Usage of Session-Timeout

2013-10-09 Thread Volker Lieder
Hi,

we upgraded a freeradius setup from 1.x to 2.1.10+dfsg-2+squeeze1 on Debian 
Squeeze.

Within the old version, we used a database config for groups with an attribute 
Session-Timeout and the value `%{expr:06:00}`
With the new version, freeradius sends an error, seen in debug mode, like:

Tue Oct  1 16:15:23 2013 : Info: [sql]  expand: 06:00 -> 06:00
Tue Oct  1 16:15:23 2013 : Info: [sql] Not a number at :00
Tue Oct  1 16:15:23 2013 : Info: [sql]  expand: %{expr:06:00} -> 

Can you explain why this value isn't working with the new version, or what we have to 
change to set the Session-Timeout so that users get disconnected e.g. at 06:00 am?

Regards,
Volker Lieder



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Usage of Session-Timeout

2013-10-09 Thread Alan DeKok
Volker Lieder wrote:
 Within the old version, we used a database config for groups with an 
 attribute Session-Timeout and the value `%{expr:06:00}`

  Which never worked.  06:00 isn't a number.  You can't just invent
syntax and use it.

 With new version freeradius send an error while looking in debug mode like:
 
 Tue Oct  1 16:15:23 2013 : Info: [sql]expand: 06:00 - 06:00
 Tue Oct  1 16:15:23 2013 : Info: [sql] Not a number at :00
 Tue Oct  1 16:15:23 2013 : Info: [sql]expand: %{expr:06:00} - 
 
 Can you explain why this value isnt working with new version or what we have 
 to change to set the Session-Timeout that user get disconnected e.g. at 06:00 
 am?

  It didn't work in the old version, either.  It just didn't complain.

  You should use the Expiration attribute:

bob Cleartext-Password := hello, Expiration := 06:00

  That should work.

  Or, calculate the Session-Timeout manually.

  Alan DeKok.
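
The manual calculation suggested above, as an added example that is not part of the original thread or of FreeRADIUS: it computes the Session-Timeout that ends a session at the next 06:00 and clamps it to what the NAS can store (the 16-bit limit of 65535 seconds is the one reported in the Session-Timeout thread on this page). The function name, the constants and the sample times are assumptions made for the illustration.

```python
import math
from datetime import datetime, time, timedelta, timezone

# Largest Session-Timeout the NAS will honour (assumed names for this example).
NAS_16BIT_MAX = 0xFFFF        # 65535 s, about 18 hours
NAS_32BIT_MAX = 0xFFFFFFFF    # full width of a RADIUS integer attribute


def session_timeout_until(cutoff, now, nas_max=NAS_32BIT_MAX):
    """Return (seconds, clamped) so a session accepted at `now` ends at the
    next occurrence of the wall-clock time `cutoff`.

    `now` must be timezone-aware. `clamped` is True when the NAS limit is
    shorter than the time left, i.e. the user is dropped before the cutoff
    and has to re-authenticate.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")

    target = now.replace(hour=cutoff.hour, minute=cutoff.minute,
                         second=cutoff.second, microsecond=0)
    if target <= now:
        # Today's cutoff has already passed (or is this instant): use tomorrow's.
        target += timedelta(days=1)

    # Subtract in UTC. Two datetimes sharing one tzinfo are subtracted as
    # wall-clock values, which is an hour off across a DST change.
    delta = target.astimezone(timezone.utc) - now.astimezone(timezone.utc)
    remaining = max(1, math.ceil(delta.total_seconds()))  # never hand out 0

    return min(remaining, nas_max), remaining > nas_max


if __name__ == "__main__":
    tz = timezone(timedelta(hours=2))  # constructed sample offset
    samples = [
        datetime(2013, 10, 1, 16, 15, 23, tzinfo=tz),  # afternoon login
        datetime(2013, 10, 1, 7, 0, 0, tzinfo=tz),     # just after the cutoff
    ]
    for now in samples:
        for limit in (NAS_32BIT_MAX, NAS_16BIT_MAX):
            value, clamped = session_timeout_until(time(6, 0), now, limit)
            print(f"{now.isoformat()} limit={limit}: "
                  f"Session-Timeout := {value}"
                  f"{' (clamped by NAS limit)' if clamped else ''}")
```

With a 16-bit NAS, any login more than about 18 hours before the cutoff gets the clamped value, so the session ends early instead of at 06:00.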


Re: Session-Timeout

2013-04-30 Thread George Chelidze

On 2013-04-27 02:46, David Peterson wrote:


Sorry about that, they say its 16 bit.

I have seen this once with a HUAWEI NAS. The max value for a 16-bit 
unsigned integer is 65535. It's about 18 hours.


BR,

--
George Chelidze



Re: Session-Timeout

2013-04-26 Thread Peter Lambrechtsen
It would depend on your NAS. What does the manual of the NAS say? The
maximum number is the unsigned 32-bit integer max of 4 billion which is just
a few years ;) so I don't really expect you want that.
On Apr 27, 2013 10:06 AM, David Peterson dav...@wirelessconnections.net
wrote:

 What is the largest integer that can be used for the Session-Timeout
 attribute?


RE: Session-Timeout

2013-04-26 Thread David Peterson
They say

RE: Session-Timeout

2013-04-26 Thread David Peterson
Sorry about that, they say it's 16 bit.

 

 


[Help] How to control the authentication session timeout

2013-04-23 Thread Danny Kurniawan
Hello All,

We are using EAP-MSCHAPV2 for authentication with LDAP and using version
2.2.0. So who actually controls the session validity, i.e. for how long the client
will be authenticated after connecting to the wireless AP? For example, I
key in my username / password in the Windows popup; how long until I need to
key in the credentials again? Is this controlled by RADIUS, by the AP, or by
the Windows client?

Thanks in advance and sorry for this newbie question :)

-- 
Best Regards,
Danny

Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Alan Buxey
Controlled by the NAS and/or the RADIUS server depending on NAS settings. ie 
you should be able to set session-timeout on the NAS and then override/update 
the value on the RADIUS server depending on your chosen policies...eg for 
particular users/clients etc...and if proxying you may have agreements or 
filtering in place to set/agree the value

alan


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Danny Kurniawan
Hi Alan,

In which config files do I need to look / edit / add the session timeout in
freeradius?

Thanks
Danny


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread A . L . M . Buxey
Hi,

In which config files do i need to look / edit / add the session timeout
in freeradius?

that would depend on how your configuration is done and what options and methods
you are using. 'users' file is basic way, SQL tables are another, unlang is yet
another way...eg

update reply {
    Session-Timeout := 7200
}

stick this into the post-auth section of raddb/sites-available/default (if thats
your virtual server in use)

alan


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Danny Kurniawan
Thanks Alan, let me try that. So I can apply this only if the Wireless AP
is sending packets with Session-Timeout too, right? I don't see this setting
in the Meraki Wireless AP.

I'm using ldap and all the authentication is just simple username / password
from ldap. Is this the exact syntax to apply?

or we should use update reply-message{
Session-Timeout : = 7200
}

Thanks in advance
Danny


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread A . L . M . Buxey
Hi,

Thanks Alan, let me try that. So i can apply this only if the Wireless AP
is sending packet with Session-Timeout too right? I don't see this setting
in Meraki Wireless AP.

as i said, depends on your settings and what the NAS is willing to take from the
RADIUS server - you'll have to try it and see - or contact your vendor for
technical advice/support.

I'm using ldap and all the authentication just simple username / password
from ldap. Is the the exact syntax to apply with?

?? this is just authentication - how you apply policy is a different issue

or we should use update reply-message{
Session-Timeout : = 7200
}

??  you could try making things up. but it wont get you anywhere.

alan


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Danny Kurniawan
Thanks again Alex, i will try your syntax.

Thanks
Danny


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread A . L . M . Buxey
Hi,
Thanks again Alex, i will try your syntax.

do you deliberately change words?

alan



Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Danny Kurniawan
Hi,

What do you mean? Sorry, I think you might have misunderstood my previous 2
messages. I meant to ask what the correct syntax for update reply is.

Is it exactly like what you said in previous email or else :
update reply {
Session-Timeout : = 7200
}

I will search the documentation again for my question and apply it inside
Post Auth. Sorry for not searching the documentation before asking, i was
trying to find a quick solution :)

Thanks
Danny

Re: [Help] How to control the authentication session timeout

2013-04-23 Thread A . L . M . Buxey
Hi,

What you mean? 

see bottom of email

Is it exactly like what you said in previous email or else :
update reply {
Session-Timeout : = 7200
}

no, it's exactly like I typed. if you add spaces like you have then the server 
won't like it

alan


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Matthew Newton
Hi Danny,

On Tue, Apr 23, 2013 at 11:13:46PM +0800, Danny Kurniawan wrote:
 What you mean? Sorry i think you might mis-understand my previous 2
 message. I mean 2 ask what is the correct syntax for update reply
 
 Is it exactly like what you said in previous email or else :
 update reply {
 Session-Timeout : = 7200
 }

It should be:

post-auth {

  update reply {
    Session-Timeout := 7200
  }

}

(e.g. no space between : and =)

HTH,

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Danny Kurniawan
Thanks all.

-Danny


Re: Session-Timeout anomalies

2013-02-09 Thread Alan DeKok
Bill Isaacs wrote:
 Being a moderator does NOT give you moral license to treat people like
 children.

  The only moral issue here is you admitting you came here with the
intention of trolling.

  The only purpose of this list is to help people solve problems.  If
that means reminding them to read the docs, so be it.

  If you want a friend, go somewhere else.

  Alan DeKok.


Session-Timeout anomalies

2013-02-08 Thread Bill Isaacs

Hello all,

I'm researching this anomaly myself in all the documentation, but 
thought it would also be helpful both to me and to others to post the 
problem here.


SYMPTOM: Some Access-Period accounts (accounts which have X number of 
seconds to continue logging in and out starting from the very first 
login) are giving too much time -- that is, at some point they reload 
the full value of the account type and restart the count down. I 
discovered it while developing some interface code for our customer 
service dept. So far, this DOES NOT seem to be happening to all 
accounts. Moreover, the database info and radclient results are 
inconsistent on these accounts that ARE showing the anomaly.


Here is an example of one such account, a development test account which 
I created for debugging purposes. Its value is 30 days (2592000 seconds)


Radclient result:
===
# echo User-Name=cgitest,User-Password=cgitest | radclient -c 1 -n 3 
-r 3 -t 3 -x 127.0.0.1:1812 auth -S shared

Sending Access-Request of id 24 to 127.0.0.1 port 1812
User-Name = cgitest
User-Password = cgitest
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=24, 
length=26

Session-Timeout = 2366393
===
sql query:

SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) FROM 
radacct WHERE UserName='cgitest' ORDER BY AcctStartTime LIMIT 1 \g

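+------------------------------------------------------------+
| IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) |
+------------------------------------------------------------+
|                                                    1447012 |
+------------------------------------------------------------+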
===

Ok, the problem here should be obvious but I'll explain these results 
for those who are impatient. The Session-Timeout number is way too 
large. As I stated previously, this is a 30 day account. It was counting 
down with no problems until a few days ago. It then mysteriously began 
reporting in the popup window which I was working on that it had 29.9 
days left on it, after it had already counted down to something like 15 
days. It simply seems to have reloaded itself, even though the sql query 
reports the accurate number of seconds which have actually expired. 
(1447012). So if we do the math: 2592000-1447012=1144988 (or roughly 
13.25 days) should be the remaining time on this account. Not 27.38 days.


Here is the sql counter from sqlcounter.conf:

sqlcounter accessperiod {

    counter-name = Max-Access-Period-Time
    check-name = Access-Period
    reply-name = Session-Timeout
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = '%{%k}' ORDER BY AcctStartTime LIMIT 1"

}


(Before anyone bitches about the sql query being different, save your 
pixels -- no matter which style of query is used, the account reports 
that it began at the same time, there is truly no issue here that I can 
see).


ALSO, BEFORE YOU ASK: There is only 1 radius server and only 1 sql 
server on the system. Besides, I have tested this exhaustively using 
different things like the public IP, the fqdn, etc etc. Results are the 
same - that is to say, wrong. lol


Ok so the question then is: where the hell is radclient getting the 
notion that the account has 2366393 seconds left? Where is 
Session-Timeout getting this information? Why is it only doing it on 
some accounts and not others?


Any insights would be greatly appreciated. I will post the resolution 
here (unless one of you smart lads or lasses beats me to it ;) ).


Re: Session-Timeout anomalies

2013-02-08 Thread Bill Isaacs


Ok so the question then is: where the hell is radclient getting the
notion that the account has 2366393 seconds left?


   That is *entirely* the wrong question.  It's why you haven't solved
the problem yet.

   Look at the *radius server* debug output.  It's the one sending the
Session-Timeout.  You should be able to figure out where the
session-timeout is coming from.


Where is
Session-Timeout getting this information? Why is it only doing it on
some accounts and not others?

   Look at the debug output.

   Honestly.

   We say this DAILY on this list.  There is no excuse for refusing to do
that.

   
Alan, take a deep breath.  Of course I've looked at the debug output.  
Note my opening sentence, ol' pardner.  ;)




Re: Session-Timeout anomalies

2013-02-08 Thread Alan DeKok
Bill Isaacs wrote:
 Ok so the question then is: where the hell is radclient getting the
 notion that the account has 2366393 seconds left?

  From the RADIUS server.  This isn't magic.  radclient doesn't invent
attributes in reply packets.  It receives them from the RADIUS server.

 Alan, take a deep breath.  Of course I've looked at the debug output. 
 Note my opening sentence, ol' pardner.  ;)

  Well... your question about where does radclient get that value from
is entirely missing the point.  It gets it from the RADIUS server.  I've
said this.  I have no idea how to convince you it's true.

  And the *only* way to debug the RADIUS server is to look at the debug
output.

  And no, your original message did *not* say you had run the server in
debugging mode.  There's only a reference to creating an account for
debugging purposes.  There's no radiusd -X output.

  My frustration here is that the documentation and my messages cannot
possibly be any more clear.  Yet you're wandering around doing
everything *but* what the documentation says, and then wondering why I'm
getting annoyed.

  Run the server in debugging mode.  Really.  Do it.  I mean it.

  If you want to track down the issue to a specific module, update the
config to do:

update reply {
    Reply-Message += "A %{reply:Session-Timeout}"
}

  Cut & paste that through various pieces of authorize, post-auth, etc.
 Change the "A" to "B", "C", etc.  You should see 10-20 Reply-Messages
in the Access-Accept.  Each with a value for Session-Timeout.  That lets
you track *what* the value is, and *where* in the config the value is
coming from.

  Then once you know it's a particular module, you can figure out how to
fix that module.

  Right now, you're staring at the radclient output, wondering why the
server isn't working.  That's a mistake.

  Alan DeKok.


Re: Session-Timeout anomalies

2013-02-08 Thread Bill Isaacs

On 02/08/2013 09:50 AM, Alan DeKok wrote:

Bill Isaacs wrote:

Ok so the question then is: where the hell is radclient getting the
notion that the account has 2366393 seconds left?

   From the RADIUS server.  This isn't magic.  radclient doesn't invent
attributes in reply packets.  It receives them from the RADIUS server.

   Well... your question about where does radclient get that value from
is entirely missing the point.  It gets it from the RADIUS server.  I've
said this.  I have no idea how to convince you it's true.
Alan, you're so much more fun when you're not being myopic.  lol  Of 
course it's getting the answer from the radius server.  You really think 
I don't know that?


   And the *only* way to debug the RADIUS server is to look at the debug
output.

   And no, your original message did *not* say you had run the server in
debugging mode.  There's only a reference to creating an account for
debugging purposes.  There's no radiusd -X output.
You're quite right Alan, it didn't.  NOR did I say that it did.  To 
paraphrase you, You're staring at the first sentence, wondering where 
the debug output is.  That's a mistake.  :D
What I DID say was I'm researching this anomaly myself in all the 
documentation, but thought it would also be helpful /both to me and to 
others/ to post the problem here. (emphasis added).
What I implied in the ensuing message was that it would be posted here 
once  I tracked the message down, but that posting it and the solution 
in nice digestible pieces for those not familiar at all with radius 
would be helpful to them.  I suspect if you went to decaf and quit 
asking 'why' others don't just do what should be done, you would have 
understood that.
Take a deep breath.  Read between the lines, and realize that if others 
understood radius the way you do, you'd be out of a job (at least on the 
board here).  I'm trying to make this fun, and be worthwhile as a 
thread.  So caaalm down.  ok?  I'll post the debug output along with 
what it reveals as soon as I've worked it all out thoroughly.  Trust me.  :)

... why I'm
getting annoyed.

See decaf above.


   If you want to track down the issue to a specific module, update the
config to do:

update reply {
Reply-Message += A %{reply:Session-Timeout}
}

   Cut  paste that through various pieces of authorize, post-auth, etc.
  Change the A to B, C, etc.  You should see 10-20 Reply-Messages
in the Access-Accept.  Each with a value for Session-Timeout.  That lets
you track *what* the value is, and *where* in the config the value is
coming from.

   Then once you know it's a particular module, you can figure out how to
fix that module.
Now *there* is a wholly useful piece of information.  Bravo! Sooner or 
later, we'll clear out enough of the rants to expose goodies, no?  :D



Re: Session-Timeout anomalies

2013-02-08 Thread Alan DeKok
Bill Isaacs wrote:
 Alan, you're so much more fun when you're not being myopic.  lol  Of
 course it's getting the answer from the radius server.  You really think
 I don't know that? 

  I can only read what you write.  You asked *twice* why radclient had
that Session-Timeout.  The second time, after I told you to look at the
server.  You then said you HAD mentioned you looked at the server
output, when your messages made no such reference.

  I'm asking you to communicate clearly and honestly.  If you can't do
that, then you won't solve the problem.

 What I DID say was I'm researching this anomaly myself in all the
 documentation, but thought it would also be helpful /both to me and to
 others/ to post the problem here. (emphasis added).

  (a) looking at radclient, and (b) looking at the config, and NOT
looking at the debug output.

  There are messages every day saying POST THE DEBUG OUTPUT.  You
didn't do that.

  You have failed the basic netiquette we ask for here.  And then to top
it off, get condescending to me when I point this out.

 What I implied in the ensuing message was that it would be posted here
 once  I tracked the message down,

  You've failed to understand the need for the debug output.  It is
nearly everything you need to (a) debug, and (b) solve the problem.  You
don't post it here after you've come up with a solution.  You post it
here so that people with a clue can read it, and help you.

 but that posting it and the solution
 in nice digestible pieces for those not familiar at all with radius
 would be helpful to them.

  Nonsense.  Again, you make it clear you don't understand.

  What is helpful is a *solution*.  You posted a problem.  You posted
the wrong information about the problem.  You are suggesting that people
use the wrong *method* to track the problem down.

  You're wasting everyone's time.  You're misleading future people, who
will find your post, and potentially go down the wrong path.

  I suspect if you went to decaf and quit
 asking 'why' others don't just do what should be done, you would have
 understood that. 

  I think you're being condescending and rude.  Stop it.

 Take a deep breath.  Read between the lines, and realize that if others
 understood radius the way you do, you'd be out of a job (at least on the
 board here). 

  It doesn't take a rocket scientist to read the documentation, and post
the debug output as suggested in the FAQ, man page, web pages, and
daily on this list.

  You didn't do that.  I really don't care why.

  The entire reason I'm an expert is that I'm willing to learn from
others.  I read the documentation, and I follow instructions.  It's not
hard.

  You don't do that.

 I'm trying to make this fun, and be worthwhile as a
 thread.  So caaalm down.  ok?  I'll post the debug output along with
 what it reveals as soon as I've worked it all out thoroughly.  Trust me.  :)

  That is completely the wrong approach.  You are misleading everyone
else by suggesting that method.

  Stop it.

 Now *there* is a wholly useful piece of information.  Bravo!  Sooner or
 later, we'll clear out enough of the rants to expose goodies, no?  :D

  I figured that it was hopeless to get you to follow the existing
documentation.  So maybe if I spoon-fed it to you in pieces you might
think about it, and follow instructions.

  Alan DeKok.


Re: Session-Timeout anomalies

2013-02-08 Thread Bill Isaacs
Again Alan, read between the lines.  I've been scanning these emails 
from this group for about a year through google searches.
What I've learned from this mailing list is that you routinely castigate 
people who ask questions on here.  That's rude.  Your tone is arrogant.  
And that's rude.
Yes, I'm being condescending but it's in order to point out your 
rudeness -- hopefully in an entertaining way.  You're apparently a 
hopeless case where that's concerned.


What it seems to me that this thread needs is a set of discussions that 
don't include a staple diet of questioner-castigation, as you've done 
here to me. Of course I expected it, even counted on it, to make the 
point I'm making here.  No one is being led down the wrong path.  You 
just need to lighten up and be a little less arrogant.  A little nicer.  
A human being.


And the whole thing sailed right over your arrogant head.  Read this 
exchange, and I rest my case right there.


I'm trying to make this fun, and be worthwhile as a
thread.  So caaalm down.  ok?  I'll post the debug output along with
what it reveals as soon as I've worked it all out thoroughly.  Trust me.  :)


   That is completely the wrong approach.  You are misleading everyone
else by suggesting that method.

   Stop it.


Now *there* is a wholly useful piece of information.  Bravo!  Sooner or
later, we'll clear out enough of the rants to expose goodies, no?  :D

   I figured that it was hopeless to get you to follow the existing
documentation.  So maybe if I spoon-fed it to you in pieces you might
think about it, and follow instructions.
By the way Alan, I didn't need that spoon fed to me.  I'm drawing out 
information for the benefit of others and frankly, just seeing if you 
have anything in your repertoire that doesn't include trying to belittle 
people who are asking for help.  Jury is still out on that one, but 
wearing a frown as they deliberate.  :)



Now for the useful stuff.
Here is the telling part of the freeradius -X output that I ran earlier 
this morning and printed out to use as a reference in my inquiries:


[accessperiod] expand: %{sql:SELECT 
IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() - 
IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName 
= 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1} -> 
231238

rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user cgitest, check_item=2592000, counter=231238
rlm_sqlcounter: Sent Reply-Item for user cgitest, Type=*Session-Timeout, 
value=2360762*

++[accessperiod] returns ok

So, there's something fishy with the rlm_sqlcounter module.  Looks like 
the place to start.


Stay tuned, film at 11.
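
One way to read the rlm_sqlcounter debug lines quoted above, as an added example that is not part of the thread or of FreeRADIUS: it parses the module's output, checks that the reply equals check_item minus counter, and compares the counter with an independently measured elapsed time. The cgitest lines are the ones from the message with the emphasis asterisks removed; user demo2, the measured values for it, the function names and the one-hour tolerance are constructed for the illustration.

```python
import re

# \s+ between tokens tolerates the line wrapping mail clients add to radiusd -X output.
AUTH_RE = re.compile(
    r"rlm_sqlcounter:\s+Authorized\s+user\s+(?P<user>[^,\s]+),\s+"
    r"check_item=(?P<check>\d+),\s+counter=(?P<counter>\d+)")
REPLY_RE = re.compile(
    r"rlm_sqlcounter:\s+Sent\s+Reply-Item\s+for\s+user\s+(?P<user>[^,\s]+),\s+"
    r"Type=(?P<attr>[\w-]+),\s+value=(?P<value>\d+)")

# cgitest: values from the debug output on this page. demo2: constructed.
SAMPLE_DEBUG = """\
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user cgitest, check_item=2592000, counter=231238
rlm_sqlcounter: Sent Reply-Item for user cgitest, Type=Session-Timeout,
value=2360762
++[accessperiod] returns ok
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user demo2, check_item=86400, counter=3600
rlm_sqlcounter: Sent Reply-Item for user demo2, Type=Session-Timeout, value=82800
++[accessperiod] returns ok
"""

# Seconds since first login, measured outside the server. 1447012 is the
# result of the manual radacct query on this page; 3650 is constructed.
MEASURED = {"cgitest": 1447012, "demo2": 3650}


def parse_sqlcounter(debug_text):
    """Map user -> check_item, counter, reply attribute and reply value."""
    records = {}
    for m in AUTH_RE.finditer(debug_text):
        records[m["user"]] = {"check_item": int(m["check"]),
                              "counter": int(m["counter"]),
                              "attr": None, "reply": None}
    for m in REPLY_RE.finditer(debug_text):
        rec = records.get(m["user"])
        if rec is not None:
            rec["attr"] = m["attr"]
            rec["reply"] = int(m["value"])
    return records


def audit(records, measured_elapsed, tolerance=3600):
    """Separate 'the module subtracted wrongly' from 'the counter query
    returned the wrong number'.

    Assumes reset = never, as in the posted sqlcounter config, so the reply
    is expected to be check_item - counter.
    """
    findings = []
    for user, rec in sorted(records.items()):
        if rec["reply"] is None:
            continue  # no reply item was sent for this user
        elapsed = measured_elapsed.get(user)
        drift = None if elapsed is None else elapsed - rec["counter"]
        findings.append({
            "user": user,
            "arithmetic_ok": rec["reply"] == rec["check_item"] - rec["counter"],
            "counter_drift": drift,
            "expected_reply": None if elapsed is None
            else max(rec["check_item"] - elapsed, 0),
            "suspect_query": drift is not None and abs(drift) > tolerance,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sqlcounter(SAMPLE_DEBUG), MEASURED):
        print(finding)
```

For cgitest the subtraction is consistent and the counter is about 14 days lower than the measured elapsed time, which points at the counter query the server actually expanded rather than at the arithmetic.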

Re: Session-Timeout anomalies

2013-02-08 Thread Alan DeKok
Bill Isaacs wrote:
  Again Alan, read between the lines.  I've been scanning these emails
 from this group for about year through google searches.
 What I've learned from this mailing list is that you routinely castigate
 people who ask questions on here.  That's rude.  Your tone is arrogant. 
 And that's rude.
 Yes, I'm being condescending but it's in order to point out your
 rudeness -- hopefully in an entertaining way.  You're apparently a
 hopeless case where that's concerned.
 
 What it seems to me that this thread needs is a set of discussions that
 don't include a staple diet of questioner-castigation, as you've done
 here to me. OF course I expected it, even counted on it, to make the
 point I'm making here.  No one is being led down the wrong path.  You
 just need to lighten up and be a little less arrogant.  A little nicer. 
 A human being.
 
 And the whole thing sailed right over your arrogant head.  Read this
 exchange, and I rest my case right there.
 
 I'm trying to make this fun, and be worthwhile as a
 thread.  So caaalm down.  ok?  I'll post the debug output along with
 what it reveals as soon as I've worked it all out thoroughly.  Trust me.  :)
 
   That is completely the wrong approach.  You are misleading everyone
 else by suggesting that method.

   Stop it.

 Now *there* is a wholly useful piece of information.  Bravo!  Sooner or
 later, we'll clear out enough of the rants to expose goodies, no?  :D
   I figured that it was hopeless to get you to follow the existing
 documentation.  So maybe if I spoon-fed it to you in pieces you might
 think about it, and follow instructions.
 By the way Alan, I didn't need that spoon fed to me.  I'm drawing out
 information for the benefit of others and frankly, just seeing if you
 have anything in your repertoire that doesn't include trying to belittle
 people who are asking for help.  Jury is still out on that one, but
 wearing a frown as they deliberate.  :) 
 
 
 Now for the useful stuff. 
 Here is the telling part of the freeradius -X output that I ran earlier
 this morning and printed out to use as a reference in my inquiries:
 
 [accessperiod] expand: %{sql:SELECT
 IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() -
 IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName
 = 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1} ->
 231238
 rlm_sqlcounter: Check item is greater than query result
 rlm_sqlcounter: Authorized user cgitest, check_item=2592000, counter=231238
 rlm_sqlcounter: Sent Reply-Item for user cgitest, Type=*Session-Timeout,
 value=2360762*
 ++[accessperiod] returns ok
 
 So, there's something fishy with the rlm_sqlcounter module.  Looks like
 the place to start.
 
 Stay tuned, film at 11.
 
 
 
 


Re: Session-Timeout anomalies

2013-02-08 Thread Alan DeKok
Bill Isaacs wrote:
 Here is the telling part of the freeradius -X output that I ran earlier
 this morning and printed out to use as a reference in my inquiries:
 
 [accessperiod] expand: %{sql:SELECT
 IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() -
 IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName
 = 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1} ->
 231238
 rlm_sqlcounter: Check item is greater than query result
 rlm_sqlcounter: Authorized user cgitest, check_item=2592000, counter=231238
 rlm_sqlcounter: Sent Reply-Item for user cgitest, Type=*Session-Timeout,
 value=2360762*
 ++[accessperiod] returns ok
 
 So, there's something fishy with the rlm_sqlcounter module.

  All of this nonsense could have been prevented if you had posted this
in your first message.  The debug output is clear:

1) it runs a query:

  SELECT IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() -
IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName
= 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1

2) the query returns 231238

  You can verify this by running the query manually.  That's why it's
printed out in debugging mode.

3) 2592000 - 231238 = 2360762

  This is maybe grade 5 math.

4)  sqlcounter returns 2370762.

  FreeRADIUS is working correctly.

5) Instead of following instructions, you wasted everyone's time by
ignoring the documentation, and then arguing about it.

6) you still blame FreeRADIUS, *despite* the pretty clear debug output
above.  It doesn't take a RADIUS expert to figure it out.

7) Despite your poor attitude, I'm *still* trying to help you

8) If you respond by blaming me or putting me down, you will be
unsubscribed and banned from this list.


  If you keep your messages technical, there's no problem.  If you read
the documentation, there's no problem.  If you follow instructions,
there's no problem.

  The entire problem is you refusing to follow instructions, and then
arguing about it.  You have this weird idea that I'm being rude for
telling you to FOLLOW THE DOCUMENTATION.

  The only problem here is you.  Fix your attitude, or you will be
unsubscribed and banned.  There are hundreds of people a month who post
questions and get answers without any problem.  Choose to be one of them.

  Alan DeKok.


Re: Session-Timeout anomalies

2013-02-08 Thread Bill Isaacs

Alan,

Being a moderator does NOT give you moral license to treat people like 
children.  You're a rude man.  Please ban me.



Session-Timeout

2013-01-18 Thread Emmanuel BILLOT

Hi,

We want to force Session-Timeout for all our users. Authorization and 
authentication are made by LDAP.
Is it possible to add Session-Timeout in a file or config file to apply 
it to all our users ?


BR,

--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57



Re: Session-Timeout

2013-01-18 Thread Alan Buxey
Yes. You could do it simply with the users file, use unlang in post-auth, or add it 
to LDAP, as 3 places to start with (just one way is enough!). And you'll need to 
ensure your NAS kit follows/honours the value you provide. If you are proxying a 
la eduroam then the remote site providing the service will decide what to do. 
They may honour your value, they may filter it out or they may override it with 
their chosen value.

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.


Re: Session-Timeout

2013-01-18 Thread Emmanuel BILLOT

On 18/01/2013 12:26, Emmanuel BILLOT wrote:

Hi,

We want to force Session-Timeout for all our users. Authorization 
and authentication are made by LDAP.
Is it possible to add Session-Timeout in a file or config file to 
apply it to all our users ?


BR,


More questions about it:
I saw that interim-update was a partial report of what was done during 
the session, fixed on an interval, so as not to lose all data for accounting 
if the connection fails.
OK, but I knew there was a regular re-auth session to keep the connection 
alive, right? If that is right, what could be the attribute to increase the 
interval between two checks?


BR,

--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57



Re: Session-Timeout

2013-01-18 Thread Olivier Beytrison
On 18.01.2013 12:26, Emmanuel BILLOT wrote:
 Hi,
 
 We want to force Session-Timeout for all our users. Authorization and
 authentication are made by LDAP.
 Is it possible to add Session-Timeout in a file or config file to apply
 it to all our users ?
Add the following at the beginning of the users file
DEFAULT
Session-Timeout := 

and be sure to call the file module in authorize

OR
in authorize, add

update reply {
Session-Timeout := 
}


Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: Session-Timeout

2012-07-28 Thread Klaus Klein

On 26.07.2012 17:20, Klaus Klein wrote:

On 26.07.2012 16:16, Matthew Newton wrote:

On Thu, Jul 26, 2012 at 04:08:04PM +0200, Klaus Klein wrote:

While everything works so far, I just can't get the Session-Timeout
to work.

If FreeRADIUS is sending the AVP back to the NAS (which you state
it is), it's the job of the NAS (the AP) to disconnect the user at
the specified time.
The user will keep working until the NAS kicks them off.
As the user isn't being disconnected, it's the NAS that needs
investigating.

I was afraid it would go down that road. :-(


And it did. But not too far.
A newer firmware (BETA, hmm...) fixed the problem.

Cheers,
Klaus


Session-Timeout

2012-07-26 Thread Klaus Klein

Hi Folks,

 I'm in the process of setting up a WPA(2)-Enterprise (IEEE 802.1X) protected WLAN.

I chose FreeRADIUS (2.1.10) with EAP-TLS to authenticate and control the 
access to the network.

While everything works so far, I just can't get the Session-Timeout to work.

If I start 'freeradius -X' I can see that FreeRADIUS sends the Session-Timeout 
information with the Access-Accept message.
Also if I limit the Login-Time (e.g. Login-Time := Wk-1500) and the 
remaining time is less than the Session-Timeout, the remaining time is sent as a 
Session-Timeout.

Nevertheless, after the session times out, no reauthentication takes place and 
the client stays connected to the network.

As this behavior happens with all (two) APs I've got, I'm not sure where to 
locate the problem.(FreeRADIUS, AP or Client (Debian Squeeze with 
wpa_supplicant))

Any idea how I could pinpoint the problem either from the FreeRADIUS or the 
client side?

Thanks,
Klaus


Re: Session-Timeout

2012-07-26 Thread Matthew Newton
On Thu, Jul 26, 2012 at 04:08:04PM +0200, Klaus Klein wrote:
 While everything works so far, I just can't get the Session-Timeout to work.
...
 Any idea how I could pinpoint the problem either from the FreeRADIUS or the 
 client side?

If FreeRADIUS is sending the AVP back to the NAS (which you state
it is), it's the job of the NAS (the AP) to disconnect the user at
the specified time.

The user will keep working until the NAS kicks them off.

As the user isn't being disconnected, it's the NAS that needs
investigating.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Session-Timeout

2012-07-26 Thread Marinko Tarlać
Then AP probably doesn't understand Session-Timeout attribute... (not 
implemented for example)


It would be helpful to tell us what are you using as AP

On 26.7.2012 16:08, Klaus Klein wrote:

Hi Folks,

 I'm in the process of setting up a WPA(2)-Enterprise (IEEE 802.1X) 
protected WLAN.


I chose FreeRADIUS (2.1.10) with EAP-TLS to authenticate and 
control the access to the network.


While everything works so far, I just can't get the Session-Timeout to 
work.


If I start 'freeradius -X' I can see that FreeRADIUS sends the 
Session-Timeout information with the Access-Accept message.
Also if I limit the Login-Time (e.g. Login-Time := Wk-1500) and 
the remaining time is less than the Session-Timeout, the remaining 
time is sent as a Session-Timeout.


Nevertheless, after the session times out, no reauthentication takes 
place and the client stays connected to the network.


As this behavior happens with all (two) APs I've got, I'm not sure 
where to locate the problem.(FreeRADIUS, AP or Client (Debian Squeeze 
with wpa_supplicant))


Any idea how I could pinpoint the problem either from the FreeRADIUS 
or the client side?


Thanks,
Klaus


Re: Session-Timeout

2012-07-26 Thread Klaus Klein

On 26.07.2012 16:29, Marinko Tarlać wrote:

Then AP probably doesn't understand Session-Timeout attribute... (not
implemented for example)

It would be helpful to tell us what are you using as AP


AP No.1
Netgear WG602v3 with dd-wrt v24_micro_generic.bin

AP No.2
Siemens Gigaset SE515dsl

Cheers,
Klaus

Re: Session-Timeout

2012-07-26 Thread Klaus Klein

On 26.07.2012 16:16, Matthew Newton wrote:

On Thu, Jul 26, 2012 at 04:08:04PM +0200, Klaus Klein wrote:

While everything works so far, I just can't get the Session-Timeout to work.

If FreeRADIUS is sending the AVP back to the NAS (which you state
it is), it's the job of the NAS (the AP) to disconnect the user at
the specified time.
The user will keep working until the NAS kicks them off.
As the user isn't being disconnected, it's the NAS that needs
investigating.

I was afraid it would go down that road. :-(


Any idea how I could pinpoint the problem either from the FreeRADIUS or the 
client side?

I'm just tracing the wpa_supplicant and noticed a message "Cancelling authentication 
timeout".
Unfortunately, it's not clear what or which side (AP or Client) is causing this 
message.

Is there any way a client could cancel a session timeout?
Or why would an AP do so?
Cheers,
Klaus


Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread Alan DeKok
yagizozen wrote:
 All the information of the users that connect and dc, is stored in the
 db.daily file I suppose. But I can not open the file with notepad and see
 which user had how many seconds of active sessions.

  That's not how computers work.  Do you open MP3s in Notepad to play them?

 I configured a user to
 use 1 hour per day. The user used 20 min of his 1 hour limit. Now where can
 I see that users remaining time to spent during that day?? I am not using
 regular accounting tables of the FR. I suppose that information is located
 that db.daily file but I can not see inside of it. 
 Can you help me?

  See the rad_counter.pl file which is distributed with the server.

  Alan DeKok.


Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread yagizozen
Thank you Alan,

I couldn't find that perl file on my machine. Is there any way to see the
content of db.daily with the use of any program in the Windows environment,
so that I can copy the file to my Windows machine and use that tool to look inside?





Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread Fajar A. Nugraha
On Wed, May 9, 2012 at 3:54 PM, yagizozen yagizo...@yahoo.com wrote:
 Thank you Alan,

 I couldnt find that perl file in my machine. Is there any way to see the
 content of db.daily with the use of any program in the windows environment
 so that I can copy the file to my windows and use that tool to look inside.


Short version: No.

Long version: did you look at rad_counter.pl, as Alan mentioned? If
you did, you'd notice that it's a perl script, which uses GDBM_File
module. Both should be available on windows (active perl, cygwin,
etc). Or you could use some other program which supports gdbm (e.g.
php).

But since you didn't even bother looking at that file, my guess is you
won't be able to find the applications required to look at its
content. So no, you won't be able to do so.

-- 
Fajar


Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread Fajar A. Nugraha
On Wed, May 9, 2012 at 3:54 PM, yagizozen yagizo...@yahoo.com wrote:
 Thank you Alan,

 I couldnt find that perl file in my machine.

It's available on FR source code, as mentioned already by Alan:
http://freeradius.org/download.html

Or read the latest development version directly from github:
https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_counter/rad_counter.pl

-- 
Fajar


Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread Alan DeKok
yagizozen wrote:
 I couldnt find that perl file in my machine.

  That's not a good response.

  The file is distributed with FreeRADIUS.  Go look in the FreeRADIUS
distribution archive for it.

 Is there any way to see the
 content of db.daily with the use of any program in the windows environment
 so that I can copy the file to my windows and use that tool to look inside.

  I have no idea.  I don't use Windows.

  The tools distributed with FreeRADIUS work.  Use them.

  Alan DeKok.


Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread yagizozen
You are right, Sir,

I could not find it on my server because it didn't get installed, I guess, when I
installed FR with yum install freeradius2 freeradius2-utils





Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread yagizozen
I do not have the modules folder under /usr/src.  How can I install the
modules folder on my machine without changing any other file contents under
/etc or /var/log/radius?



Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread Alan DeKok
yagizozen wrote:
 I do not have the modules folder under /usr/src.  How can I install the
 modules folder to my machine but do not change any other file contents under
 /etc or /var/log/radius

  Download the tar file from our FTP site.  See http://www.freeradius.org/

  Or, read the link that Fajar sent out.

  Alan DeKok.


Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread John Dennis

On 05/09/2012 07:17 AM, yagizozen wrote:

You are right Sir,

I could not find it in my server because it didnt installed I guess when I
install FR with yum install freeradius2 freeradius2-utils


The reason the rad_counter.pl is only in a source distribution is 
because it's not installed via the install target in the Makefile. If 
rad_counter.pl is meant to be a user utility it should be installed as 
part of make install.



--
John Dennis jden...@redhat.com



Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread Alan DeKok
John Dennis wrote:
 The reason the rad_counter.pl is only in a source distribution is
 because it's not installed via the install target in the Makefile. If
 rad_counter.pl is meant to be a user utility it should be installed as
 part of make install.

  That's probably a good idea.

  I'll go add that.

  Alan DeKok.


Re: Session-Timeout Monitoring from db.daily

2012-05-09 Thread yagizozen
Hello everyone,

I managed to do it finally :)

THANK YOU very much



Session-Timeout Monitoring from db.daily

2012-05-08 Thread yagizozen
Hello guys,

I am using counter module as follows:

counter daily { 
filename = ${raddbdir}/db.daily 
key = User-Name 
count-attribute = Acct-Session-Time 
reset = daily 
counter-name = Daily-Session-Time 
check-name = Max-Daily-Session 
reply-name = Session-Timeout 
cache-size = 5000 
} 

All the information of the users that connect and disconnect is stored in the
db.daily file, I suppose. But I cannot open the file with Notepad and see
which user had how many seconds of active sessions. I configured a user to
use 1 hour per day. The user used 20 min of his 1 hour limit. Now where can
I see that user's remaining time to spend during that day? I am not using
the regular accounting tables of FR. I suppose that information is located
in that db.daily file but I cannot see inside of it.
Can you help me?

Thank you very much



Re: Problems sending session-timeout

2012-02-03 Thread tonimanel
 to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): starting 5
rlm_sql (sql): Attempting to connect rlm_sql_mysql #5
rlm_sql_mysql: Starting connect to MySQL server for #5
rlm_sql (sql): Connected new DB handle, #5
rlm_sql (sql): starting 6
rlm_sql (sql): Attempting to connect rlm_sql_mysql #6
rlm_sql_mysql: Starting connect to MySQL server for #6
rlm_sql (sql): Connected new DB handle, #6
rlm_sql (sql): starting 7
rlm_sql (sql): Attempting to connect rlm_sql_mysql #7
rlm_sql_mysql: Starting connect to MySQL server for #7
rlm_sql (sql): Connected new DB handle, #7
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret, server FROM nas
rlm_sql (sql): Reserving sql socket id: 7
rlm_sql (sql): Read entry
nasname=80.26.102.157,shortname=NataliWifi,secret=sj6bo5RdYsmME@uyf8yuTq9x4SVb39
rlm_sql (sql): Adding client 80.26.102.157 (NataliWifi, server=none) to
clients list
rlm_sql (sql): Read entry
nasname=0.0.0.0/0,shortname=FaberWifi,secret=62p@%5RdYsmME@uyf8yuTq9x4SVb39
rlm_sql (sql): Adding client 0.0.0.0 (FaberWifi, server=none) to clients
list
rlm_sql (sql): Read entry
nasname=213.0.2.116,shortname=WifiPoint,secret=Mb6xUH14yXK27F1d
rlm_sql (sql): Adding client 213.0.2.116 (WifiPoint, server=none) to
clients list
rlm_sql (sql): Read entry
nasname=80.36.217.106,shortname=PamadiWifi,secret=mk5mk5RdYsmME@uyf8yuTq9x4SVb39
rlm_sql (sql): Adding client 80.36.217.106 (PamadiWifi, server=none) to
clients list
rlm_sql (sql): Read entry
nasname=213.97.154.93,shortname=PamadiWifiArenas,secret=mk6ml5RdYsmME@uyf8yuTq9x4SVb39
rlm_sql (sql): Adding client 213.97.154.93 (PamadiWifiArenas, server=none)
to clients list
rlm_sql (sql): Released sql socket id: 7
 Module: Linked to module rlm_sqlcounter
 Module: Instantiating module unuso from file
/etc/freeradius/sql/mysql/counter.conf
  sqlcounter unuso {
counter-name = One-All-Session-Time
check-name = One-All-Session
reply-name = Session-Timeout
key = User-Name
sqlmod-inst = sql
query = SELECT UNIX_TIMESTAMP()-UNIX_TIMESTAMP(AcctStartTime) FROM 
radacct
WHERE UserName='%{%k}' ORDER BY AcctStartTime LIMIT 1
reset = never
safe-characters =
@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
  }
rlm_sqlcounter: Reply attribute Session-Timeout is number 27
rlm_sqlcounter: Counter attribute One-All-Session-Time is number 11273
rlm_sqlcounter: Check attribute One-All-Session is number 11274
rlm_sqlcounter: Current Time: 1328269705 [2012-02-03 12:48:25], Next reset 0
[2012-02-03 12:00:00]
rlm_sqlcounter: Current Time: 1328269705 [2012-02-03 12:48:25], Prev reset 0
[2012-02-03 12:00:00]
 Module: Instantiating module noresetcounter from file
/etc/freeradius/sql/mysql/counter.conf
  sqlcounter noresetcounter {
counter-name = Max-All-Session-Time
check-name = Max-All-Session
reply-name = Session-Timeout
key = User-Name
sqlmod-inst = sql
query = SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE
UserName='%{%k}'
reset = never
safe-characters =
@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
  }
rlm_sqlcounter: Reply attribute Session-Timeout is number 27
rlm_sqlcounter: Counter attribute Max-All-Session-Time is number 11275
rlm_sqlcounter: Check attribute Max-All-Session is number 11276
rlm_sqlcounter: Current Time: 1328269705 [2012-02-03 12:48:25], Next reset 0
[2012-02-03 12:00:00]
rlm_sqlcounter: Current Time: 1328269705 [2012-02-03 12:48:25], Prev reset 0
[2012-02-03 12:00:00]
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module acct_unique from file
/etc/freeradius/modules/acct_unique
  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating module attr_filter.accounting_response from file
/etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
attrsfile = /etc/freeradius/attrs.accounting_response
key

Re: Problems sending session-timeout

2012-02-03 Thread Alan DeKok
tonimanel wrote:
 I'm having problems configuring authentication attributes which were send to
 the NAS. I don't know why FreeRADIUS doesn't check attributes that NAS sends
 - only check called-stattion-id (maybe I should to complete the
 configuration... I don't know how). 

  Learn how to ask good questions.  You keep talking about a solution
you've implemented.  Don't do that.  It's clear you don't understand the
server, and you don't understand what you've implemented.

  Instead, describe what you want to do.  Describe what information you
see in an Access-Request, and what information you want to see in an
Access-Accept.  Describe how you want to use the information in the
Access-Request to make decisions.

  You are having major difficulties configuring the server.  The ONLY
reason for this is that you don't know what you want it to do.

 I don't have clear what I should to do. I would like to get that when a user
 login to the NAS, NAS has to send some attributes like radius location name,
 radius location id, called station id and then FreeRADIUS compare with
 database.

  The NAS sends whatever it wants to send.  It doesn't have to send
anything.

  And what do you mean by "FreeRADIUS compare with database"?  Compare
WHAT?  With WHAT?  WHY is it doing the comparison?

 Now, called station id functions correctly. After that, FreeRADIUS
 has to send to the NAS the user's time session. 

  What's a "user's time session"?

  You need to talk about what's actually happening.  Using the correct
words is a requirement.  Using vague confusing words just makes your
life more difficult.

 In my case, these attributes were not sent/received and I can't to get a
 complete functionality. 

  You haven't described what you want the server to do.  All you've said
is "the server receives packets and sends replies.  But it doesn't work".

  Those kind of comments are content-free, and unhelpful.

  Alan DeKok.


Re: Problems sending session-timeout

2012-02-03 Thread Alan Buxey
Hi,

 I'm having problems configuring authentication attributes which were send to
 the NAS. I don't know why FreeRADIUS doesn't check attributes that NAS sends
 - only check called-stattion-id (maybe I should to complete the
 configuration... I don't know how).

FreeRADIUS will check whatever you tell it to check - eg in check table, or 
using
unlang etc

 I don't have clear what I should to do. I would like to get that when a user
 login to the NAS, NAS has to send some attributes like radius location name,
 radius location id, called station id and then FreeRADIUS compare with
 database. Now, called station id functions correctly. After that, FreeRADIUS
 has to send to the NAS the user's time session.

rad reply table

alan


Re: Problems sending session-timeout

2012-02-03 Thread tonimanel
I think that I have not explained myself very well.

I disagree, Alan DeKok. Sorry if you think that I'm talking about my
implementation, but I think that it is correct to explain (or at least try)
what happens in my case. I think that other users could have these
problems. Or if you configure some service and it works fine, but there is something
you don't know how it works, what would you do?

I'm using Mikrotik's field names, sorry. So I would like to know why, if
FreeRADIUS reads an attribute from radgroupcheck, it is not compared with
the NAS's attribute. In my case, I have configured in Mikrotik a location name
that in radgroupcheck is WISPr-Location-Name; why were these values not
compared? And another problem that I'm having is that when a user logs in, it seems
that the NAS (Mikrotik in my case) does not receive the session time left
(Session-Timeout). Why? Do I have to configure something? I have added
the dictionary. Any idea?

Thanks.

Toni.



Re: Problems sending session-timeout

2012-02-03 Thread Fajar A. Nugraha
On Fri, Feb 3, 2012 at 7:54 PM, tonimanel
antoniofernan...@fabergames.com wrote:
 I think that I have not explained very well.

 I disagree Alan Dekok. Sorry if you think that I'm talking about my
 implementation, but I think that is correct to explain (or at least try)
 what happen in my case. I think that another users could have these
 problems. Or if you configure some service and it works fine, but something
 you don't know how works, what would you do?

 I'm using Mikrotik's field names, sorry. So I would like to know why if
 FreeRADIUS reads from radgroupcheck an attribute, it is not compared with
 NAS' attibute. In my case, I have configured in Mikrotik a location name
 that in radgroupcheck is WISPr-Location-Name, why these values were not
 compared? And another problem that I'm having is that when user login seems
 that NAS (Mikrotik in my case) does nor receive session time left
 (Session-Timeout). Why? Have I to configure something? I have added
 dictionary. Any idea?


Back up a bit.

I'm going to be blunt here. At this point I HIGHLY suggest you try to
implement a BASIC freeradius installation, from a FRESH installation
(either source or package is fine). Don't forget to read the
documentation. Create users in sql, then run the server in debug mode.
Test authentication (radtest is fine). Observe what happens.

That would give you an idea how freeradius works, without the
complexity of additional/advanced modules/configuration. You REALLY
need to understand how it works. Cause to tell the truth, you're
bordering on annoying right now. I know you don't mean to, but you keep
on using your own terms, and insisting things don't work, when in fact
it might be just a simple configuration problem.

Seriously. Spend some time to learn the basics. It will help you
phrase your questions, and it will help others give answers you
can understand.



Now back to your question.
For the question of why these values were not compared in sql, you
need to learn about operators and tables. Since you seem to be using
debian or derivatives, start with /usr/share/doc/freeradius/rlm_sql.gz.
Especially read about the flow and operators. Make SURE you understand
them before asking more questions.

As for why your sqlcounter is not working, I'd start with looking at this
line from the debug log

[unuso] expand: %{sql:SELECT
UNIX_TIMESTAMP()-UNIX_TIMESTAMP(AcctStartTime)
FROM radacct WHERE UserName='e58ARw' ORDER BY AcctStartTime LIMIT 1} -
rlm_sqlcounter: No integer found in string 

Check:
- did you customize the queries? If yes, revert it. Unless you REALLY
know what you're doing. The defaults work fine in most cases, and
often user modification butchered it.
- if it's still the default query, or you've changed it but you REALLY
know what you're doing, look at that query from debug log. Execute it
directly in your db's sql prompt.

A quick glance says you've modified the query (since the default queries
all have SUM in the SELECT statement) and the modification made
sqlcounter stop working because your modified query does not return an
integer.

-- 
Fajar


Re: Problems sending session-timeout

2012-02-03 Thread Alan DeKok
tonimanel wrote:
> I disagree Alan Dekok. Sorry if you think that I'm talking about my
> implementation,

  I never said that.

> I think that another users could have these
> problems. Or if you configure some service and it works fine, but something
> you don't know how works, what would you do?

  I would listen to people after asking their advice.

  You are not doing that.

  Follow the instructions posted here.   Or you will be unsubscribed.

  It's that simple.

> I'm using Mikrotik's field names, sorry. So I would like to know why if
> FreeRADIUS reads from radgroupcheck an attribute, it is not compared with
> NAS' attribute.

  Your question makes it clear that you HAVE NOT READ the existing
documentation.  The rlm_sql documentation describes how it works.

  Why are you wasting our time (and yours) by asking questions which are
already answered in the documentation?

> In my case, I have configured in Mikrotik a location name
> that in radgroupcheck is WISPr-Location-Name, why these values were not
> compared? And another problem that I'm having is that when user login seems
> that NAS (Mikrotik in my case) does not receive session time left
> (Session-Timeout). Why? Have I to configure something?

  You were TOLD WHAT TO DO.

  Follow the instructions posted here.   Or you will be unsubscribed.

> I have added dictionary. Any idea?

  You are asking for help and ignoring the answers.

  Stop it.  It's rude.

  It WILL cause you to be banned from this list.

  Alan DeKok.


Re: Problems sending session-timeout

2012-02-03 Thread tonimanel
Sorry. I wouldn't like to be banned from the list. Thanks for your help. I will read
again the configuration and then I will try to configure it.

I had copied an old configuration, for this reason appears this error in sql
query. 

Thanks for your help and sorry again.



Re: Problems sending session-timeout

2012-02-03 Thread Alan Buxey
Hi,

> NAS' attribute. In my case, I have configured in Mikrotik a location name
> that in radgroupcheck is WISPr-Location-Name, why these values were not
> compared? And another problem that I'm having is that when user login seems
> that NAS (Mikrotik in my case) does not receive session time left
> (Session-Timeout). Why? Have I to configure something? I have added

radiusd -X 


and watch what is happening.


alan


Re: Problems sending session-timeout

2012-02-02 Thread tonimanel
Hi again, 

I don't know why my FreeRADIUS server doesn't send session-timeout and
other attributes like radius-location-name or radius-location-id (all in
Mikrotik NAS). In FreeRADIUS older versions, I think that these attributes
were sent automatically with the dictionary activation.

Anybody can tell me how could I do to send all attributes automatically
without adding one per one in counter.sql file?

Thanks for your help.

Best regards, 

Toni.



Re: Problems sending session-timeout

2012-02-02 Thread Alan DeKok
tonimanel wrote:
> I don't know why my FreeRADIUS server doesn't send session-timeout and
> other attributes like radius-location-name or radius-location-id (all in
> Mikrotik NAS). In FreeRADIUS older versions, I think that these attributes
> were sent automatically with the dictionary activation.

  No.

> Anybody can tell me how could I do to send all attributes automatically
> without adding one per one in counter.sql file?

  What's a counter.sql file?

  If you want the server to send an attribute in an Access-Accept, you
MUST configure it to send that attribute.

  The server has ALWAYS worked this way.

  Alan DeKok.


Re: Problems sending session-timeout

2012-02-02 Thread tonimanel
Hi Alan, 

Thanks for your reply.

I wanted to say counter.conf. In that file we can define counters that
theoretically sends attributes to the NAS, in my case Mikrotik. I have enabled
Mikrotik's dictionary. So, I should to add all attributes inside of
counter.conf file in all directives defined, that's correct?

Thanks for your attention. 

Best regards,



Re: Problems sending session-timeout

2012-02-02 Thread Alan DeKok
tonimanel wrote:
> I wanted to say counter.conf.

  Which one?

> In that file we can define counters that
> theoretically sends attributes to the NAS, in my case Mikrotik. I have enabled
> Mikrotik's dictionary. So, I should to add all attributes inside of
> counter.conf file in all directives defined, that's correct?

  No.

  You haven't spent time reading the documentation to see how the server
works. Or, you haven't bothered to *accurately* describe what you're doing.

  Your messages are short, and nearly content free.  You keep repeating
counter and Mikrotik.  So?  Do you know how to use FreeRADIUS?

  Alan DeKok.


Re: Problems sending session-timeout

2012-02-02 Thread tonimanel
First sorry for the inconvenience of my consultations. 

I think that I have been clear. When a user wants access to my FreeRADIUS,
user tries login, and then FreeRADIUS service checks session time of
username, make some actions and lastly replies with attributes to the NAS
(in my case Mikrotik). NAS, in my case, should receives session timeout,
radius-id-location... If I must to configure freeradius to replies with
these attributes, I should to add it inside of sql/mysql/counter.conf (a
file that contains noresetcounter, monthly or daily directives), that's
correct?

If I'm wrong or I have some mistakes, please, sorry. I think that it's clear
(I think). I could put the output result but maybe it isn't necessary.

Thank you very much for your answers and your time.

Regards,

Toni.



Re: Problems sending session-timeout

2012-02-02 Thread Alan DeKok
tonimanel wrote:
> I think that I have been clear. When a user wants access to my FreeRADIUS,
> user tries login, and then FreeRADIUS service checks session time of
> username, make some actions and lastly replies with attributes to the NAS
> (in my case Mikrotik). NAS, in my case, should receives session timeout,
> radius-id-location... If I must to configure freeradius to replies with
> these attributes, I should to add it inside of sql/mysql/counter.conf (a
> file that contains noresetcounter, monthly or daily directives), that's
> correct?

  No.  Modules are configured in the raddb/modules directory.  Look
*there* for the counter configuration.

  That file also contains *extensive* documentation on how the module
works.  This includes when/where Session-Timeout is sent.

  Go read that and configure the server as it suggests.  THEN post the
debug output if it still doesn't work.

  Alan DeKok.


Re: Problems sending session-timeout

2012-02-02 Thread tonimanel
Hi Alan, 

Thanks again for your reply. I will check later.

I will report news here ... 

Regards, 

Toni.



Re: Problems sending session-timeout

2012-01-27 Thread tonimanel
Thanks for your answer. 

Sorry if my question was a lot of basic ... I have solved this adding
reply-name (reply-name = Session-Timeout) in all modules defined in
counter.sql.

Thank you very much.

Best regards, 

Toni.



Problems sending session-timeout

2012-01-26 Thread tonimanel
Hi guys, 

I have a problem with my freeradius service. I would like to get that
freeradius sends to my NAS the session-timeout attribute. Can you tell me
how could I get it?

This is the output result:


Re: Problems sending session-timeout

2012-01-26 Thread Fajar A. Nugraha
On Thu, Jan 26, 2012 at 10:14 PM, tonimanel
<antoniofernan...@fabergames.com> wrote:
> Hi guys,
>
> I have a problem with my freeradius service. I would like to get that
> freeradius sends to my NAS the session-timeout attribute. Can you tell me
> how could I get it?

Just put it in radreply :)

I think you meant this though: http://wiki.freeradius.org/Rlm_sqlcounter
Read it, especially the parts that mention check-name and counter-name.

-- 
Fajar


Re: Custom function to update Session-Timeout

2011-09-13 Thread Christ Schlacta
Have you tried setting the proper timeout from the auth section?  
Session-Timeout := 
`/script/that/returns/minimum/of/1-hour/or/remaining-time` ?


On 9/12/2011 20:52, denzx wrote:

Hi, I am new in this mailing list.

I have similar situation too, I need counting something before decide to
send session-timeout to NAS in accounting section. The purpose is disconnect
online-user by updating his current Session-Timeout with lower value.
Unfortunately, its still not working.

My question is, is it possible to send reply Session-Timeout in accounting
section?

I put same in accounting section:
update reply {
	Session-Timeout := `/path/to/my/super/awesome/sessiontimeout/script -myarguments`
}





Re: Custom function to update Session-Timeout

2011-09-13 Thread Fajar A. Nugraha
On Tue, Sep 13, 2011 at 10:52 AM, denzx <dennyzulfi...@gmail.com> wrote:
> My question is, is it possible to send reply Session-Timeout in accounting
> section?

From http://www.ietf.org/rfc/rfc2865.txt


5.27.  Session-Timeout

   Description

  This Attribute sets the maximum number of seconds of service to be
  provided to the user before termination of the session or prompt.
  This Attribute is available to be sent by the server to the client
  in an Access-Accept or Access-Challenge.


So no, you shouldn't be able to send reply Session-Timeout in
accounting section

-- 
Fajar
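
The RFC rule quoted above, as an added example that is not part of the original post: a Python check that parses a RADIUS packet and reports a Session-Timeout (attribute 27) carried in anything other than an Access-Accept or Access-Challenge. The helper names are hypothetical and both packets are constructed samples with a zeroed authenticator.

```python
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11
SESSION_TIMEOUT = 27  # attribute type, RFC 2865 section 5.27

# Packet types in which RFC 2865 section 5.27 allows Session-Timeout.
ALLOWED_IN = {ACCESS_ACCEPT, ACCESS_CHALLENGE}


def parse_packet(data):
    """Return (code, [(attr_type, value_bytes), ...]) or raise ValueError."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20          # attributes start after the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def session_timeout_findings(data):
    """List problems with Session-Timeout in one packet; empty means fine."""
    code, attrs = parse_packet(data)
    findings = []
    for a_type, value in attrs:
        if a_type != SESSION_TIMEOUT:
            continue
        if len(value) != 4:
            findings.append("Session-Timeout value is not a 32-bit integer")
            continue
        seconds = struct.unpack("!I", value)[0]
        if code not in ALLOWED_IN:
            findings.append(
                f"Session-Timeout={seconds} in packet code {code}; only "
                "Access-Accept and Access-Challenge may carry it")
    return findings


def build_packet(code, attrs, ident=1):
    """Build a sample packet with a zeroed authenticator (test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples, not captured traffic.
ACCEPT = build_packet(ACCESS_ACCEPT,
                      [(SESSION_TIMEOUT, struct.pack("!I", 3600))])
ACCT_RESPONSE = build_packet(ACCOUNTING_RESPONSE,
                             [(SESSION_TIMEOUT, struct.pack("!I", 60))])

if __name__ == "__main__":
    for name, pkt in (("Access-Accept", ACCEPT),
                      ("Accounting-Response", ACCT_RESPONSE)):
        print(name, session_timeout_findings(pkt) or "ok")
```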


Re: Custom function to update Session-Timeout

2011-09-13 Thread denzx
Hi All again,

thanks a lot for your answers. it's now clear to me that I must try other
ways to perform disconnection of users.

BR//Denny



Re: Custom function to update Session-Timeout

2011-09-13 Thread KES
if you use mpd5 you can check 'drop-user', it is vendor specific for mpd5, but 
works fine!
check last documentation for mpd5

13.09.2011, 12:40, denzx <dennyzulfi...@gmail.com>:
> Hi All again,
>
> thanks a lot for your answers. it's now clear to me that I must try other
> ways to perform disconnection of users.
>
> BR//Denny



Re: Custom function to update Session-Timeout

2011-09-12 Thread denzx
Hi, I am new in this mailing list.

I have similar situation too, I need counting something before decide to
send session-timeout to NAS in accounting section. The purpose is disconnect
online-user by updating his current Session-Timeout with lower value.
Unfortunately, its still not working.

My question is, is it possible to send reply Session-Timeout in accounting
section?

I put same in accounting section:
update reply {
	Session-Timeout := `/path/to/my/super/awesome/sessiontimeout/script -myarguments`
}





Custom function to update Session-Timeout

2011-09-07 Thread Ivaylo Petkov
Hi All,

I am new to developing for Freeradius and I was hoping one of you can direct me
into the right direction. I would like to have a program update the
Session-Timeout on authentication request or on disconnect so that when the
user receives the access accept it receives the updated Session-Timeout. What
is the correct way of doing this and is there some sort of example that I can
read. I have been searching in the mailing list and in Google but so far no
luck.

Regards,
Ivo


Re: Custom function to update Session-Timeout

2011-09-07 Thread Arran Cudbard-Bell

On 7 Sep 2011, at 21:28, Ivaylo Petkov wrote:

> Hi All,
>
> I am new to developing for Freeradius and I was hoping one of you can direct
> me into the right direction. I would like to have a program update the
> Session-Timeout on authentication request or on disconnect so that when the
> user receives the access accept it receives the updated Session-Timeout. What
> is the correct way of doing this and is there some sort of example that I can
> read. I have been searching in the mailing list and in Google but so far no
> luck.


Put this in the post-auth section of raddb/sites-available/default


update reply {
	Session-Timeout := `/path/to/my/super/awesome/sessiontimeout/script -myarguments`
}

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Post Logout/Session timeout SQL

2011-03-26 Thread Marc Phillips

I'm using freeradius with coova-chilli.  Works fine and dandy, but
I'm trying to enforce some policy which I can do with some scripts,
but it would be much cleaner to do with radius (IMHO).

What I want to happen is when user session timeout or bandwidth restriction
has been hit, update a database field.  right now on session timeout 
accounting_update_query appears to be run.  I would like to run an additional
query as well, to disable the account (I've added a disabled field to the 
radcheck and updated my auth query to check that).

Is this something that can be configured, or is there some better way to 
accomplish what I'm trying to do?

R. Marc




Re: Post Logout/Session timeout SQL

2011-03-26 Thread Frank Ranner
On Sat, 2011-03-26 at 15:01 -0500, Marc Phillips wrote:
> I'm using freeradius with coova-chilli.  Works fine and dandy, but
> I'm trying to enforce some policy which I can do with some scripts,
> but it would be much cleaner to do with radius (IMHO).
>
> What I want to happen is when user session timeout or bandwidth restriction
> has been hit, update a database field.  right now on session timeout
> accounting_update_query appears to be run.  I would like to run an additional
> query as well, to disable the account (I've added a disabled field to the
> radcheck and updated my auth query to check that).
>
> Is this something that can be configured, or is there some better way to
> accomplish what I'm trying to do?

Why not define a trigger in the database to run the additional query or
a function that can perform the necessary checks and then execute a
query?




Re: Post Logout/Session timeout SQL

2011-03-26 Thread Marc Phillips
> Why not define a trigger in the database to run the additional query or
> a function that can perform the necessary checks and then execute a
> query?

I'll take a look at some triggers and stored procedures to go along
with it.  Would be useful for cleaning up stuff anyway (running
radius and chilli on a wireless router, so space is at a premium).

I got the initial criteria done by doing an inner join on the

accounting_stop_query = " \
  UPDATE ${acct_table2} INNER JOIN ${authcheck_table} USING (username) SET \
    ${acct_table2}.acctstoptime       = '%S', \
    ${acct_table2}.acctsessiontime    = '%{Acct-Session-Time}', \
    ${acct_table2}.acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
                                        '%{%{Acct-Input-Octets}:-0}', \
    ${acct_table2}.acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
                                        '%{%{Acct-Output-Octets}:-0}', \
    ${acct_table2}.acctterminatecause = '%{Acct-Terminate-Cause}', \
    ${acct_table2}.acctstopdelay      = '%{%{Acct-Delay-Time}:-0}', \
    ${acct_table2}.connectinfo_stop   = '%{Connect-Info}', \
    ${authcheck_table}.disabled       = 1 \
  WHERE ${acct_table2}.acctsessionid  = '%{Acct-Session-Id}' \
  AND ${acct_table2}.username         = '%{SQL-User-Name}' \
  AND ${acct_table2}.nasipaddress     = '%{NAS-IP-Address}'"

R. Marc


Re: Session-timeout and expiration problem

2010-01-22 Thread Alan DeKok
Fazal Ahmed Malik wrote:
> I have installed Freeradius 2.0 along with mysql 5 and dialup_admin. I
> am having trouble with session-timeout, expiration. On dialup_admin I
> have correct information for both attributes like user can login for 0
> seconds and similarly for expiration like account expired. But users can
> still logon even after expiration date passed. For session timeout user
> get disconnected right after allocated quota but here again user can
> login. Both attribute are setup from dialupadmin with = operator for
> session timeout and := for expiration

  You can set up rules in post-auth to reject anyone who has less than 5
minutes of time:

...

if (reply:Session-Timeout < 300) {
	reject
}
...

   Alan DeKok.


Session-timeout and expiration problem

2010-01-21 Thread Fazal Ahmed Malik
Hi,

I have installed Freeradius 2.0 along with mysql 5 and dialup_admin. I am
having trouble with session-timeout, expiration. On dialup_admin I have correct
information for both attributes like user can login for 0 seconds and similarly
for expiration like account expired. But users can still logon even after
expiration date passed. For session timeout user get disconnected right after
allocated quota but here again user can login. Both attribute are setup from
dialupadmin with = operator for session timeout and := for expiration

Please help if I am missing something in config.


Best regards,


Fazal Ahmed

Re: using SQL, where is Session-Timeout updated?

2009-09-18 Thread Ivan Kalik
>> You need sqlcounter (counter.conf) for that.
>
> Found. but no UPDATE query in it.

Oddly enough, counter doesn't update anything - it COUNTS. It counts how
much time has been used in current period (on previous logins) and deducts
that from the limit. You can choose the reset period (daily counter resets
every day, weekly every week etc.) and the limit. You set the limit by
placing attribute configured as check_name in radcheck table with the
value of max allowed time in seconds.

Example, for daily limit of 1 hour you would enter:

username Max-Daily-Session := 3600

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: using SQL, where is Session-Timeout updated?

2009-09-18 Thread Rakotomandimby Mihamina

09/18/2009 12:51 PM, Ivan Kalik::

>>> You need sqlcounter (counter.conf) for that.
>>
>> Found. but no UPDATE query in it.
>
> Oddly enough, counter doesn't update anything - it COUNTS.


OK,
Attached is my 'default' file, and the 'freeradius -X' output.
the counter (in counter.conf) is:

sqlcounter dailycounter
  {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = daily
query = SELECT SUM(AcctSessionTime - \
 GREATER((%b - AcctStartTime::ABSTIME::INT4), ...
  }

What is wrong?
freeradius does not start because  SQL Counter modules
aren't allowed in 'accounting' sections.

It is told to put it in 'accounting'...
--
  IT Architect at Blueline/Gulfsat:
   System Administration, Research & Development
   +261 34 29 155 34

Re: using SQL, where is Session-Timeout updated?

2009-09-18 Thread Ivan Kalik
> sqlcounter dailycounter
> {
>   counter-name = Daily-Session-Time
>   check-name = Max-Daily-Session
>   reply-name = Session-Timeout
>   sqlmod-inst = sql
>   key = User-Name
>   reset = daily
>   query = SELECT SUM(AcctSessionTime - \
>    GREATER((%b - AcctStartTime::ABSTIME::INT4), ...
> }
>
> What is wrong?
> freeradius does not start because  SQL Counter modules
> aren't allowed in 'accounting' sections.
>
> It is told to put it in 'accounting'...

No, you weren't told to put it there. Read again my message about where
are you supposed to list it.

Ivan Kalik
Kalik Informatika ISP



Re: using SQL, where is Session-Timeout updated?

2009-09-18 Thread Rakotomandimby Mihamina

09/18/2009 05:41 PM, Ivan Kalik::

>> sqlcounter dailycounter
>> {
>>   counter-name = Daily-Session-Time
>>   check-name = Max-Daily-Session
>>   reply-name = Session-Timeout
>>   sqlmod-inst = sql
>>   key = User-Name
>>   reset = daily
>>   query = SELECT SUM(AcctSessionTime - \
>>    GREATER((%b - AcctStartTime::ABSTIME::INT4), ...
>> }
>> What is wrong?
>> freeradius does not start because SQL Counter modules
>> aren't allowed in 'accounting' sections.
>> It is told to put it in 'accounting'...
>
> No, you weren't told to put it there. Read again my message about where
> are you supposed to list it.


from stock radiusd.conf, around line #1488:
#  [...]
#  The module should be added in the instantiate, authorize and
#  accounting sections.  [...]
Ivan, I merged your explanation with what is in the documentation.
Of course you did not tell me accounting but, I read it in radiusd.conf.

Should I remove it from accounting {...} or move it elsewhere?

When I think about it, placing it in accounting is a bit useless, because the
counter call occurs when radreply (after authentication).
It seems logical not to have to put it in here...

But as well as I begin with RADIUS in general,...

Your advice is welcome.

--
  IT Architect at Blueline/Gulfsat:
   System Administration, Research & Development
   +261 34 29 155 34


Re: using SQL, where is Session-Timeout updated?

2009-09-18 Thread Ivan Kalik
 09/18/2009 05:41 PM, Ivan Kalik::
 sqlcounter dailycounter
 {
   counter-name = Daily-Session-Time
   check-name = Max-Daily-Session
   reply-name = Session-Timeout
   sqlmod-inst = sql
   key = User-Name
   reset = daily
   query = SELECT SUM(AcctSessionTime - \
GREATER((%b - AcctStartTime::ABSTIME::INT4), ...
 }
 What is wrong?
 freeradius does not start because  SQL Counter modules
 aren't allowed in 'accounting' sections.
 It is told to put it in 'accounting'...
 No, you weren't told to put it there. Read again my message about where
 are you supposed to list it.

 from stock radiusd.conf, around line #1488:
  #  [...]
  #  The module should be added in the instantiate, authorize and
  #  accounting sections.  [...]

That's instruction for counter, not sqlcounter module. That's not the same
thing.

Ivan Kalik
Kalik Informatika ISP



Session-Timeout for unlimited?

2009-08-18 Thread Rakotomandimby Mihamina

Hi,
(Using freeRadius v2)
We have prepaid users, where the freeradius server should answer with some
non null integer Session-Timeout.

We have also postpaid users, where the session should be unlimited.

What is the Session-Timeout value corresponding to unlimited?

Thank you.

--
  IT Architect at Blueline/Gulfsat:
   System Administration, Research & Development
   +261 34 29 155 34


Re: Session-Timeout for unlimited?

2009-08-18 Thread Stefan Winter
Hi,

 We have prepaid users, where the freeradius server should answer with
 some
 non null integer Session-Timeout.

 We have also postpaid users, where the session should be unlimited.

 What is the Session-Timeout value corresponding to unlimited?

If you don't send Session-Timeout at all, the session will not be timing
out.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: Session-Timeout in Access-Challenge (that contains EAP-Message)

2009-07-09 Thread Nicolas Goutte


On 08.07.2009 at 20:05, Gong Cheng wrote:

> Hi Alan, thanks for the answer. (and thanks to David too).
> I can't seem to find 2.1.7 yet, but I will keep this in mind.

I suppose that with 2.1.7, the stable version in GIT is meant, see:
http://git.freeradius.org/

Have a nice day!

> Just as an FYI, I do see commercial NAS code that implements this.
>
> Alan DeKok-2 wrote:
>> Gong Cheng wrote:
>>> Hi,
>>> I wonder if there is a way
>>> - not to include Session-Timeout value intended for Access-Accept in
>>> Access-Challenge messages?
>>
>> In 2.1.7, see raddb/sites-available/default.  Look for
>> Access-Challenge.  There is sample configuration.
>>
>>> - or to configure a different Session-Timeout value for Access-Challenges
>>> (which contain EAP-Message)?
>>>
>>> This is about the following section in RFC3579 where Session-Timeout in
>>> Access-Challenge is used to influence EAP retransmission behavior.
>>
>> I'm not sure any AP supports that.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> --
> View this message in context:
> http://www.nabble.com/Session-Timeout-in-Access-Challenge-%28that-contains-EAP-Message%29-tp24383664p24396317.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.



Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: Session-Timeout in Access-Challenge (that contains EAP-Message)

2009-07-08 Thread Alan DeKok
Gong Cheng wrote:
 Hi, 
 I wonder if there is  a way
 - not to include Session-Timeout value intended for Access-Accept in
 Access-Challenge messages?

  In 2.1.7, see raddb/sites-available/default.  Look for
Access-Challenge.  There is sample configuration.

 - or to configure a different Session-Timeout value for Access-Challenges
 (which contain EAP-Message)?
 
 This is about the following section in RFC3579 where Session-Timeout in
 Access-Challenge is used to influence EAP retransmission behavior.

  I'm not sure any AP supports that.

  Alan DeKok.


Re: Re: Session-Timeout in Access-Challenge (that contains EAP-Message)

2009-07-08 Thread David Mitton
Alan,
  They most certainly do!

  I just debugged a case where the Cisco 1200 takes the 30s Session-Timeout 
that the Microsoft IAS server sends and treats it as a response timeout.   (It 
then aborts the authentication, which I believe is wrong, but that's another 
story)
When doing a SecurID authentication with user input of a 60s token OTP, the 
default 30s is inadequate.
Cisco does document the way to extend or override this behavior.

   The Session-Timeout on Access-Challenges for EAP should be a separate 
design somehow.
In the older MS RasEap API, it was crudely based on the type of Send action 
the EAP server used.
In the newer MS EAPHost API, the EAP server code has direct control.

I don't know how your EAP modules interface to the RADIUS server proper, but a 
method that is expecting interactive user control _will_ want to create some 
slack here.  

  Not all EAP methods complete in short time.

Dave.



On Jul 8, 2009, al...@deployingradius.com wrote:


Gong Cheng wrote:
 Hi, 
 I wonder if there is  a way
 - not to include Session-Timeout value intended for Access-Accept in
 Access-Challenge messages?

 In 2.1.7, see raddb/sites-available/default.  Look for
Access-Challenge.  There is sample configuration.

 - or to configure a different Session-Timeout value for Access-Challenges
 (which contain EAP-Message)?
 
 This is about the following section in RFC3579 where Session-Timeout in
 Access-Challenge is used to influence EAP retransmission behavior.

 I'm not sure any AP supports that.

 Alan DeKok.


Re: Session-Timeout in Access-Challenge (that contains EAP-Message)

2009-07-08 Thread Gong Cheng

Hi Alan, thanks for the answer. (and thanks to David too).
I can't seem to find 2.1.7 yet, but I will keep this in mind.

Just as an FYI, I do see commercial NAS code that implements this.


Alan DeKok-2 wrote:
 
 Gong Cheng wrote:
 Hi, 
 I wonder if there is  a way
 - not to include Session-Timeout value intended for Access-Accept in
 Access-Challenge messages?
 
   In 2.1.7, see raddb/sites-available/default.  Look for
 Access-Challenge.  There is sample configuration.
 
 - or to configure a different Session-Timeout value for Access-Challenges
 (which contain EAP-Message)?
 
 This is about the following section in RFC3579 where Session-Timeout in
 Access-Challenge is used to influence EAP retransmission behavior.
 
   I'm not sure any AP supports that.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 

-- 
View this message in context: 
http://www.nabble.com/Session-Timeout-in-Access-Challenge-%28that-contains-EAP-Message%29-tp24383664p24396317.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: Session-Timeout in Access-Challenge (that contains EAP-Message)

2009-07-08 Thread Gong Cheng

Just checked hostapd and it seems to implement this too:

hostapd/ieee802_1x.c:


    case RADIUS_CODE_ACCESS_CHALLENGE:
        sm->eap_if->aaaEapReq = TRUE;
        if (session_timeout_set) {
            /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
            sm->eap_if->aaaMethodTimeout = session_timeout;



Gong Cheng wrote:
 
 Hi Alan, thanks for the answer. (and thanks to David too).
 I can't seem to find 2.1.7 yet, but I will keep this in mind.
 
 Just as an FYI, I do see commercial NAS code that implements this.
 
 
 Alan DeKok-2 wrote:
 
 Gong Cheng wrote:
 Hi, 
 I wonder if there is  a way
 - not to include Session-Timeout value intended for Access-Accept in
 Access-Challenge messages?
 
   In 2.1.7, see raddb/sites-available/default.  Look for
 Access-Challenge.  There is sample configuration.
 
 - or to configure a different Session-Timeout value for
 Access-Challenges
 (which contain EAP-Message)?
 
 This is about the following section in RFC3579 where Session-Timeout in
 Access-Challenge is used to influence EAP retransmission behavior.
 
   I'm not sure any AP supports that.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Session-Timeout-in-Access-Challenge-%28that-contains-EAP-Message%29-tp24383664p24397046.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Session-Timeout in Access-Challenge (that contains EAP-Message)

2009-07-07 Thread Gong Cheng

Hi, 
I wonder if there is  a way
- not to include Session-Timeout value intended for Access-Accept in
Access-Challenge messages?
- or to configure a different Session-Timeout value for Access-Challenges
(which contain EAP-Message)?

This is about the following section in RFC3579 where Session-Timeout in
Access-Challenge is used to influence EAP retransmission behavior.

http://tools.ietf.org/html/rfc3579#section-2.3

thanks!

-gong
-- 
View this message in context: 
http://www.nabble.com/Session-Timeout-in-Access-Challenge-%28that-contains-EAP-Message%29-tp24383664p24383664.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
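
The behaviour discussed in this thread can be checked on captured packets. The following is an added example (not code from any poster, FreeRADIUS or hostapd): it parses a RADIUS packet and reports the Session-Timeout carried in an Access-Challenge that also contains EAP-Message. The helper names and sample packets are constructed for illustration; the 30 s and 60 s figures are the ones from David Mitton's message.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS packet codes (RFC 2865)
ACCESS_CHALLENGE = 11
SESSION_TIMEOUT = 27     # attribute numbers (RFC 2865, RFC 3579)
EAP_MESSAGE = 79


def parse_radius(packet):
    """Split one RADIUS packet into (code, identifier, [(attr_type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20              # bytes 4..19 hold the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


def eap_challenge_timeout(packet):
    """Session-Timeout (seconds) of an Access-Challenge carrying EAP-Message, else None."""
    code, _ident, attrs = parse_radius(packet)
    if code != ACCESS_CHALLENGE:
        return None
    if not any(a_type == EAP_MESSAGE for a_type, _ in attrs):
        return None
    for a_type, value in attrs:
        if a_type == SESSION_TIMEOUT:
            if len(value) != 4:
                raise ValueError("Session-Timeout must be a 32-bit integer")
            return struct.unpack("!I", value)[0]
    return None


def too_short_for_user(packet, needed_seconds):
    """True when the challenge gives the user less time than the EAP method needs."""
    timeout = eap_challenge_timeout(packet)
    return timeout is not None and timeout < needed_seconds


def build_packet(code, ident, attrs):
    """Encode a sample packet (zeroed authenticator; constructed test data only)."""
    body = b"".join(bytes([a_type, len(value) + 2]) + value for a_type, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples. EAP-Request: code 1, id 7, length 6, type 6 (Generic Token Card).
EAP_REQUEST = bytes([1, 7, 0, 6, 6, 0])
CHALLENGE_30S = build_packet(ACCESS_CHALLENGE, 7, [
    (EAP_MESSAGE, EAP_REQUEST),
    (SESSION_TIMEOUT, struct.pack("!I", 30)),
])
ACCEPT_900S = build_packet(ACCESS_ACCEPT, 8, [(SESSION_TIMEOUT, struct.pack("!I", 900))])

if __name__ == "__main__":
    print(eap_challenge_timeout(CHALLENGE_30S), too_short_for_user(CHALLENGE_30S, 60))
```

A Session-Timeout in an Access-Accept is deliberately ignored here, since only the value sent with the challenge is the one a NAS may apply to the EAP exchange.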



Re: First Session-Timeout response error

2009-06-30 Thread Guillaume Brenaut

Yes I need all of them.
Is it a problem?

On 09-06-29 at 16:31, Guillaume Brenaut wrote:


Hello,
after looking for a solution in different forums and on this mailing  
list without any success I decide to post my problem here.
I'm having trouble to get the good Session-Timeout at the first  
request.

Example: one user with Max-All-Session:=900 try to connect:

r...@server:~# radtest jalmjdm nqbnmwcp 127.0.0.1 1812 secret
Sending Access-Request of id 197 to 127.0.0.1 port 1812
User-Name = jalmjdm
User-Password = nqbnmwcp
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812,  
id=197, length=78

WISPr-Redirection-URL = http://www.google.ca;
WISPr-Bandwidth-Max-Up = 128000
WISPr-Bandwidth-Max-Down = 512000
Session-Timeout = 2537321

But the next request give the good answer:
r...@server:~# radtest jalmjdm nqbnmwcp 127.0.0.1 1812 secret
Sending Access-Request of id 174 to 127.0.0.1 port 1812
User-Name = jalmjdm
User-Password = nqbnmwcp
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812,  
id=174, length=78

WISPr-Redirection-URL = http://www.google.ca;
WISPr-Bandwidth-Max-Up = 128000
WISPr-Bandwidth-Max-Down = 512000
Session-Timeout = 886

I heard about a conflict problem with authorize parameters but I  
haven't figured out how to fix it. Here is my config:


sqlcounter noresetcounter {
  counter-name = Max-All-Session-Time
  check-name = Max-All-Session
  sqlmod-inst = sql
  key = User-Name
  reset = never
  query = SELECT SUM(AcctSessionTime) FROM radacct  
WHERE UserName='%{%k}'

}

#AUHTORIZE SECTION
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253  
bytes.

#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec
#
#
#  The expression module doesn't do authorization,
#  authentication, or accounting.  It only does dynamic
#  translation, of the form:
#
#   Session-Timeout = `%{expr:2 + 3}`

#  So the module needs to be instantiated, but CANNOT be
#  listed in any other section.  See 'doc/rlm_expr' for
expr
noresetcounter
expiration
logintime
}

authorize {
preprocess
suffix
chap
mschap
sql
files
noresetcounter
hourlycounter
dailycounter
monthlycounter
weeklycounter
yearlycounter

totaloctetyearlycounter
totaloctetmonthlycounter
totaloctethourlycounter
totaloctetdaylycounter

outputyearlycounter
outputmonthlycounter
outputhourlycounter
outputdaylycounter

inputyearlycounter
inputmonthlycounter
inputhourlycounter
inputdaylycounter
}
Thanks for your help



First Session-Timeout response error

2009-06-29 Thread Guillaume Brenaut

Hello,
after looking for a solution in different forums and on this mailing  
list without any success I decide to post my problem here.

I'm having trouble to get the good Session-Timeout at the first request.
Example: one user with Max-All-Session:=900 try to connect:

r...@server:~# radtest jalmjdm nqbnmwcp 127.0.0.1 1812 secret
Sending Access-Request of id 197 to 127.0.0.1 port 1812
User-Name = jalmjdm
User-Password = nqbnmwcp
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=197,  
length=78

WISPr-Redirection-URL = http://www.google.ca;
WISPr-Bandwidth-Max-Up = 128000
WISPr-Bandwidth-Max-Down = 512000
Session-Timeout = 2537321

But the next request give the good answer:
r...@server:~# radtest jalmjdm nqbnmwcp 127.0.0.1 1812 secret
Sending Access-Request of id 174 to 127.0.0.1 port 1812
User-Name = jalmjdm
User-Password = nqbnmwcp
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=174,  
length=78

WISPr-Redirection-URL = http://www.google.ca;
WISPr-Bandwidth-Max-Up = 128000
WISPr-Bandwidth-Max-Down = 512000
Session-Timeout = 886

I heard about a conflict problem with authorize parameters but I  
haven't figured out how to fix it. Here is my config:


sqlcounter noresetcounter {
  counter-name = Max-All-Session-Time
  check-name = Max-All-Session
  sqlmod-inst = sql
  key = User-Name
  reset = never
  query = SELECT SUM(AcctSessionTime) FROM radacct  
WHERE UserName='%{%k}'

}

#AUHTORIZE SECTION
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec
#
#
#  The expression module doesn't do authorization,
#  authentication, or accounting.  It only does dynamic
#  translation, of the form:
#
#   Session-Timeout = `%{expr:2 + 3}`

#  So the module needs to be instantiated, but CANNOT be
#  listed in any other section.  See 'doc/rlm_expr' for
expr
noresetcounter
expiration
logintime
}

authorize {
preprocess
suffix
chap
mschap
sql
files
noresetcounter
hourlycounter
dailycounter
monthlycounter
weeklycounter
yearlycounter

totaloctetyearlycounter
totaloctetmonthlycounter
totaloctethourlycounter
totaloctetdaylycounter

outputyearlycounter
outputmonthlycounter
outputhourlycounter
outputdaylycounter

inputyearlycounter
inputmonthlycounter
inputhourlycounter
inputdaylycounter
}
Thanks for your help

Re: First Session-Timeout response error

2009-06-29 Thread Ivan Kalik
 after looking for a solution in different forums and on this mailing
 list without any success I decide to post my problem here.
 I'm having trouble to get the good Session-Timeout at the first request.
 Example: one user with Max-All-Session:=900 try to connect:

 r...@server:~# radtest jalmjdm nqbnmwcp 127.0.0.1 1812 secret
 Sending Access-Request of id 197 to 127.0.0.1 port 1812
   User-Name = jalmjdm
   User-Password = nqbnmwcp
   NAS-IP-Address = 127.0.1.1
   NAS-Port = 1812
 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=197,
 length=78
   WISPr-Redirection-URL = http://www.google.ca;
   WISPr-Bandwidth-Max-Up = 128000
   WISPr-Bandwidth-Max-Down = 512000
   Session-Timeout = 2537321

Post the debug for such request.

 But the next request give the good answer:
 r...@server:~# radtest jalmjdm nqbnmwcp 127.0.0.1 1812 secret
 Sending Access-Request of id 174 to 127.0.0.1 port 1812
   User-Name = jalmjdm
   User-Password = nqbnmwcp
   NAS-IP-Address = 127.0.1.1
   NAS-Port = 1812
 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=174,
 length=78
   WISPr-Redirection-URL = http://www.google.ca;
   WISPr-Bandwidth-Max-Up = 128000
   WISPr-Bandwidth-Max-Down = 512000
   Session-Timeout = 886

It might be of use to see debug of this too.

 I heard about a conflict problem with authorize parameters but I
 haven't figured out how to fix it. Here is my config:

 sqlcounter noresetcounter {
counter-name = Max-All-Session-Time
check-name = Max-All-Session
sqlmod-inst = sql
key = User-Name
reset = never
query = SELECT SUM(AcctSessionTime) FROM radacct
 WHERE UserName='%{%k}'
 }

 #AUHTORIZE SECTION
 instantiate {
  #
  # Allows the execution of external scripts.
  # The entire command line (and output) must fit into 253 bytes.
  #
  # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
  exec
  #
  #
  #  The expression module doesn't do authorization,
  #  authentication, or accounting.  It only does dynamic
  #  translation, of the form:
  #
  #   Session-Timeout = `%{expr:2 + 3}`

  #  So the module needs to be instantiated, but CANNOT be
  #  listed in any other section.  See 'doc/rlm_expr' for
  expr
  noresetcounter
  expiration
  logintime
 }

 authorize {
  preprocess
  suffix
  chap
  mschap
  sql
  files
  noresetcounter
  hourlycounter
  dailycounter
  monthlycounter
  weeklycounter
  yearlycounter

  totaloctetyearlycounter
  totaloctetmonthlycounter
  totaloctethourlycounter
  totaloctetdaylycounter

  outputyearlycounter
  outputmonthlycounter
  outputhourlycounter
  outputdaylycounter

  inputyearlycounter
  inputmonthlycounter
  inputhourlycounter
  inputdaylycounter
 }

You actually use *all* these counters?

Ivan Kalik
Kalik Informatika ISP



Howto: Session-Timeout for DTAG (Zwangstrennung)

2009-04-20 Thread Uwe Kastens
Hello list,

This might be interesting for users in Germany, since there is a
disconnect each 24h if you are working with products from Deutsche
Telekom (DTAG). The disconnect will be forced, if the session is up for
more than 24h. So the job was to set the session-timeout so that logout
will occur each day at the same time.

I solved it with freeradius/postgres with an internal sql-function. It's
a quick hack and there might be 100 better ways to solve. Here we go:

The function for postgres:
CREATE FUNCTION sessionto(character varying(64)) RETURNS integer AS'
DECLARE
    user ALIAS FOR $1;
    timeout INTEGER;
BEGIN
    -- disctime.time holds the daily disconnect time in seconds since 0:00
    IF (select time from disctime where username=user and time is not NULL)
        > extract(epoch from (localtime)) THEN
        -- disconnect time is still ahead today
        select into timeout round((select time from disctime where username=user
            and time is not NULL) - extract(epoch from (localtime)));
    ELSE
        -- already past for today: count up to the same time tomorrow
        select into timeout round((86400 + (select time from disctime where
            username=user and time is not NULL) - extract(epoch from (localtime))));
    END IF;
    -- no row for this user: fall back to just under 24h
    if (timeout is NULL) THEN
        timeout:=86399;
    END IF;
    RETURN timeout;
END;
' LANGUAGE 'plpgsql';

disctime is a table which has fields for username and time in seconds
since 0:00 of the day.


The session-timeout can be set via sql xlat from reply module as a
dynamic value:

attribute,op, value
Session-Timeout =   `%{sql: select sessionto('%{User-Name}') }`

BR

Uwe



-- 

kiste lat: 54.322684, lon: 10.13586


Re: Howto: Session-Timeout for DTAG (Zwangstrennung)

2009-04-20 Thread Michael Schwartzkopff
On Monday, 20 April 2009 19:13:08, Uwe Kastens wrote:
 Hello list,

 This might be interesting for users in Germany, since there is a
 disconnect each 24h if you are working with products from Deutsche
 Telekom (DTAG). The disconnect will be forced, if the session is up for
 more than 24h. So the job was to set the session-timeout so that logout
 will occur each day at the same time.

 I solved it with freeradius/postgres with an internal sql-function. It's
 a quick hack and there might be 100 better ways to solve. Here we go:
(...)

hi,

thanks for the posting. Good to know the techniques behind the scenes even for 
large providers.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Registration court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Session-Timeout for disconnecting user

2009-03-21 Thread Chris Li
Hi all,

I am using Freeradius 2.1.3 to authenticate my users from AP via Active
Directory.
I have defined the time span that all users may login to the system in the
users file:

DEFAULT Login-Time :=
Wk0630-0130,Wk1020-1033,Wk1240-1351,Wk1555-2359,Sa,Su

The logintime module calculates the number of seconds left in the time span,
and sets the Session-Timeout to that number of seconds. How can I include
Session-Timeout in the Access-Accept packet?

Best Regards,
Chris

Re: Session-Timeout for disconnecting user

2009-03-21 Thread tnt
> I am using Freeradius 2.1.3 to authenticate my users from AP via Active
> Directory.
> I have defined the time span that all users may login to the system in the
> users file:
>
> DEFAULT Login-Time :=
> Wk0630-0130,Wk1020-1033,Wk1240-1351,Wk1555-2359,Sa,Su
>
> The logintime module calculates the number of seconds left in the time span,
> and sets the Session-Timeout to that number of seconds.

Is this in inner-tunnel (debug would help)?

> How can I include
> Session-Timeout in the Access-Accept packet?

If logintime works in inner-tunnel you need to enable use_tunneled_reply
in (peap and/or ttls section) eap.conf.

Ivan Kalik
Kalik Informatika ISP
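
The calculation Chris describes, seconds left in the current Login-Time span, worked through for the string in his post. This is an added example, not FreeRADIUS source and not code from the thread. It assumes that Wk means Monday to Friday, that a range whose end is earlier than its start wraps past midnight within the same day's slots, minute resolution, and a return convention chosen for this example (-1 outside every span, 0 when the whole week is allowed). Day ranges such as Mo-Fr are not handled.

```python
import re
from datetime import datetime

DAY_MIN = 24 * 60
WEEK_MIN = 7 * DAY_MIN
# Day codes, index 0 = Sunday. Assumed: "Wk" = Monday-Friday, "Any"/"Al" = every day.
DAYS = {"su": [0], "mo": [1], "tu": [2], "we": [3], "th": [4], "fr": [5], "sa": [6],
        "wk": [1, 2, 3, 4, 5], "any": list(range(7)), "al": list(range(7))}
ENTRY = re.compile(r"^([A-Za-z]+)(?:(\d{4})(?:-(\d{4}))?)?$")


def _minute_of_day(hhmm):
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 23 or minutes > 59:
        raise ValueError("bad time of day: " + hhmm)
    return hours * 60 + minutes


def build_week(login_time):
    """Return WEEK_MIN booleans, True for every minute in which login is allowed."""
    allowed = [False] * WEEK_MIN
    for entry in login_time.split(","):
        match = ENTRY.match(entry.strip())
        if not match or match.group(1).lower() not in DAYS:
            raise ValueError("unsupported Login-Time entry: " + repr(entry))
        if match.group(2) is None:            # bare day code: the whole day
            start, end = 0, DAY_MIN - 1
        else:
            start = _minute_of_day(match.group(2))
            end = _minute_of_day(match.group(3)) if match.group(3) else start
        for day in DAYS[match.group(1).lower()]:
            minute = start
            while True:                       # end < start wraps inside the same day
                allowed[day * DAY_MIN + minute] = True
                if minute == end:
                    break
                minute = (minute + 1) % DAY_MIN
    return allowed


def seconds_left(login_time, now):
    """Seconds until the current span closes; -1 if outside, 0 if never closing."""
    allowed = build_week(login_time)
    sunday_based = (now.weekday() + 1) % 7    # datetime counts Monday as 0
    start = sunday_based * DAY_MIN + now.hour * 60 + now.minute
    slot, minutes = start, 0
    while allowed[slot]:
        minutes += 1
        slot = (slot + 1) % WEEK_MIN          # adjoining spans and days are merged
        if slot == start:
            return 0
    return minutes * 60 if minutes else -1


# The Login-Time value from the post above.
LOGIN_TIME = "Wk0630-0130,Wk1020-1033,Wk1240-1351,Wk1555-2359,Sa,Su"

if __name__ == "__main__":
    for when in (datetime(2009, 3, 23, 0, 0),    # Monday 00:00
                 datetime(2009, 3, 24, 3, 0),    # Tuesday 03:00
                 datetime(2009, 3, 20, 23, 0)):  # Friday 23:00
        print(when, seconds_left(LOGIN_TIME, when))
```

Under these assumptions a login on Friday at 23:00 gets a value that runs through the whole weekend, because the Sa and Su entries adjoin the Friday span.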
