Re: Session-Timeout anomalies
Alan, Being a moderator does NOT give you moral license to treat people like children. You're a rude man. Please ban me. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Session-Timeout anomalies
Again Alan, read between the lines. I've been scanning these emails
from this group for about year through google searches.
What I've learned from this mailing list is that you routinely castigate
people who ask questions on here. That's rude. Your tone is arrogant.
And that's rude.
Yes, I'm being condescending but it's in order to point out your
rudeness -- hopefully in an entertaining way. You're apparently a
hopeless case where that's concerned.
What it seems to me that this thread needs is a set of discussions that
don't include a staple diet of questioner-castigation, as you've done
here to me. OF course I expected it, even counted on it, to make the
point I'm making here. No one is being led down the wrong path. You
just need to lighten up and be a little less arrogant. A little nicer.
A human being.
And the whole thing sailed right over your arrogant head. Read this
exchange, and I rest my case right there.
I'm trying to make this fun, and be worthwhile as a
thread. So caaalm down. ok? I'll post the debug output along with
what it reveals as soon as I've worked it all out thoroughly. Trust me. :)
That is completely the wrong approach. You are misleading everyone
else by suggesting that method.
Stop it.
Now *there* is a wholly useful piece of information. Bravo! Sooner or
later, we'll clear out enough of the rants to expose goodies, no? :D
I figured that it was hopeless to get you to follow the existing
documentation. So maybe if I spoon-fed it to you in pieces you might
think about it, and follow instructions.
By the way Alan, I didn't need that spoon fed to me. I'm drawing out
information for the benefit of others and frankly, just seeing if you
have anything in your repertoire that doesn't include trying to belittle
people who are asking for help. Jury is still out on that one, but
wearing a frown as they deliberate. :)
Now for the useful stuff.
Here is the telling part of the freeradius -X output that I ran earlier
this morning and printed out to use as a reference in my inquiries:
[accessperiod] expand: %{sql:SELECT
IF(COUNT(radacctid>=1),(UNIX_TIMESTAMP() -
IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName
= 'cgitest' AND AcctSessionTime >= 1 ORDER BY AcctStartTime LIMIT 1} ->
231238
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user cgitest, check_item=2592000, counter=231238
rlm_sqlcounter: Sent Reply-Item for user cgitest, Type=*Session-Timeout,
value=2360762*
++[accessperiod] returns ok
So, there's something fishy with the rlm_sqlcounter module. Looks like
the place to start.
Stay tuned, film at 11.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Session-Timeout anomalies
On 02/08/2013 09:50 AM, Alan DeKok wrote:
Bill Isaacs wrote:
Ok so the question then is: where the hell is radclient getting the
notion that the account has 2366393 seconds left?
From the RADIUS server. This isn't magic. radclient doesn't invent
attributes in reply packets. It receives them from the RADIUS server.
Well... your question about "where does radclient get that value from"
is entirely missing the point. It gets it from the RADIUS server. I've
said this. I have no idea how to convince you it's true.
Alan, you're so much more fun when you're not being myopic. lol Of
course it's getting the answer from the radius server. You really think
I don't know that?
And the *only* way to debug the RADIUS server is to look at the debug
output.
And no, your original message did *not* say you had run the server in
debugging mode. There's only a reference to creating an account for
debugging purposes. There's no "radiusd -X" output.
You're quite right Alan, it didn't. NOR did I say that it did. To
paraphrase you, "You're staring at the first sentence, wondering where
the debug output is. That's a mistake". :D
What I DID say was "I'm researching this anomaly myself in all the
documentation, but thought it would also be helpful /both to me and to
others/ to post the problem here." (emphasis added).
What I implied in the ensuing message was that it would be posted here
once I tracked the message down, but that posting it and the solution
in nice digestible pieces for those not familiar at all with radius
would be helpful to them. I suspect if you went to decaf and quit
asking 'why' others don't just do what should be done, you would have
understood that.
Take a deep breath. Read between the lines, and realize that if others
understood radius the way you do, you'd be out of a job (at least on the
board here). I'm trying to make this fun, and be worthwhile as a
thread. So caaalm down. ok? I'll post the debug output along with
what it reveals as soon as I've worked it all out thoroughly. Trust me. :)
... why I'm
getting annoyed.
See "decaf" above.
If you want to track down the issue to a specific module, update the
config to do:
update reply {
Reply-Message += "A %{reply:Session-Timeout}"
}
Cut & paste that through various pieces of authorize, post-auth, etc.
Change the "A" to "B", "C", etc. You should see 10-20 Reply-Messages
in the Access-Accept. Each with a value for Session-Timeout. That lets
you track *what* the value is, and *where* in the config the value is
coming from.
Then once you know it's a particular module, you can figure out how to
fix that module.
Now *there* is a wholly useful piece of information. Bravo! Sooner or
later, we'll clear out enough of the rants to expose goodies, no? :D
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Session-Timeout anomalies
Ok so the question then is: where the hell is radclient getting the notion that the account has 2366393 seconds left? That is *entirely* the wrong question. It's why you haven't solved the problem yet. Look at the *radius server* debug output. It's the one sending the Session-Timeout. You should be able to figure out where the session-timeout is coming from. Where is "Session-Timeout" getting this information? Why is it only doing it on some accounts and not others? Look at the debug output. Honestly. We say this DAILY on this list. There is no excuse for refusing to do that. Alan, take a deep breath. Of course I've looked at the debug output. Note my opening sentence, ol' pardner. ;) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Session-Timeout anomalies
Hello all,
I'm researching this anomaly myself in all the documentation, but
thought it would also be helpful both to me and to others to post the
problem here.
SYMPTOM: Some "Access-Period" accounts (accounts which have X number of
seconds to continue logging in and out starting from the very first
login) are giving too much time -- that is, at some point they reload
the full value of the account type and restart the count down. I
discovered it while developing some interface code for our customer
service dept. So far, this DOES NOT seem to be happening to all
accounts. Moreover, the database info and radclient results are
inconsistent on these accounts that ARE showing the anomaly.
Here is an example of one such account, a development test account which
I created for debugging purposes. It's value is 30 days (2592000 seconds)
Radclient result:
===
# echo User-Name="cgitest",User-Password="cgitest" | radclient -c 1 -n 3
-r 3 -t 3 -x 127.0.0.1:1812 auth -S shared
Sending Access-Request of id 24 to 127.0.0.1 port 1812
User-Name = "cgitest"
User-Password = "cgitest"
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=24,
length=26
Session-Timeout = 2366393
===
sql query:
SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) FROM
radacct WHERE UserName='cgitest' ORDER BY AcctStartTime LIMIT 1 \g
+-+
| IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) |
+-+
| 1447012 |
+-+
===
Ok, the problem here should be obvious but I'll explain these results
for those who are impatient. The "Session-Timeout" number is way too
large. As I stated previously, this is a 30 day account. It was counting
down with no problems until a few days ago. It then mysteriously began
reporting in the popup window which I was working on that it had 29.9
days left on it, after it had already counted down to something like 15
days. It simply seems to have reloaded itself, even though the sql query
reports the accurate number of seconds which have actually expired.
(1447012). So if we do the math: 2592000-1447012=1144988 (or roughly
13.25 days) should be the remaining time on this account. Not 27.38 days.
Here is the sql counter from sqlcounter.conf:
sqlcounter accessperiod {
counter-name = Max-Access-Period-Time
check-name = Access-Period
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = never
query = “SELECT UNIX_TIMESTAMP() – UNIX_TIMESTAMP(AcctStartTime) FROM
radacct WHERE UserName = ‘%{%k}’ ORDER BY AcctStartTime LIMIT 1″
}
(Before anyone bitches about the sql query being different, save your
pixels -- no matter which style of query is used, the account reports
that it began at the same time, there is truly no issue here that I can
see).
ALSO, BEFORE YOU ASK: There is only 1 radius server and only 1 sql
server on the system. Besides, I have tested this exhaustively using
different things like the public IP, the fqdn, etc etc. Results are the
same - that is to say, wrong. lol
Ok so the question then is: where the hell is radclient getting the
notion that the account has 2366393 seconds left? Where is
"Session-Timeout" getting this information? Why is it only doing it on
some accounts and not others?
Any insights would be greatly appreciated. I will post the resolution
here (unless one of you smart lads or lasses beats me to it ;) ).
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
