Recall from Chapter 1 that RADIUS is a stateless protocol.
Additionally, because of the way RADIUS accounting works, it is entirely possible, and even probable, that a RADIUS server will have an internal list of who is currently logged on that differs from the actual state of the RADIUS client's ports. In other words, your RADIUS server may think users are logged on when they really aren't, and vice versa. Fortunately, most NAS equipment includes some mechanism by which the administrator (or the RADIUS daemon servicing authentication requests) can query it to find out which user is assigned to which port. This can be done through Telnet, the deprecated finger protocol, or the Simple Network Management Protocol (SNMP). Note that all three are cleartext channels (finger, Telnet, and the SNMPv1/v2c community string), so the path between the RADIUS server and the NAS should be a trusted management network.
This ability is especially important when attempting to control multiple simultaneous logins by the same user. FreeRADIUS includes a utility that checks with the terminal server first to see whether a user is really still logged on before denying his request to log on, thereby compensating for the RADIUS accounting discrepancies. The best way to do this is by installing two Perl modules, SNMP_Session and BER, which ship with the popular traffic-monitoring program MRTG. (They are plain Perl modules; MRTG itself is not required.) Having those modules installed lets a utility included in FreeRADIUS, the checkrad script, communicate with the terminal server equipment directly using SNMP. You can obtain more information and download these modules from the "SNMP Support for Perl 5" web site at http://www.switch.ch/misc/leinen/snmp/perl/.

If you have USR/3Com Total Control terminal server gear and you want to make use of the checking routine, you will also need the Net::Telnet module for Perl 5. It can be obtained from the CPAN archive at http://www.perl.com/CPAN/.
To enforce the limit, add the Simultaneous-Use parameter to either an individual user's entry or a DEFAULT entry in the RADIUS users file (/etc/raddb/users). The value of the Simultaneous-Use attribute is the number of sessions that can occur at the same time with the same username. To restrict user awatson to two simultaneous connections, for example, I would configure a user entry for her similar to the following:

awatson Auth-Type := System, Simultaneous-Use := 2
        Service-Type = Framed-User,
        <continue attribute listing>

Simultaneous-Use is a check item, so it belongs on the first line of the entry, and the username must match what the NAS sends exactly, since the users file is matched case-sensitively.
You can also define a certain group of users, for example a multilink group that can have two logins concurrently, while the rest of the user base can only have one simultaneous session. To achieve this, use the following DEFAULT entries and the fall-through feature:

DEFAULT Group == "multilink", Simultaneous-Use := 2
        Fall-Through = 1

DEFAULT Simultaneous-Use = 1
        Fall-Through = 1

The order and the operators matter here. The first entry uses := to set the limit for multilink users and then falls through; the second uses = rather than :=, which sets Simultaneous-Use only if no earlier entry has already set it. Had the second entry used :=, it would overwrite the multilink limit with 1 for everyone.
Once this is configured, the server knows to use the checkrad script (located at either /usr/local/sbin/checkrad or /usr/sbin/checkrad). When does it invoke the script? When a user connects, FreeRADIUS looks in its list of currently active users, which is kept in /var/log/radutmp. (Executing radwho at a command prompt will display the contents of this file on the screen.) If it finds the username associated with the pending request listed in radutmp enough times to reach the Simultaneous-Use limit, it executes the checkrad script for each of those entries. The checkrad script then communicates with the NAS via finger, Telnet, or SNMP and determines whether that user is indeed still logged on to the listed port. Entries the NAS no longer confirms are discounted, and the request for a concurrent session is then accepted or denied based on the value of the Simultaneous-Use attribute as configured in the users file.
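The decision sequence just described, in runnable form. This is an added illustration for this page, not FreeRADIUS's own checkrad or session-handling code: the radutmp contents and the NAS port table are constructed in-memory data standing in for /var/log/radutmp and for a real finger, Telnet or SNMP query, and the checkrad() function only mirrors the script's exit-code convention (0 not logged in, 1 logged in, 2 error). Treating an unreachable NAS as "still logged in" is a fail-closed choice made for this example, not a statement about what the server does.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    user: str
    nas_ip: str
    port: int


# Constructed stand-in for /var/log/radutmp, the list that radwho prints.
RADUTMP: List[Session] = [
    Session("awatson", "10.0.0.5", 1),
    Session("awatson", "10.0.0.5", 7),   # stale: no Accounting-Stop ever arrived
    Session("bsmith",  "10.0.0.5", 3),
    Session("dlee",    "10.0.0.9", 2),   # NAS 10.0.0.9 is unreachable in this example
]

# Constructed stand-in for the port table checkrad would fetch from the NAS
# over finger, Telnet or SNMP: nas_ip -> {port: username currently on it}.
NAS_PORTS: Dict[str, Dict[int, str]] = {
    "10.0.0.5": {1: "awatson", 3: "bsmith", 7: "cjones"},
}

# checkrad's exit-status convention.
LOGGED_OUT, LOGGED_IN, ERROR = 0, 1, 2


def checkrad(nas_ip: str, port: int, user: str,
             nas_ports: Dict[str, Dict[int, str]] = NAS_PORTS) -> int:
    """Ask the NAS whether `user` really occupies `port`.

    The lookup is against the constructed table instead of a real query;
    an unknown NAS plays the role of a timeout (SNMP off, wrong naslist type).
    """
    table = nas_ports.get(nas_ip)
    if table is None:
        return ERROR
    return LOGGED_IN if table.get(port) == user else LOGGED_OUT


def confirmed_sessions(user: str, radutmp: List[Session] = RADUTMP,
                       nas_ports: Dict[str, Dict[int, str]] = NAS_PORTS) -> List[Session]:
    """Sessions radutmp attributes to `user` that the NAS still confirms.

    Stale entries (NAS reports a different user, or nobody, on that port)
    are dropped. An ERROR answer is kept as still logged in: fail closed,
    so an unreachable NAS cannot be used to exceed the limit.
    """
    live = []
    for s in radutmp:
        if s.user != user:
            continue
        if checkrad(s.nas_ip, s.port, s.user, nas_ports) != LOGGED_OUT:
            live.append(s)
    return live


def decide(user: str, simultaneous_use: Optional[int],
           radutmp: List[Session] = RADUTMP,
           nas_ports: Dict[str, Dict[int, str]] = NAS_PORTS) -> str:
    """Accept or reject a new login for `user` under a Simultaneous-Use limit."""
    if simultaneous_use is None:
        return "accept"                 # attribute not configured: no limit
    listed = [s for s in radutmp if s.user == user]
    if len(listed) < simultaneous_use:
        return "accept"                 # radutmp alone shows headroom; NAS not consulted
    # radutmp says the limit is reached: verify with the NAS before rejecting,
    # since the accounting view may be stale.
    if len(confirmed_sessions(user, radutmp, nas_ports)) < simultaneous_use:
        return "accept"
    return "reject"


if __name__ == "__main__":
    for user, limit in (("awatson", 2), ("bsmith", 1), ("cjones", 1), ("dlee", 1)):
        print(f"{user:8} Simultaneous-Use={limit}: {decide(user, limit)}")
```

Running it shows both directions of the accounting discrepancy described at the start of this section: awatson's stale radutmp entry on port 7 is discounted, so her second login is accepted, while cjones, whom the NAS reports on port 7 but radutmp has never heard of, is also accepted, because the check is only ever triggered by what radutmp lists. dlee is rejected because his NAS cannot be reached, which is one cause of the Check-TS timeout errors in the troubleshooting notes that follow.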
The overhead of this extra check can be quite significant and can affect not only the RADIUS server but also busy RADIUS client machines.
Table 6-6, which can also be found on the FreeRADIUS web site (http://www.freeradius.org), lists the types of terminal servers supported, the method by which FreeRADIUS communicates with them, what software module support it needs, and whether it requires an entry in the /etc/raddb/naspasswd file.

Table 6-6. NAS compatibility with checkrad.pl

Vendor      Naslist type  Checkrad method  Modules required                         Naspasswd entry required?
Computone   computone     finger           finger command                           No
Digitro     digitro       rusers           rusers command                           No
Livingston  livingston    SNMP             SNMP/BER (ComOS 3.5 or later with SNMP)  No
Lucent      max40xx       finger           finger command                           No
Various     portslave     finger           finger command                           No
Cyclades    pathras       telnet           Net::Telnet                              Yes
Cyclades    pr3000        SNMP             snmpwalk command                         No
Cyclades    pr4000        SNMP             snmpwalk command                         No
USR/3Com    netserver     telnet           Net::Telnet                              Yes

For the SNMP methods, the password field of a naspasswd entry, if one is present for that NAS, is used as the SNMP community string.
6.6.1 When It Goes Pear Shaped

When your simultaneous-use enforcement doesn't seem to work right, try the following troubleshooting steps:

1. Make sure the NAS machine is contained in the naslist file and that its type is identified correctly.
2. Check the naspasswd file and make sure all is well: the entry, where the NAS type requires one, must carry the right login name and password (or community string).
3. Use the -sx flags when starting FreeRADIUS and look at the debug output to determine whether it is seeing the Simultaneous-Use line.
4. Run checkrad manually, with the same arguments the server would pass it, and see whether it executes. This eliminates Perl version problems and missing-module failures.

There are also some equipment-specific bugs that may be interfering with the functionality.
6.6.1.1 3Com and US Robotics equipment

calculate SNMP object ID values. There is a workaround for this, however. First, make sure the HiPerArc software is updated to at least Version 4.2.32. To prevent simultaneous logins, you need to issue the following command on the NAS machine:

set pbus reported_port_density 256

Also, open the checkrad program on the RADIUS server and comment out the following line, found in the usrhiper subroutine:

($login) = /^.*\"([^"]+)".*$/;
6.6.1.2 Ascend equipment

You may see the following error entry in your log files:

Wed Jun 19 15:41:04 2002: Error: Check-TS: timeout waiting for checkrad

This problem usually occurs with MAX 4048 machines. To correct it, make sure that the NAS is set up as a max40xx in the naslist file and double-check that finger is enabled on the NAS. The setting is found by going to the Ethernet menu, selecting Mod Config, and setting Finger to Yes.
6.6.1.3 Cisco equipment

You may see the following error entry in your log files:

Wed Jun 19 17:09:16 2002: Error: Check-TS: timeout waiting for checkrad

This problem is mainly caused by not having SNMP enabled on the Cisco machine. Make sure a line of the following form is present in the configuration:

snmp-server community <community-string> RO 33

Replace <community-string> with the read-only community checkrad will use (put the same value in the NAS's naspasswd entry, and avoid the well-known default "public"), and replace 33 with the access list that distinguishes machines that can access SNMP information from those that can't. For example, the following access list does this:

access-list 33 permit 192.168.0.1

That line allows only the machine at 192.168.0.1, the RADIUS server running checkrad, to read the community information; every other source is dropped by the implicit deny at the end of the list.
In an ideal world, we wouldn't have to use authentication of any type to gain access to anything. But as long as free enterprise exists and access to private resources is sold, authentication will exist.

You may have experienced authentication as recently as an hour ago, when you used a dial-up Internet account to log on and surf the Web for the latest headlines. You may have checked your corporate email on your PalmPilot to see if your biggest client had returned your message about the newest proposal. And this weekend, when you use a VPN to connect to your office network so you can revise that presentation that's due early Monday morning, you'll have to authenticate yourself.

But what goes on behind the scenes when you prove your identity to a computer? After all, the computer has to have a set of processes and protocols to verify that you are indeed who you say you are, find out what you are allowed to access, and finally, tell you all of this. There's one protocol that does all of this: the Remote Authentication Dial-In User Service, or RADIUS.

RADIUS, originally developed by Livingston Enterprises, is an access-control protocol that verifies and authenticates users, commonly using the challenge/response method. (I'll talk more about challenge/response authentication later.) While RADIUS has a prominent place among Internet service providers, it also belongs in any environment where central authentication, regulated authorization, and detailed user accounting is needed or desired.