radiusplugin-users

Re: [Radiusplugin-users] Problems with OpenVPN TLS renegotiation (reneg-s

From: KingLiang Gu
Subject: Re: [Radiusplugin-users] Problems with OpenVPN TLS renegotiation (reneg-sec) and Radius Simultaneous-Use := 1
Date: Thu, 26 May 2011 20:39:15 +0800

Thanks for your attention, but I've solved this problem by myself.
If you do it like this, http://lists.nongnu.org/archive/html/radiusplugin-users/2010-05/msg00003.html
it is not enough.
You must disable the radutmp / file session module.

For example, edit the config files in sites-enabled and comment out the "radutmp" module in the session definition. I commented out all the "radutmp" and "files" entries.

After that is done, this query is verified to work well:

        simul_count_query = "SELECT COUNT(*) \
                             FROM ${acct_table1} \
                             WHERE username = '%{SQL-User-Name}' \
                             AND acctstoptime IS NULL AND acctsessionid != '%{Acct-Session-Id}'"
 
On 26 May 2011 at 3:48 PM, KingLiang Gu <address@hidden> wrote:
Hello everyone, I have some problems with radiusplugin.
The version of radiusplugin that I use is radiusplugin_v2.1 (downloaded from http://web.cvs.savannah.gnu.org/viewvc/radiusplugin/?root=radiusplugin&sortby=rev#dirlist )

I set the RADIUS attribute "Simultaneous-Use := 1" to limit the access count of users. But I found some problems when OpenVPN TLS renegotiation happened. To speed up the whole process, I set "reneg-sec 60" in the OpenVPN client config file manually, then I connected to my OpenVPN server. Just suppose that the FreeRADIUS session ID (acctsessionid) is "0940BCC61E10734712759C787723A2E6". Then, after waiting for 60 seconds, I find that when OpenVPN TLS renegotiation happens, the radiusplugin tries to communicate with the FreeRADIUS server to authenticate the user's identity. But I set "Simultaneous-Use := 1" in my FreeRADIUS server (at this time I'm actually already logged in), which caused the FreeRADIUS server to reply that I'm already logged in, and then cleaned up the session of the previous OpenVPN connection (whose session ID is "0940BCC61E10734712759C787723A2E6", which I mentioned above). At this time, I am offline, and I can't communicate through OpenVPN.

This is not the only problem. The problem is that if I don't close the OpenVPN client during the second "60 seconds", I will be online again in the next "60 seconds" when the OpenVPN TLS renegotiation happens again. But in FreeRADIUS I'm offline, while in the OpenVPN status log file I'm online. I will stay online forever after that (unless I disconnect from the server), without the FreeRADIUS server accounting for online time and data traffic.

I've tried it again and again, and it happened just like that every time.

I think this is a serious problem. If I use "reneg-sec 0" in the config file of the OpenVPN server and client, everything is OK. But you know that users can modify the client config file by themselves.

Does anybody have any idea?

 FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan  5 2010 at 02:49:11
OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010

This is the log file from when the TLS renegotiation happened the first time.

Wed May 25 23:33:25 2011 RADIUS-PLUGIN: FOREGROUND THREAD: isAuthenticated()1
Wed May 25 23:33:25 2011 RADIUS-PLUGIN: FOREGROUND THREAD: isAcct()1
Wed May 25 23:33:26 2011 RADIUS-PLUGIN: No attributes Acct Interim Interval or bad length.
Wed May 25 23:33:26 2011 RADIUS-PLUGIN: BACKGROUND AUTH: Reply-Message:
You are already logged in - access denied
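
An added example, not part of the original messages and not radiusplugin or FreeRADIUS code: a Python/sqlite3 model of the Simultaneous-Use count with and without the "acctsessionid != '%{Acct-Session-Id}'" clause from the simul_count_query in the reply. The table layout, sample rows and function names are constructed, and it assumes the re-authentication sent at TLS renegotiation carries the Acct-Session-Id of the session that is already open.

```python
import sqlite3

# Constructed radacct rows: (username, acctsessionid, acctstoptime).
# acctstoptime is NULL while a session is still open.
SAMPLE_ROWS = [
    ("alice", "0940BCC61E10734712759C787723A2E6", None),  # live VPN session
    ("alice", "OLDSESSION0001", "2011-05-25 22:00:00"),   # closed earlier session
    ("bob", "BOBSESSION0001", None),                      # another user's session
]

# Count of every open session of the user (no session-id exclusion).
COUNT_ALL_OPEN = (
    "SELECT COUNT(*) FROM radacct "
    "WHERE username = ? AND acctstoptime IS NULL"
)
# Same count, but ignoring the session that is asking to re-authenticate.
COUNT_OTHER_OPEN = COUNT_ALL_OPEN + " AND acctsessionid != ?"


def make_db(rows=SAMPLE_ROWS):
    """Build an in-memory accounting table holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (username TEXT, acctsessionid TEXT, acctstoptime TEXT)"
    )
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return db


def allowed(db, username, request_session_id, exclude_own_session, simultaneous_use=1):
    """Return True if an auth request passes the Simultaneous-Use limit."""
    if exclude_own_session:
        params = (username, request_session_id)
        count = db.execute(COUNT_OTHER_OPEN, params).fetchone()[0]
    else:
        count = db.execute(COUNT_ALL_OPEN, (username,)).fetchone()[0]
    # The request is refused once the open-session count reaches the limit.
    return count < simultaneous_use


if __name__ == "__main__":
    db = make_db()
    sid = "0940BCC61E10734712759C787723A2E6"
    print("renegotiation, plain count:   ", allowed(db, "alice", sid, False))
    print("renegotiation, own id skipped:", allowed(db, "alice", sid, True))
    print("second login, own id skipped: ", allowed(db, "alice", "SECOND-DEVICE", True))
```

With the exclusion in place a renegotiating client is no longer counted against itself, while a second login under a different session ID is still refused.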
