> > When a user logs in 23 hours and 59 minutes after the first
> > connection, I expected freeradius to return the Session-Timeout
> > attribute in the access-accept (with value 60).
> >
> > Actually it does not, so the user can stay connected well after the 24
> > hours limit.
>
> So... what does the server respond with? What does debugging mode say?

I'll give 2 detailed examples of what happens. We use the SQL schema given with freeradius, and the configuration is a very easy one:

radius=> select * from usergroup;
 id | username | groupname
----+----------+-----------
  2 | joachim  | users

The requests for authorization, accounting and so on are the ones in the original postgresql.conf; we did not modify them.

Let's assume we are on 2005 March 29, 10:50:00.

In radcheck we put:

radius=> select * from radcheck;
 id | username | attribute  | op |        value
----+----------+------------+----+----------------------
  2 | joachim  | PASSWORD   | == | pwd_joachim
 12 | joachim  | Expiration | := | 28 Mar 2005 23:50:00

Then with NTradping we send an authentication request to our freeradius, which answers as we guessed: Access-Reject, Reply-Message=Password has expired.

If we now set:

radius=> select * from radcheck;
 id | username | attribute  | op |        value
----+----------+------------+----+----------------------
  2 | joachim  | PASSWORD   | == | pwd_joachim
 12 | joachim  | Expiration | := | 29 Mar 2005 23:50:00

and resend an authentication request, we only get an Access-Accept, with no attribute. This is where we expected to see a Session-Timeout attribute, just like what happens when we set Login-Time in the radcheck table.

You'll find what debugging mode says in this last example, at the end of this mail. I'm sorry for the dump, but I could not guess whether the request would be useful. I did not find any hint of what goes wrong, but maybe this is just normal behavior.

Joachim

Here's what debugging mode says for example where:

radius=> select * from radcheck;
 id | username | attribute  | op |        value
----+----------+------------+----+----------------------
  2 | joachim  | PASSWORD   | == | pwd_joachim
 12 | joachim  | Expiration | := | 29 Mar 2005 23:50:00

and assuming the current date is 2005 March 29, 10:50:00

rad_recv: Access-Request packet from host 192.168.1.1:1571, id=17, length=53
    User-Name = "joachim"
    User-Password = "pwd_joachim"
    NAS-Port = 5
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 16
modcall[authorize]: module "preprocess" returns ok for request 16
radius_xlat: 'joachim'
rlm_sql (sql): sql_set_user escaped user --> 'joachim'
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = 'joachim' ??ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = 'joachim' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = 'joachim' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = 'joachim' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = 'joachim' ??ORDER BY id'
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = 'joachim' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'joachim' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id'
rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'joachim' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok for request 16
modcall: group authorize returns ok for request 16
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [joachim] (from client private-network-1 port 5)
Sending Access-Accept of id 17 to 192.168.1.1:1571
Finished request 16
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 16 ID 17 with timestamp 4249299b
Nothing to do. Sleeping until we see a request.
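
Added example, not part of the original mail and not FreeRADIUS code: a Python check that reads a debug excerpt like the one above and flags every Access-Accept that lacks the Session-Timeout implied by the Expiration check item. The function names, the constructed second packet and the indented layout of reply attributes are assumptions.

```python
import re
from datetime import datetime

SENDING = re.compile(r"^Sending (Access-\w+) of id (\d+) to \S+$")
ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?$')

# First packet: lines taken from the debug output in the mail.
# Second packet: constructed, showing the reply the poster expected.
SAMPLE_LOG = """\
Login OK: [joachim] (from client private-network-1 port 5)
Sending Access-Accept of id 17 to 192.168.1.1:1571
Finished request 16
Sending Access-Accept of id 18 to 192.168.1.1:1571
\tSession-Timeout = 46800
Finished request 17
"""

def parse_replies(log_text):
    """Return [(code, packet_id, {attribute: value})] for each sent packet."""
    replies, attrs = [], None
    for line in log_text.splitlines():
        line = line.rstrip()
        sent = SENDING.match(line)
        if sent:
            attrs = {}
            replies.append((sent.group(1), int(sent.group(2)), attrs))
        elif attrs is not None:
            attr = ATTR.match(line)
            if attr:
                attrs[attr.group(1)] = attr.group(2)
            else:
                attrs = None  # first unindented line ends the attribute list
    return replies

def seconds_left(expiration, now):
    """Seconds until the radcheck Expiration value, or None if already past."""
    end = datetime.strptime(expiration, "%d %b %Y %H:%M:%S")
    left = int((end - now).total_seconds())
    return left if left > 0 else None

def audit(log_text, expiration, now):
    """Flag Access-Accepts that let a session outlive the Expiration date."""
    limit, findings = seconds_left(expiration, now), []
    for code, packet_id, attrs in parse_replies(log_text):
        if code != "Access-Accept":
            continue
        if limit is None:
            findings.append((packet_id, "accepted after Expiration"))
        elif "Session-Timeout" not in attrs:
            findings.append((packet_id, "no Session-Timeout, expected <= %d" % limit))
        elif int(attrs["Session-Timeout"]) > limit:
            findings.append((packet_id, "Session-Timeout exceeds %d" % limit))
    return findings
```

With the mail's values (Expiration 29 Mar 2005 23:50:00, current time 10:50:00 the same day) the limit is 46800 seconds, so packet id 17 is reported and the constructed packet id 18 passes.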