FreeRADIUS InkBridge

User Management

How do I deny access to a specific user or a group of users?

You need to use the Group check item to match a group. You also need to use the Auth-Type := Reject check item to deny the selected users access. The examples below include a short message using the Reply-Message reply attribute to inform the user why they’re rejected.

This rule needs to match for all users, so it should be a DEFAULT entry. You want to apply it instead of any other authentication type, so it should be listed BEFORE any other entry which contains an Auth-Type. It doesn’t need a Fall-Through, because you’re not giving the user any permission to do anything, you’re just rejecting them.

The following entry denies access to one specific user. Note that it MUST be put before ANY other entry with an Auth-Type attribute.

foo Auth-Type := Reject
	Reply-Message = "foo is not allowed to dial-in"

The following entry denies access to a group of users. The same restrictions as above on location in the raddb/users file also apply:

DEFAULT Group == "disabled", Auth-Type := Reject
	Reply-Message = "Your account has been disabled"

Why doesn’t Simultaneous-Use work?

This method is used to prevent a user from logging in multiple times across multiple NAS boxes. The radius server calls the checkrad script when it thinks the user is already logged on on one or more other ports/terminal servers to verify that the user is indeed still online on that other port/server. If Simultaneous-Use > 1, then it might be that checkrad is called several times to verify each existing session. Follow the Troubleshooting Checklist to degug your issue and determine a solution.

Troubleshooting Checklist

  1. Check that you added your NAS to raddb/clients.conf and selected the correct NAS type. Verify the the password.

  2. Run radiusd -X and see if it parses the Simultaneous-Use line.

  3. Try to run checkrad manually; maybe you may have a wrong version of perl, don’t have cmu-snmp installed etc.

  4. Check the database. If it says no one is logged in, Simultaneous-Use won’t work.

  5. Verify that the NAS is sending accounting packets. Without accounting packets, Simultaneous-Use won’t work.

  6. Verify that the accounting packets are accepted by the database module. If the module returns "noop", it means that the accounting packets do not have enough information for the server to perform Simultaneous-Use enforcement.

  7. In case you have SQL as a database, and you have accounting records in radacct table, you’ll need to uncomment sql in session section of radiusd.conf file. Also, you’ll need to uncomment Simutaneus check query in sql.conf file.