FreeRadius and Port-Limit=1 not working

RouterOS General
1

Hi.

The Port-Limit=1 attribute is not honored by the radius client on 5beta6 and newer.
It works for locally defined PPP secrets only. Tested with PPTP and OpenVPN clients.
Any ideas why this is not working correctly?
Is this an known issue?

This is an example of how the users groups are defined in my MySQL radius database:

mysql> select * from radgroupreply where GroupName=“Dynamic-IP”;
±—±-----------±--------------------±—±------------------------------------------+
| id | GroupName | Attribute | op | Value |
±—±-----------±--------------------±—±------------------------------------------+
| 1 | Dynamic-IP | Framed-Pool | := | VPN-Pool-Dynamic |
| 2 | Dynamic-IP | Port-Limit | = | 1 |
| 3 | Dynamic-IP | Mikrotik-Rate-Limit | := | 2048k/2048k 6144k/6144k 4096k/4096k 10/10 |
±—±-----------±--------------------±—±------------------------------------------+

mysql> select * from usergroup where GroupName=“Dynamic-IP” LIMIT 1;
±-----------±-----------±---------+
| UserName | GroupName | priority |
±-----------±-----------±---------+
| someuser | Dynamic-IP | 1 |
±-----------±-----------±---------+
1 row in set (0.00 sec)

This is the SQL query defined in the sql.conf of freeradius:
authorize_group_reply_query = “SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op
FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username
= ‘%{SQL-User-Name}’ AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id”

2 
port-limit

attribute is not supported by PPP.

Port-Limit - maximal mumber of simultaneous connections using the same username (overrides te shared-users property of the HotSpot user profile)

I assume you want to limit simultaneous access for the specific username (all usernames). You should make specific configuration on RADIUS server, for FreeRADIUS there is an option simultaneous-use. Apply correct settings for it.

Only-one from /ppp profile is not going to work either with RADIUS.

3

Simultaneous-Use works fine. But it is a check attribute, so if the RADIUS server still has an open session, it would use checkrad to verify if the NAS still has the session on its books.

I was using it with checkrad and it worked fine, but I stopped using it now that SSTP timeouts seem to be working properly.

4

YazzY,
I’m just curious: Could you enable radius logging and see if you see Port-Limit in the logging?

/system logging action add name=radius target=memory




/system logging add topics=radius action=radius

I’m wondering how I could implement a radius log parser on Mikrotik to parse this data (if it shows up). This is only a workaround, keep this in mind, it’s not a permanent solution, but may be a flexible way to implement custom attributes through RADIUS.

5

No, I cannot see Port-Limit in the logs.

6

Unfortunatelly SSTP is Windows only so it’s not an option.
I actually wonder why Mikrotik released only partial implementation of OpenVPN.

7

You and everyone else on the forum (Except MT employees, they seem to think OpenVPN sucks).

8

Could you describe in a few words how you set that up with checkrad ?
I have enabled Simultaneous-Use the way the FreeRadius docs describe it but I can still see users can log in twice.
BTW, did your setup kick out existing user connection if a new one was initiated?
Did you combine it with some Idle or Timeout values as well ?