Re[2]: limiting sessions
> On Thursday 09 November 2006 11:00, Andrew Long wrote:
> > Here is the output from radiusd -X regarding the answer to an auth-request from one of the properties where I changed session-timeout to 1800. It does not look to me like the session-timeout attribute is being sent... any suggestions?
>
> Where are you setting Session-Timeout? If it is being added by an sql entry, run the queries shown in your debug output to verify the rows returned from the database are correct.
>
> What are the check and reply items for the section that contains the Session-Timeout attribute? Are they matching attributes in the Access-Request packet you sent?
>
> Kevin Bonner

I grabbed the response from radius to an auth-request from aroma and it does not appear to include the session timeout attr-value pair, but it did authorize. So, I ran the query that the module ran (grabbed from the -x output)

    SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '4aroma70370' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id

and found that it came up with a null set for that user when run against radgroupreply,usergroup (session-timeout is in radgroupreply).

Next, I looked in usergroup with

    SELECT `usergroup`.`UserName`, `usergroup`.`creationdate`, `usergroup`.`GroupName` from usergroup where username like '%aroma%' order by creationdate desc limit 1000;

and found no pairs for recent aroma usernames and no entry for '4aroma70370'.

Also ran

    SELECT `usergroup`.`UserName`, `usergroup`.`creationdate`, `usergroup`.`GroupName` from usergroup where username = '4aroma70370';

and that also comes up null...

Does it make sense that radius is not recognizing the usernames as belonging to the group 'aroma', thus not assigning the group-reply? This is my current thought on this, but I'm not sure why it would still authorize the request, unless it's not necessary that users be part of group.

I am thinking that some usernames were created and added to the radcheck table but were overlooked in usergroup...

--
Regards,
Andrew

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[2]: limiting sessions
> On Thursday 09 November 2006 11:34, Andrew Long wrote:
> > also ran
> >
> >     SELECT `usergroup`.`UserName`, `usergroup`.`creationdate`, `usergroup`.`GroupName` from usergroup where username = '4aroma70370';
> >
> > and that also comes up null...
> >
> > Does it make sense that radius is not recognizing the usernames as belonging to the group 'aroma', thus not assigning the group-reply?
>
> Yes, because the radius server does what you configure it to do. You should have control over the usergroup table, so it shouldn't be difficult to add the missing records. If you're still stuck, try sending relevant output from all of your sql tables. The actual row data should be good enough, unless you've mangled the table structure to suit local needs.
>
> > This is my current thought on this, but I'm not sure why it would still authorize the request, unless it's not necessary that users be part of group.
>
> It isn't necessary. The cleartext password needed for CHAP was provided by a module (users, sql, ??), so the access request was accepted.
>
> Kevin Bonner

I have verified that there are indeed username-password pairs in radreply where those usernames do not exist in 'usergroups'. Here is what I propose and I'd like confirmation that my thinking is accurate before I do it...

First, I grabbed all the usernames from radcheck for the given property. Then I write a script to insert them into usergroup (with other appropriate values), which I run after clearing the usergroup table of all records where the group is the one I am interested in.

    DELETE FROM radius.usergroup WHERE GroupName = 'aroma';

THEN...

    INSERT INTO radius.usergroup (UserName, CreationDate, GroupName) VALUES ('username0001', (CURRENT_DATE), 'aroma');

repeated for all 500 usernames...

I think this should work, as all the usernames in use are stored in radcheck and I'm not touching that table at all. Worst case scenario, users continue to authenticate without a session limit and I go back to work...

DOES THIS SOUND RIGHT?

Andrew
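An added example, not part of either poster's message: the diagnosis and repair discussed above, done as an anti-join that lists radcheck users with no usergroup row, followed by a single transactional INSERT ... SELECT that adds only the missing rows instead of deleting and re-inserting the whole group. It assumes the stock radcheck columns (id, UserName, Attribute, op, Value), uses an in-memory SQLite database in place of the MySQL server, and all rows are constructed sample data.

```python
import sqlite3

GROUP, PATTERN = "aroma", "%aroma%"   # group and username pattern from the thread

def build_db():
    """Constructed sample data: one aroma user is missing from usergroup."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT,
                             Attribute TEXT, op TEXT, Value TEXT);  -- assumed schema
      CREATE TABLE usergroup (UserName TEXT, CreationDate TEXT, GroupName TEXT);
      CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT,
                                  Attribute TEXT, op TEXT, Value TEXT);
      INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES
        ('4aroma70370', 'User-Password', ':=', 'sample1'),
        ('4aroma70371', 'User-Password', ':=', 'sample2'),
        ('4lobby00001', 'User-Password', ':=', 'sample3');
      INSERT INTO usergroup VALUES ('4aroma70371', '2006-10-01', 'aroma');
      INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
        VALUES ('aroma', 'Session-Timeout', ':=', '1800');
    """)
    return db

def missing_members(db):
    """radcheck users matching the pattern that have no row in the group."""
    rows = db.execute("""
        SELECT DISTINCT c.UserName FROM radcheck c
        LEFT JOIN usergroup g ON g.UserName = c.UserName AND g.GroupName = ?
        WHERE c.UserName LIKE ? AND g.UserName IS NULL
        ORDER BY c.UserName""", (GROUP, PATTERN))
    return [r[0] for r in rows]

def backfill(db):
    """Add only the missing memberships, atomically; returns rows added."""
    before = db.total_changes
    with db:  # commits on success, rolls back on error
        db.execute("""
            INSERT INTO usergroup (UserName, CreationDate, GroupName)
            SELECT DISTINCT c.UserName, CURRENT_DATE, ? FROM radcheck c
            WHERE c.UserName LIKE ? AND NOT EXISTS (
                SELECT 1 FROM usergroup g
                WHERE g.UserName = c.UserName AND g.GroupName = ?)""",
            (GROUP, PATTERN, GROUP))
    return db.total_changes - before

def group_reply(db, user):
    """Same join as the group-reply query in the debug output."""
    return db.execute("""
        SELECT radgroupreply.Attribute, radgroupreply.Value
        FROM radgroupreply, usergroup
        WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupreply.GroupName
        ORDER BY radgroupreply.id""", (user,)).fetchall()
```

Running `missing_members` again after `backfill` should return an empty list, and a second `backfill` adds nothing, so the repair is safe to repeat.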
Re[2]: limiting sessions
> Andrew Long [EMAIL PROTECTED] wrote:
> > I need to boot users at one property after a specified time period. We have adjusted the max-daily-session to 1800 (30 minutes), but users still seem to be staying on. Can someone point me in the right direction. The NAS is a Colubris cn3000.
>
> Why use Max-Daily-Session? What's wrong with Session-Timeout?
>
> Alan DeKok.

My understanding from reading the Radius book made it sound like session-timeout will allow the user to re-connect. Am I wrong here?

The hotspot is a cafe. We provide them a list of passwords (actually usernames) which their customers use to authenticate with our radius server. Right now, they recycle that list. Any way I can impose the limit so the user can not use the same code to log in again, at least in that day? If I have to create more codes, that's fine... I don't care about that, just about getting these sessions terminated so they don't have customers lounging...

Andrew Long