Blocking multiple sessions by same user?

I'm using the latest version of CoovaAP with the latest stable release of FreeRADIUS for authentication, with CoovaAP up and running as an "Internal HotSpot."

CoovaAP is allowing multiple login sessions by the same UserName from multiple computers at a time. As an example, this is the information I get from the HotSpot Status page.

MAC Address        IP Address   Session ID        Username       Session Time  Idle Time
00-E0-4C-XX-XX-XX  192.168.1.2  473df0a600000002  NathanielBass  389/0         225/0      logout
00-0E-A6-XX-XX-XX  192.168.1.5  473df10000000001  NathanielBass  410/0         0/0        logout

Is there any way to restrict users to one session at a time per registered account? I don't want one person sharing their login information for other clients to gain free access to our internet services. If this is configurable on the FreeRADIUS side of things and not CoovaAP, what RADIUS attributes do I need to set for those user accounts? Any advice is welcome, THANK YOU!

Re: Blocking multiple sessions by same user?

Thank you, that was the problem. I'm happy with the results of that. :)

http://coova.org/wiki/index.php/CoovaChilli/RADIUS/AttributesTable

WISPr attributes are supported and I have the dictionary file installed, so I'm not sure what's up with that either. Thanks for your help with blocking multiple logins. :)

Re: Blocking multiple sessions by same user?

Did you uncomment the entry in sql.conf?

# Uncomment simul_count_query to enable simultaneous use checking
        simul_count_query = "SELECT COUNT(*) FROM ...
        simul_verify_query = "SELECT RadAcctId, AcctSessionId, ...

EDIT: just noticed in your config, Simultaneous-Use:=1 should be in radgroupCHECK, not in radgroupREPLY!

I don't know if coovachilli supports the Wispr-redirection attrib (it is supported in regular chilli though, so I think it shouldn't be a problem)
I don't like it myself to get redirected to some website after hotspot logins, so I don't use it ;-)

Kind regards

Re: Blocking multiple sessions by same user?

Thank you for your response! I gave it a try, but the system still lets me log in as the same user from multiple systems at a time.

I know my group settings are working, because I receive other group messages in my response, but I don't see the Simultaneous-Use variable when testing. When I use radtest, I receive the reply:

rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=83, length=57
        WISPr-Redirection-URL = "http://www.northshorewisp.com"

This is what my radgroupreply and radacct look like as I tested.

mysql> SELECT * FROM radgroupreply;
+----+-----------+-----------------------+----+-------------------------------+
| id | GroupName | Attribute             | op | Value                         |
+----+-----------+-----------------------+----+-------------------------------+
|  1 | WISP      | WISPr-Redirection-URL | := | http://www.northshorewisp.com |
|  2 | WISP      | Simultaneous-Use      | := | 1                             |
+----+-----------+-----------------------+----+-------------------------------+
2 rows in set (0.00 sec)

mysql> SELECT RadAcctId,AcctSessionID,UserName,AcctStartTime,
AcctStopTime,AcctSessionTime,AcctTerminateCause,FramedIPAddress FROM radacct;
+-----------+------------------+---------------+---------------------+
| RadAcctId | AcctSessionID    | UserName      | AcctStartTime       |
+-----------+------------------+---------------+---------------------+
|        27 | 47406e6500000001 | NathanielBass | 2007-11-18 11:58:09 |
|        28 | 47406e5c00000002 | NathanielBass | 2007-11-18 11:58:37 |
+-----------+------------------+---------------+---------------------+
+---------------------+-----------------+--------------------+-----------------+
| AcctStopTime        | AcctSessionTime | AcctTerminateCause | FramedIPAddress |
+---------------------+-----------------+--------------------+-----------------+
| 0000-00-00 00:00:00 |             606 |                    | 192.168.1.122   |
| 0000-00-00 00:00:00 |             605 |                    | 192.168.1.2     |
+---------------------+-----------------+--------------------+-----------------+
2 rows in set (0.00 sec)

As a side note, I can't seem to get CoovaAP to use my redirect URL either. When users successfully log in, they are still redirected to the site they last attempted to access instead. In the case of a user logging out by visiting http://1.1.1.1 and then logging back in, this redirects them to http://1.1.1.1, consequently putting them in a login->logout loop until they log in again by first attempting to access a different website. Is this a bug?

Re: Blocking multiple sessions by same user?

You can add simultaneous-use := 1 as a check item to the radcheck (or radgroupcheck) table of freeradius.

Kind regards
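
The fix discussed in this thread, written out as SQL against the tables shown in the posts (an added example, not part of any post). It assumes radgroupcheck has the same columns as radgroupreply and that an open session is a radacct row with an empty AcctStopTime, as in the output above; the last query lists accounts that currently hold more than one open session.

```sql
-- Added example; table, column and group names are taken from the
-- output posted in the thread. The radgroupcheck column layout is assumed
-- to match radgroupreply (id, GroupName, Attribute, op, Value).

START TRANSACTION;

-- Simultaneous-Use is a check item, so remove it from the reply table...
DELETE FROM radgroupreply
 WHERE GroupName = 'WISP'
   AND Attribute = 'Simultaneous-Use';

-- ...and set it on the same group in the check table.
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
VALUES ('WISP', 'Simultaneous-Use', ':=', '1');

COMMIT;

-- Confirm where the attribute now lives: expect one 'check' row, no 'reply' row.
SELECT 'check' AS tbl, GroupName, Attribute, op, Value
  FROM radgroupcheck
 WHERE Attribute = 'Simultaneous-Use'
UNION ALL
SELECT 'reply' AS tbl, GroupName, Attribute, op, Value
  FROM radgroupreply
 WHERE Attribute = 'Simultaneous-Use';

-- Audit query: accounts with more than one session still open in radacct.
-- An open session is assumed to have AcctStopTime NULL or 0000-00-00 00:00:00.
SELECT UserName,
       COUNT(*)                                             AS open_sessions,
       GROUP_CONCAT(FramedIPAddress ORDER BY AcctStartTime) AS client_ips,
       MIN(AcctStartTime)                                   AS oldest_start
  FROM radacct
 WHERE AcctStopTime IS NULL
    OR AcctStopTime = 0
 GROUP BY UserName
HAVING COUNT(*) > 1
 ORDER BY open_sessions DESC;
```

A session whose Stop record never arrived keeps an empty AcctStopTime and still counts as open, so stale radacct rows can lock a user out once the limit is enforced.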