limit PPPOE users

Hi

I have a PPPoE server running in RouterOS 2.9, authenticating users against RADIUS & msql server. But I can log in using a single username & password from more than 1 PC simultaneously. I want a user to sign in from a single PC. I know this can be done with MAC binding. But if I don’t want to do MAC authentication, is there any way of restricting multiple logins using a single username & password?

Any help will be appreciated.

Thanks

You can set at PPP profile… Limit | Only One:yes

You can set at PPP profile… Limit | Only One:yes

Yeah… but it would be nice if this could be done across multiple, geographically disparate access points. I suppose it’s really a RADIUS server problem, but still, having the PPPoE server separate from the hardware running the radio is not always good or even the right thing to do (but sometimes it is required).

Also… it would be nice if the PPP profile/address pool/box running the radio would talk to the RADIUS server once in a while… it’s bad enough seeing ghost/duplicates on the server itself… but seeing 4 and 5 “sessions” with radwho on the RADIUS server is also very annoying.

You can prevent multiple logins for one user even across different devices using your RADIUS server. How this is done depends on the RADIUS server software in use. Look for something like “concurrency control” or “multiple logins” in your docs…

The second question, about the PPP server “talking” to the RADIUS server while the user session is active:
Do you mean something like “Interim-Update”? Using this feature, the PPP server will send interim accounting packets to your RADIUS server.
If you want to check for dead sessions where the AcctStop packet(s) haven’t reached your RADIUS server, you’ll have to use a script/tool to login to your PPP server and check the assumed-to-be-active sessions that way…

Best regards,
Christian Meis
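The two points in the reply above (a concurrency limit enforced from RADIUS accounting data, and sessions left open because no Stop record arrived) can be sketched as follows. This is an added example, not code from the thread or from any RADIUS server; the records are constructed, and the 300-second Interim-Update interval, the three-missed-updates threshold and all function names are assumptions. A session flagged as stale here is only a candidate that still has to be confirmed on the PPP server.

```python
from collections import defaultdict

INTERIM = 300               # assumed Interim-Update interval, in seconds
STALE_AFTER = 3 * INTERIM   # assumed: three missed updates marks a session as stale

# Constructed records: (time, Acct-Status-Type, User-Name, NAS-IP-Address, Acct-Session-Id)
RECORDS = [
    (0,    "Start",          "alice", "10.0.0.1", "a1"),
    (300,  "Interim-Update", "alice", "10.0.0.1", "a1"),   # then silence, no Stop
    (100,  "Start",          "bob",   "10.0.0.1", "b1"),
    (400,  "Interim-Update", "bob",   "10.0.0.1", "b1"),
    (700,  "Stop",           "bob",   "10.0.0.1", "b1"),
    (900,  "Start",          "carol", "10.0.0.2", "c1"),
    (1200, "Interim-Update", "carol", "10.0.0.2", "c1"),
    (1500, "Interim-Update", "carol", "10.0.0.2", "c1"),
    (1600, "Start",          "carol", "10.0.0.3", "c2"),   # second NAS, same user
]

def open_sessions(records):
    """Replay accounting records; return {(nas, session_id): (user, last_seen)}."""
    sessions = {}
    for ts, status, user, nas, sid in sorted(records):
        key = (nas, sid)
        if status == "Stop":
            sessions.pop(key, None)
        else:  # Start and Interim-Update both refresh last_seen
            sessions[key] = (user, ts)
    return sessions

def classify(records, now):
    """Split sessions without a Stop record into live and stale, per user."""
    live, stale = defaultdict(list), defaultdict(list)
    for key, (user, last_seen) in open_sessions(records).items():
        (stale if now - last_seen > STALE_AFTER else live)[user].append(key)
    return dict(live), dict(stale)

def allow_login(records, user, now, limit=1):
    """Concurrency check that skips stale sessions rather than raising the limit."""
    live, _ = classify(records, now)
    return len(live.get(user, [])) < limit

if __name__ == "__main__":
    live, stale = classify(RECORDS, now=1700)
    print("live:", live)
    print("stale:", stale)
    for name in ("alice", "bob", "carol"):
        print(name, "may log in:", allow_login(RECORDS, name, now=1700))
```
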

you can prevent multiple logins for one user even across different
devices using your RADIUS server. How this is done depends on
the RADIUS server software in use.

I guess one of the problems we ran across was that on a couple of particular Mikrotik configurations we have a separate bridging radio connected to a 2 ethernet port Mikrotik box (no radio on the Mikrotik box). When client end radios disassociate from the access point (either due to signal quality issues or due to customers just turning off their equipment in odd and unique ways), the disassociation never makes it to the PPPoE server running and their session stays up indefinitely (requiring a config on the RADIUS server that allows multiple logins)… yes, the cart is firmly in front of the horse on this one.

The problem could probably be gotten rid of with some tweaking of the PPPoE server parameters, but instead, I’m working on getting rid of this ass-backwards hardware config by replacing the access point/2 NIC Mikrotik boxes with Routerboard 500 series with an actual mini-PCI radio onboard… correct me if I’m wrong, but with an on-board radio, a client disassociation is more likely to tear down the PPPoE connection.

All of this is reinforced by the lack of stop records on the RADIUS server.

…sorry, I seemed to have hijacked this thread. I will go away now.

hi

Even after specifying only one=yes in the PPP profile, a user can log in simultaneously.