Re[2]: limiting sessions

2006-11-09 Thread Andrew Long
 On Thursday 09 November 2006 11:00, Andrew Long wrote:
 Here is the output from radiusd -X regarding the answer to an
 auth-request from one of the properties where I changed
 session-timeout to 1800. It does not look to me like the
 session-timeout attribute is being sent... any suggestions?

 Where are you setting Session-Timeout?  If it is being added by an sql entry,
 run the queries shown in your debug output to verify the rows returned from
 the database are correct.

 What are the check and reply items for the section that contains the 
 Session-Timeout attribute?  Are they matching attributes in the 
 Access-Request packet you sent?

 Kevin Bonner

I grabbed the response from radius to an auth-request from aroma and
it does not appear to include the session timeout attr-value pair,
but it did authorize.

So, I ran the query that the module ran (grabbed from the -x output)

SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = '4aroma70370'
AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id

and found that it came up with a null set for that user when run
against radgroupreply,usergroup (session-timeout is in radgroupreply).

Next, I looked in usergroup with

SELECT
`usergroup`.`UserName`,
`usergroup`.`creationdate`,
`usergroup`.`GroupName`
from usergroup
where username like '%aroma%'
order by creationdate desc
limit 1000;

and found no pairs for recent aroma usernames and no entry for
'4aroma70370'.

also ran

SELECT
`usergroup`.`UserName`,
`usergroup`.`creationdate`,
`usergroup`.`GroupName`
from usergroup
where username = '4aroma70370';

and that also comes up null...

Does it make sense that radius is not recognizing the usernames as
belonging to the group 'aroma', thus not assigning the group-reply?
This is my current thought on this, but I'm not sure why it would
still authorize the request, unless it's not necessary that users be
part of group.

I am thinking that some usernames were created and added to the
radcheck table but were overlooked in usergroup...
  

-- 
Regards,
Andrew

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re[2]: limiting sessions

2006-11-09 Thread Andrew Long

 On Thursday 09 November 2006 11:34, Andrew Long wrote:
 also ran

 SELECT
 `usergroup`.`UserName`,
 `usergroup`.`creationdate`,
 `usergroup`.`GroupName`
 from usergroup
 where username = '4aroma70370';

 and that also comes up null...

 Does it make sense that radius is not recognizing the usernames as
 belonging to the group 'aroma', thus not assigning the group-reply?

 Yes, because the radius server does what you configure it to do.  You should
 have control over the usergroup table, so it shouldn't be difficult to add
 the missing records.

 If you're still stuck, try sending relevant output from all of your sql
 tables.  The actual row data should be good enough, unless you've mangled the
 table structure to suit local needs.

 This is my current thought on this, but I'm not sure why it would
 still authorize the request, unless it's not necessary that users be
 part of group.

 It isn't necessary.  The cleartext password needed for CHAP was provided by a
 module (users, sql, ??), so the access request was accepted.

 Kevin Bonner

I have verified that there are indeed username-password pairs in
radreply where those usernames do not exist in 'usergroups'. Here is
what I propose and I'd like confirmation that my thinking is accurate
before I do it...

First, I grabbed all the usernames from radcheck for the given
property. Then I write a script to insert them into usergroup (with
other appropriate values), which I run after clearing the usergroup
table of all records where the group is the one I am interested in.

DELETE FROM radius.usergroup WHERE GroupName = 'aroma';

THEN...

INSERT INTO radius.usergroup (UserName, CreationDate, GroupName)
VALUES ('username0001', (CURRENT_DATE), 'aroma');

repeated for all 500 usernames...

I think this should work, as all the usernames in use are stored in
radcheck and I'm not touching that table at all. Worst case scenario,
users continue to authenticate without a session limit and I go back
to work...

DOES THIS SOUND RIGHT?

Andrew
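
Added example, not part of the original posts: the gap described in this thread (accounts that authenticate from radcheck but have no usergroup row, so no group reply such as Session-Timeout is returned) can be audited and backfilled in one pass, without the DELETE step. It assumes MySQL, a UserName column in radcheck, and that the property's accounts are the ones whose name contains 'aroma', as in the queries above.

```sql
-- Added example (MySQL dialect). Assumptions: radcheck has a UserName column,
-- and the property's accounts are those whose name contains 'aroma'.

-- 1. Audit: accounts that can authenticate (present in radcheck) but have no
--    'aroma' membership row, so no radgroupreply attributes apply to them.
SELECT DISTINCT c.UserName
FROM radcheck AS c
LEFT JOIN usergroup AS g
       ON g.UserName  = c.UserName
      AND g.GroupName = 'aroma'
WHERE c.UserName LIKE '%aroma%'
  AND g.UserName IS NULL
ORDER BY c.UserName;

-- 2. Backfill only the missing memberships. Existing usergroup rows are left
--    untouched, and re-running the statement inserts nothing new.
INSERT INTO usergroup (UserName, CreationDate, GroupName)
SELECT DISTINCT c.UserName, CURRENT_DATE, 'aroma'
FROM radcheck AS c
LEFT JOIN usergroup AS g
       ON g.UserName  = c.UserName
      AND g.GroupName = 'aroma'
WHERE c.UserName LIKE '%aroma%'
  AND g.UserName IS NULL;

-- 3. Verify with the query the sql module ran (taken from the debug output
--    quoted earlier in the thread). It should now return the group's reply
--    rows for this user instead of an empty set.
SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute,
       radgroupreply.Value, radgroupreply.op
FROM radgroupreply, usergroup
WHERE usergroup.Username = '4aroma70370'
  AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id;
```

Running step 1 again after step 2 should return no rows; any name that still appears is an account that will keep authenticating without the group's session limit.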





Re[2]: limiting sessions

2006-11-07 Thread Andrew Long
 Andrew Long [EMAIL PROTECTED] wrote:
 I need to boot users at one property after a specified time period.
 We have adjusted the max-daily-session to 1800 (30 minutes),
 but users still seem to be staying on. Can someone point me in the
 right direction. The NAS is a Colubris cn3000.

   Why use Max-Daily-Session?  What's wrong with Session-Timeout?

   Alan DeKok.


My understanding from reading the Radius book made it sound like
session-timeout will allow the user to re-connect.

Am I wrong here?

The hotspot is a cafe. We provide them a list of passwords (actually
usernames) which their customers use to authenticate with our radius
server. Right now, they recycle that list. Any way I can impose the
limit so the user can not use the same code to log in again, at least
in that day? If I have to create more codes, that's fine... I don't
care about that, just about getting these sessions terminated so they
don't have customers lounging...

  Andrew Long
