Re: refresh variable after exec module
Ok. It's working...thanks a lot!! If I execute my script in wait-program-exec then all it's right and I can get out the variable but if I call an external script in exec module, no. Although I put the same sentence to get my goal...thanks for the lesson...curious :-) Alan DeKok escribió: bLn wrote: Because I do an update into radgroupreply but now I'm doing a "select" and save the result into a variable, like this: REPLY_MESSAGE="$(mysql -Ns -h$HOST -u$USER -p$PASS -e "SELECT Value FROM radgroupreply WHERE Attribute='Reply-Message' AND GroupName='$GROUP_NAME'" $BD)" That won't work. The environment variables are NOT passed back to the server when the script exits. The file program scripts/exec-program-wait contains examples of how to pass variables from the script to FreeRADIUS. but the results keep into the script and I don't know how I could get it out. The documentation and examples say how to do this. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: refresh variable after exec module
Because I do an update into radgroupreply but now I'm doing a "select" and save the result into a variable, like this: REPLY_MESSAGE="$(mysql -Ns -h$HOST -u$USER -p$PASS -e "SELECT Value FROM radgroupreply WHERE Attribute='Reply-Message' AND GroupName='$GROUP_NAME'" $BD)" Butt this varibale I can't escape the script. I follow the man of "exec echo" where says "Should we escape the envioronment variables?" and I introduce 3 arguments: program = "/usr/local/freeradius/etc/raddb/pre_script.sh %{User-Name} %{Reply-Message} %{Session-Timeout}" but the results keep into the script and I don't know how I could get it out. In the past post, also I said that I'm trying to play with Exit-Program or Exit-Program-Wait. Is it possible? For example, If I put "exit 2" (fail) or "exit 1" (reject), etc. thanks Ivan Kalik escribió: My script sets into radgroupreply 2 differents values Session-Timeout or Reply-Message, when the script or exec module is finished. Then, in Post-Auth section I do the "update" Why? Why are you writing them to the database and then trying to retrieve them? Why don't you assign them to attributes in the script? Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: refresh variable after exec module
Hi, I've reviewed those manuals (users and unlang) and I think I've got the same way. My script sets into radgroupreply 2 differents values Session-Timeout or Reply-Message, when the script or exec module is finished. Then, in Post-Auth section I do the "update", like this: post-auth{ . exec update reply { Session-Timeout:="%{reply:Session-Timeout}" } } Post-Auth-Type REJECT { attr_filter.access_reject update reply { Reply-Message := "%{reply:Reply-Message}" } sql } I've set in all places (op into radgroupreply and those sentences) with ":=" operator mysql> select * from radgroupreply; ++---+-+++--+ | id | GroupName | Attribute | op | Value | prio | ++---+-+++--+ | 1 | Navega Gratis | Idle-Timeout| := | 300|0 | | 2 | Navega Gratis | Mikrotik-Rate-Limit | := | 128k/512k |0 | | 4 | Navega12meses | Idle-Timeout| := | 300|0 | | 5 | Navega12meses | Mikrotik-Rate-Limit | := | 128k/6M|0 | | 7 | NavegaMes | Idle-Timeout| := | 300|0 | | 8 | NavegaMes | Mikrotik-Rate-Limit | := | 128k/3M|0 | | 10 | Navega Hoy| Idle-Timeout| := | 300|0 | | 11 | Navega Hoy| Mikrotik-Rate-Limit | := | 128k/3M|0 | | 13 | Navega24horas | Idle-Timeout| := | 300|0 | | 14 | Navega24horas | Mikrotik-Rate-Limit | := | 128k/3072k |0 | | 3 | Navega Gratis | Session-Timeout | := | 1800 |0 | | 15 | Navega24horas | Session-Timeout | := | 8938 |0 | | 9 | NavegaMes | Reply-Message | := | NULL |0 | | 16 | Navega24horas | Reply-Message | := | NULL |0 | | 12 | Navega Gratis | Reply-Message | := | NULL |0 | | 17 | Navega12meses | Reply-Message | := | NULL |0 | | 18 | Navega Hoy| Reply-Message | := | NULL |0 | ++---+-+++--+ but the value is the same, the before one I've got a dude.I've proved Reply-Message:="%{reply:Reply-Message}}" but "%{reply:Reply-Message}}" is not the new value in Reply-Message I think, my problem is the new value is being saved into database and it's impossible get it again without a "select" query and I don't know how I can exit the value out the script. I'm trying to salve this value into a variable "Reply-Message" (however into the script is REPLY_MESSAGE). Also I'm playing with the return value of the program run, ie:with exit 1 (reject), exit 2 (fail)...and then I'll do a conditional if with Exit-Program...but unsuccessfully too Alan DeKok escribió: bLn wrote: My script returns 2 possible values: a) If all is correct (ie: an user has time and money to connect) then I set in Session-Timeout with the time available to this user b) If not, then I set Reply-Message with the exactly error. Both of them are in radgroupreply in my database. For that, the value is previously cached in auth section and I can't refresh or update the new value after, in post-auth section Yes, you can. See the documentation on the operators in "man users", or "man unlang". The ":=" operator is likely what you want. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: refresh variable after exec module
Good morning, My script returns 2 possible values: a) If all is correct (ie: an user has time and money to connect) then I set in Session-Timeout with the time available to this user b) If not, then I set Reply-Message with the exactly error. Both of them are in radgroupreply in my database. For that, the value is previously cached in auth section and I can't refresh or update the new value after, in post-auth section Alan DeKok escribió: bLn wrote: but if I wanna update it with a variable that I got from external script and I put this: update reply { Reply-Message := "%{reply:Reply-Message}" Uh... that says "set the Reply-Message to the value of the Reply-Message". What do you *really* want to do? What does the script return? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: refresh variable after exec module
Ok, I'm back with another cuestion. now, if I put the variable in this way, I send the Reply-Message (pepe) with Access-Reject connections update reply { Reply-Message := "pepe" } Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> copaz...@prueba.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated ++[reply] returns updated Sending Access-Reject of id 46 to 192.168.1.10 port 32925 Reply-Message = "pepe" but if I wanna update it with a variable that I got from external script and I put this: update reply { Reply-Message := "%{reply:Reply-Message}" +- entering group post-auth {...} [exec] expand: %{User-Name} -> copaz...@prueba.com [exec] expand: %{Reply-Message} -> Exec-Program output: VALOR 1(Username) ES copaz...@prueba.com El usuario ya esta cnectado El usuario ya esta conectado Exec-Program-Wait: plaintext: VALOR 1(Username) ES copaz...@prueba.com El usuario ya esta cnectado El usuario ya esta conectado Exec-Program: returned: 255 ++[exec] returns fail Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> copaz...@prueba.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated expand: %{reply:Reply-Message} -> NULL ++[reply] returns updated Is it correct this way? Reply-Message := "%{reply:Reply-Message}" thanks bLn escribió: Good morning, I back with the same problem. I've seeing past post for last week but I have any wrong because those solutions don't work for me. I have a script in exec module which set 2 values: Session-Timeout if everything is correct for each user and it calculate his remaining time to connect, and Reply-Message if there is any problem, to show this message to the user I've seen these values are cached before when mysql runs the queries to radcheck, radgroupchek, radreply, etc...in authtorize section and when I execute my script in post-auth module the new values aren't replaced and sent together with Access-Accept or Access-Reject I've done an update in post-auth section, like you said in last posts, in two different modes: first example: Post-Auth-Type REJECT { attr_filter.access_reject update outer.reply { Reply-Message := "%{reply:Reply-Message}" } sql reply_log } Second example: Post-Auth-Type REJECT { attr_filter.access_reject update outer.reply { Reply-Message := "pepe" } sql reply_log } I've set Reply-Message := "pepe" to try without a variable but unsuccessfully because I'm not sure if I've set the variable correctly but if I put the value of variable and this is not send neither it is because my value is not replaced by the before one, ok? why? Post-Auth section post-auth { # Get an address from the IP Pool. #main_pool # # If you want to have a log of authentication replies, # un-comment the following line, and the 'detail reply_log' # section, above. reply_log # # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in sql.conf sql # # Instead of sending the query to the SQL server, # write it into a log file. # sql_log # # Un-comment the following if you have set # 'edir_account_policy_check = yes' in the ldap module sub-section of # the 'modules' section. # #ldap exec update outer.reply { Session-Timeout:="%{reply:Session-Timeout}" } # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # # Add the ldap module name (or instance) if you have set # 'edir_account_policy_check = yes' in the ldap module configuration # Post-Auth-Type REJECT { attr_filter.access_reject update outer.reply { Reply-Message := "pepe" } sql reply_log } } I try with "update reply" too. I don't understand the different between both modes. Can you say me where I can read the neccesary doc to find this difference? thanks in advance and I'm sorry to repeat this issue again - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
refresh variable after exec module
Good morning, I back with the same problem. I've seeing past post for last week but I have any wrong because those solutions don't work for me. I have a script in exec module which set 2 values: Session-Timeout if everything is correct for each user and it calculate his remaining time to connect, and Reply-Message if there is any problem, to show this message to the user I've seen these values are cached before when mysql runs the queries to radcheck, radgroupchek, radreply, etc...in authtorize section and when I execute my script in post-auth module the new values aren't replaced and sent together with Access-Accept or Access-Reject I've done an update in post-auth section, like you said in last posts, in two different modes: first example: Post-Auth-Type REJECT { attr_filter.access_reject update outer.reply { Reply-Message := "%{reply:Reply-Message}" } sql reply_log } Second example: Post-Auth-Type REJECT { attr_filter.access_reject update outer.reply { Reply-Message := "pepe" } sql reply_log } I've set Reply-Message := "pepe" to try without a variable but unsuccessfully because I'm not sure if I've set the variable correctly but if I put the value of variable and this is not send neither it is because my value is not replaced by the before one, ok? why? Post-Auth section post-auth { # Get an address from the IP Pool. #main_pool # # If you want to have a log of authentication replies, # un-comment the following line, and the 'detail reply_log' # section, above. reply_log # # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in sql.conf sql # # Instead of sending the query to the SQL server, # write it into a log file. # sql_log # # Un-comment the following if you have set # 'edir_account_policy_check = yes' in the ldap module sub-section of # the 'modules' section. # #ldap exec update outer.reply { Session-Timeout:="%{reply:Session-Timeout}" } # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # # Add the ldap module name (or instance) if you have set # 'edir_account_policy_check = yes' in the ldap module configuration # Post-Auth-Type REJECT { attr_filter.access_reject update outer.reply { Reply-Message := "pepe" } sql reply_log } } I try with "update reply" too. I don't understand the different between both modes. Can you say me where I can read the neccesary doc to find this difference? thanks in advance and I'm sorry to repeat this issue again - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
problem with eap-tls between FR and XP client
hi forum, I'm trying to connect a Windows XP client (also I'm trying with Vista) with freeradius with EAP-TLS. I made my set of certificates (from this site http://www.linuxjournal.com/node/8095/print) and now, I have: CA, radius_cert.pem, radius_key.pem, radius_keycert.pemradius_req.pem, cliente_cert.p12, cliente_key.pem, cliente_cert.pem, cliente_req.pem, dh, random, xpextensions, xpclient_ext, xpserver_ext I've configured eap.conf of this way: tls { certdir = ${confdir}/certs2 cadir = ${confdir}/certs2 private_key_password = *** private_key_file = ${certdir}/radius_keycert.pem certificate_file = ${certdir}/radius_keycert.pem CA_file = ${cadir}/cacert.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" And I've installed my cacert.pem and cliente_cert.p12 into mmc into Trusted Root Certification Authorities and Personal - certificates, respectively. When I try to connect with freeradius my log is this: (it's too long because I see the same request again and again) rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=159, length=199 User-Name = "carlosg...@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x021a016361726c6f7367617269407769746563682e636f6d Message-Authenticator = 0xc6247c05f7aae962aecbc459c9416907 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosg...@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 0 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> carlosg...@realmprueba.com [sql] sql_set_user escaped user --> 'carlosg...@realmprueba.com' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlosg...@realmprueba.com' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'carlosg...@realmprueba.com' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega Mes' ORDER BY id [sql] User found in group Navega Mes [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 159 to 10.0.0.1 port 3072 EAP-Message = 0x010100060d20 Message-Authenticator = 0x State = 0x84a02e6384a123686383961ecc8fb910 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=160, length=191 User-Name = "carlosg...@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060319 State = 0x84a02e6384a123686383961ecc8fb910 Message-Authenticator = 0xe9335e399fadf61413fddd7e717c778f +- entering group authorize {...
Re: refresh Session-Timeout in Access-Accept
t...@kalik.net escribió: Hi again, I use that operator := [exec] expand: %{User-Name} -> be...@wifiya.com Exec-Program output: VALOR 1(Username) ES be...@wifiya.com Session-Timeout = 79845 Exec-Program-Wait: plaintext: VALOR 1(Username) ES be...@wifiya.com *Session-Timeout = 79845* Exec-Program: returned: 0 Let's try again: use := as operator!!! Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html this *Session-Timeout = 79845* is just an echo from my script. In my database, I have := as operator. echo "Session-Timeout = $CONEXION_SEG" exit 0 If you want I´ll post my script too but I think, rlm_sql is executed before exec module and for that it send the value from sql query, but I´m not sure - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: refresh Session-Timeout in Access-Accept
t...@kalik.net escribió: Hi again, I use that operator := Post the debug then. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html hi again, I post my debug: ** Ready to process requests. rad_recv: Access-Request packet from host xx.xx.xx.xx port 27230, id=27, length=212 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00:15:C5:72:9E:D2" Called-Station-Id = "hotspot1" NAS-Port-Id = "ether2" User-Name = "be...@wifiya.com" NAS-Port = 2156920840 Acct-Session-Id = "8098" Framed-IP-Address = 192.168.10.5 Mikrotik-Host-IP = 192.168.10.5 CHAP-Challenge = 0xcfb6c69e706cf277bacb734dbab2d57c CHAP-Password = 0x80ade15e6b644f755e95c481630aee5393 Service-Type = Login-User WISPr-Logoff-URL = "http://192.168.1.1/logout"; NAS-Identifier = "pruebas wiloc" NAS-IP-Address = 192.168.1.11 +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [sql] expand: %{User-Name} -> be...@wifiya.com [sql] sql_set_user escaped user --> 'be...@wifiya.com' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'be...@wifiya.com' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'be...@wifiya.com' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega24horas' ORDER BY id [sql] User found in group Navega24horas [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega24horas' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "be...@wifiya.com" with CHAP password [chap] Using clear text password "***" for user be...@wifiya.com authentication. [chap] chap user be...@wifiya.com authenticated succesfully ++[chap] returns ok Login OK: [be...@wifiya.com/] (from client malditaprueba port 2156920840 cli 00:15:C5:72:9E:D2) +- entering group post-auth {...} [sql] expand: %{User-Name} -> be...@wifiya.com [sql] sql_set_user escaped user --> 'be...@wifiya.com' [sql] expand: %{User-Password} -> [sql] expand: %{Chap-Password} -> 0x80ade15e6b644f755e95c481630aee5393 [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'be...@wifiya.com', '0x80ade15e6b644f755e95c481630aee5393', 'Access-Accept', '2009-01-26 13:11:49') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'be...@wifiya.com', '0x80ade15e6b644f755e95c481630aee5393', 'Access-Accept', '2009-01-26 13:11:49') rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok [sql_log] Processing sql_log_postauth [sql_log] expand: %{User-Name} -> be...@wifiya.com [sql_log] expand: %{%{User-Name}:-DEFAULT} -> be...@wifiya.com [sql_log] sql_set_user escaped user --> 'be...@wifiya.com' [sql_log] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [sql_log] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S'); -> INSERT INTO
Re: refresh Session-Timeout in Access-Accept
Marinko Tarlac escribió: Hi... Can you help me please How did you set-up exec module ? In FR1.1.7 it is enough to add Exec in acct_users and to call script on Start, Stop and Interim-Update packet but the same trick in fr 2.1.3 doesn't work (at least for me). I really don't know because my script is very simple. It follows different roads (if-then-else) and executes queries in my database depends of the client. I set up in exec module exec { wait = yes program = "/usr/local/freeradius/etc/raddb/pre_script.sh %{User-Name}" input_pairs = request shell_escape = yes output = reply } Regards PS: Thanks Ivan, I can't put my debug now but thanks anyway. I'll put it as soon as possible. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: refresh Session-Timeout in Access-Accept
Hi again, I use that operator := regards t...@kalik.net escribió: My problem is the next: I have a script, executed in exec module, that calculate the variable "Session-Timeout" for each user, and another different cases. Well, in the debug of freeradius I see that exec is executed after sql queries (radgroupreply in this case) and if I change Session-Timeout variable, in my script, and previously freeradius has read Session-timeout from the database when freeradius sends Access-Accept to the NAS the value of Session-Timeout is not the recent value if not the previous data saved in the field Session-Timeout before have executed the script Use Session-Timeout := ... not =. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
refresh Session-Timeout in Access-Accept
Hi everyone! I have another problem with freeradius. I´m working with freeradius-server-2.1.3 and mysql-5.0. My problem is the next: I have a script, executed in exec module, that calculate the variable "Session-Timeout" for each user, and another different cases. Well, in the debug of freeradius I see that exec is executed after sql queries (radgroupreply in this case) and if I change Session-Timeout variable, in my script, and previously freeradius has read Session-timeout from the database when freeradius sends Access-Accept to the NAS the value of Session-Timeout is not the recent value if not the previous data saved in the field Session-Timeout before have executed the script There are any way to refresh this value??? I've try to do a commit or flush without success. I guess, the value is stored in the cache and if there isn't any way I'm gonna try to change this value, through a trigger, in the moment of close the connection in radacct, for give an example. Thanks in advance bLn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html