radiusplugin-users

Re: [Radiusplugin-users] Is this a bug or what?


From: Ralf Lübben
Subject: Re: [Radiusplugin-users] Is this a bug or what?
Date: Sun, 30 May 2010 10:12:36 +0200
User-agent: KMail/1.12.2 (Linux/2.6.31-21-generic; KDE/4.3.2; i686; ; )

This is not controlled by the plugin; OpenVPN triggers an authentication and 
the plugin executes it. The time interval is controlled by the OpenVPN option 
"--reneg-sec n". 

Also, the plugin could authenticate the user without doing a new RADIUS 
authentication, because the plugin detects that it is a rekeying, but 
this intermediate authentication guarantees that the user is disconnected 
after at least the re-negotiation interval, e.g. because the user is disabled, 
a bandwidth limitation is exceeded, etc.





On Sunday, 30 May 2010 10:01:26, yegle wrote:
> well...this is exactly the workaround I'm using :-)
> 
> So why is there re-authentication?
> 
> On Sun, May 30, 2010 at 3:58 PM, Ralf Lübben <address@hidden> wrote:
> > Hi,
> >
> > the problem occurs because of the re-authentication.
> >
> > The reply-message (You are already logged in - access denied) is a
> > RADIUS-ATTRIBUTE which is created by the RADIUS server.
> >
> > One possible solution can be based on the "session-id" attribute, which
> > is a per session unique id created by the plugin.
> >
> > The SQL statement could be similar to:
> >
> > simul_count_query = "SELECT COUNT(*) \
> >                             FROM ${acct_table1} \
> >                             WHERE username = '%{SQL-User-Name}' \
> >                             AND acctstoptime IS NULL \
> >                             AND sessionid != '%{SQL-Session-Id}'"
> >
> > When a rekeying occurs "simul_count_query" equals zero. If the same user
> > opens a new session, it equals one.
> >
> >
> > Regards
> > Ralf
> >
> > On Sunday, 30 May 2010 05:14:11, you wrote:
> > > Hi,
> > >
> > > Sorry forgot to use reply all...
> > >
> > > Here's my verb7 log: http://pastebin.com/JMJA5Jah
> > >
> > > And I'm using radiusplugin 2.1 beta9
> > >
> > > Yes I set acct-Interim-Interval to 600
> > >
> > > On Sun, May 30, 2010 at 2:06 AM, Ralf Lübben <address@hidden> wrote:
> > > > Hi,
> > > >
> > > > I don't think it is a bug. The current version of the plugin should
> > > > be able to handle simultaneous logins.
> > > >
> > > > Which plugin version do you use?
> > > >
> > > > At the rekeying the plugin re-authenticates the user, you should see
> > > > RADIUS ACCESS-REQUEST packets but no RADIUS ACCOUNTING packets.
> > > >
> > > > Have you configured the RADIUS attribute "Acct-Interim-Interval"? Then
> > > > you should see periodic RADIUS accounting messages, but they are not
> > > > related to the rekeying event.
> > > >
> > > >
> > > > Which instance creates the message "already log in"? Is it the
> > > > plugin? (It should contain the prefix PADIUSPLUGIN ...)
> > > >
> > > > Can you send me the OpenVPN log file? The verbosity level should be
> > > > at 7, so the plugin also writes debugging information to the log file.
> > > >
> > > > Regards
> > > > Ralf
> > > >
> > > > On Friday, 28 May 2010 13:46:42, yegle wrote:
> > > > > Hi list,
> > > > >
> > > > > I'm using OpenVPN radiusplugin, and I found this problem days ago.
> > > > >
> > > > > Every hour openvpn server will attempt to rekey to client, at this
> > > > > time radiusplugin will make an Accounting-Request to openvpn server.
> > > > > But I have set up Simultaneous-Use, thus the plugin will get an
> > > > > "already log in" reply message.
> > > > >
> > > > > So openvpn client will disconnect every hour and ping-restart
> > > > > itself.
> > > > >
> > > > > The default SQL to check Simultaneous-Use is:
> > > > >
> > > > >     simul_count_query = "SELECT COUNT(*) \
> > > > >                              FROM ${acct_table1} \
> > > > >                              WHERE username = '%{SQL-User-Name}' \
> > > > >                              AND acctstoptime IS NULL"
> > > > >
> > > > > which definitely will cause a problem if radiusplugin posts
> > > > > Accounting-Request when rekeying.
> 
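
The two simul_count_query variants quoted in this thread, compared on a constructed accounting table. This is an added example, not code from the plugin, FreeRADIUS or the posters: the table name radacct, the sample rows and the allowed() helper are assumptions, and the column names are the ones used in the quoted queries.

```python
import sqlite3

# Assumed schema: table name "radacct" plus the three columns the queries in
# the thread reference. All rows used below are constructed sample data.
DEFAULT_QUERY = (
    "SELECT COUNT(*) FROM radacct "
    "WHERE username = ? AND acctstoptime IS NULL"
)
SESSION_AWARE_QUERY = DEFAULT_QUERY + " AND sessionid != ?"


def make_db(rows):
    """Build an in-memory accounting table from (username, sessionid, stop) rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (username TEXT, sessionid TEXT, acctstoptime TEXT)"
    )
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return db


def open_sessions(db, username, session_id=None):
    """Count open sessions; with session_id, ignore the requester's own session."""
    if session_id is None:
        return db.execute(DEFAULT_QUERY, (username,)).fetchone()[0]
    return db.execute(SESSION_AWARE_QUERY, (username, session_id)).fetchone()[0]


def allowed(count, simultaneous_use=1):
    """Hypothetical stand-in for the server's decision: deny at the limit."""
    return count < simultaneous_use


def demo():
    db = make_db([
        ("alice", "S1", None),                   # alice's current, open session
        ("alice", "S0", "2010-05-29 09:00:00"),  # an older, closed session
        ("bob", "S7", None),
    ])
    return {
        # Rekeying of S1: the default query counts S1 itself, so it denies.
        "rekey_default": allowed(open_sessions(db, "alice")),
        # Rekeying of S1: own session excluded, count is zero, access granted.
        "rekey_session_aware": allowed(open_sessions(db, "alice", "S1")),
        # A second login (new id S2) while S1 is open is still denied.
        "second_login": allowed(open_sessions(db, "alice", "S2")),
    }


if __name__ == "__main__":
    print(demo())
```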


