kwkeim
just joined
Topic Author
Posts: 1
Joined: Wed Apr 12, 2023 2:16 am

Mikrotik + Freeradius 3.0 and Simultaneous Use setup

Wed Apr 12, 2023 3:05 am

I am running a virtual setup on GNS3, trying to get everything set up correctly before we implement the new changes in the live environment. In GNS3 I am running a CHR with ROS v6.48. I have FreeRADIUS 3.0 set up on a virtual Ubuntu 22.04 server using MariaDB for SQL and a Daloradius web interface.

Currently I am trying to set up the Simultaneous-Use := 1 functionality to limit users to one session. I am trying to do it so that it just queries the SQL session database in the radacct table. I have uncommented the following sql entries in these sections of /etc/freeradius/3.0/sites-enabled/default:
accounting {
	sql
}
session {
	sql
}


I also uncommented the simul_count_query in /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
simul_count_query = "\
	SELECT COUNT(*) \
 	FROM ${acct_table1} \
 	WHERE username = '%{SQL-User-Name}' \
 	AND acctstoptime IS NULL"
This sets the accounting data to be stored in the radacct table in SQL and to query from there to check for current sessions of users. I believe this is working correctly within FreeRADIUS, because if I run a radtest it works as intended, as shown here.
root@radius:/# radtest 00:50:79:66:68:04 Accept 127.0.0.1 1812 testing123
Sent Access-Request Id 60 from 0.0.0.0:44564 to 127.0.0.1:1812 length 87
	User-Name = "00:50:79:66:68:04"
	User-Password = "Accept"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	Message-Authenticator = 0x00
	Cleartext-Password = "Accept"
Received Access-Reject Id 60 from 127.0.0.1:1812 to 127.0.0.1:44564 length 63
	Reply-Message = "You are already logged in - access denied"
(0) -: Expected Access-Accept got Access-Reject

The problem comes in, however, when I try to connect to the radius server with a VPC and a Mikrotik router in GNS3 that are configured with the same MAC address. The user info is set up via MAC authorization, so they both are requesting with the same User-Name = '00:50:79:66:68:04'. I can have one connect fine and it receives an IP address, and when I try to connect with the second device, instead of getting rejected by the Simultaneous-Use := 1 check attribute like the radtest, it connects and receives an IP address. I now have two devices that are assigned the same IP. I have determined that part of the problem is that when the second device sends its request, it is not an Access-Request. Below are the request entries from the freeradius -X (debugging) output.
(0) Received Access-Request Id 145 from 100.x.x.x:46068 to 100.x.x.y:1812 length 207
(1) Received Accounting-Request Id 146 from 100.x.x.x:54130 to 100.x.x.y:1813 length 229
(2) Received Accounting-Request Id 147 from 100.x.x.x:34431 to 100.x.x.y:1813 length 235
(3) Received Accounting-Request Id 148 from 100.x.x.x:44071 to 100.x.x.y:1813 length 229
Entries 0 and 1 are the VPC doing an Access-Request and then the Accounting-Request. Entries 2 and 3 are the Mikrotik router sending its requests, but they are both Accounting-Requests. By skipping the Access-Request, this doesn't perform any of the simultaneous-use queries or checking and only updates the accounting info in SQL. Also, by doing two accounting requests, it somehow closes the session in SQL, showing that it has stopped even though it has not, and there are two devices with one IP. Is there some setting in the Mikrotik router (the one set up as the NAS client to Radius) that I need to change so it properly sends an Access-Request instead of just initiating an Accounting-Request?

Attached I have the full outputs of my Freeradius -X debugging.
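
The gap described in the post, modelled as an added example (not part of the original post and not FreeRADIUS code): the session count query runs only when an Access-Request is processed, so a session that reaches radacct through accounting alone is never checked, and an audit query over open rows is what reveals it. The reduced radacct table, the function names, the NAS address and the session ids are assumptions made for the illustration; the closing of the session by later accounting packets is not modelled.

```python
import sqlite3

# Same predicate as the simul_count_query quoted in the post, parameterised.
SIMUL_COUNT = ("SELECT COUNT(*) FROM radacct "
               "WHERE username = ? AND acctstoptime IS NULL")
# Audit: users currently over the limit, however their rows got there.
OVER_LIMIT = """SELECT username, COUNT(*) FROM radacct
                WHERE acctstoptime IS NULL
                GROUP BY username HAVING COUNT(*) > ?"""

def make_db():
    # Reduced radacct (assumption): only the columns this example needs.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
        acctsessionid TEXT, username TEXT, nasipaddress TEXT,
        acctstarttime TEXT, acctstoptime TEXT)""")
    return db

def access_request(db, username, limit=1):
    """Authentication path: the only place the session count is consulted."""
    (open_sessions,) = db.execute(SIMUL_COUNT, (username,)).fetchone()
    return "Access-Reject" if open_sessions >= limit else "Access-Accept"

def accounting_start(db, session_id, username, nas, when):
    """Accounting path: records the session, performs no limit check."""
    db.execute("INSERT INTO radacct VALUES (?, ?, ?, ?, NULL)",
               (session_id, username, nas, when))

def over_limit(db, limit=1):
    return db.execute(OVER_LIMIT, (limit,)).fetchall()

def demo():
    db = make_db()
    user, nas = "00:50:79:66:68:04", "192.0.2.1"  # NAS address is constructed
    first = access_request(db, user)              # device 1 authenticates
    accounting_start(db, "s1", user, nas, "2023-04-12 03:00:00")
    # Device 2 shows up with accounting only, as in the post's debug output.
    accounting_start(db, "s2", user, nas, "2023-04-12 03:01:00")
    second = access_request(db, user)             # what a check would have said
    return first, second, over_limit(db)

if __name__ == "__main__":
    print(demo())
```

Run periodically against the real radacct table, the audit query surfaces accounts that exceed the limit even when no Access-Request was ever evaluated for the extra session.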