raddb/users. Its value should be at least one; it defines the maximum number of users that may be logged in at the same time with the same account name. For example:

	#
	# Simultaneous use restrictions.
	#
	DEFAULT	Group == "staff", Simultaneous-Use := 4
		Fall-Through = 1

	DEFAULT	Group == "business", Simultaneous-Use := 2
		Fall-Through = 1

	DEFAULT	Simultaneous-Use := 1
		Fall-Through = 1
NOTE!!! The "Simultaneous-Use" parameter is in the "check" A/V pairs, and not in the Reply A/V pairs (it _is_ a check).
For SQL, after creating and populating your schema, you should execute the following statement (for MySQL, others may vary):
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("dialup", "Simultaneous-Use", ":=", "1");
Once that is done, your users should be limited to only one login at a time.
3. IMPLEMENTATION
The server keeps a list of logged-in users in the /var/log/radutmp file. This is also called "the session database". When you execute "radwho", all that radwho really does is list the entries in this file in a pretty format. Only when someone tries to log in who _already_ has an active session according to the radutmp file does the server execute the perl script /usr/local/sbin/checkrad (or /usr/sbin/checkrad; it checks for the presence of both, in that order). This script queries the terminal server to see whether the user indeed still has an active session there.
The script uses SNMP for Livingston Portmasters and Ciscos, finger for Portslave, Computone and Ascend, and Net::Telnet for USR/3Com TC.
Since the script has been written in perl, it is easy to adjust for any type of terminal server. There are implementations in the script for checks using SNMP, finger, and telnet, so it should be easy to add your own check routine if your terminal server is not supported yet.
You can find the script in the file src/checkrad.pl.
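The decision flow described above (consult radutmp first, and only ask the NAS when the account already appears to be at its limit), as an added example written for this document. It is Python rather than the Perl of the shipped checkrad.pl, and it is not code from radiusd or checkrad; the radutmp record layout, the two-column finger listing format, the sample sessions and the names Session, finger_check and allow_login are all assumptions made for the example. What it adds to the prose is the failure mode the text does not spell out: a NAS that cannot be queried. The example treats such a session as stale by default (fail-open), which is a policy choice of the example, not documented server behaviour; pass unreachable_is_active=True to get the opposite.

```python
"""Simultaneous-Use decision logic, modelled on the radutmp + checkrad flow.

Added example, not code from radiusd or from checkrad.pl.  The record
layout, the finger listing format and all names here are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    """One radutmp entry (a simplification of the real record layout)."""
    user: str
    nas_ip: str
    nas_port: int


# A NAS check answers: True  = session confirmed active on the NAS,
#                      False = port is free or used by another user,
#                      None  = the NAS could not be queried.
NasCheck = Callable[[Session], Optional[bool]]


def parse_finger_listing(text: str) -> Dict[int, str]:
    """Parse a constructed 'user port' finger listing into {port: user}.

    Real Portslave/Ascend finger output looks different; the two-column
    format here is an assumption of this example.
    """
    ports: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, port = line.split()[:2]
        ports[int(port)] = user
    return ports


def finger_check(listing: str) -> NasCheck:
    """Build a NasCheck that answers from a finger listing captured earlier."""
    ports = parse_finger_listing(listing)

    def check(s: Session) -> Optional[bool]:
        # Active only if the NAS shows the same user on the same port.
        return ports.get(s.nas_port) == s.user

    return check


def allow_login(user: str, limit: int, radutmp: List[Session],
                checks: Dict[str, NasCheck],
                unreachable_is_active: bool = False) -> bool:
    """Return True if a new login for `user` may be accepted.

    `limit` is the Simultaneous-Use value.  `checks` maps NAS IP to the
    routine used to interrogate that NAS.  A NAS with no check routine, or
    whose check returns None, is counted according to unreachable_is_active
    (the default, fail-open, is an assumption of this example).
    """
    mine = [s for s in radutmp if s.user == user]
    if len(mine) < limit:
        # Cheap path: radutmp alone says the user is under the limit,
        # so no NAS is interrogated at all.
        return True
    confirmed = 0
    for s in mine:
        check = checks.get(s.nas_ip)
        result = check(s) if check else None
        if result is None:
            result = unreachable_is_active
        if result:
            confirmed += 1
            if confirmed >= limit:
                # Enough live sessions confirmed; no need to ask further.
                return False
    # Every radutmp entry beyond the limit turned out to be stale.
    return True


# Constructed sample data: bob appears twice in radutmp, but the NAS at
# 192.0.2.11 has since handed port 7 to carol, so that entry is stale.
RADUTMP = [
    Session("bob", "192.0.2.10", 3),
    Session("bob", "192.0.2.11", 7),
    Session("alice", "192.0.2.10", 4),
]
NAS_10_FINGER = "bob 3\nalice 4\n"   # constructed finger output
NAS_11_FINGER = "carol 7\n"          # constructed finger output
CHECKS = {
    "192.0.2.10": finger_check(NAS_10_FINGER),
    "192.0.2.11": finger_check(NAS_11_FINGER),
}

if __name__ == "__main__":
    print("bob, limit 1:", allow_login("bob", 1, RADUTMP, CHECKS))
    print("bob, limit 2:", allow_login("bob", 2, RADUTMP, CHECKS))
    print("bob, limit 1, NAS 192.0.2.10 unreachable:",
          allow_login("bob", 1, RADUTMP, {"192.0.2.11": CHECKS["192.0.2.11"]}))
```

With the sample data, bob is refused at Simultaneous-Use 1 (his session on 192.0.2.10 is confirmed) but accepted at 2, because the second radutmp entry is exposed as stale by the NAS. Note that the answer for an unreachable NAS flips with unreachable_is_active, which is exactly the choice an operator has to make: fail-open lets a lost Accounting-Stop never lock a user out, fail-closed keeps the limit strict at the cost of locking users out whenever a NAS is unreachable.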
You need to set the correct type in the file /etc/raddb/naslist so that checkrad KNOWS how it should interrogate the terminal server. At this time you can define the following types:

	type	Vendor	Uses method	needs		Need naspasswd
	====	======	===========	=====		==============
	ascend	Lucent	SNMP		SNMP		No
	bay	Nortel	finger		finger command	No
	cisco	Cisco	SNMP