

Checking Simultaneous Logins

The number of sessions a user can have open simultaneously can be restricted by setting the Simultaneous-Use attribute in the LHS of the user's profile (see section Simultaneous-Use). By default, the number of simultaneous sessions is unlimited.

When a user with a limited number of simultaneous logins authenticates, Radius first counts the sessions this user already has open. If this number is equal to the value of the Simultaneous-Use attribute, the authentication request is rejected.

To determine the number of open sessions, Radius scans `radlog/radutmp' for any open entries marked with the user's login name (see section UNIX Accounting). Such entries are created when Radius receives an Accounting-Request packet with the Acct-Status-Type attribute set to Start. An entry is marked closed when a corresponding Accounting-Request packet arrives with the Acct-Status-Type attribute set to Stop.

Since an open entry might be the result of a missing Stop packet, Radius queries the NAS whether the session listed in the entry is currently active. If the NAS replies positively, the session count is incremented; if it replies negatively, the entry is marked as closed and is not counted. There may also be cases when the NAS is unreachable. In such cases the Radius behavior is determined by the value of checkrad-assume-logged in the `config' file (see section auth statement). If the value is yes, Radius assumes the session is still active and increases the session count; otherwise it proceeds as if the NAS had returned a negative reply.

To query a NAS, Radius first looks up its type and additional parameters in the `naslist' file (see section NAS List -- `raddb/naslist'). If the NAS type is `true', Radius acts as if the NAS returned 1; if the type is `false', it acts as if the NAS returned 0. Otherwise it looks up the entry with the matching type in `nastypes' (see section NAS Types -- `raddb/nastypes'). If no such entry exists, Radius issues an error message and acts according to the value of the configuration variable checkrad-assume-logged. Otherwise, Radius determines the query method to use from the second field of this entry, and constructs its arguments by appending the arguments from the `naslist' entry to those of the `nastypes' entry. Note that the former take precedence over the latter, and can thus be used to override default values specified in `nastypes'.

Having determined the query method and its arguments, Radius queries the NAS and analyzes its output by invoking a user-supplied Rewrite function. The function to use is specified by the function= argument to the method. It is called each time a line of output is received from the NAS (for finger queries) or a variable is received (for SNMP queries). The process continues until the function returns 1, the last line of output is read, or a timeout occurs, whichever comes first.

If the user function returns 1, the user's session is taken to be active at the NAS; if it returns 0, or if the end of output is reached, the session is taken to be not active.

The syntax conventions for user-supplied functions are described in detail in section Login Verification Functions.
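
The decision procedure described in this section, as an added Python model (not GNU Radius source code), showing how checkrad-assume-logged decides between refusing a legitimate user and letting the session limit be exceeded when a stale entry cannot be verified. All names (Entry, NasUnreachable, session_active, check_simultaneous_use, scenario) and the sample data are assumptions made for the illustration; the per-line Rewrite function is reduced to a callable that returns the final verdict.

```python
from dataclasses import dataclass

class NasUnreachable(Exception):
    """Raised by a query callable when the NAS does not answer in time."""

@dataclass
class Entry:
    # Simplified stand-in for one radutmp record (field names are assumptions).
    user: str
    nas: str
    is_open: bool = True

def session_active(entry, nas_types, queries, assume_logged):
    """Decide whether one open entry counts as a live session."""
    nas_type = nas_types.get(entry.nas)      # type from the naslist lookup
    if nas_type == "true":
        return True                          # as if the NAS returned 1
    if nas_type == "false":
        return False                         # as if the NAS returned 0
    query = queries.get(nas_type)            # matching nastypes entry
    if query is None:
        return assume_logged                 # no such entry: fall back
    try:
        return query(entry)
    except NasUnreachable:
        return assume_logged                 # NAS unreachable: fall back

def check_simultaneous_use(user, limit, utmp, nas_types, queries, assume_logged):
    """Return (accepted, live_count); entries the NAS disowns are closed."""
    live = 0
    for entry in utmp:
        if entry.user != user or not entry.is_open:
            continue
        if session_active(entry, nas_types, queries, assume_logged):
            live += 1
        else:
            entry.is_open = False
    return live < limit, live                # reject once the limit is reached

def unreachable(entry):
    raise NasUnreachable(entry.nas)

def scenario(assume_logged):
    # Constructed input: one stale entry (lost Stop packet) on an unreachable NAS.
    utmp = [Entry("alice", "nas1"), Entry("bob", "nas1")]
    result = check_simultaneous_use(
        "alice", 1, utmp, {"nas1": "demo"}, {"demo": unreachable}, assume_logged)
    return result, utmp[0].is_open

if __name__ == "__main__":
    print("checkrad-assume-logged yes:", scenario(True))   # login refused
    print("checkrad-assume-logged no: ", scenario(False))  # login accepted
```

With the value yes, a lost Stop packet combined with an unreachable NAS keeps the user locked out until the entry is cleared; with any other value the unverified entry is closed, so a session that is in fact still active stops counting against the limit.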

