Mikrotik & Simultaneous-Use

Hi,
if I want to use the “Simultaneous Use:=1” Dialup Admin option, is incoming telnet permission on the RB necessary?
Does an alternative method exist to verify if any user is already connected from another RB (NAS) in my network?
I see SNMP or telnet finger type… is it a good way?
Regards in advance..

Generally, rather use snmp. The checkrad script used by FreeRadius to check for duplicates doesn’t have a very good telnet agent for MT. Define your NAS type as mikrotik_snmp and read the simultaneous-use documentation on how to implement it further…

Welcome back Savage,
where do I find this documentation? (/usr/share/freeradius/doc ??)

I tried to enable the query_check in sql.conf and Simultaneous-Use:=2 inside the table with the Dialupadmin web panel, but I have problems with PPP users..
Tomorrow I’ll try to insert “return=1” in the checkrad perl script..

my nas_type: other (is it necessary to define nas_type: mikrotik_snmp?)
Do I need SNMP enabled on the RB, with the correct parameters inside the naspasswd file?
regards

Never knew I left :slight_smile:

Documentation is in the source tarball. Download the freeradius archive, extract it, you’ll have a doc(s) directory…

Two things happen when simultaneous use is in action…

FreeRadius queries the accounting tables to see whether there are active sessions (the query_check as you rightfully mentioned below). However, due to the nature of the UDP protocol used in Radius, packets go missing. Accounting-Stop messages can go missing, and the Radius Server might never receive the packet that actually tells it that the user logged off.

To overcome this, a second step is put into place. When the Radius server suspects (via the accounting query) that a duplicate login has been detected, it will go and poll the NAS to determine with accuracy whether or not it is the case - this is where checkrad comes into play.

In clients.conf, your nas_type must be properly defined - otherwise, freeradius will not know how to call checkrad. Checkrad must also function properly, otherwise you will get false duplicate user detection, where there actually aren’t any. Whether you’re using SNMP or Telnet, your nas_passwd file must also be set up correctly (please ensure proper permissions on the file), so that checkrad can get the community (in the case of SNMP), or User account details (in the case of Telnet) for the login.

If you use SNMP, the Radius Server must obviously have access to query the SNMP server, if you use Telnet, the Radius Server must obviously have access to telnet to the MT.

Also a common mistake, Simultaneous-Use is a check item, not a reply…
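The two-step logic described in this post, as an added Python example (mine, not code from this thread or from FreeRadius): step one counts open rows in a radacct-style accounting table (an in-memory sqlite stand-in), step two asks the NAS only when that count reaches the Simultaneous-Use limit, and a row the NAS no longer knows about is treated as a lost Accounting-Stop. The table layout, sample rows, NAS answers and the poll function are constructed; closing stale rows and failing closed when the NAS cannot be reached are this example’s choices, not a description of FreeRadius’s own behaviour.

```python
import sqlite3

# Constructed stand-in for FreeRADIUS's radacct accounting table: one row per
# session; acctstoptime stays NULL until an Accounting-Stop arrives.
SAMPLE_RADACCT = [
    # username, nasipaddress, acctsessionid, acctstarttime, acctstoptime
    ("alice", "10.0.0.10", "sess-a1", "2010-01-01 07:00:00", "2010-01-01 07:30:00"),
    ("alice", "10.0.0.10", "sess-a2", "2010-01-01 08:00:00", None),  # Stop was lost
    ("bob",   "10.0.0.11", "sess-b1", "2010-01-01 08:05:00", None),  # really online
    ("dave",  "10.0.0.12", "sess-d1", "2010-01-01 08:10:00", None),  # NAS unreachable
]

# Constructed picture of what each NAS would answer when checkrad polls it
# (over SNMP or telnet). 10.0.0.12 is absent on purpose: a timed-out poll.
NAS_ACTIVE_USERS = {
    "10.0.0.10": {"bob"},     # alice is gone, but her Accounting-Stop never arrived
    "10.0.0.11": {"bob"},
}


def build_radacct():
    """Create the in-memory accounting table and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (username TEXT, nasipaddress TEXT, "
        "acctsessionid TEXT, acctstarttime TEXT, acctstoptime TEXT)"
    )
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", SAMPLE_RADACCT)
    return db


def count_open_sessions(db, username):
    """Step 1, the accounting query (the query_check idea): rows with no stop time."""
    row = db.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (username,),
    ).fetchone()
    return row[0]


def open_sessions(db, username):
    """The open rows themselves, so each one can be confirmed with its NAS."""
    return db.execute(
        "SELECT nasipaddress, acctsessionid FROM radacct "
        "WHERE username = ? AND acctstoptime IS NULL",
        (username,),
    ).fetchall()


def poll_nas(nas_ip, username):
    """Stand-in for checkrad: True/False when the NAS answered, None on timeout."""
    users = NAS_ACTIVE_USERS.get(nas_ip)
    if users is None:
        return None
    return username in users


def check_simultaneous_use(db, username, limit, poll=poll_nas):
    """Decide a login against Simultaneous-Use := limit. Returns (decision, reason)."""
    if count_open_sessions(db, username) < limit:
        return ("accept", "accounting shows fewer than %d open sessions" % limit)

    # Step 2: accounting suspects a duplicate, so confirm each open row with its NAS.
    confirmed = 0
    for nas_ip, session_id in open_sessions(db, username):
        answer = poll(nas_ip, username)
        if answer is None:
            # This example fails closed: an unverifiable session counts as active.
            return ("reject", "could not verify session %s on %s" % (session_id, nas_ip))
        if answer:
            confirmed += 1
        else:
            # The NAS does not know the session: the Accounting-Stop was lost, so
            # this example closes the stale row instead of counting it again.
            db.execute(
                "UPDATE radacct SET acctstoptime = datetime('now') WHERE acctsessionid = ?",
                (session_id,),
            )
    if confirmed >= limit:
        return ("reject", "NAS confirms %d active session(s)" % confirmed)
    return ("accept", "stale accounting rows closed, %d confirmed" % confirmed)


if __name__ == "__main__":
    db = build_radacct()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, check_simultaneous_use(db, user, 1))
```

Running it shows the three outcomes the post is about: alice is accepted because the NAS no longer lists her (stale row), bob is rejected because the NAS confirms him, and dave is rejected only because his NAS could not be asked, which is the “false duplicate” case a broken checkrad or a blocked SNMP/telnet path produces.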

Any tips on how to prevent simultaneous login to PPPoE and hotspot?

Seems the checkrad script needs some tweaks to check for more than just the ifDesc entry in the MIB.

jm

I wouldn’t know about hotspot… Never used it, but I can believe that there might be some tweaking required in the script…

As to PPPoE, it’s absolutely fine to merely scan for the ifDesc in the MIB. Descriptions are , which is also the interface name - rather descriptive, and I don’t see any problem with that. Why would you need more checking? In what instances?

Main things to look out for:

  1. Correct Attribute (Simultaneous-Use := 1) as a CHECK item
  2. Correct definitions in clients.conf
  3. Correct entries in nas_passwd
  4. Radius MUST have access to the MT, either via SNMP, or Telnet

Failing that,

  1. Run checkrad manually, test/debug and see what it is doing (you can even add some debug code to the perl script if need be)
  2. If checkrad works, but FR seems to ignore it, please post a radius -X where a duplicate login is processed, I’d be happy to have a look


C

No, the PPPoE checking works fine by itself, but I run PPPoE and hotspot on the same server with the same radius, and I need to prevent simultaneous login on PPPoE and hotspot, hence ifdesc checking isn’t sufficient as hotspot connections don’t create interfaces as such. I believe there is some kind of entry in the MIB for each hotspot connection, just need to research and add it to checkrad’s tests. Any tips or input appreciated.

That’s what I would suspect as well. Checkrad only checks for PPPs…

I’ll see over the weekend if I can get some code together and submit a patch for checkrad to implement something like mikrotik_hotspot or something similar. No promises though, depends on how much time I have…


C

Here’s some input on the issue. Hotspot connections appear in the MIB as follows

# /usr/bin/snmpwalk -r 1 -t 5 -v1 -c 'snmpcommunity' 10.0.0.10 1.3.6.1.4.1.9.9.150.1.1.3
SNMPv2-SMI::enterprises.9.9.150.1.1.3.1.2.2150629408 = STRING: "username1"
SNMPv2-SMI::enterprises.9.9.150.1.1.3.1.2.2150629475 = STRING: "username2"
SNMPv2-SMI::enterprises.9.9.150.1.1.3.1.2.2150629552 = STRING: "username3"
SNMPv2-SMI::enterprises.9.9.150.1.1.3.1.2.2150629593 = STRING: "username4"
SNMPv2-SMI::enterprises.9.9.150.1.1.3.1.2.2150629600 = STRING: "username5"

so I added the following code snippet to the mikrotik_snmp section of checkrad, right after it does the ifdesc check

  # we want hotspot connections (the active-user table, not ifDescr)
  $oid = "1.3.6.1.4.1.9.9.150.1.1.3";

  # walk the NAS given on the command line with the community from naspasswd
  @output = snmpwalk_prog($ARGV[1], $password, "$oid");

  foreach $line ( @output ) {
    # remove newline and trailing whitespace
    chomp $line;
    $line =~ s/\s+$//;
    # match the quoted STRING value exactly; \Q...\E escapes any regex
    # metacharacters in the username so it cannot change the pattern
    if( $line =~ /"\Q$ARGV[3]\E"/ ) {
      $username_seen++;
    }
  }

checkrad now correctly detects existing hotspot logins; however, with around 80 hotspot users online, the snmpwalk is quite slow (10-15 secs), so this may be an obstacle to real deployment. This would make every login take at least seconds to auth, probably not acceptable. Any tips on how to speed this process up? thx

jon

I don’t believe this is implemented correctly. PPPoE checking works, as it scans for the virtual interfaces - not active users. The search happens based on matching on the username (InterfaceDesc = <ppp-“username”>).

Except for interface statistics, there is no reference in the MIB to active PPP or HotSpot users from MT, unless I’m missing something. Querying the MIB you specified gives me no results…

root@netsphere:~# snmpwalk 198.18.0.33 public 1.3.6.1.4.1.9.9.150.1.1.3
root@netsphere:~#

/ppp active print oid or /ip hotspot active print oid also doesn’t return any SNMP oids to query, which makes me believe that active users per se are not included in the MT MIB… The documentation states that they are, however :confused:

How stupid of me :blush:

Query .iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2

root@netsphere:~# time snmpwalk 198.18.0.33 public .iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2
enterprises.9.9.150.1.1.3.1.2.2175795200 = "test"

real    0m0.155s
user    0m0.067s
sys     0m0.010s

I beg forgiveness, stupid mistake on my side - had a long day. If the above works, please let me know so I can submit the appropriate patches to the checkrad script…

Essentially, you can just change the OID for the mikrotik_snmp route from ifDesc to:

  # We want active PPP users, NOT interface descriptions
  $oid = ".iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2";

Confirmed for PPPoE, not tested on HotSpots yet, as I don’t have one :slight_smile:

Speed seems fine - try it again see if it’s faster. I’ll patch up checkrad once I know it’s working - which should also speed up queries for PPPoE via SNMP…

The reason for my slowness is that the MT server is on the other side of a satellite link from the radius box, hence snmpwalk is pedestrian at best :wink:

checkrad times out after 10 sec.

I’m now working on tweaking the telnet script; it’s working much faster.

The two command lines to spit out the list of users, both PPPoE and hotspot, are as follows

ppp active print without-paging terse

and

ip hot act pr without-paging terse

Having more luck with this; the checkrad telnet solution will scale better in my high-latency application.

jm
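Both NAS-side lookups discussed in this thread, the SNMP walk of enterprises.9.9.150.1.1.3.1.2 and the terse listing from ppp active print / ip hot act pr, come down to parsing a text dump and counting exact username matches. The Python below is an added example (mine, not checkrad’s code and not from any poster): the snmpwalk sample is built from the lines posted above with a “username10” entry added, the terse sample and its field names are an assumption about RouterOS’s key="value" layout (real columns differ between PPP and hotspot and between versions), and a plain substring count is included to show why the quotes in checkrad’s match matter: without an exact match, username1 would be counted against username10’s session and the login rejected as a false duplicate.

```python
import re

# Constructed from the snmpwalk lines posted in the thread (same value OID),
# with "username10" added to show why a substring match is not enough.
SNMPWALK_OUTPUT = """\
SNMPv2-SMI::enterprises.9.9.150.1.1.3.1.2.2150629408 = STRING: "username1"
SNMPv2-SMI::enterprises.9.9.150.1.1.3.1.2.2150629475 = STRING: "username10"
SNMPv2-SMI::enterprises.9.9.150.1.1.3.1.2.2150629552 = STRING: "username1"
"""

# Constructed RouterOS terse output (ppp active print without-paging terse and
# ip hotspot active print without-paging terse, concatenated). Only the
# key="value" / key=value shape is assumed; the column names are a guess.
TERSE_OUTPUT = """\
 0 name="username1" service=pppoe caller-id="00:11:22:33:44:55" address=10.1.1.2 uptime=1h2m
 1 name="username10" service=pppoe caller-id="00:11:22:33:44:66" address=10.1.1.3 uptime=5m
 0 server=hotspot1 user="username1" address=10.1.2.7 uptime=3m
"""

# "... = STRING: "value"" at the end of an snmpwalk line
SNMP_VALUE_RE = re.compile(r'= STRING: "(.*)"\s*$')
# key="quoted value" or key=bareword, as RouterOS prints in terse mode
TERSE_PAIR_RE = re.compile(r'(\S+?)=("([^"]*)"|\S+)')


def users_from_snmpwalk(text):
    """One username per STRING value line; any other line type is ignored."""
    names = []
    for line in text.splitlines():
        m = SNMP_VALUE_RE.search(line.rstrip())
        if m:
            names.append(m.group(1))
    return names


def users_from_terse(text):
    """Pull the username out of each terse line, whether the key is name= or user=."""
    names = []
    for line in text.splitlines():
        fields = {}
        for m in TERSE_PAIR_RE.finditer(line):
            key, raw, quoted = m.group(1), m.group(2), m.group(3)
            fields[key] = quoted if quoted is not None else raw
        user = fields.get("name", fields.get("user"))
        if user is not None:
            names.append(user)
    return names


def count_sessions(names, username):
    """Exact comparison: the equivalent of checkrad's quoted /"user"/ match."""
    return sum(1 for n in names if n == username)


def naive_count(text, username):
    """What an unquoted substring (or unescaped regex) match would report."""
    return text.count(username)


if __name__ == "__main__":
    for label, names in (("snmp", users_from_snmpwalk(SNMPWALK_OUTPUT)),
                         ("telnet", users_from_terse(TERSE_OUTPUT))):
        print(label, "username1 exact:", count_sessions(names, "username1"))
    print("snmp username1 substring:", naive_count(SNMPWALK_OUTPUT, "username1"))
```

The exact comparison reports two username1 sessions in the SNMP dump (and two in the terse dump, one PPPoE and one hotspot), while the substring count reports three; parsing the value out first and comparing with == also sidesteps the regex-metacharacter problem that the Perl version has to handle with \Q...\E.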

How do I modify the checkrad file, step by step?
Another question: how do I delete duplicate accounts in the “online users” table? I see a user connected for up to 5 days but this user is not online…
Regards..

I don’t want to start another thread so I’ll ask for help in this one.
Can anyone point me to step-by-step documentation on how to prevent simultaneous use? I need detailed documentation because I’m new to freeradius and linux.
I configured freeradius, mysql, and a php web-based billing. I started using it, but now I notice that my users can login more than once simultaneously. That’s bad.
I did what the documentation on freeradius says but still nothing.
Can someone put down simple steps to prevent simultaneous use?

Hey GURU,
I want to modify my checkrad file to work with more than 20 RBs in the HyperLan backbone and test if snmp is better or telnet..
steps:

  • enable simulcheck in sql.conf
  • add attribute :=1 in rad sql table
  • snmp=on in radiusd.conf
  • radutmp and SQL enabled in the authorization section
  • enable snmp in each RB
    ??? next?

many thanks at all