> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, July 28, 2003 11:52 AM
> To: [EMAIL PROTECTED]
> Subject: Session/Time Limits - how?
>
>
>
> Hi...
>
> Wondering how people here are doing session limits for their
> radius users
> (i.e. 4 hour hard limit, etc), and how they are terminating sessions
> manually (at the moment I'm doing it from an interface on the NAS).
>
You can use the 'counter' module in radiusd.conf. There is an example of
'daily', and you can define your own. Read the comment there.
You need to have this counter module defined in
'instantiate', 'authorize', and 'accounting' sections of radiusd.conf.
Essentially, you defined a 'key' as the key reference to database look up.
the default is the 'User-Name' attribute.
Then you define what attribute to use as the counter in 'count-attribute'.
By default it is the 'Acct-Session-Time'. This attribute has to be defined
in the RFC because it is part of the protocol exchange.
You also define what kind of service type to look to trigger the counter in
'allowed-servicetype'. This is the value of the standard RFC attribute
'Service-Type'.
The allowable names are defined in the 'dictionary'' file.
Finally you define your own attribute name in the 'check-name' item in
counter
configuration block that contains the limit you want to set.
This attribute is user defined, e.g. 'Max-Daily-Session' in the example.
If everybody has the same limit, e.g. 3600 seconds, you can define the
following
in 'users'.
DEFAULT Max-Daily-Session := 3600
If the values differ from user to user, you will have different entries,
e.g.
Foo Max-Daily-Session := 3600
Bar Max-Daily-Session := 2400
Or if you use DB, e.g. MySQL, for the backend, you put these in 'radcheck'
table
mysql> select * from radcheck;
++--+---++-+
| id | UserName | Attribute | op | Value |
++--+---++-+
| 1 | Foo | User-Password | == | footest |
| 2 | Foo | Max-Daily-Session | := | 3600|
| 3 | Bar | User-Password | == | bartest |
| 4 | Bar | Max-Daily-Session | := | 2400|
++--+---++-+
4 rows in set (0.00 sec)
When a user logs in, the counter module will insert a reply of
'Session-Timeout = ' in the message. The value of '' comes
from the limit you set, e.g. 'Max-Daily-Session'.
Each time an 'accounting stop' request is sent to the server. The value of
counter-attribute, i.e. 'Acct-Session-Time', is subtracted from this
max value if it is an integer, or just 1 if that attribute is not an
integer.
When the max value finally reaches 0 and the user tries to log in again,
access will be denied to that user.
To reset the counter, you define the 'reset' item in counter configuration
block to
whatever behavior you like.
It does not matter how the client session ends, as long as the 'accounting
stop'
request contains the following attributes.
1. User-Name matches the same user that sends the previous
'accounting-start' request.
2. Acct-Session-Id matches.
3. Acct-Session-Time specifies the duration of the session.
4. Service-Type matches the 'allowed-servicetype' in the counter
configuration.
> Can this be done from within freeradius (I'm auth'ing realms/users out
> of a mysql DB) per group or per user, or are there 3rd party apps to
> do this?
>
> In the case of the latter, what exactly needs to be done to
> end a session
> if I was to write my own script to do this? I'm in the
> middle of writing
> a centralised GPL'ed web interface for ISP's, and wish to use
> freeradius
> for this.
>
> Thankyou
>
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
