pptp: only-one dont work with radius

maximt · August 6, 2010, 6:21am

i use pptp+radius(utm)
in ppp-profile set only-one=yes option.
but 1 ppp user can set 2 and more connection from many computers

each user has unique ip (assigned by radius)
why do two identical ip are working in vpn network?

for natting used masquarade

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=10.0.10.0/24

how change nat for denide two equal ip?

in other words - how make one connection from one user at same time

SurferTim · August 6, 2010, 11:08am

The best way I found, which will prevent duplicate user logins on two or more routers also, is to set “simultaneous-use=1” for that user in the radius server radcheck table.

EDIT: If the router is allowing more than one ‘connection’ per logged in user (like Windows internet connection sharing or a router using a masquerade), this won’t help. If it is allowing one user to login twice, it will help.

maximt · August 6, 2010, 1:37pm

but i have just one router
and one login can be used by two user at same time

my pptp config

/ppp profile
set default change-tcp-mss=yes comment="" dns-server=192.168.1.2 local-address=10.0.10.1 name=default only-one=yes \
    use-compression=no use-encryption=no use-vj-compression=no

	
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled

	
/radius
add accounting-backup=no accounting-port=1813 address=*.*.*.* authentication-port=1812 called-id="" comment="" disabled=no domain="" realm="" secret=\
    secret service=ppp timeout=300ms
/radius incoming
set accept=no port=3799


/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=10.0.10.0/24

RouterOS 4.10

SurferTim · August 6, 2010, 2:49pm

I know radius, but not that good at ppp. Maybe if you post how you know the same user is logged in twice, somebody else will see the challenge. I think that would be “/ppp active”.

roadracer96 · August 6, 2010, 4:33pm

You have to have the radius server check back to the MT and see if there really is a connection active, if so, disconnect it, then allow the new connection. Only one only works for local auth. Didnt realize that until later. Works great doing it this way with SSTP radius.

maximt · August 7, 2010, 6:30am

ppp active print 
Flags: R - radius 
 #   NAME         SERVICE CALLER-ID         ADDRESS         UPTIME   ENCODING                                                                                 
 0 R user1     pptp    192.168.3.2       10.0.10.23      17h53m2s MPPE128 stateless                                                                        
 1 R user2     pptp    192.168.1.11      10.0.10.46      6h11m59s                                                                                          
 2 R user1     pptp    192.168.1.12      10.0.10.23      36s                                                                                               
 3 R user3     pptp    192.168.2.4       10.0.10.132      12s

as you see here are two login “user1” with 10.0.10.23 ip

i dont understand why there no ip address conflict

Chupaka · August 11, 2010, 2:24pm

wow! what version do you use? 3.28 says “duplicate ip” and do not allow the user to login with the same vpn ip =)

maximt · August 12, 2010, 2:39am

sorry missed to say

routerOS 4.10

maximt · August 18, 2010, 4:37am

can somebody confirm this bug?

tombrdfrd66 · September 11, 2010, 7:33am

I don’t think it’s a bug - at least in my case - but it is a problem.

I initially used PPPoE from MT CPEs to MT AP running User-Manager, but found I was being plagued by duplicate open sessions - UM would report 50-odd active sessions for only a dozen users.

So I switched to L2TP and that seemed to work fine - the only active sessions every shown were genuine and the log would show that if a used tried to connect with a session open it would be closed before the new session initiated. As far as I remember the settings were all default, as usual.

Now I’m moving to PPTP and found that with the default settings clients were being disconnected because of inactivity - and immediately re-connected. So I changed the server time-out to 0 secs. (ie don’t time the connection out) but the problem now is that clients trying to connect are being rejected because there is already a session running in their name!

Once again I seem to be finding that RouterOS is burdened with so many bells and whistles that actually achieving harmony is extraordinarily difficult. One has the ‘only one’ setting which stops a client setting up a connection if one already exists, but then one needs a way of closing connections if the client has pulled the plug on his CPE, or the network dropped the connection breaking whatever the continuity is that maintains a PPP connection.

I assume ‘session timeout’ sets a maximum time limit on a session, which I don’t want. However that leaves ‘keep-alive’ timeout and ‘idle time-out’ which to me means the same thing - one of which you define in the profile for the connection and the other for the server itself. How do they interact?

Then you have the ability to set idle time-outs in both client and server profiles. Which takes priority?

Roadracer96’s note about getting the RADIUS server to check with the client is a connection is actually running seems good, and was presumably what was happening when I was using L2TP with tunnels being closed before new ones opened, but why UM was doing it then and not now (given that all I’ve changed is the type of PPP server and client!) I’ve no idea.