From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Panagiotis Skoulikaritis", "FreeBSD Questions"
Subject: RE: need help configuring radius
Date: Fri, 20 Jul 2001 01:52:16 -0700
In-Reply-To: <3B57DA52.CDEE84D@egreta.gr>

First, you don't want to ask this here; instead you want to subscribe to the portmaster-radius mailing list at http://www.livingston.com/tech/archive/

Secondly, what you're asking is not simple. For example, there's a couple of Reply attributes out there that might work, Port-Limit and Multilink Flag, but these are not standard. You must check your NAS documentation to see if it recognizes them and applies them to ISDN multilink calls. Further, they only work if you only have a single NAS. The usual method of doing what you're wanting to do is to use a RADIUS server such as cistron that has support for setting multiple login limits.
The way these servers work is that if you only permit a single session for a user, they will authenticate the first session and then deny all other auth attempts as long as that session is logged in. Therein is the difficulty, however, because RADIUS is a stateless protocol and as such there's no direct connection between the radius server and the NAS that the radius server can use to synchronize a database of who is logged in and who isn't.

What some people do to track logins is to depend on the start and stop records: they increment a counter when they get a start record and decrement it when they get a stop record. This works OK for a small NAS with just a few ports; there's a radius daemon at http://yardradius.on.openave.net/ that works quite well for that. However, for anything significant (more than 20 ports or so) you run into synchronization problems. Some NAS have piss-poor accounting record control; Portmasters have been known under heavy load to not bother sending start accounting records or to send duplicates. Also, RADIUS is UDP, so you could lose the packet anyway. Then you get into a situation where the radius server thinks a user is logged on when they really aren't, thus the next time they call in the NAS won't let them log on.

More sophisticated servers like cistron get around this problem by issuing an SNMP query to the NAS every time they see what they think is a simultaneous login attempt, to check and see if the first login is really there. This requires some fooling around with scripts and ucd-snmp. Also it's very NAS dependent: if you have a collection of NAS from different manufacturers then you're going to really be hosed, and some NAS (USR for example) don't give out that data via SNMP, so you have to do other scripting with Telnet scripts.

At our site we started out with the free radius 2.01 daemon Livingston handed out, then finally dumped it for YARD because of the simultaneous use thing.
But I only lasted about 8 months with dealing with that because of the problems of keeping the radius daemon in sync with a big NAS with many T1's coming into it. I finally scrapped all that and went to ICradius (ftp://ftp.innercite.com/pub/icradius), which is a modified cistron that runs on a mysql server. It also has several web-based interfaces to it, which helped greatly because we have admins that I don't trust with UNIX command line access. Also, having all the accounting in a SQL server is extremely useful; beforehand we used to have to futz with all these icky perl scripts to attempt to get reporting off the monthly detail files, which were huge. Now we can query usage on the fly, which helps with troubleshooting as well as with the customers that call up claiming they never used the service and asking why we are billing them. There's also some other tiered billing things that become possible with SQL queries that I won't get into.

But I will warn you, although it's a great radius server it's very complicated and not simple to set up on FreeBSD. It's easy to see why the commercial radius servers like Steel Belted Radius are selling so well.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Panagiotis
>Skoulikaritis
>Sent: Friday, July 20, 2001 12:14 AM
>To: FreeBSD Questions
>Subject: need help configuring radius
>
>
>Hello
>
>I need help with configuring my radius server.
>I would like to distinguish how my users log in depending on their
>contract with either 64 kbps ISDN or 128 kbps ISDN. So far I'm using
>the attribute NAS-Port-Type = ISDN, but this way every user that has
>this attribute can use both channels of the ISDN even though they
>haven't subscribed for that. Any help would be appreciated.
>
>Thanks
>
>Panagiotis
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
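The reply above describes two ways a RADIUS server can enforce a simultaneous-use limit: counting accounting Start/Stop records (which drifts when a Start is duplicated or a Stop is lost over UDP) and, as cistron does, re-checking the NAS before rejecting a login. The following is an added example written for this page, not code from the thread, from cistron, YARD or ICradius. It keys sessions on Acct-Session-Id so duplicate Starts are not double-counted, records orphan Stops and late Starts instead of corrupting the counter, and stands in for the SNMP query with a hypothetical `verify_on_nas` callback backed by a constructed NAS port table. The class and function names and the sample accounting records are all assumptions made up for the illustration.

```python
"""Simultaneous-use tracking from RADIUS accounting records (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Session:
    user: str
    nas: str   # NAS-IP-Address
    port: int  # NAS-Port


@dataclass
class SessionTracker:
    """Counts live sessions per user from Start/Stop records.

    verify_on_nas(nas, user, port) -> bool is a hypothetical hook that plays the
    role of the SNMP (or telnet) check cistron performs before rejecting a login.
    """
    limits: Dict[str, int]                                   # Simultaneous-Use per user
    verify_on_nas: Optional[Callable[[str, str, int], bool]] = None
    active: Dict[str, Session] = field(default_factory=dict)  # Acct-Session-Id -> Session
    stopped: Set[str] = field(default_factory=set)            # session ids already closed

    def handle_accounting(self, rec: Dict[str, object]) -> str:
        """Apply one accounting record; returns what was done for logging."""
        sid = str(rec["Acct-Session-Id"])
        status = rec["Acct-Status-Type"]
        if status == "Start":
            if sid in self.active:
                return "duplicate-start"   # NAS resent the Start: do not count twice
            if sid in self.stopped:
                return "late-start"        # Stop overtook the Start (UDP reordering)
            self.active[sid] = Session(str(rec["User-Name"]),
                                       str(rec["NAS-IP-Address"]), int(rec["NAS-Port"]))
            return "started"
        if status == "Stop":
            self.stopped.add(sid)
            return "stopped" if self.active.pop(sid, None) is not None else "orphan-stop"
        return "ignored"                   # Interim-Update, Accounting-On/Off, etc.

    def sessions_for(self, user: str) -> List[Session]:
        return [s for s in self.active.values() if s.user == user]

    def authorize(self, user: str) -> bool:
        """Decide a new Access-Request for `user` against the simultaneous-use limit."""
        limit = self.limits.get(user, 1)
        if len(self.sessions_for(user)) < limit:
            return True
        if self.verify_on_nas is None:
            return False                   # counter-only servers reject here, even if stale
        # Cistron-style: ask the NAS whether each counted session is really still up,
        # and drop the ones it no longer knows about (a lost Stop record).
        for sid, s in list(self.active.items()):
            if s.user == user and not self.verify_on_nas(s.nas, s.user, s.port):
                del self.active[sid]
        return len(self.sessions_for(user)) < limit


# Constructed NAS state for the example: what the NAS would answer over SNMP.
# Empty table means alice's port is actually free (her Stop record was lost).
NAS_PORT_TABLE: Dict[tuple, str] = {}


def nas_port_in_use(nas: str, user: str, port: int) -> bool:
    return NAS_PORT_TABLE.get((nas, port)) == user


# Constructed accounting stream: a Start, a duplicate of it, and a Stop whose
# Start never arrived. alice's own Stop is never received.
RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0001", "User-Name": "alice",
     "NAS-IP-Address": "192.0.2.1", "NAS-Port": 3},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0001", "User-Name": "alice",
     "NAS-IP-Address": "192.0.2.1", "NAS-Port": 3},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0002", "User-Name": "bob",
     "NAS-IP-Address": "192.0.2.1", "NAS-Port": 7},
]


def demo():
    """Run the same stream through a counter-only tracker and a NAS-verifying one."""
    blind = SessionTracker(limits={"alice": 1})
    checked = SessionTracker(limits={"alice": 1}, verify_on_nas=nas_port_in_use)
    outcomes = []
    for rec in RECORDS:
        outcomes.append(blind.handle_accounting(rec))
        checked.handle_accounting(rec)
    # blind still believes alice is on; checked asks the NAS and lets her back in
    return outcomes, blind.authorize("alice"), checked.authorize("alice")


if __name__ == "__main__":
    print(demo())
```

The counter-only tracker rejects alice's next call because it never saw her Stop; the verifying tracker consults the NAS, finds port 3 free, discards the stale session and accepts. On a real deployment the callback would wrap the ucd-snmp query (or telnet script) the reply mentions, and its answer is only as trustworthy as the NAS that gives it.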