RADIUSdesk

Trace:

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
user_guide:simultaneous_limit [2017/01/04 06:37] – created adminuser_guide:simultaneous_limit [2021/10/06 20:51] (current) – [Check if enabled] admin
Line 1: Line 1:
-====== Limiting Simultaneous Sessions ======+====== UPDATED 2021 -Limiting Simultaneous Sessions  ======
   * If you want to limit the simultaneous sessions a user can have this this page is for you.   * If you want to limit the simultaneous sessions a user can have this this page is for you.
  
 ===== Why implement it ===== ===== Why implement it =====
   * If you are driven by sales of vouchers, limiting the amount of people who can use the voucher at one time can result in more sales.   * If you are driven by sales of vouchers, limiting the amount of people who can use the voucher at one time can result in more sales.
-  * If you are very strict on limiting the amount of date a user can use, it is wise to restrict the sessions even to only one in order to ensure accurate data cap calculations.+  * If you are very strict on limiting the amount of data a user can use, it is wise to restrict the sessions even to only one in order to ensure accurate data cap calculations.
  
 ===== There is a catch ===== ===== There is a catch =====
Line 10: Line 10:
   * The back-end still thinks he is connected.   * The back-end still thinks he is connected.
   * If the person then tries to connect again and there is a limit on the sessions to e.g. 1, he will not be able to connect again.   * If the person then tries to connect again and there is a limit on the sessions to e.g. 1, he will not be able to connect again.
-  * Usually there is a reply attribute called **Idle-Timeout** which you can set to a low value to auto-disconnect the user from the Captive Portal's side.+  * Usually there is a reply attribute called **Idle-Timeout** which you can set to a low value to auto-disconnect the user from the Captive Portal's side when there is no data flow.
   * Another option is to let the Back-end auto close stale sessions by editing the Dynamic Client under **RADIUS** menu and go to **Dynamic Client** -> **Enhancements** and select **Auto Close Stale Sessions** with a time.   * Another option is to let the Back-end auto close stale sessions by editing the Dynamic Client under **RADIUS** menu and go to **Dynamic Client** -> **Enhancements** and select **Auto Close Stale Sessions** with a time.
   * These items are just a heads-up before you implement this limit.   * These items are just a heads-up before you implement this limit.
  
 +===== Check if enabled =====
 +  * Check if it is enabled in FreeRADIUS
 +<code bash>
 +vi /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
 +</code>
 +
 +  * Look for this section
 +<code bash>
 +#######################################################################
 +# Simultaneous Use Checking Queries
 +#######################################################################
 +# simul_count_query     - query for the number of current connections
 +#                       - If this is not defined, no simultaneous use checking
 +#                       - will be performed by this module instance
 +# simul_verify_query    - query to return details of current connections
 +#                               for verification
 +#                       - Leave blank or commented out to disable verification step
 +#                       - Note that the returned field order should not be changed.
 +#######################################################################
 +</code>
 +  * Lets do a bit of explanation of these two items.
 +        * In the FreeRADIUS config is a dedicated **session** section.
 +        * If this section has **sql** specified, FreeRADIUS will initiate these queries (one or both) to try and determine the amount of active sessions a user has.
 +        * We are **NOT** using  **simul_verify_query** and thus it needs to be commented out.
 +        * If **simul_verify_query** is specified the FreeRADIUS program will try and contact the nas if possible to inquire directly from it the current session count for a user. For this it uses the **checkrad** program.
 +        * We will thus comment **simul_verify_query** out to NOT use it.
 +
 +<code bash>
 +simul_count_query = "\
 +        SELECT COUNT(*) \
 +        FROM ${acct_table1} \
 +        WHERE username = '%{SQL-User-Name}' \
 +        AND acctstoptime IS NULL"
 +
 +#simul_verify_query = "\
 +#       SELECT \
 +#               radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, \
 +#               callingstationid, framedprotocol \
 +#       FROM ${acct_table1} \
 +#       WHERE username = '%{SQL-User-Name}' \
 +#       AND acctstoptime IS NULL"
 +</code>
 +  * Restart if you made changes
 +<code bash>
 +#20.04
 +service freeradius stop
 +service freeradius start
 +</code>
 +
 +===== Applying the limit =====
 +  * Consider the following screenshot
 +
 +{{ :technical_discussions:simultaneous_2.png?nolink |}}
 +
 +<WRAP center round tip 100%>
 +You can also add this to a **Profile Component**
 +</WRAP>
 +
 +
 +===== See the limit in action =====
 +  * Here it is preventing a second connection
 +{{ :technical_discussions:simultaneous_1.png?nolink }}
  
  
Last modified: 2017/01/04 06:37