Simultaneous-Use check 1, User logs in two devices

Admin
Administrator
Posts: 4992
4.12.2017
Can you confirm that you cannot see "TekRADIUS Service 5.3.4.16 is being started" message in TekRADIUS log?

Bernie
Posts: 205
4.12.2017
Correct. It writes 5.3.4.15 in log file, Chinese signs and empty active session tab. Also in the unzipped file the exe file shows in properties 5.3.4.15.

Admin
Administrator
Posts: 4992
4.12.2017
Please try https://www.kaplansoft.com/tekradius/release/TekRADIUS.exe.zip

Bernie
Posts: 205
4.12.2017
Ok, now it is really the version 5.3.4.16 but there is now a bigger problem.

NOW
I downgrade it back to version 5.3.4.14

BECAUSE
Today since 04.12.2017 07:49:13 no accounting data is recorded on the SQL database. This is the point of time I update to 5.3.4.15 and for some minutes to 5.3.4.16 but there is absolutely nothing recorded in the database.

NOW
I went back to 5.3.4.14 and accounting works fine in SQL database! Active sessions tab in TekRADIUS Manager works fine! You got the log file as mail.

Admin
Administrator
Posts: 4992
5.12.2017
I have fixed the problem with Accounting and added a couple of improvements. Here is another update https://www.kaplansoft.com/tekradius/release/TekRADIUS-Update.zip (5.3.4.17)

I'll be waiting for your feedback.

Best regards,

Yasin KAPLAN

Bernie
Posts: 205
6.12.2017
Hi,

so first thing: accounting and active sessions tab works again with version 5.3.4.17.

But the main problem still exists, users can use more than one device at the same time.

Log file I have mailed you.

Best regards
Bernie


Admin
Administrator
Posts: 4992
6.12.2017
Here is another update https://www.kaplansoft.com/tekradius/release/TekRADIUS-Update.zip (5.3.4.19)



Best regards,


Yasin KAPLAN

Bernie
Posts: 205
7.12.2017
Hi,
thanks for your update but simultaneous limit does not work.
You will receive log file by mail.

Best regards
Bernie


Admin
Administrator
Posts: 4992
7.12.2017
Hi,


Here is another update https://www.kaplansoft.com/tekradius/release/TekRADIUS-Update.zip (5.3.4.20)


This will not solve the problem but will provide additional diagnostic output to solve the problem.


Best regards,


Yasin KAPLAN

Bernie
Posts: 205
8.12.2017
Hi,

yesterday I have installed the update 5.3.4.20 and set logging level to "debug".
But today the guys are not here. Maybe it was a double login around midnight. You will receive log file as mail.

Best regards
Bernie

Admin
Administrator
Posts: 4992
8.12.2017
No problem. I'll be waiting for your feedback.

Bernie
Posts: 205
12.12.2017
Hi,

at this time I see not real double logins. But I think I know what the problem could be.

For both users it is possible to login to the SSID "UMA" and also "BEWOHNER3259". But SSID "BEWOHNER3259" should be forbidden for these users because they don't belong to the Active Directory group "AD-WLAN_BEWOHNER". You will receive the log files and Excel tables as mail. In the Excel tables you see in red color how they use the wrong SSID.

At same time in log file you find messages like:
10.12.2017 11:43:31.036 - EAP-PEAP Authentication commencing for user 'sukwinder' [3 (182)]

10.12.2017 11:43:31.036 - TLS Session has been established [TLS_RSA_WITH_AES_256_CBC_SHA, TLS version: 1.2] (Group: Default, User: 'sukwinder').

10.12.2017 11:43:31.036 - PEAP Challenge sent for user 'sukwinder' [4 (182), 907bdad86d8cbd446ead19bacd34fe99].

10.12.2017 11:43:31.067 - PEAP Response received.

I think it is a bug because 'sukwinder' is not a real logon name. But Default group allows really "BEWOHNER3259" that is correct.


Background information:
- SSIDs "UMA" and "BEWOHNER3259" are timed active.
- That Default group allows "BEWOHNER3259" is a workaround, because it is not possible in active directory for the AD group "AD-WLAN_BEWOHNER" that this group is the only primary group!

Best regards
Bernie

Admin
Administrator
Posts: 4992
12.12.2017
Hi,


Here is another update https://www.kaplansoft.com/tekradius/release/TekRADIUS-Update.zip (5.3.4.21)


This update should use the correct group.


Best regards,


Yasin KAPLAN

Bernie
Posts: 205
13.12.2017
Hi,

the update I have installed this morning around 7:30am. After installing and restarting I did as always: In TekRADIUS manager -> mark active sessions “Clear with accounting stop”. Sessions tab was empty. After a short time I have seen the picture I mail you now: Singh.Jasvinder has a double login in the SSID UMA which should not be allowed AND before I did a “Clear with accounting stop” Singh.Jasvinder’s and feyerabendt.antonia’s session was not visible in active sessions. Here you get the log file from today.

Picture is from today around 7:30am.

Best regards
Bernie

Admin
Administrator
Posts: 4992
13.12.2017
Hi,


Can you increase interim update period for 10.9.5.3 from 300 to 350 in TekRADIUS Manager / Clients tab? You do not change any settings in your access controller or access point.


TekRADIUS clears an active session entry for station "A" if it does not receive an accounting interim update for the active session of station "A" specified in TekRADIUS Manager / Clients tab. Another station "B" can connect when an active session entry is cleared. TekRADIUS re-creates active session entry if timed out checkpoint packet is received for station "A" but session of station "B" stays active.


I can implement a new feature to disconnect station "B" in such cases if your system supports RADIUS packet of disconnect.


Best regards,


Yasin KAPLAN
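
The timing race described in the post above (station "A" misses the interim deadline, station "B" is admitted, the entry for "A" is re-created), as an added example that is not part of the original thread and is not TekRADIUS code. The class, method names and timings are assumptions chosen for illustration.

```python
# Added illustration: a toy model of the behaviour described in the post,
# not TekRADIUS source code. Times are in seconds; all values are constructed.

class SessionTable:
    def __init__(self, limit, interim_timeout):
        self.limit = limit                      # simultaneous-use limit per user
        self.interim_timeout = interim_timeout  # "interim update period" on the Clients tab
        self.sessions = {}                      # (user, station) -> time of last accounting packet

    def _purge(self, now):
        # Drop entries whose last accounting packet is older than the timeout.
        stale = [k for k, seen in self.sessions.items() if now - seen > self.interim_timeout]
        for k in stale:
            del self.sessions[k]

    def active(self, user, now):
        self._purge(now)
        return sorted(st for (u, st) in self.sessions if u == user)

    def authenticate(self, user, now):
        # The limit is enforced only here, at authentication time.
        return len(self.active(user, now)) < self.limit

    def accounting(self, user, station, now):
        # Start and interim packets both create or refresh the entry, so a late
        # interim update re-creates an entry that was already purged.
        self._purge(now)
        self.sessions[(user, station)] = now


def replay(interim_timeout):
    """Station A's interim update arrives 320 s after its previous packet."""
    table = SessionTable(limit=1, interim_timeout=interim_timeout)
    table.accounting("user1", "A", now=0)              # A: Accounting Start
    b_accepted = table.authenticate("user1", now=310)  # B tries to log in
    if b_accepted:
        table.accounting("user1", "B", now=311)        # B: Accounting Start
    table.accounting("user1", "A", now=320)            # A: late interim update
    return b_accepted, table.active("user1", now=321)


if __name__ == "__main__":
    for timeout in (300, 350):
        print(timeout, replay(timeout))
```

With the timeout at 300 the user ends up with two active entries under a limit of 1; with 350 the second login is refused because the entry for "A" is still present when "B" authenticates.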

Bernie
Posts: 205
15.12.2017
Hi,

I have increased for all Clients in TekRADIUS manager to 350 interim update period. Ok, I have understood with station "A" and "B".

You spoke about new feature disconnect station "B". This means TekRADIUS sends a packet to station "B"?

Now with interim update period 350 and version 5.3.4.21 I have a new case with double login for singh.jasvinder. Session ID 827eaaf1396-3985778282 and session ID 10d38a8fbb1d-3997640919 are in the same time today after 6:18am. TekRADIUS said:

15.12.2017 06:18:39.838 - RadAcct req. from : 10.9.5.3:9295 [UDP]
Size : 213 / 213
Identifier : 21
Attributes :
NAS-Port-Id = 4
NAS-Port = 4
Calling-Station-Id = 10-D3-8A-8F-BB-1D
NAS-Port-Type = Wireless
Acct-Status-Type = Start
Acct-Session-Id = 10d38a8fbb1d-3997640919
NAS-Identifier = WLAN-KIRSCH2
User-Name = Singh.Jasvinder@dbjw.local
Called-Station-Id = 0A-A0-57-25-0C-EF:UMA
NAS-IP-Address = 10.9.5.3

15.12.2017 06:18:39.838 - Simultaneous session counter for user 'singh.jasvinder@dbjw.local' set to 2.


Why does TekRADIUS set it to 2???

And to a second problem. I see in log file many entries like:

15.12.2017 03:53:53.444 - EAP-PEAP Authentication commencing for user 'jasvinder' [3 (243)]

15.12.2017 03:53:53.444 - TLS Session has been established [TLS_RSA_WITH_AES_256_CBC_SHA, TLS version: 1.2] (Group: Default, User: 'jasvinder').

The SSID UMA isn't present over the night. Jasvinder's device has saved credentials with username 'jasvinder' and tries to login. I am missing log entries like: PEAPv0-MS-CHAP v2 failed for user 'jasvinder', sending Access-Reject (Group: Default).

You receive log file and Excel file as mail.

Best regards,
Bernie

Admin
Administrator
Posts: 4992
15.12.2017
Hi,


Please see following RADIUS accounting request;


15.12.2017 06:18:25.913 - RadAcct req. from : 10.9.5.3:13603 [UDP]


Size : 255 / 255
Identifier : 8
Attributes :


NAS-IP-Address = 10.9.5.3
Calling-Station-Id = 10-D3-8A-8F-BB-1D
Called-Station-Id = 0A-A0-57-25-0C-EF:UMA
NAS-Port-Id = 3
Acct-Output-Octets = 290236
Acct-Input-Octets = 312846
NAS-Port = 3
Acct-Status-Type = Stop
Acct-Session-Time = 6162
Acct-Session-Id = 10d38a8fbb1d-2116807970
NAS-Identifier = WLAN-KIRSCH2
Acct-Terminate-Cause = User-Request
NAS-Port-Type = Wireless
Framed-IP-Address = 192.168.183.171
User-Name = Singh.Jasvinder@dbjw.local


15.12.2017 06:18:25.913 - Simultaneous session counter for user 'singh.jasvinder@dbjw.local' set to 0.


Session for Singh.Jasvinder@dbjw.local @ 10-D3-8A-8F-BB-1D is terminated at 15.12.2017 06:18:25.913


Singh.Jasvinder@dbjw.local starts another session at 15.12.2017 06:18:27.905 from 10-D3-8A-8F-BB-1D


15.12.2017 06:18:27.905 - RadAcct req. from : 10.9.5.3:15841 [UDP]


Size : 213 / 213
Identifier : 18
Attributes :


NAS-Port-Id = 3
NAS-Port = 3
Calling-Station-Id = 48-27-EA-AF-13-96
NAS-Port-Type = Wireless
Acct-Status-Type = Start
Acct-Session-Id = 4827eaaf1396-3985778282
NAS-Identifier = WLAN-KIRSCH2
User-Name = Singh.Jasvinder@dbjw.local
Called-Station-Id = 0A-A0-57-25-0C-EF:UMA
NAS-IP-Address = 10.9.5.3


15.12.2017 06:18:27.905 - Simultaneous session counter for user 'singh.jasvinder@dbjw.local' set to 1.


TekRADIUS receives another RADIUS Accounting start for Singh.Jasvinder@dbjw.local from 10-D3-8A-8F-BB-1D without authentication;


15.12.2017 06:18:39.838 - RadAcct req. from : 10.9.5.3:9295 [UDP]


Size : 213 / 213
Identifier : 21
Attributes :


NAS-Port-Id = 4
NAS-Port = 4
Calling-Station-Id = 10-D3-8A-8F-BB-1D
NAS-Port-Type = Wireless
Acct-Status-Type = Start
Acct-Session-Id = 10d38a8fbb1d-3997640919
NAS-Identifier = WLAN-KIRSCH2
User-Name = Singh.Jasvinder@dbjw.local
Called-Station-Id = 0A-A0-57-25-0C-EF:UMA
NAS-IP-Address = 10.9.5.3


15.12.2017 06:18:39.838 - Simultaneous session counter for user 'singh.jasvinder@dbjw.local' set to 2.


TekRADIUS checks simultaneous sessions when it receives an authentication request. TekRADIUS increases session count since it receives an accounting start packet. I think your access controller validates user connection with cached credentials and accepts login request. You should change this behavior of your access controller.


TekRADIUS rejects authentication request for singh.jasvinder@dbjw.local from 10-D3-8A-8F-BB-1D at 15.12.2017 06:21:13.429


15.12.2017 06:21:13.429 - RadAuth req. from : 10.9.5.3:13393 [UDP]


Size : 239 / 239
Identifier : 24
Attributes :


NAS-IP-Address = 10.9.5.3
Calling-Station-Id = 10-D3-8A-8F-BB-1D
Called-Station-Id = 0A-A0-57-25-0C-EF:UMA
WLAN-RF-Band = 2
WLAN-Group-Cipher = 1027076
NAS-Port = 4
Connect-Info = CONNECT 72 Mbps 802.11g/n
NAS-Identifier = WLAN-KIRSCH2
Framed-MTU = 1500
NAS-Port-Type = 19
NAS-Port-Id = 4
WLAN-AKM-Suite = 1027073
WLAN-Pairwise-Cipher = 1027076
User-Name = singh.jasvinder@dbjw.local
Service-Type = 2


15.12.2017 06:21:13.445 - EAP-PEAP Authentication commencing for user 'singh.jasvinder@dbjw.local' [1 (24)]


15.12.2017 06:21:13.445 - Checking active session count [2] for user 'singh.jasvinder@dbjw.local' @ 10-D3-8A-8F-BB-1D [1, Group: 1].


15.12.2017 06:21:13.445 - Fetching Failure-Reply items for user 'singh.jasvinder@dbjw.local' - Start.


15.12.2017 06:21:13.445 - Fetching Failure-Reply items for user 'singh.jasvinder@dbjw.local' - Stop.


15.12.2017 06:21:13.445 - Generating Reply Packet - Start.


15.12.2017 06:21:13.445 - Generating Reply Packet - Stop.


15.12.2017 06:21:13.445 - RadAuth reply to : 10.9.5.3:13393 (Success)
Size : 100
Identifier : 24
Attributes :


User-Name = singh.jasvinder@dbjw.local
Reply-Message = Simultaneous limit reached


Please also update https://www.kaplansoft.com/tekradius/release/TekRADIUS-Update.zip (5.3.4.22)


Best regards,


Yasin KAPLAN
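
One way to look for the pattern discussed in the post above, an Accounting Start that is not preceded by an authentication request from the same Calling-Station-Id, as an added example that is not part of the original thread and is not a TekRADIUS tool. The sample log is constructed in the layout of the excerpts above, and the function names and the 30-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the excerpts above; all values are made up.
SAMPLE_LOG = """\
01.01.2018 06:00:00.100 - RadAuth req. from : 192.0.2.10:1001 [UDP]
Size : 239 / 239
Calling-Station-Id = AA-AA-AA-AA-AA-01
01.01.2018 06:00:00.900 - RadAcct req. from : 192.0.2.10:1002 [UDP]
Calling-Station-Id = AA-AA-AA-AA-AA-01
Acct-Status-Type = Start
Acct-Session-Id = sess-1
01.01.2018 06:00:00.900 - Simultaneous session counter for user 'user1@example.local' set to 1.
01.01.2018 06:00:12.000 - RadAcct req. from : 192.0.2.10:1003 [UDP]
Calling-Station-Id = BB-BB-BB-BB-BB-02
Acct-Status-Type = Start
Acct-Session-Id = sess-2
"""

TS = re.compile(r"^(\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d\.\d{3}) - (.*)$")
ATTR = re.compile(r"^([\w-]+) = (.*)$")

def parse_requests(text):
    """Return one dict per RadAuth/RadAcct request, with its attributes."""
    packets, current = [], None
    for line in map(str.strip, text.splitlines()):
        if ts := TS.match(line):
            kind = ts.group(2).split(" req. from")[0]
            current = None  # any timestamped line ends the previous packet
            if kind in ("RadAuth", "RadAcct"):
                when = datetime.strptime(ts.group(1), "%d.%m.%Y %H:%M:%S.%f")
                current = {"time": when, "kind": kind}
                packets.append(current)
        elif current is not None and (attr := ATTR.match(line)):
            current[attr.group(1)] = attr.group(2)
    return packets

def unauthenticated_starts(text, window_s=30):
    """Accounting Starts with no RadAuth request from that station in the window before."""
    last_auth, hits = {}, []
    for p in parse_requests(text):
        station = p.get("Calling-Station-Id")
        if p["kind"] == "RadAuth":
            last_auth[station] = p["time"]
        elif p.get("Acct-Status-Type") == "Start":
            seen = last_auth.get(station)
            if seen is None or p["time"] - seen > timedelta(seconds=window_s):
                hits.append((station, p.get("Acct-Session-Id")))
    return hits
```

A hit is a lead to check against the access controller's behaviour, not proof of a bypass, since the window is a heuristic.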

Bernie
Posts: 205
15.12.2017
You mailed me a link on Wednesday to version 5.3.4.22 and today also version 5.3.4.22??? But exe files have different size.

Admin
Administrator
Posts: 4992
15.12.2017
There was a problem with build number. Please apply it.

Bernie
Posts: 205
15.12.2017
Ok, I have installed it.

15.12.2017 06:18:27.905 - RadAcct req. from : 10.9.5.3:15841 [UDP]


Size : 213 / 213
Identifier : 18
Attributes :


NAS-Port-Id = 3
NAS-Port = 3
Calling-Station-Id = 48-27-EA-AF-13-96
NAS-Port-Type = Wireless
Acct-Status-Type = Start
Acct-Session-Id = 4827eaaf1396-3985778282
NAS-Identifier = WLAN-KIRSCH2
User-Name = Singh.Jasvinder@dbjw.local
Called-Station-Id = 0A-A0-57-25-0C-EF:UMA
NAS-IP-Address = 10.9.5.3


15.12.2017 06:18:27.905 - Simultaneous session counter for user 'singh.jasvinder@dbjw.local' set to 1.


TekRADIUS receives another RADIUS Accounting start for Singh.Jasvinder@dbjw.local from 10-D3-8A-8F-BB-1D without authentication;


NO, it did with authentication:

15.12.2017 06:18:27.156 - EAP-PEAP Authentication commencing for user 'Singh.Jasvinder@dbjw.local' [7 (17)]

15.12.2017 06:18:27.156 - Validating Active Directory group membership for user 'Singh.Jasvinder@dbjw.local' (AD-WLAN_JH-Chemnitz, dbjw.local).

15.12.2017 06:18:27.156 - Getting Active Directory group membership information for user 'Singh.Jasvinder@dbjw.local' (ad-wlan_jh-chemnitz, dbjw.local).

15.12.2017 06:18:27.532 - Active Directory group membership validation successful for user 'Singh.Jasvinder@dbjw.local'.

15.12.2017 06:18:27.547 - Check items control for user 'Singh.Jasvinder@dbjw.local' - Start (Group: AD-WLAN_JH-Chemnitz) [PEAP].

15.12.2017 06:18:27.547 - Check items control for user 'Singh.Jasvinder@dbjw.local' - Stop (AD-WLAN_JH-Chemnitz).

15.12.2017 06:18:27.547 - Windows authentication successfull for user 'Singh.Jasvinder@dbjw.local'

15.12.2017 06:18:27.547 - Fetching Success-Reply items for user 'Singh.Jasvinder@dbjw.local' - Start.

15.12.2017 06:18:27.547 - Fetching Success-Reply items for user 'Singh.Jasvinder@dbjw.local' - Stop.

15.12.2017 06:18:27.547 - Generation of WPA Session Keys - Start (PEAP / TLS).

15.12.2017 06:18:27.547 - Generation of WPA Session Keys - Stop.

15.12.2017 06:18:27.547 - Generating Reply Packet - Start.

15.12.2017 06:18:27.547 - Generating Reply Packet - Stop.

15.12.2017 06:18:27.547 - RadAuth reply to : 10.9.5.3:16329 (Success)
Size : 200
Identifier : 17
Attributes :

User-Name = Singh.Jasvinder@dbjw.local
Idle-Timeout = 300
MS-MPPE-Send-Key = 809AD762E647D3FBFDC10D72FB6FC9A92C953EA8D5ADB01BAE0AA9396C4708F54F6C1DB6DC2CB8CC5D9BCB7F579B6E08A9CC
Session-Timeout = 300
MS-MPPE-Recv-Key = 809B89BDEE211270013B33C5EF8B3FEBD83E4804DB8940E6D545A83116B9933AECDD723856ED6882019A54B3D8F268AC7273

15.12.2017 06:18:27.905 - RadAcct req. from : 10.9.5.3:15841 [UDP]

Size : 213 / 213
Identifier : 18
Attributes :

NAS-Port-Id = 3
NAS-Port = 3
Calling-Station-Id = 48-27-EA-AF-13-96
NAS-Port-Type = Wireless
Acct-Status-Type = Start
Acct-Session-Id = 4827eaaf1396-3985778282
NAS-Identifier = WLAN-KIRSCH2
User-Name = Singh.Jasvinder@dbjw.local
Called-Station-Id = 0A-A0-57-25-0C-EF:UMA
NAS-IP-Address = 10.9.5.3

15.12.2017 06:18:27.905 - Simultaneous session counter for user 'singh.jasvinder@dbjw.local' set to 1.
