Usage of Session-Timeout
Hi,

we upgraded a freeradius setup from 1.x to 2.1.10+dfsg-2+squeeze1 on Debian Squeeze.

Within the old version, we used a database config for groups with an attribute Session-Timeout and the value `%{expr:06:00}`

With new version freeradius send an error while looking in debug mode like:

    Tue Oct 1 16:15:23 2013 : Info: [sql] expand: 06:00 - 06:00
    Tue Oct 1 16:15:23 2013 : Info: [sql] Not a number at :00
    Tue Oct 1 16:15:23 2013 : Info: [sql] expand: %{expr:06:00} -

Can you explain why this value isn't working with new version or what we have to change to set the Session-Timeout that user get disconnected e.g. at 06:00 am?

Regards,
Volker Lieder

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Usage of Session-Timeout
Volker Lieder wrote:
> Within the old version, we used a database config for groups with an attribute Session-Timeout and the value `%{expr:06:00}`

Which never worked. 06:00 isn't a number. You can't just invent syntax and use it.

> With new version freeradius send an error while looking in debug mode like:
> Tue Oct 1 16:15:23 2013 : Info: [sql]expand: 06:00 - 06:00
> Tue Oct 1 16:15:23 2013 : Info: [sql] Not a number at :00
> Tue Oct 1 16:15:23 2013 : Info: [sql]expand: %{expr:06:00} -
> Can you explain why this value isn't working with new version or what we have to change to set the Session-Timeout that user get disconnected e.g. at 06:00 am?

It didn't work in the old version, either. It just didn't complain.

You should use the Expiration attribute:

    bob Cleartext-Password := hello, Expiration := 06:00

That should work. Or, calculate the Session-Timeout manually.

Alan DeKok.

Re: Session-Timeout
On 2013-04-27 02:46, David Peterson wrote:
> Sorry about that, they say its 16 bit.

I have seen this once with a HUAWEI nas. The max value for 16bit unsigned integer is 65535. It's about 18 hours.

BR,
-- George Chelidze

Re: Session-Timeout
It would depend on your NAS. What does the manual of the NAS say?

The maximum number is the unsigned 32bit integer max of 4billion which is just a few years ;) so I don't really expect you want that.

On Apr 27, 2013 10:06 AM, David Peterson dav...@wirelessconnections.net wrote:
> What is the largest integer that can be used for the Session-Timeout attribute?
>
> | David Peterson | Senior Engineer | Wireless Connections |
> | Office: 419.660.6100 ext 2287 | Cell: 419.706.7355 | Fax: 419.668.4077 |
> | www.wirelessconnections.net http://www.wirelessconnections.net/ |
> | 166 Milan Ave | Norwalk OH 44857 |

RE: Session-Timeout
They say

| David Peterson | Senior Engineer | Wireless Connections |

RE: Session-Timeout
Sorry about that, they say its 16 bit.

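Added example (not part of either thread, and not FreeRADIUS code): one way to "calculate the Session-Timeout manually" for a disconnect at 06:00, combined with the NAS limit discussed in the Session-Timeout thread (16-bit, 65535 seconds). Function names are hypothetical; times are naive local times and a DST change inside the interval is not handled.

```python
import struct
from datetime import datetime, timedelta

SESSION_TIMEOUT = 27  # RADIUS attribute type for Session-Timeout (RFC 2865)


def seconds_until(now, hhmm):
    """Seconds from `now` to the next HH:MM, rolling over to tomorrow if needed."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"not a time of day: {hhmm!r}")
    target = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if target <= now:
        # The requested time has already passed today: aim for tomorrow.
        target += timedelta(days=1)
    return int((target - now).total_seconds())


def session_timeout(now, hhmm, nas_bits=32):
    """Return (value_to_send, clamped).

    nas_bits is the width the NAS really honours (assumption: 16 or 32).
    When clamped is True the session ends before HH:MM and the user has to
    re-authenticate, at which point a fresh value is computed.
    """
    if nas_bits not in (16, 32):
        raise ValueError("nas_bits must be 16 or 32")
    wanted = seconds_until(now, hhmm)
    limit = (1 << nas_bits) - 1
    return min(wanted, limit), wanted > limit


def encode_session_timeout(seconds):
    """Wire form of the attribute: type, length 6, 32-bit big-endian value."""
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("Session-Timeout is an unsigned 32-bit integer")
    return struct.pack("!BBI", SESSION_TIMEOUT, 6, seconds)


if __name__ == "__main__":
    # Constructed sample times; the first is the timestamp from the debug log.
    for now in (datetime(2013, 10, 1, 16, 15, 23), datetime(2013, 10, 1, 8, 0, 0)):
        value, clamped = session_timeout(now, "06:00", nas_bits=16)
        print(now, value, "clamped" if clamped else "exact",
              encode_session_timeout(value).hex())
```

The integer this produces is what goes into `Session-Timeout`, in place of a time-of-day string such as `06:00`.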
[Help] How to control the authentication session timeout
Hello All,

We are using EAP-MSCHAPV2 for authentication with LDAP and using version 2.2.0.

So actually who controls the session validity, for how long the client will be authenticated after connecting to the wireless AP? So for example I key in my username / password in the Windows popup, then how long until I need to key in the credentials again? Is this controlled by Radius or by the AP or by the Windows client?

Thanks in advance and sorry for this newbie question :)

-- Best Regards, Danny

Re: [Help] How to control the authentication session timeout
Controlled by the NAS and/or the RADIUS server depending on NAS settings. ie you should be able to set session-timeout on the NAS and then override/update the value on the RADIUS server depending on your chosen policies... eg for particular users/clients etc... and if proxying you may have agreements or filtering in place to set/agree the value

alan

-- This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.

Re: [Help] How to control the authentication session timeout
Hi Alan,

In which config files do i need to look / edit / add the session timeout in freeradius?

Thanks
Danny

Re: [Help] How to control the authentication session timeout
Hi,

> In which config files do i need to look / edit / add the session timeout in freeradius?

that would depend on how your configuration is done and what options and methods you are using. 'users' file is basic way, SQL tables are another, unlang is yet another way... eg

    update reply {
        Session-Timeout := 7200
    }

stick this into the post-auth section of raddb/sites-available/default (if that's your virtual server in use)

alan

Re: [Help] How to control the authentication session timeout
Thanks Alan, let me try that.

So i can apply this only if the Wireless AP is sending packet with Session-Timeout too right? I don't see this setting in Meraki Wireless AP.

I'm using ldap and all the authentication just simple username / password from ldap. Is the the exact syntax to apply with? or we should use

    update reply-message{ Session-Timeout : = 7200 }

Thanks in advance
Danny

Re: [Help] How to control the authentication session timeout
Hi,

> Thanks Alan, let me try that. So i can apply this only if the Wireless AP is sending packet with Session-Timeout too right? I don't see this setting in Meraki Wireless AP.

as I said, depends on your settings and what the NAS is willing to take from the RADIUS server - you'll have to try it and see - or contact your vendor for technical advice/support.

> I'm using ldap and all the authentication just simple username / password from ldap. Is the the exact syntax to apply with?

?? this is just authentication - how you apply policy is a different issue

> or we should use update reply-message{ Session-Timeout : = 7200 }

?? you could try making things up. but it won't get you anywhere.

alan

Re: [Help] How to control the authentication session timeout
Thanks again Alex, i will try your syntax.

Thanks
Danny

Re: [Help] How to control the authentication session timeout
Hi,

> Thanks again Alex, i will try your syntax.

do you deliberately change words?

alan

Re: [Help] How to control the authentication session timeout
Hi,

What you mean? Sorry i think you might mis-understand my previous 2 message. I mean 2 ask what is the correct syntax for update reply

Is it exactly like what you said in previous email or else :

    update reply { Session-Timeout : = 7200 }

I will search the documentation again for my question and apply it inside Post Auth. Sorry for not searching the documentation before asking, i was trying to find a quick solution :)

Thanks
Danny

Re: [Help] How to control the authentication session timeout
Hi,

> What you mean?

see bottom of email

> Is it exactly like what you said in previous email or else :
> update reply { Session-Timeout : = 7200 }

no, it's exactly like I typed. if you add spaces like you have then the server won't like it

alan

Re: [Help] How to control the authentication session timeout
Hi Danny,

On Tue, Apr 23, 2013 at 11:13:46PM +0800, Danny Kurniawan wrote:
> What you mean? Sorry i think you might mis-understand my previous 2 message. I mean 2 ask what is the correct syntax for update reply
> Is it exactly like what you said in previous email or else :
> update reply { Session-Timeout : = 7200 }

It should be:

    post-auth {
        update reply {
            Session-Timeout := 7200
        }
    }

(e.g. no space between : and =)

HTH,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk

Re: [Help] How to control the authentication session timeout
Thanks all.

-Danny

Re: Session-Timeout anomalies
Bill Isaacs wrote:
> Being a moderator does NOT give you moral license to treat people like children.

The only moral issue here is you admitting you came here with the intention of trolling.

The only purpose of this list is to help people solve problems. If that means reminding them to read the docs, so be it. If you want a friend, go somewhere else.

Alan DeKok.

Session-Timeout anomalies
Hello all,

I'm researching this anomaly myself in all the documentation, but thought it would also be helpful both to me and to others to post the problem here.

SYMPTOM: Some Access-Period accounts (accounts which have X number of seconds to continue logging in and out starting from the very first login) are giving too much time -- that is, at some point they reload the full value of the account type and restart the count down. I discovered it while developing some interface code for our customer service dept.

So far, this DOES NOT seem to be happening to all accounts. Moreover, the database info and radclient results are inconsistent on these accounts that ARE showing the anomaly. Here is an example of one such account, a development test account which I created for debugging purposes. Its value is 30 days (2592000 seconds)

Radclient result:

===

    # echo User-Name=cgitest,User-Password=cgitest | radclient -c 1 -n 3 -r 3 -t 3 -x 127.0.0.1:1812 auth -S shared
    Sending Access-Request of id 24 to 127.0.0.1 port 1812
        User-Name = cgitest
        User-Password = cgitest
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=24, length=26
        Session-Timeout = 2366393

===

sql query:

    SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) FROM radacct WHERE UserName='cgitest' ORDER BY AcctStartTime LIMIT 1 \g

    +------------------------------------------------------------+
    | IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) |
    +------------------------------------------------------------+
    |                                                    1447012 |
    +------------------------------------------------------------+

===

Ok, the problem here should be obvious but I'll explain these results for those who are impatient. The Session-Timeout number is way too large. As I stated previously, this is a 30 day account. It was counting down with no problems until a few days ago. It then mysteriously began reporting in the popup window which I was working on that it had 29.9 days left on it, after it had already counted down to something like 15 days. It simply seems to have reloaded itself, even though the sql query reports the accurate number of seconds which have actually expired. (1447012).

So if we do the math: 2592000-1447012=1144988 (or roughly 13.25 days) should be the remaining time on this account. Not 27.38 days.

Here is the sql counter from sqlcounter.conf:

    sqlcounter accessperiod {
        counter-name = Max-Access-Period-Time
        check-name = Access-Period
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = '%{%k}' ORDER BY AcctStartTime LIMIT 1"
    }

(Before anyone bitches about the sql query being different, save your pixels -- no matter which style of query is used, the account reports that it began at the same time, there is truly no issue here that I can see).

ALSO, BEFORE YOU ASK: There is only 1 radius server and only 1 sql server on the system. Besides, I have tested this exhaustively using different things like the public IP, the fqdn, etc etc. Results are the same - that is to say, wrong. lol

Ok so the question then is: where the hell is radclient getting the notion that the account has 2366393 seconds left? Where is Session-Timeout getting this information? Why is it only doing it on some accounts and not others?

Any insights would be greatly appreciated. I will post the resolution here (unless one of you smart lads or lasses beats me to it ;) ).

Re: Session-Timeout anomalies
>> Ok so the question then is: where the hell is radclient getting the notion that the account has 2366393 seconds left?
>
> That is *entirely* the wrong question. It's why you haven't solved the problem yet. Look at the *radius server* debug output. It's the one sending the Session-Timeout. You should be able to figure out where the session-timeout is coming from.
>
>> Where is Session-Timeout getting this information? Why is it only doing it on some accounts and not others?
>
> Look at the debug output. Honestly. We say this DAILY on this list. There is no excuse for refusing to do that.

Alan, take a deep breath. Of course I've looked at the debug output. Note my opening sentence, ol' pardner. ;)

Re: Session-Timeout anomalies
Bill Isaacs wrote:
> Ok so the question then is: where the hell is radclient getting the notion that the account has 2366393 seconds left?

From the RADIUS server. This isn't magic. radclient doesn't invent attributes in reply packets. It receives them from the RADIUS server.

> Alan, take a deep breath. Of course I've looked at the debug output. Note my opening sentence, ol' pardner. ;)

Well... your question about where does radclient get that value from is entirely missing the point. It gets it from the RADIUS server. I've said this. I have no idea how to convince you it's true.

And the *only* way to debug the RADIUS server is to look at the debug output. And no, your original message did *not* say you had run the server in debugging mode. There's only a reference to creating an account for debugging purposes. There's no radiusd -X output.

My frustration here is that the documentation and my messages cannot possibly be any more clear. Yet you're wandering around doing everything *but* what the documentation says, and then wondering why I'm getting annoyed.

Run the server in debugging mode. Really. Do it. I mean it.

If you want to track down the issue to a specific module, update the config to do:

    update reply {
        Reply-Message += "A %{reply:Session-Timeout}"
    }

Cut and paste that through various pieces of authorize, post-auth, etc. Change the A to B, C, etc. You should see 10-20 Reply-Messages in the Access-Accept. Each with a value for Session-Timeout. That lets you track *what* the value is, and *where* in the config the value is coming from.

Then once you know it's a particular module, you can figure out how to fix that module.

Right now, you're staring at the radclient output, wondering why the server isn't working. That's a mistake.

Alan DeKok.

Re: Session-Timeout anomalies
On 02/08/2013 09:50 AM, Alan DeKok wrote:
> Bill Isaacs wrote:
>> Ok so the question then is: where the hell is radclient getting the notion that the account has 2366393 seconds left?
>
> From the RADIUS server. This isn't magic. radclient doesn't invent attributes in reply packets. It receives them from the RADIUS server.
>
> Well... your question about where does radclient get that value from is entirely missing the point. It gets it from the RADIUS server. I've said this. I have no idea how to convince you it's true.

Alan, you're so much more fun when you're not being myopic. lol Of course it's getting the answer from the radius server. You really think I don't know that?

> And the *only* way to debug the RADIUS server is to look at the debug output. And no, your original message did *not* say you had run the server in debugging mode. There's only a reference to creating an account for debugging purposes. There's no radiusd -X output.

You're quite right Alan, it didn't. NOR did I say that it did. To paraphrase you, You're staring at the first sentence, wondering where the debug output is. That's a mistake. :D

What I DID say was I'm researching this anomaly myself in all the documentation, but thought it would also be helpful /both to me and to others/ to post the problem here. (emphasis added). What I implied in the ensuing message was that it would be posted here once I tracked the message down, but that posting it and the solution in nice digestible pieces for those not familiar at all with radius would be helpful to them.

I suspect if you went to decaf and quit asking 'why' others don't just do what should be done, you would have understood that. Take a deep breath. Read between the lines, and realize that if others understood radius the way you do, you'd be out of a job (at least on the board here). I'm trying to make this fun, and be worthwhile as a thread. So caaalm down. ok?

I'll post the debug output along with what it reveals as soon as I've worked it all out thoroughly. Trust me. :)

> ... why I'm getting annoyed.

See decaf above.

> If you want to track down the issue to a specific module, update the config to do:
>
>     update reply {
>         Reply-Message += "A %{reply:Session-Timeout}"
>     }
>
> Cut and paste that through various pieces of authorize, post-auth, etc. Change the A to B, C, etc. You should see 10-20 Reply-Messages in the Access-Accept. Each with a value for Session-Timeout. That lets you track *what* the value is, and *where* in the config the value is coming from. Then once you know it's a particular module, you can figure out how to fix that module.

Now *there* is a wholly useful piece of information. Bravo! Sooner or later, we'll clear out enough of the rants to expose goodies, no? :D

Re: Session-Timeout anomalies
Bill Isaacs wrote:
> Alan, you're so much more fun when you're not being myopic. lol Of course it's getting the answer from the radius server. You really think I don't know that?

I can only read what you write. You asked *twice* why radclient had that Session-Timeout. The second time, after I told you to look at the server. You then said you HAD mentioned you looked at the server output, when your messages made no such reference.

I'm asking you to communicate clearly and honestly. If you can't do that, then you won't solve the problem.

> What I DID say was I'm researching this anomaly myself in all the documentation, but thought it would also be helpful /both to me and to others/ to post the problem here. (emphasis added).

(a) looking at radclient, and (b) looking at the config, and NOT looking at the debug output.

There are messages every day saying POST THE DEBUG OUTPUT. You didn't do that. You have failed the basic netiquette we ask for here. And then to top it off, get condescending to me when I point this out.

> What I implied in the ensuing message was that it would be posted here once I tracked the message down,

You've failed to understand the need for the debug output. It is nearly everything you need to (a) debug, and (b) solve the problem. You don't post it here after you've come up with a solution. You post it here so that people with a clue can read it, and help you.

> but that posting it and the solution in nice digestible pieces for those not familiar at all with radius would be helpful to them.

Nonsense. Again, you make it clear you don't understand. What is helpful is a *solution*. You posted a problem. You posted the wrong information about the problem. You are suggesting that people use the wrong *method* to track the problem down.

You're wasting everyone's time. You're misleading future people, who will find your post, and potentially go down the wrong path.

> I suspect if you went to decaf and quit asking 'why' others don't just do what should be done, you would have understood that.

I think you're being condescending and rude. Stop it.

> Take a deep breath. Read between the lines, and realize that if others understood radius the way you do, you'd be out of a job (at least on the board here).

It doesn't take a rocket scientist to read the documentation, and post the debug output as suggested in the FAQ, man page, web pages, and daily on this list. You didn't do that. I really don't care why.

The entire reason I'm an expert is that I'm willing to learn from others. I read the documentation, and I follow instructions. It's not hard. You don't do that.

> I'm trying to make this fun, and be worthwhile as a thread. So caaalm down. ok? I'll post the debug output along with what it reveals as soon as I've worked it all out thoroughly. Trust me. :)

That is completely the wrong approach. You are misleading everyone else by suggesting that method. Stop it.

> Now *there* is a wholly useful piece of information. Bravo! Sooner or later, we'll clear out enough of the rants to expose goodies, no? :D

I figured that it was hopeless to get you to follow the existing documentation. So maybe if I spoon-fed it to you in pieces you might think about it, and follow instructions.

Alan DeKok.

Re: Session-Timeout anomalies
Again Alan, read between the lines. I've been scanning these emails from this group for about year through google searches. What I've learned from this mailing list is that you routinely castigate people who ask questions on here. That's rude. Your tone is arrogant. And that's rude. Yes, I'm being condescending but it's in order to point out your rudeness -- hopefully in an entertaining way. You're apparently a hopeless case where that's concerned.

What it seems to me that this thread needs is a set of discussions that don't include a staple diet of questioner-castigation, as you've done here to me. OF course I expected it, even counted on it, to make the point I'm making here. No one is being led down the wrong path. You just need to lighten up and be a little less arrogant. A little nicer. A human being. And the whole thing sailed right over your arrogant head. Read this exchange, and I rest my case right there.

>> I'm trying to make this fun, and be worthwhile as a thread. So caaalm down. ok? I'll post the debug output along with what it reveals as soon as I've worked it all out thoroughly. Trust me. :)
>
> That is completely the wrong approach. You are misleading everyone else by suggesting that method. Stop it.
>
>> Now *there* is a wholly useful piece of information. Bravo! Sooner or later, we'll clear out enough of the rants to expose goodies, no? :D
>
> I figured that it was hopeless to get you to follow the existing documentation. So maybe if I spoon-fed it to you in pieces you might think about it, and follow instructions.

By the way Alan, I didn't need that spoon fed to me. I'm drawing out information for the benefit of others and frankly, just seeing if you have anything in your repertoire that doesn't include trying to belittle people who are asking for help. Jury is still out on that one, but wearing a frown as they deliberate. :)

Now for the useful stuff.

Here is the telling part of the freeradius -X output that I ran earlier this morning and printed out to use as a reference in my inquiries:

    [accessperiod] expand: %{sql:SELECT IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() - IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName = 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1} - 231238
    rlm_sqlcounter: Check item is greater than query result
    rlm_sqlcounter: Authorized user cgitest, check_item=2592000, counter=231238
    rlm_sqlcounter: Sent Reply-Item for user cgitest, Type=*Session-Timeout, value=2360762*
    ++[accessperiod] returns ok

So, there's something fishy with the rlm_sqlcounter module. Looks like the place to start. Stay tuned, film at 11.

Re: Session-Timeout anomalies
Bill Isaacs wrote:
> Here is the telling part of the freeradius -X output that I ran earlier this morning and printed out to use as a reference in my inquiries:
>
> [accessperiod] expand: %{sql:SELECT IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() - IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName = 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1} - 231238
> rlm_sqlcounter: Check item is greater than query result
> rlm_sqlcounter: Authorized user cgitest, check_item=2592000, counter=231238
> rlm_sqlcounter: Sent Reply-Item for user cgitest, Type=*Session-Timeout, value=2360762*
> ++[accessperiod] returns ok
>
> So, there's something fishy with the rlm_sqlcounter module.

All of this nonsense could have been prevented if you had posted this in your first message. The debug output is clear:

1) it runs a query:

SELECT IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() - IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName = 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1

2) the query returns 231238

You can verify this by running the query manually. That's why it's printed out in debugging mode.

3) 2592000 - 231238 = 2360762

This is maybe grade 5 math.

4) sqlcounter returns 2370762. FreeRADIUS is working correctly.

5) Instead of following instructions, you wasted everyone's time by ignoring the documentation, and then arguing about it

6) you still blame FreeRADIUS, *despite* the pretty clear debug output above. It doesn't take a RADIUS expert to figure it out.

7) Despite your poor attitude, I'm *still* trying to help you

8) If you respond by blaming me or putting me down, you will be unsubscribed and banned from this list.

If you keep your messages technical, there's no problem. If you read the documentation, there's no problem. If you follow instructions, there's no problem. The entire problem is you refusing to follow instructions, and then arguing about it.

You have this weird idea that I'm being rude for telling you to FOLLOW THE DOCUMENTATION. The only problem here is you. Fix your attitude, or you will be unsubscribed and banned. There are hundreds of people a month who post questions and get answers without any problem. Choose to be one of them.

Alan DeKok.
Re: Session-Timeout anomalies
Alan,

Being a moderator does NOT give you moral license to treat people like children. You're a rude man. Please ban me.
Session-Timeout
Hi,

We want to force Session-Timeout for all our users. Authorization and authentication are made by LDAP. Is it possible to add Session-Timeout in a file or config file to apply it to all our users?

BR,
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
Re: Session-Timeout
Yes. You could do it simply with users file, use unlang in post-auth or add it to LDAP as 3 places to start with (just one way is enough!)

And you'll need to ensure your NAS kit follows/honours the value you provide. If you are proxying a la eduroam then the remote site providing the service will decide what to do. They may honour your value, they may filter it out or they may override it with their chosen value

alan
--
This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
Re: Session-Timeout
On 18/01/2013 12:26, Emmanuel BILLOT wrote:
> Hi, We want to force Session-Timeout for all our users. Authorization and authentication are made by LDAP. Is it possible to add Session-Timeout in a file or config file to apply it to all our users ? BR,

More questions about it:

I saw that interim-update was a partial report of what was done during the session, fixed on interval for not losing all data if the connection fails for accounting. Ok, but I knew there was a regular re-auth session to keep the connection alive, right? If that is right, what could be the attribute to increase the interval between two checks?

BR,
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
Re: Session-Timeout
On 18.01.2013 12:26, Emmanuel BILLOT wrote:
> Hi, We want to force Session-Timeout for all our users. Authorization and authentication are made by LDAP. Is it possible to add Session-Timeout in a file or config file to apply it to all our users ?

Add the following at the beginning of the users file

DEFAULT
        Session-Timeout :=

and be sure to call the file module in authorize

OR

in authorize, add

update reply {
        Session-Timeout :=
}

Olivier
--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: oliv...@heliosnet.org
Re: Session-Timeout
On 26.07.2012 17:20, Klaus Klein wrote:
> On 26.07.2012 16:16, Matthew Newton wrote:
> > On Thu, Jul 26, 2012 at 04:08:04PM +0200, Klaus Klein wrote:
> > > While everything works so far, I just can't get the Session-Timeout to work.
> > If FreeRADIUS is sending the AVP back to the NAS (which you state it is), it's the job of the NAS (the AP) to disconnect the user at the specified time. The user will keep working until the NAS kicks them off. As the user isn't being disconnected, it's the NAS that needs investigating.
> I was afraid it would go down that road. :-(

And it did. But not too far. A newer firmware (BETA, hmm...) fixed the problem.

Cheers,
Klaus
Session-Timeout
Hi Folks,

I'm in the process to setup a WPA(2)-Enterprise (IEEE 802.1X) protected WLAN. I chose FreeRADIUS (2.1.10) with EAP-TLS to authenticate and control the access to the network.

While everything works so far, I just can't get the Session-Timeout to work.

If I start 'freeradius -X' I can see that FreeRADIUS sends the Session-Timeout information with the Access-Accept message. Also if I limit the Login-Time (e.g. Login-Time := Wk-1500) and the remaining time is less than the Session-Timeout, the remaining time is sent as a Session-Timeout.

Nevertheless, after the session times out, no reauthentication takes place and the client stays connected to the network.

As this behavior happens with all (two) APs I've got, I'm not sure where to locate the problem (FreeRADIUS, AP or Client (Debian Squeeze with wpa_supplicant)).

Any idea how I could pinpoint the problem either from the FreeRADIUS or the client side?

Thanks,
Klaus
Re: Session-Timeout
On Thu, Jul 26, 2012 at 04:08:04PM +0200, Klaus Klein wrote:
> While everything works so far, I just can't get the Session-Timeout to work.
> ...
> Any idea how I could pinpoint the problem either from the FreeRADIUS or the client side?

If FreeRADIUS is sending the AVP back to the NAS (which you state it is), it's the job of the NAS (the AP) to disconnect the user at the specified time. The user will keep working until the NAS kicks them off.

As the user isn't being disconnected, it's the NAS that needs investigating.

Matthew
--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Session-Timeout
Then AP probably doesn't understand Session-Timeout attribute... (not implemented for example)

It would be helpful to tell us what are you using as AP

On 26.7.2012 16:08, Klaus Klein wrote:
> Hi Folks,
>
> I'm in the process to setup a WPA(2)-Enterprise (IEEE 802.1X) protected WLAN. I choose FreeRADIUS (2.1.10) with a EAP-TLS to authenticate and control the access to the network.
>
> While everything works so far, I just can't get the Session-Timeout to work.
>
> If I start 'freeradius -X' I can see that FreeRADIUS sends the Session-Timeout information with the Access-Accept message. Also if I limit the Login-Time (e.g. Login-Time := Wk-1500) and the remaining time is less then the Session-Timeout, the remaining time is send as a Session-Timeout.
>
> Nevertheless, after the session times out, no reauthentication takes place and the client stays connected to the network.
>
> As this behavior happens with all (two) APs I've got, I'm not sure where to locate the problem.(FreeRADIUS, AP or Client (Debian Squeeze with wpa_supplicant))
>
> Any idea how I could pinpoint the problem either from the FreeRADIUS or the client side?
>
> Thanks, Klaus
Re: Session-Timeout
On 26.07.2012 16:29, Marinko Tarlać wrote:
> Then AP probably doesn't understand Session-Timeout attribute... (not implemented for example)
> It would be helpful to tell us what are you using as AP

AP No.1 Netgear WG602v3 with dd-wrt v24_micro_generic.bin
AP No.2 Siemens Gigaset SE515dsl

Cheers,
Klaus
Re: Session-Timeout
On 26.07.2012 16:16, Matthew Newton wrote:
> On Thu, Jul 26, 2012 at 04:08:04PM +0200, Klaus Klein wrote:
> > While everything works so far, I just can't get the Session-Timeout to work.
> If FreeRADIUS is sending the AVP back to the NAS (which you state it is), it's the job of the NAS (the AP) to disconnect the user at the specified time. The user will keep working until the NAS kicks them off. As the user isn't being disconnected, it's the NAS that needs investigating.

I was afraid it would go down that road. :-(

> > Any idea how I could pinpoint the problem either from the FreeRADIUS or the client side?

I'm just tracing the wpa_supplicant and noticed a message

Cancelling authentication timeout

Unfortunately, it's not clear what or which side (AP or Client) is causing this message.

Is there any way a client could cancel a session timeout? Or why would an AP do so?

Cheers,
Klaus
Re: Session-Timeout Monitoring from db.daily
yagizozen wrote:
> All the information of the users that connect and dc, is stored in the db.daily file I suppose. But I can not open the file with notepad and see which user had how many seconds of active sessions.

That's not how computers work. Do you open MP3s in Notepad to play them?

> I configured a user to use 1 hour per day. The user used 20 min of his 1 hour limit. Now where can I see that users remaining time to spent during that day?? I am not using regular accounting tables of the FR. I suppose that information is located that db.daily file but I can not see inside of it. Can you help me?

See the rad_counter.pl file which is distributed with the server.

Alan DeKok.
Re: Session-Timeout Monitoring from db.daily
Thank you Alan,

I couldn't find that perl file in my machine.

Is there any way to see the content of db.daily with the use of any program in the windows environment so that I can copy the file to my windows and use that tool to look inside.
Re: Session-Timeout Monitoring from db.daily
On Wed, May 9, 2012 at 3:54 PM, yagizozen yagizo...@yahoo.com wrote:
> Thank you Alan, I couldnt find that perl file in my machine. Is there any way to see the content of db.daily with the use of any program in the windows environment so that I can copy the file to my windows and use that tool to look inside.

Short version: No.

Long version: did you look at rad_counter.pl, as Alan mentioned? If you did, you'd notice that it's a perl script, which uses GDBM_File module. Both should be available on windows (active perl, cygwin, etc). Or you could use some other program which supports gdbm (e.g. php).

But since you didn't even bother looking at that file, my guess is you won't be able to find the applications required to look at its content. So no, you won't be able to do so.

--
Fajar
Re: Session-Timeout Monitoring from db.daily
On Wed, May 9, 2012 at 3:54 PM, yagizozen yagizo...@yahoo.com wrote:
> Thank you Alan, I couldnt find that perl file in my machine.

It's available on FR source code, as mentioned already by Alan: http://freeradius.org/download.html

Or read the latest development version directly from github: https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_counter/rad_counter.pl

--
Fajar
Re: Session-Timeout Monitoring from db.daily
yagizozen wrote:
> I couldnt find that perl file in my machine.

That's not a good response. The file is distributed with FreeRADIUS. Go look in the FreeRADIUS distribution archive for it.

> Is there any way to see the content of db.daily with the use of any program in the windows environment so that I can copy the file to my windows and use that tool to look inside.

I have no idea. I don't use Windows. The tools distributed with FreeRADIUS work. Use them.

Alan DeKok.
Re: Session-Timeout Monitoring from db.daily
You are right Sir, I could not find it in my server because it didn't get installed I guess when I installed FR with

yum install freeradius2 freeradius2-utils
Re: Session-Timeout Monitoring from db.daily
I do not have the modules folder under /usr/src. How can I install the modules folder to my machine without changing any other file contents under /etc or /var/log/radius?
Re: Session-Timeout Monitoring from db.daily
yagizozen wrote:
> I do not have the modules folder under /usr/src. How can I install the modules folder to my machine but do not change any other file contents under /etc or /var/log/radius

Download the tar file from our FTP site. See http://www.freeradius.org/

Or, read the link that Fajar sent out.

Alan DeKok.
Re: Session-Timeout Monitoring from db.daily
On 05/09/2012 07:17 AM, yagizozen wrote:
> You are right Sir, I could not find it in my server because it didnt installed I guess when I install FR with yum install freeradius2 freeradius2-utils

The reason the rad_counter.pl is only in a source distribution is because it's not installed via the install target in the Makefile. If rad_counter.pl is meant to be a user utility it should be installed as part of make install.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: Session-Timeout Monitoring from db.daily
John Dennis wrote:
> The reason the rad_counter.pl is only in a source distribution is because it's not installed via the install target in the Makefile. If rad_counter.pl is meant to be a user utility it should be installed as part of make install.

That's probably a good idea. I'll go add that.

Alan DeKok.
Re: Session-Timeout Monitoring from db.daily
Hello everyone, I managed to do it finally :) THANK YOU very much
Session-Timeout Monitoring from db.daily
Hello guys,

I am using counter module as follows:

counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        reply-name = Session-Timeout
        cache-size = 5000
}

All the information of the users that connect and dc, is stored in the db.daily file I suppose. But I can not open the file with notepad and see which user had how many seconds of active sessions.

I configured a user to use 1 hour per day. The user used 20 min of his 1 hour limit. Now where can I see that users remaining time to spent during that day??

I am not using regular accounting tables of the FR. I suppose that information is located that db.daily file but I can not see inside of it.

Can you help me?

Thank you very much
Re: Problems sending session-timeout
to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): starting 5
rlm_sql (sql): Attempting to connect rlm_sql_mysql #5
rlm_sql_mysql: Starting connect to MySQL server for #5
rlm_sql (sql): Connected new DB handle, #5
rlm_sql (sql): starting 6
rlm_sql (sql): Attempting to connect rlm_sql_mysql #6
rlm_sql_mysql: Starting connect to MySQL server for #6
rlm_sql (sql): Connected new DB handle, #6
rlm_sql (sql): starting 7
rlm_sql (sql): Attempting to connect rlm_sql_mysql #7
rlm_sql_mysql: Starting connect to MySQL server for #7
rlm_sql (sql): Connected new DB handle, #7
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserving sql socket id: 7
rlm_sql (sql): Read entry nasname=80.26.102.157,shortname=NataliWifi,secret=sj6bo5RdYsmME@uyf8yuTq9x4SVb39
rlm_sql (sql): Adding client 80.26.102.157 (NataliWifi, server=none) to clients list
rlm_sql (sql): Read entry nasname=0.0.0.0/0,shortname=FaberWifi,secret=62p@%5RdYsmME@uyf8yuTq9x4SVb39
rlm_sql (sql): Adding client 0.0.0.0 (FaberWifi, server=none) to clients list
rlm_sql (sql): Read entry nasname=213.0.2.116,shortname=WifiPoint,secret=Mb6xUH14yXK27F1d
rlm_sql (sql): Adding client 213.0.2.116 (WifiPoint, server=none) to clients list
rlm_sql (sql): Read entry nasname=80.36.217.106,shortname=PamadiWifi,secret=mk5mk5RdYsmME@uyf8yuTq9x4SVb39
rlm_sql (sql): Adding client 80.36.217.106 (PamadiWifi, server=none) to clients list
rlm_sql (sql): Read entry nasname=213.97.154.93,shortname=PamadiWifiArenas,secret=mk6ml5RdYsmME@uyf8yuTq9x4SVb39
rlm_sql (sql): Adding client 213.97.154.93 (PamadiWifiArenas, server=none) to clients list
rlm_sql (sql): Released sql socket id: 7
Module: Linked to module rlm_sqlcounter
Module: Instantiating module unuso from file /etc/freeradius/sql/mysql/counter.conf
  sqlcounter unuso {
        counter-name = One-All-Session-Time
        check-name = One-All-Session
        reply-name = Session-Timeout
        key = User-Name
        sqlmod-inst = sql
        query = SELECT UNIX_TIMESTAMP()-UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName='%{%k}' ORDER BY AcctStartTime LIMIT 1
        reset = never
        safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
  }
rlm_sqlcounter: Reply attribute Session-Timeout is number 27
rlm_sqlcounter: Counter attribute One-All-Session-Time is number 11273
rlm_sqlcounter: Check attribute One-All-Session is number 11274
rlm_sqlcounter: Current Time: 1328269705 [2012-02-03 12:48:25], Next reset 0 [2012-02-03 12:00:00]
rlm_sqlcounter: Current Time: 1328269705 [2012-02-03 12:48:25], Prev reset 0 [2012-02-03 12:00:00]
Module: Instantiating module noresetcounter from file /etc/freeradius/sql/mysql/counter.conf
  sqlcounter noresetcounter {
        counter-name = Max-All-Session-Time
        check-name = Max-All-Session
        reply-name = Session-Timeout
        key = User-Name
        sqlmod-inst = sql
        query = SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'
        reset = never
        safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
  }
rlm_sqlcounter: Reply attribute Session-Timeout is number 27
rlm_sqlcounter: Counter attribute Max-All-Session-Time is number 11275
rlm_sqlcounter: Check attribute Max-All-Session is number 11276
rlm_sqlcounter: Current Time: 1328269705 [2012-02-03 12:48:25], Next reset 0 [2012-02-03 12:00:00]
rlm_sqlcounter: Current Time: 1328269705 [2012-02-03 12:48:25], Prev reset 0 [2012-02-03 12:00:00]
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module acct_unique from file /etc/freeradius/modules/acct_unique
  acct_unique {
        key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
  }
Module: Checking accounting {...} for more modules to load
Module: Instantiating module attr_filter.accounting_response from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
        attrsfile = /etc/freeradius/attrs.accounting_response
        key
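Debug output of this kind prints each NAS shared secret in clear text when clients are loaded from SQL. The following is an added example, not code from the thread or from the FreeRADIUS project: it redacts those values before a log is shared and reports client entries that cover a wide address range. The sample lines are constructed, and the function name `sanitize_debug` and the `max_addresses` threshold are assumptions.

```python
import ipaddress
import re

# Values that should never leave the server in a pasted log. The pattern
# covers "secret=..." in rlm_sql client-loading lines, "secret = ..." in
# dumped client sections, and password attributes printed with a request.
SECRET_RE = re.compile(
    r"(\b(?:secret|User-Password|Cleartext-Password)\s*:?=\s*).+$"
)

# Client rows read from the nas table, as printed in debug mode.
NAS_RE = re.compile(r"Read entry nasname=(?P<nas>[^,\s]+),shortname=(?P<short>[^,]*)")


def sanitize_debug(lines, max_addresses=256):
    """Return (redacted_lines, warnings) for an iterable of debug lines.

    max_addresses is an assumed review threshold: any client definition
    matching more source addresses than this is reported, because every
    host in that range is accepted with the same shared secret.
    """
    clean, warnings = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        m = NAS_RE.search(line)
        if m:
            try:
                net = ipaddress.ip_network(m["nas"], strict=False)
            except ValueError:
                net = None  # nasname is a hostname, nothing to measure
            if net is not None and net.num_addresses > max_addresses:
                warnings.append(
                    f"client {m['short']!r} ({net}) accepts "
                    f"{net.num_addresses} source addresses with one shared secret"
                )
        clean.append(SECRET_RE.sub(r"\1<redacted>", line))
    return clean, warnings


# Constructed sample in the format of the log above; all values are made up.
SAMPLE_DEBUG = [
    "rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas",
    "rlm_sql (sql): Read entry nasname=192.0.2.10,shortname=ap-lobby,secret=Constructed-Secret-1",
    "rlm_sql (sql): Read entry nasname=0.0.0.0/0,shortname=any-nas,secret=Constructed,Secret 2",
    "rlm_sql (sql): Adding client 0.0.0.0 (any-nas, server=none) to clients list",
    '\tUser-Password = "Constructed-pass"',
]

if __name__ == "__main__":
    redacted, notes = sanitize_debug(SAMPLE_DEBUG)
    print("\n".join(redacted))
    for note in notes:
        print("REVIEW:", note)
```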
Re: Problems sending session-timeout
tonimanel wrote:
> I'm having problems configuring authentication attributes which were send to the NAS. I don't know why FreeRADIUS doesn't check attributes that NAS sends - only check called-stattion-id (maybe I should to complete the configuration... I don't know how).

Learn how to ask good questions.

You keep talking about a solution you've implemented. Don't do that. It's clear you don't understand the server, and you don't understand what you've implemented.

Instead, describe what you want to do. Describe what information you see in an Access-Request, and what information you want to see in an Access-Accept. Describe how you want to use the information in the Access-Request to make decisions.

You are having major difficulties configuring the server. The ONLY reason for this is that you don't know what you want it to do.

> I don't have clear what I should to do. I would like to get that when a user login to the NAS, NAS has to send some attributes like radius location name, radius location id, called station id and then FreeRADIUS compare with database.

The NAS sends whatever it wants to send. It doesn't have to send anything.

And what do you mean by FreeRADIUS compare with database? Compare WHAT? With WHAT? WHY is it doing the comparison?

> Now, called station id functions correctly. After that, FreeRADIUS has to send to the NAS the user's time session.

What's a user's time session?

You need to talk about what's actually happening. Using the correct words is a requirement. Using vague confusing words just makes your life more difficult.

> In my case, these attributes were not sent/received and I can't to get a complete functionality.

You haven't described what you want the server to do. All you've said is the server receives packets and sends replies. But it doesn't work. Those kind of comments are content-free, and unhelpful.

Alan DeKok.
Re: Problems sending session-timeout
Hi,

> I'm having problems configuring authentication attributes which were send to the NAS. I don't know why FreeRADIUS doesn't check attributes that NAS sends - only check called-stattion-id (maybe I should to complete the configuration... I don't know how).

FreeRADIUS will check whatever you tell it to check - eg in check table, or using unlang etc

> I don't have clear what I should to do. I would like to get that when a user login to the NAS, NAS has to send some attributes like radius location name, radius location id, called station id and then FreeRADIUS compare with database. Now, called station id functions correctly. After that, FreeRADIUS has to send to the NAS the user's time session.

rad reply table

alan
Re: Problems sending session-timeout
I think that I have not explained very well. I disagree Alan Dekok. Sorry if you think that I'm talking about my implementation, but I think that is correct to explain (or at least try) what happen in my case. I think that another users could have these problems. Or if you configure some service and it works fine, but something you don't know how works, what would you do?

I'm using Mikrotik's field names, sorry. So I would like to know why if FreeRADIUS reads from radgroupcheck an attribute, it is not compared with NAS' attribute. In my case, I have configured in Mikrotik a location name that in radgroupcheck is WISPr-Location-Name, why these values were not compared?

And another problem that I'm having is that when user login seems that NAS (Mikrotik in my case) does not receive session time left (Session-Timeout). Why? Have I to configure something? I have added dictionary.

Any idea?

Thanks.
Toni.
Re: Problems sending session-timeout
On Fri, Feb 3, 2012 at 7:54 PM, tonimanel antoniofernan...@fabergames.com wrote:
> I think that I have not explained very well. I disagree Alan Dekok. Sorry if you think that I'm talking about my implementation, but I think that is correct to explain (or at least try) what happen in my case. I think that another users could have these problems. Or if you configure some service and it works fine, but something you don't know how works, what would you do? I'm using Mikrotik's field names, sorry. So I would like to know why if FreeRADIUS reads from radgroupcheck an attribute, it is not compared with NAS' attibute. In my case, I have configured in Mikrotik a location name that in radgroupcheck is WISPr-Location-Name, why these values were not compared? And another problem that I'm having is that when user login seems that NAS (Mikrotik in my case) does nor receive session time left (Session-Timeout). Why? Have I to configure something? I have added dictionary. Any idea?

Back up a bit. I'm going to be blunt here.

At this point I HIGHLY suggest you try to implement a BASIC freeradius installation, from a FRESH installation (either source or package is fine). Don't forget to read the documentation. Create users in sql, then run the server in debug mode. Test authentication (radtest is fine). Observe what happens. That would give you an idea how freeradius works, without the complexity of additional/advanced modules/configuration. You REALLY need to understand how it works.

Cause to tell the truth, you're bordering annoying right now. I know you don't mean to, but you keep on using your own terms, and insisting things don't work, when in fact it might be just a simple configuration problem. Seriously. Spend some time to learn the basics. It will help you phrase your questions, and it will help others from giving answers you can understand.

Now back to your question. For the question of why these values were not compared in sql, you need to learn about operators and tables. Since you seem to be using debian or derivatives, start with /usr/share/doc/freeradius/rlm_sql.gz. Especially read about the flow and operators. Make SURE you understand them before asking more questions.

As for why your sqlcounter not working, I'd start with looking at this line from the debug log

[unuso] expand: %{sql:SELECT UNIX_TIMESTAMP()-UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName='e58ARw' ORDER BY AcctStartTime LIMIT 1} -
rlm_sqlcounter: No integer found in string

Check:
- did you customize the queries? If yes, revert it. Unless you REALLY know what you're doing. The defaults work fine in most cases, and often user modification butchered it.
- if it's still the default query, or you've changed it but you REALLY know what you're doing, look at that query from debug log. Execute it directly in your db's sql prompt.

A quick glance says you've modified the query (since the default query all have SUM in the SELECT statement) and the modification made sqlcounter stop working because your modified query does not return an integer.

--
Fajar
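The debug-log checks walked through in this reply and in the "Session-Timeout anomalies" thread above (read the sqlcounter expansion, confirm the reply value against check_item and counter, catch a query that returns no integer) can be scripted. This is an added example, not code from the thread or from FreeRADIUS; the names `audit_sqlcounter` and `Finding` are hypothetical, the sample lines are constructed in the format quoted on this page, and it assumes the relationship shown in the thread, reply value = check_item minus counter, so a "mismatch" is a prompt to review the counter configuration rather than proof of a fault.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "instance user status expected sent query")

# "[instance] expand: %{sql:<query>} -> <result>". The ">" is optional
# because list archives often strip it, as in the logs quoted in the thread.
EXPAND_RE = re.compile(
    r"^\[(?P<inst>[^\]]+)\]\s+expand: %\{sql:(?P<query>.*)\}\s*->?\s*.*$"
)
AUTH_RE = re.compile(
    r"^rlm_sqlcounter: Authorized user (?P<user>[^,]+), "
    r"check_item=(?P<check>\d+), counter=(?P<counter>\d+)"
)
REPLY_RE = re.compile(
    r"^rlm_sqlcounter: Sent Reply-Item for user (?P<user>[^,]+), "
    r"Type=\*?[\w-]+, value=(?P<value>\d+)"
)
NO_INTEGER = "rlm_sqlcounter: No integer found in string"


def audit_sqlcounter(lines):
    """Walk debug lines and return one Finding per sqlcounter decision."""
    findings = []
    inst = query = None              # most recent sqlcounter expansion
    user = check = counter = None    # most recent "Authorized user" line
    for raw in lines:
        line = raw.strip()
        m = EXPAND_RE.match(line)
        if m:
            inst, query = m["inst"], m["query"]
            user = check = counter = None
            continue
        if line.startswith(NO_INTEGER):
            # The query ran but produced nothing numeric: run it by hand.
            findings.append(Finding(inst, None, "no-integer", None, None, query))
            continue
        m = AUTH_RE.match(line)
        if m:
            user, check, counter = m["user"], int(m["check"]), int(m["counter"])
            continue
        m = REPLY_RE.match(line)
        if m and check is not None and m["user"] == user:
            expected = check - counter
            sent = int(m["value"])
            status = "ok" if sent == expected else "mismatch"
            findings.append(Finding(inst, user, status, expected, sent, query))
            user = check = counter = None
    return findings


# Constructed sample lines; user names and the second counter are made up.
SAMPLE_LOG = [
    "[accessperiod] \texpand: %{sql:SELECT IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() - IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName = 'alice' LIMIT 1} - 231238",
    "rlm_sqlcounter: Check item is greater than query result",
    "rlm_sqlcounter: Authorized user alice, check_item=2592000, counter=231238",
    "rlm_sqlcounter: Sent Reply-Item for user alice, Type=Session-Timeout, value=2360762",
    "++[accessperiod] returns ok",
    "[dailycounter] \texpand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='bob'} -> 1200",
    "rlm_sqlcounter: Authorized user bob, check_item=3600, counter=1200",
    "rlm_sqlcounter: Sent Reply-Item for user bob, Type=Session-Timeout, value=2000",
    "[unuso] \texpand: %{sql:SELECT UNIX_TIMESTAMP()-UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName='carol' ORDER BY AcctStartTime LIMIT 1} ->",
    "rlm_sqlcounter: No integer found in string",
]

if __name__ == "__main__":
    for f in audit_sqlcounter(SAMPLE_LOG):
        print(f.instance, f.user, f.status, f.expected, f.sent)
        if f.status != "ok":
            print("  run manually:", f.query)
```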
Re: Problems sending session-timeout
tonimanel wrote:
> I disagree Alan Dekok. Sorry if you think that I'm talking about my implementation,

I never said that.

> I think that another users could have these problems. Or if you configure some service and it works fine, but something you don't know how works, what would you do?

I would listen to people after asking their advice. You are not doing that.

Follow the instructions posted here. Or you will be unsubscribed. It's that simple.

> I'm using Mikrotik's field names, sorry. So I would like to know why if FreeRADIUS reads from radgroupcheck an attribute, it is not compared with NAS' attibute.

Your question makes it clear that you HAVE NOT READ the existing documentation. The rlm_sql documentation describes how it works. Why are you wasting our time (and yours) by asking questions which are already answered in the documentation?

> In my case, I have configured in Mikrotik a location name that in radgroupcheck is WISPr-Location-Name, why these values were not compared? And another problem that I'm having is that when user login seems that NAS (Mikrotik in my case) does nor receive session time left (Session-Timeout). Why? Have I to configure something?

You were TOLD WHAT TO DO. Follow the instructions posted here. Or you will be unsubscribed.

> I have added dictionary. Any idea?

You are asking for help and ignoring the answers. Stop it. It's rude. It WILL cause you to be banned from this list.

Alan DeKok.
Re: Problems sending session-timeout
Sorry. I wouldn't like to be banned from the list. Thanks for your help. I will read the configuration again and then I will try to configure it. I had copied an old configuration; for this reason this error appears in the sql query.

Thanks for your help and sorry again.
Re: Problems sending session-timeout
Hi,

> NAS' attribute. In my case, I have configured in Mikrotik a location name that in radgroupcheck is WISPr-Location-Name, why these values were not compared? And another problem that I'm having is that when user login seems that NAS (Mikrotik in my case) does not receive session time left (Session-Timeout). Why? Have I to configure something? I have added

radiusd -X and watch what is happening.

alan
Re: Problems sending session-timeout
Hi again,

I don't know why my FreeRADIUS server doesn't send session-timeout and other attributes like radius-location-name or radius-location-id (all in Mikrotik NAS). In older FreeRADIUS versions, I think that these attributes were sent automatically with the dictionary activation. Can anybody tell me how I could send all attributes automatically without adding them one by one in the counter.sql file?

Thanks for your help.

Best regards,
Toni.
Re: Problems sending session-timeout
tonimanel wrote:
> I don't know why my FreeRADIUS server doesn't send session-timeout and other attributes like radius-location-name or radius-location-id (all in Mikrotik NAS). In older FreeRADIUS versions, I think that these attributes were sent automatically with the dictionary activation.

No.

> Can anybody tell me how I could send all attributes automatically without adding them one by one in the counter.sql file?

What's a counter.sql file?

If you want the server to send an attribute in an Access-Accept, you MUST configure it to send that attribute. The server has ALWAYS worked this way.

Alan DeKok.
Re: Problems sending session-timeout
Hi Alan,

Thanks for your reply. I wanted to say counter.conf. In that file we can define counters that theoretically send attributes to the NAS, in my case Mikrotik. I have enabled Mikrotik's dictionary. So, I should add all attributes inside the counter.conf file in all directives defined, is that correct?

Thanks for your attention.

Best regards,
Re: Problems sending session-timeout
tonimanel wrote:
> I wanted to say counter.conf.

Which one?

> In that file we can define counters that theoretically send attributes to the NAS, in my case Mikrotik. I have enabled Mikrotik's dictionary. So, I should add all attributes inside the counter.conf file in all directives defined, is that correct?

No.

You haven't spent time reading the documentation to see how the server works. Or, you haven't bothered to *accurately* describe what you're doing. Your messages are short, and nearly content free. You keep repeating counter and Mikrotik. So? Do you know how to use FreeRADIUS?

Alan DeKok.
Re: Problems sending session-timeout
First, sorry for the inconvenience of my consultations.

I think that I have been clear. When a user wants access to my FreeRADIUS, the user tries to log in, and then the FreeRADIUS service checks the session time of the username, makes some actions and lastly replies with attributes to the NAS (in my case Mikrotik). The NAS, in my case, should receive session timeout, radius-id-location... If I must configure freeradius to reply with these attributes, I should add them inside sql/mysql/counter.conf (a file that contains noresetcounter, monthly or daily directives), is that correct?

If I'm wrong or I have some mistakes, please, sorry. I think that it's clear (I think). I could put the output result but maybe it isn't necessary.

Thank you very much for your answers and your time.

Regards,
Toni.
Re: Problems sending session-timeout
tonimanel wrote:
> I think that I have been clear. When a user wants access to my FreeRADIUS, the user tries to log in, and then the FreeRADIUS service checks the session time of the username, makes some actions and lastly replies with attributes to the NAS (in my case Mikrotik). The NAS, in my case, should receive session timeout, radius-id-location... If I must configure freeradius to reply with these attributes, I should add them inside sql/mysql/counter.conf (a file that contains noresetcounter, monthly or daily directives), is that correct?

No.

Modules are configured in the raddb/modules directory. Look *there* for the counter configuration. That file also contains *extensive* documentation on how the module works. This includes when/where Session-Timeout is sent.

Go read that and configure the server as it suggests. THEN post the debug output if it still doesn't work.

Alan DeKok.
Re: Problems sending session-timeout
Hi Alan,

Thanks again for your reply. I will check later. I will report news here ...

Regards,
Toni.
Re: Problems sending session-timeout
Thanks for your answer. Sorry if my question was very basic ...

I have solved this by adding reply-name (reply-name = Session-Timeout) in all modules defined in counter.sql.

Thank you very much.

Best regards,
Toni.
Problems sending session-timeout
Hi guys,

I have a problem with my freeradius service. I would like to get that freeradius sends to my NAS the session-timeout attribute. Can you tell me how could I get it?

This is the output result:
Re: Problems sending session-timeout
On Thu, Jan 26, 2012 at 10:14 PM, tonimanel antoniofernan...@fabergames.com wrote:
> Hi guys, I have a problem with my freeradius service. I would like to get that freeradius sends to my NAS the session-timeout attribute. Can you tell me how could I get it?

Just put it in radreply :)

I think you meant this though: http://wiki.freeradius.org/Rlm_sqlcounter

Read it, especially the parts that mention check-name and counter-name.

--
Fajar
Re: Custom function to update Session-Timeout
Have you tried setting the proper timeout from the auth section?

    Session-Timeout := `/script/that/returns/minimum/of/1-hour/or/remaining-time` ?

On 9/12/2011 20:52, denzx wrote:
> Hi, I am new in this mailing list. I have similar situation too, I need counting something before decide to send session-timeout to NAS in accounting section. The purpose is disconnect online-user by updating his current Session-Timeout with lower value. Unfortunately, it's still not working. My question is, is it possible to send reply Session-Timeout in accounting section? I put same in accounting section:
>
>     update reply {
>         Session-Timeout := `/path/to/my/super/awesome/sessiontimeout/script -myarguments`
>     }
Re: Custom function to update Session-Timeout
On Tue, Sep 13, 2011 at 10:52 AM, denzx dennyzulfi...@gmail.com wrote:
> My question is, is it possible to send reply Session-Timeout in accounting section?

From http://www.ietf.org/rfc/rfc2865.txt

    5.27. Session-Timeout

    Description

    This Attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge.

So no, you shouldn't be able to send reply Session-Timeout in accounting section

--
Fajar
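The RFC 2865 rule quoted above can be checked on the wire. This is an added example, not code from the thread or from FreeRADIUS: it parses a RADIUS reply and flags a Session-Timeout (attribute 27) carried in anything other than an Access-Accept or Access-Challenge. The packets are constructed samples with a zeroed authenticator, and all function names are assumptions.

```python
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866)
ACCESS_ACCEPT = 2
ACCOUNTING_RESPONSE = 5
ACCESS_CHALLENGE = 11
SESSION_TIMEOUT = 27  # attribute type; value is a 4-byte unsigned integer

# Per the RFC text quoted in the thread, only these replies may carry it.
ALLOWED_CODES = {ACCESS_ACCEPT, ACCESS_CHALLENGE}


def build_packet(code, ident, attrs):
    """Build a constructed sample packet (authenticator zeroed, not verifiable)."""
    body = b"".join(bytes([a_type, len(value) + 2]) + value for a_type, value in attrs)
    header = struct.pack("!BBH16s", code, ident, 20 + len(body), b"\x00" * 16)
    return header + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the data received")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length runs outside the packet")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def check_session_timeout(packet):
    """Return a list of findings about Session-Timeout placement in this packet."""
    code, attrs = parse_attributes(packet)
    findings = []
    for a_type, value in attrs:
        if a_type != SESSION_TIMEOUT:
            continue
        if len(value) != 4:
            findings.append("Session-Timeout is not a 4-byte integer")
            continue
        seconds = struct.unpack("!I", value)[0]
        if code not in ALLOWED_CODES:
            findings.append(
                f"Session-Timeout={seconds} in packet code {code}; RFC 2865 "
                "allows it only in Access-Accept or Access-Challenge"
            )
    return findings


# Constructed samples: an Access-Accept and an Accounting-Response, both with
# Session-Timeout = 3600 seconds.
ACCEPT_PKT = build_packet(ACCESS_ACCEPT, 1, [(SESSION_TIMEOUT, struct.pack("!I", 3600))])
ACCT_RESPONSE_PKT = build_packet(
    ACCOUNTING_RESPONSE, 2, [(SESSION_TIMEOUT, struct.pack("!I", 3600))]
)

if __name__ == "__main__":
    for name, pkt in (("accept", ACCEPT_PKT), ("acct-response", ACCT_RESPONSE_PKT)):
        print(name, check_session_timeout(pkt) or "ok")
```
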
Re: Custom function to update Session-Timeout
Hi All again,

thanks a lot for your answers. it's now clear to me that I must try other ways to perform disconnection of users.

BR//Denny
Re: Custom function to update Session-Timeout
if you use mpd5 you can check 'drop-user', it is vendor specific for mpd5, but works fine! check last documentation for mpd5

13.09.2011, 12:40, denzx dennyzulfi...@gmail.com:
> Hi All again, thanks a lot for your answers. it's now clear to me that I must try other ways to perform disconnection of users.
>
> BR//Denny
Re: Custom function to update Session-Timeout
Hi,

I am new in this mailing list. I have similar situation too, I need counting something before decide to send session-timeout to NAS in accounting section. The purpose is disconnect online-user by updating his current Session-Timeout with lower value. Unfortunately, it's still not working. My question is, is it possible to send reply Session-Timeout in accounting section?

I put same in accounting section:

    update reply {
        Session-Timeout := `/path/to/my/super/awesome/sessiontimeout/script -myarguments`
    }
Custom function to update Session-Timeout
Hi All,

I am new to developing for Freeradius and I was hoping one of you can direct me in the right direction. I would like to have a program update the Session-Timeout on authentication request or on disconnect so that when the user receives the access accept it receives the updated Session-Timeout. What is the correct way of doing this and is there some sort of example that I can read? I have been searching in the mailing list and in google but so far no luck.

Regards,
Ivo
Re: Custom function to update Session-Timeout
On 7 Sep 2011, at 21:28, Ivaylo Petkov wrote:
> Hi All, I am new to developing for Freeradius and I was hoping one of you can direct me in the right direction. I would like to have a program update the Session-Timeout on authentication request or on disconnect so that when the user receives the access accept it receives the updated Session-Timeout. What is the correct way of doing this and is there some sort of example that I can read? I have been searching in the mailing list and in google but so far no luck.

Put this in the post-auth section of raddb/sites-available/default

    update reply {
        Session-Timeout := `/path/to/my/super/awesome/sessiontimeout/script -myarguments`
    }

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
Post Logout/Session timeout SQL
I'm using freeradius with coova-chilli. Works fine and dandy, but I'm trying to enforce some policy which I can do with some scripts, but it would be much cleaner to do with radius (IMHO).

What I want to happen is when user session timeout or bandwidth restriction has been hit, update a database field. Right now on session timeout accounting_update_query appears to be run. I would like to run an additional query as well, to disable the account (I've added a disabled field to the radcheck and updated my auth query to check that).

Is this something that can be configured, or is there some better way to accomplish what I'm trying to do?

R. Marc
Re: Post Logout/Session timeout SQL
On Sat, 2011-03-26 at 15:01 -0500, Marc Phillips wrote:
> I'm using freeradius with coova-chilli. Works fine and dandy, but I'm trying to enforce some policy which I can do with some scripts, but it would be much cleaner to do with radius (IMHO).
>
> What I want to happen is when user session timeout or bandwidth restriction has been hit, update a database field. Right now on session timeout accounting_update_query appears to be run. I would like to run an additional query as well, to disable the account (I've added a disabled field to the radcheck and updated my auth query to check that).
>
> Is this something that can be configured, or is there some better way to accomplish what I'm trying to do?

Why not define a trigger in the database to run the additional query or a function that can perform the necessary checks and then execute a query.
Re: Post Logout/Session timeout SQL
> Why not define a trigger in the database to run the additional query or a function that can perform the necessary checks and then execute a query.

I'll take a look at some triggers and stored procedures to go along with it. Would be useful for cleaning up stuff anyway (running radius and chilli on a wireless router, so space is at a premium).

I got the initial criteria done by doing an inner join on the

    accounting_stop_query = \
      UPDATE ${acct_table2} INNER JOIN ${authcheck_table} USING (username) SET \
        ${acct_table2}.acctstoptime = '%S', \
        ${acct_table2}.acctsessiontime = '%{Acct-Session-Time}', \
        ${acct_table2}.acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
                                         '%{%{Acct-Input-Octets}:-0}', \
        ${acct_table2}.acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
                                          '%{%{Acct-Output-Octets}:-0}', \
        ${acct_table2}.acctterminatecause = '%{Acct-Terminate-Cause}', \
        ${acct_table2}.acctstopdelay = '%{%{Acct-Delay-Time}:-0}', \
        ${acct_table2}.connectinfo_stop = '%{Connect-Info}', \
        ${authcheck_table}.disabled = 1 \
      WHERE ${acct_table2}.acctsessionid = '%{Acct-Session-Id}' \
        AND ${acct_table2}.username = '%{SQL-User-Name}' \
        AND ${acct_table2}.nasipaddress = '%{NAS-IP-Address}'

R. Marc
Re: Session-timeout and expiration problem
Fazal Ahmed Malik wrote:
> I have installed Freeradius 2.0 along with mysql 5 and dialup_admin. I am having trouble with session-timeout, expiration. On dialup_admin I have correct information for both attributes like user can login for 0 seconds and similarly for expiration like account expired. But users can still logon even after expiration date passed. For session timeout user get disconnected right after allocated quota but here again user can login. Both attributes are set up from dialupadmin with = operator for session timeout and := for expiration

You can set up rules in post-auth to reject anyone who has less than 5 minutes of time:

    ...
    if (reply:Session-Timeout < 300) {
        reject
    }
    ...

Alan DeKok.
Session-timeout and expiration problem
Hi,

I have installed Freeradius 2.0 along with mysql 5 and dialup_admin. I am having trouble with session-timeout, expiration. On dialup_admin I have correct information for both attributes like user can login for 0 seconds and similarly for expiration like account expired. But users can still logon even after expiration date passed. For session timeout user get disconnected right after allocated quota but here again user can login. Both attributes are set up from dialupadmin with = operator for session timeout and := for expiration

Please help if I am missing something in config.

Best regards,
Fazal Ahmed
Re: using SQL, where is Session-Timeout updated?
>> You need sqlcounter (counter.conf) for that.
>
> Found. but no UPDATE query in it.

Oddly enough, counter doesn't update anything - it COUNTS. It counts how much time has been used in current period (on previous logins) and deducts that from the limit. You can choose the reset period (daily counter resets every day, weekly every week etc.) and the limit. You set the limit by placing attribute configured as check_name in radcheck table with the value of max allowed time in seconds. Example, for daily limit of 1 hour you would enter:

    username Max-Daily-Session := 3600

Ivan Kalik
Kalik Informatika ISP
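The counting described in this reply, as an added example (a simplified model written for this page, not rlm_sqlcounter's own code): time used in the current period is summed from accounting rows, with a session that started before the period contributing only the part after the reset, the same shape as the dailycounter query posted in this thread, and the result is deducted from the check item. The rows, the `authorize` return values and all function names are constructed assumptions; only the daily and monthly periods are modelled.

```python
from datetime import datetime, timedelta

# Constructed radacct rows: (username, AcctStartTime, AcctSessionTime in seconds)
SAMPLE_RADACCT = [
    ("alice", datetime(2009, 9, 17, 23, 30), 3600),  # spans midnight
    ("alice", datetime(2009, 9, 18, 9, 0), 600),
    ("alice", datetime(2009, 9, 16, 10, 0), 7200),   # ended two days earlier
    ("bob", datetime(2009, 9, 18, 8, 0), 4000),
]
# Constructed radcheck items: the limit is stored under the check-name attribute.
SAMPLE_RADCHECK = {
    "alice": {"Max-Daily-Session": 3600},
    "bob": {"Max-Daily-Session": 3600},
    "carol": {},  # no limit configured
}
NOW = datetime(2009, 9, 18, 14, 0)


def period_start(now, reset="daily"):
    """Start of the current counting period (the query's %b)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if reset == "daily":
        return midnight
    if reset == "monthly":
        return midnight.replace(day=1)
    raise ValueError(f"reset period not modelled here: {reset}")


def used_in_period(sessions, user, start):
    """Seconds of session time that fall after 'start' for this user."""
    total = 0
    for name, acct_start, session_time in sessions:
        if name != user:
            continue
        if acct_start + timedelta(seconds=session_time) <= start:
            continue  # session ended before the period began
        # Part of the session that lies before the reset does not count.
        before = max(int((start - acct_start).total_seconds()), 0)
        total += session_time - before
    return total


def authorize(sessions, radcheck, user, now, check_name="Max-Daily-Session",
              reply_name="Session-Timeout", reset="daily"):
    """Return (result, reply_attributes) for one login attempt."""
    limit = radcheck.get(user, {}).get(check_name)
    if limit is None:
        # No check item: nothing to enforce and no Session-Timeout in the reply.
        return "noop", {}
    used = used_in_period(sessions, user, period_start(now, reset))
    remaining = limit - used
    if remaining <= 0:
        return "reject", {}
    return "ok", {reply_name: remaining}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, authorize(SAMPLE_RADACCT, SAMPLE_RADCHECK, user, NOW))
```
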
Re: using SQL, where is Session-Timeout updated?
09/18/2009 12:51 PM, Ivan Kalik::
>>> You need sqlcounter (counter.conf) for that.
>>
>> Found. but no UPDATE query in it.
>
> Oddly enough, counter doesn't update anything - it COUNTS.

OK,

Attached is my 'default' file, and the 'freeradius -X' output. the counter (in counter.conf) is:

    sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = SELECT SUM(AcctSessionTime - \
                GREATER((%b - AcctStartTime::ABSTIME::INT4), ...
    }

What is wrong? freeradius does not start because SQL Counter modules aren't allowed in 'accounting' sections. It is told to put it in 'accounting'...

--
IT Architect at Blueline/Gulfsat: System Administration, Research and Development +261 34 29 155 34
Re: using SQL, where is Session-Timeout updated?
> sqlcounter dailycounter {
>     counter-name = Daily-Session-Time
>     check-name = Max-Daily-Session
>     reply-name = Session-Timeout
>     sqlmod-inst = sql
>     key = User-Name
>     reset = daily
>     query = SELECT SUM(AcctSessionTime - \
>             GREATER((%b - AcctStartTime::ABSTIME::INT4), ...
> }
>
> What is wrong? freeradius does not start because SQL Counter modules aren't allowed in 'accounting' sections. It is told to put it in 'accounting'...

No, you weren't told to put it there. Read again my message about where are you supposed to list it.

Ivan Kalik
Kalik Informatika ISP
Re: using SQL, where is Session-Timeout updated?
09/18/2009 05:41 PM, Ivan Kalik::
>> sqlcounter dailycounter {
>>     counter-name = Daily-Session-Time
>>     check-name = Max-Daily-Session
>>     reply-name = Session-Timeout
>>     sqlmod-inst = sql
>>     key = User-Name
>>     reset = daily
>>     query = SELECT SUM(AcctSessionTime - \
>>             GREATER((%b - AcctStartTime::ABSTIME::INT4), ...
>> }
>>
>> What is wrong? freeradius does not start because SQL Counter modules aren't allowed in 'accounting' sections. It is told to put it in 'accounting'...
>
> No, you weren't told to put it there. Read again my message about where are you supposed to list it.

from stock radiusd.conf, around line #1488:

    # [...]
    # The module should be added in the instantiate, authorize and
    # accounting sections. [...]

Ivan, I merged your explanation with what is in the documentation. Of course you did not tell me accounting but, I read it in radiusd.conf.

Should I remove it from accounting {...} or move it elsewhere?

When I think about it, placing it in accounting is a bit useless, because the counter call occurs when radreply (after authentication). It seems logical not to have to put it in here... But as well as I begin with RADIUS in general,... Your advice is welcome.

--
IT Architect at Blueline/Gulfsat: System Administration, Research and Development +261 34 29 155 34
Re: using SQL, where is Session-Timeout updated?
> 09/18/2009 05:41 PM, Ivan Kalik::
>>> sqlcounter dailycounter {
>>>     counter-name = Daily-Session-Time
>>>     check-name = Max-Daily-Session
>>>     reply-name = Session-Timeout
>>>     sqlmod-inst = sql
>>>     key = User-Name
>>>     reset = daily
>>>     query = SELECT SUM(AcctSessionTime - \
>>>             GREATER((%b - AcctStartTime::ABSTIME::INT4), ...
>>> }
>>>
>>> What is wrong? freeradius does not start because SQL Counter modules aren't allowed in 'accounting' sections. It is told to put it in 'accounting'...
>>
>> No, you weren't told to put it there. Read again my message about where are you supposed to list it.
>
> from stock radiusd.conf, around line #1488:
>
>     # [...]
>     # The module should be added in the instantiate, authorize and
>     # accounting sections. [...]

That's instruction for counter, not sqlcounter module. That's not the same thing.

Ivan Kalik
Kalik Informatika ISP
Session-Timeout for unlimited?
Hi,

(Using freeRadius v2)

We have prepaid users, where the freeradius server should answer with some non null integer Session-Timeout. We have also postpaid users, where the session should be unlimited.

What is the Session-Timeout value corresponding to unlimited?

Thank you.

--
IT Architect at Blueline/Gulfsat: System Administration, Research and Development +261 34 29 155 34
Re: Session-Timeout for unlimited?
Hi,

> We have prepaid users, where the freeradius server should answer with some non null integer Session-Timeout. We have also postpaid users, where the session should be unlimited. What is the Session-Timeout value corresponding to unlimited?

If you don't send Session-Timeout at all, the session will not be timing out.

Greetings,

Stefan Winter

--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
Re: Session-Timeout in Access-Challenge (that contains EAP-Message)
On 08.07.2009 at 20:05, Gong Cheng wrote:
> Hi Alan, thanks for the answer. (and thanks to David too). I can't seem to find 2.1.7 yet, but I will keep this in mind.

I suppose that with 2.1.7, the stable version in GIT is meant, see: http://git.freeradius.org/

Have a nice day!

> Just as an FYI, I do see commercial NAS code that implements this.
>
> Alan DeKok-2 wrote:
>> Gong Cheng wrote:
>>> Hi, I wonder if there is a way
>>> - not to include Session-Timeout value intended for Access-Accept in Access-Challenge messages?
>>
>> In 2.1.7, see raddb/sites-available/default. Look for Access-Challenge. There is sample configuration.
>>
>>> - or to configure a different Session-Timeout value for Access-Challenges (which contain EAP-Message)? This is about the following section in RFC3579 where Session-Timeout in Access-Challenge is used to influence EAP retransmission behavior.
>>
>> I'm not sure any AP supports that.
>>
>> Alan DeKok.

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: Session-Timeout in Access-Challenge (that contains EAP-Message)
Gong Cheng wrote:

> Hi, I wonder if there is a way
> - not to include Session-Timeout value intended for Access-Accept in Access-Challenge messages?

In 2.1.7, see raddb/sites-available/default. Look for Access-Challenge. There is sample configuration.

> - or to configure a different Session-Timeout value for Access-Challenges (which contain EAP-Message)? This is about the following section in RFC3579 where Session-Timeout in Access-Challenge is used to influence EAP retransmission behavior.

I'm not sure any AP supports that.

Alan DeKok.
Re: Re: Session-Timeout in Access-Challenge (that contains EAP-Message)
Alan,

They most certainly do! I just debugged a case where the Cisco 1200 takes the 30s Session-Timeout that the Microsoft IAS server sends and treats it as a response timeout. (It then aborts the authentication, which I believe is wrong, but that's another story.) When doing a SecurID authentication with user input of a 60s token OTP, the default 30s is inadequate. Cisco does document the way to extend or override this behavior.

The Session-Timeout on Access-Challenges for EAP should be a separate design somehow. In the older MS RasEap API, it was crudely based on the type of Send action the EAP server used. In the newer MS EAPHost API, the EAP server code has direct control. I don't know how your EAP modules interface to the RADIUS server proper, but a method that is expecting interactive user control _will_ want to create some slack here. Not all EAP methods complete in short time.

Dave.

On Jul 8, 2009, al...@deployingradius.com wrote:

> Gong Cheng wrote:
>
>> Hi, I wonder if there is a way
>> - not to include Session-Timeout value intended for Access-Accept in Access-Challenge messages?
>
> In 2.1.7, see raddb/sites-available/default. Look for Access-Challenge. There is sample configuration.
>
>> - or to configure a different Session-Timeout value for Access-Challenges (which contain EAP-Message)? This is about the following section in RFC3579 where Session-Timeout in Access-Challenge is used to influence EAP retransmission behavior.
>
> I'm not sure any AP supports that.
>
> Alan DeKok.
Re: Session-Timeout in Access-Challenge (that contains EAP-Message)
Hi Alan, thanks for the answer. (and thanks to David too). I can't seem to find 2.1.7 yet, but I will keep this in mind.

Just as an FYI, I do see commercial NAS code that implements this.

Alan DeKok-2 wrote:

> Gong Cheng wrote:
>
>> Hi, I wonder if there is a way
>> - not to include Session-Timeout value intended for Access-Accept in Access-Challenge messages?
>
> In 2.1.7, see raddb/sites-available/default. Look for Access-Challenge. There is sample configuration.
>
>> - or to configure a different Session-Timeout value for Access-Challenges (which contain EAP-Message)? This is about the following section in RFC3579 where Session-Timeout in Access-Challenge is used to influence EAP retransmission behavior.
>
> I'm not sure any AP supports that.
>
> Alan DeKok.
Re: Session-Timeout in Access-Challenge (that contains EAP-Message)
Just checked hostapd and it seems to implement this too:

hostapd/ieee802_1x.c:

```c
	case RADIUS_CODE_ACCESS_CHALLENGE:
		sm->eap_if->aaaEapReq = TRUE;
		if (session_timeout_set) {
			/* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
			sm->eap_if->aaaMethodTimeout = session_timeout;
```

Gong Cheng wrote:

> Hi Alan, thanks for the answer. (and thanks to David too). I can't seem to find 2.1.7 yet, but I will keep this in mind.
>
> Just as an FYI, I do see commercial NAS code that implements this.
>
> Alan DeKok-2 wrote:
>
>> Gong Cheng wrote:
>>
>>> Hi, I wonder if there is a way
>>> - not to include Session-Timeout value intended for Access-Accept in Access-Challenge messages?
>>
>> In 2.1.7, see raddb/sites-available/default. Look for Access-Challenge. There is sample configuration.
>>
>>> - or to configure a different Session-Timeout value for Access-Challenges (which contain EAP-Message)? This is about the following section in RFC3579 where Session-Timeout in Access-Challenge is used to influence EAP retransmission behavior.
>>
>> I'm not sure any AP supports that.
>>
>> Alan DeKok.
Session-Timeout in Access-Challenge (that contains EAP-Message)
Hi, I wonder if there is a way

- not to include Session-Timeout value intended for Access-Accept in Access-Challenge messages?
- or to configure a different Session-Timeout value for Access-Challenges (which contain EAP-Message)?

This is about the following section in RFC3579 where Session-Timeout in Access-Challenge is used to influence EAP retransmission behavior. http://tools.ietf.org/html/rfc3579#section-2.3

thanks! -gong
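The distinction this thread turns on (Session-Timeout in an Access-Challenge that carries EAP-Message acts as an EAP timeout, while in an Access-Accept it bounds the session), as an added example that is not code from any poster, from FreeRADIUS or from hostapd. The function names, the zeroed authenticator and the two sample packets are constructed for illustration; the 30-second value echoes the IAS case mentioned above.

```python
import struct

ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11   # RFC 2865 packet codes
SESSION_TIMEOUT, EAP_MESSAGE = 27, 79     # RFC 2865 / RFC 3579 attribute types

def build_packet(code, ident, attrs):
    """Encode a RADIUS packet. The authenticator is zeroed: constructed sample only."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), b"\0" * 16) + body

def parse_attributes(packet):
    """Return (code, [(type, value), ...]); reject inconsistent length fields."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def interpret_session_timeout(packet):
    """Say what a NAS following RFC 3579 section 2.3 would use the value for."""
    code, attrs = parse_attributes(packet)
    values = [v for t, v in attrs if t == SESSION_TIMEOUT]
    if not values:
        return ("none", None)            # no attribute: no limit requested
    if len(values[0]) != 4:
        raise ValueError("Session-Timeout must be a 32-bit integer")
    seconds = struct.unpack("!I", values[0])[0]
    has_eap = any(t == EAP_MESSAGE for t, _ in attrs)
    if code == ACCESS_CHALLENGE and has_eap:
        return ("eap-method-timeout", seconds)   # wait this long for the peer
    if code == ACCESS_ACCEPT:
        return ("session-lifetime", seconds)     # disconnect after this long
    return ("ignored", seconds)

# Constructed samples. A real challenge would also carry State and
# Message-Authenticator, omitted here to keep the packets short.
EAP_REQUEST = bytes([1, 7, 0, 6, 6, 0x3F])       # EAP-Request, id 7, type 6
CHALLENGE = build_packet(ACCESS_CHALLENGE, 1, [
    (EAP_MESSAGE, EAP_REQUEST),
    (SESSION_TIMEOUT, struct.pack("!I", 30)),
])
ACCEPT = build_packet(ACCESS_ACCEPT, 2, [(SESSION_TIMEOUT, struct.pack("!I", 3600))])

if __name__ == "__main__":
    for name, pkt in (("challenge", CHALLENGE), ("accept", ACCEPT)):
        print(name, interpret_session_timeout(pkt))
```

A 30-second value copied from the Access-Accept policy into every Access-Challenge is what cuts off a user who is still typing a token code, which is why the two cases need separate values.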
Re: First Session-Timeout response error
Yes I need all of them. Is it a problem?

On 09-06-29 at 16:31, Guillaume Brenaut wrote:

> Hello, after looking for a solution in different forums and on this mailing list without any success I decide to post my problem here. I'm having trouble to get the good Session-Timeout at the first request.
>
> Example: one user with Max-All-Session:=900 try to connect:
>
> r...@server:~# radtest jalmjdm nqbnmwcp 127.0.0.1 1812 secret
> Sending Access-Request of id 197 to 127.0.0.1 port 1812
>     User-Name = jalmjdm
>     User-Password = nqbnmwcp
>     NAS-IP-Address = 127.0.1.1
>     NAS-Port = 1812
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=197, length=78
>     WISPr-Redirection-URL = http://www.google.ca;
>     WISPr-Bandwidth-Max-Up = 128000
>     WISPr-Bandwidth-Max-Down = 512000
>     Session-Timeout = 2537321
>
> But the next request give the good answer:
>
> r...@server:~# radtest jalmjdm nqbnmwcp 127.0.0.1 1812 secret
> Sending Access-Request of id 174 to 127.0.0.1 port 1812
>     User-Name = jalmjdm
>     User-Password = nqbnmwcp
>     NAS-IP-Address = 127.0.1.1
>     NAS-Port = 1812
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=174, length=78
>     WISPr-Redirection-URL = http://www.google.ca;
>     WISPr-Bandwidth-Max-Up = 128000
>     WISPr-Bandwidth-Max-Down = 512000
>     Session-Timeout = 886
>
> I heard about a conflict problem with authorize parameters but I haven't figured out how to fix it. Here is my config:
>
> sqlcounter noresetcounter {
>     counter-name = Max-All-Session-Time
>     check-name = Max-All-Session
>     sqlmod-inst = sql
>     key = User-Name
>     reset = never
>     query = SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'
> }
>
> #AUHTORIZE SECTION
> instantiate {
>     #
>     # Allows the execution of external scripts.
>     # The entire command line (and output) must fit into 253 bytes.
>     #
>     # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
>     exec
>     #
>     #
>     # The expression module doesn't do authorization,
>     # authentication, or accounting. It only does dynamic
>     # translation, of the form:
>     #
>     # Session-Timeout = `%{expr:2 + 3}`
>     # So the module needs to be instantiated, but CANNOT be
>     # listed in any other section. See 'doc/rlm_expr' for
>     expr
>     noresetcounter
>     expiration
>     logintime
> }
>
> authorize {
>     preprocess
>     suffix
>     chap
>     mschap
>     sql
>     files
>     noresetcounter
>     hourlycounter
>     dailycounter
>     monthlycounter
>     weeklycounter
>     yearlycounter
>     totaloctetyearlycounter
>     totaloctetmonthlycounter
>     totaloctethourlycounter
>     totaloctetdaylycounter
>     outputyearlycounter
>     outputmonthlycounter
>     outputhourlycounter
>     outputdaylycounter
>     inputyearlycounter
>     inputmonthlycounter
>     inputhourlycounter
>     inputdaylycounter
> }
>
> Thanks for your help
First Session-Timeout response error
Hello, after looking for a solution in different forums and on this mailing list without any success I decide to post my problem here. I'm having trouble to get the good Session-Timeout at the first request.

Example: one user with Max-All-Session:=900 try to connect:

```
r...@server:~# radtest jalmjdm nqbnmwcp 127.0.0.1 1812 secret
Sending Access-Request of id 197 to 127.0.0.1 port 1812
    User-Name = jalmjdm
    User-Password = nqbnmwcp
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=197, length=78
    WISPr-Redirection-URL = http://www.google.ca;
    WISPr-Bandwidth-Max-Up = 128000
    WISPr-Bandwidth-Max-Down = 512000
    Session-Timeout = 2537321
```

But the next request give the good answer:

```
r...@server:~# radtest jalmjdm nqbnmwcp 127.0.0.1 1812 secret
Sending Access-Request of id 174 to 127.0.0.1 port 1812
    User-Name = jalmjdm
    User-Password = nqbnmwcp
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=174, length=78
    WISPr-Redirection-URL = http://www.google.ca;
    WISPr-Bandwidth-Max-Up = 128000
    WISPr-Bandwidth-Max-Down = 512000
    Session-Timeout = 886
```

I heard about a conflict problem with authorize parameters but I haven't figured out how to fix it. Here is my config:

```
sqlcounter noresetcounter {
    counter-name = Max-All-Session-Time
    check-name = Max-All-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'
}

#AUHTORIZE SECTION
instantiate {
    #
    # Allows the execution of external scripts.
    # The entire command line (and output) must fit into 253 bytes.
    #
    # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
    exec
    #
    #
    # The expression module doesn't do authorization,
    # authentication, or accounting. It only does dynamic
    # translation, of the form:
    #
    # Session-Timeout = `%{expr:2 + 3}`
    # So the module needs to be instantiated, but CANNOT be
    # listed in any other section. See 'doc/rlm_expr' for
    expr
    noresetcounter
    expiration
    logintime
}

authorize {
    preprocess
    suffix
    chap
    mschap
    sql
    files
    noresetcounter
    hourlycounter
    dailycounter
    monthlycounter
    weeklycounter
    yearlycounter
    totaloctetyearlycounter
    totaloctetmonthlycounter
    totaloctethourlycounter
    totaloctetdaylycounter
    outputyearlycounter
    outputmonthlycounter
    outputhourlycounter
    outputdaylycounter
    inputyearlycounter
    inputmonthlycounter
    inputhourlycounter
    inputdaylycounter
}
```

Thanks for your help
Re: First Session-Timeout response error
> after looking for a solution in different forums and on this mailing list without any success I decide to post my problem here. I'm having trouble to get the good Session-Timeout at the first request.
>
> Example: one user with Max-All-Session:=900 try to connect:
>
> r...@server:~# radtest jalmjdm nqbnmwcp 127.0.0.1 1812 secret
> Sending Access-Request of id 197 to 127.0.0.1 port 1812
>     User-Name = jalmjdm
>     User-Password = nqbnmwcp
>     NAS-IP-Address = 127.0.1.1
>     NAS-Port = 1812
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=197, length=78
>     WISPr-Redirection-URL = http://www.google.ca;
>     WISPr-Bandwidth-Max-Up = 128000
>     WISPr-Bandwidth-Max-Down = 512000
>     Session-Timeout = 2537321

Post the debug for such request.

> But the next request give the good answer:
>
> r...@server:~# radtest jalmjdm nqbnmwcp 127.0.0.1 1812 secret
> Sending Access-Request of id 174 to 127.0.0.1 port 1812
>     User-Name = jalmjdm
>     User-Password = nqbnmwcp
>     NAS-IP-Address = 127.0.1.1
>     NAS-Port = 1812
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=174, length=78
>     WISPr-Redirection-URL = http://www.google.ca;
>     WISPr-Bandwidth-Max-Up = 128000
>     WISPr-Bandwidth-Max-Down = 512000
>     Session-Timeout = 886

It might be of use to see debug of this too.

> I heard about a conflict problem with authorize parameters but I haven't figured out how to fix it. Here is my config:
>
> sqlcounter noresetcounter {
>     counter-name = Max-All-Session-Time
>     check-name = Max-All-Session
>     sqlmod-inst = sql
>     key = User-Name
>     reset = never
>     query = SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'
> }
>
> #AUHTORIZE SECTION
> instantiate {
>     #
>     # Allows the execution of external scripts.
>     # The entire command line (and output) must fit into 253 bytes.
>     #
>     # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
>     exec
>     #
>     #
>     # The expression module doesn't do authorization,
>     # authentication, or accounting. It only does dynamic
>     # translation, of the form:
>     #
>     # Session-Timeout = `%{expr:2 + 3}`
>     # So the module needs to be instantiated, but CANNOT be
>     # listed in any other section. See 'doc/rlm_expr' for
>     expr
>     noresetcounter
>     expiration
>     logintime
> }
>
> authorize {
>     preprocess
>     suffix
>     chap
>     mschap
>     sql
>     files
>     noresetcounter
>     hourlycounter
>     dailycounter
>     monthlycounter
>     weeklycounter
>     yearlycounter
>     totaloctetyearlycounter
>     totaloctetmonthlycounter
>     totaloctethourlycounter
>     totaloctetdaylycounter
>     outputyearlycounter
>     outputmonthlycounter
>     outputhourlycounter
>     outputdaylycounter
>     inputyearlycounter
>     inputmonthlycounter
>     inputhourlycounter
>     inputdaylycounter
> }

You actually use *all* these counters?

Ivan Kalik
Kalik Informatika ISP
Howto: Session-Timeout for DTAG (Zwangstrennung)
Hello list,

This might be interesting for users in Germany, since there is a disconnect each 24h if you are working with products from Deutsche Telekom (DTAG). The disconnect will be forced, if the session is up for more than 24h. So the job was to set the session-timeout so that logout will occur each day at the same time.

I solved it with freeradius/postgres with an internal sql-function. It's a quick hack and there might be 100 better ways to solve. Here we go:

The function for postgres:

```sql
CREATE FUNCTION sessionto(character varying(64)) RETURNS integer AS'
DECLARE
    user ALIAS FOR $1;
    timeout INTEGER;
BEGIN
    -- disconnect time is still ahead today: seconds from now until then
    IF (select time from disctime where username=user and time is not NULL) > extract(epoch from (localtime)) THEN
        select into timeout round((select time from disctime where username=user and time is not NULL) - extract(epoch from (localtime)));
    -- disconnect time has already passed today: aim for the same time tomorrow
    ELSE
        select into timeout round((86400 + (select time from disctime where username=user and time is not NULL) - extract(epoch from (localtime))));
    END IF;
    -- no disctime entry for this user: fall back to just under 24h
    if (timeout is NULL) THEN
        timeout:=86399;
    END IF;
    RETURN timeout;
END;
' LANGUAGE 'plpgsql';
```

disctime is a table which has fields for username and time in seconds since 0:00 of the day.

The session-timeout can be set via sql xlat from reply module as a dynamic value:

attribute,op, value
Session-Timeout = `%{sql: select sessionto('%{User-Name}') }`

BR Uwe

-- kiste lat: 54.322684, lon: 10.13586
Re: Howto: Session-Timeout for DTAG (Zwangstrennung)
On Monday, 20 April 2009 19:13:08, Uwe Kastens wrote:

> Hello list, This might be interesting for users in Germany, since there is a disconnect each 24h if you are working with products from Deutsche Telekom (DTAG). The disconnect will be forced, if the session is up for more than 24h. So the job was to set the session-timeout so that logout will occur each day at the same time. I solved it with freeradius/postgres with an internal sql-function. It's a quick hack and there might be 100 better ways to solve. Here we go: (...)

hi,

thanks for the posting. Good to know the techniques behind the scenes even for large providers.

-- Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75
mail: mi...@multinet.de web: www.multinet.de
Registered office: 85630 Grasbrunn
Commercial register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
--- PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
Session-Timeout for disconnecting user
Hi all,

I am using Freeradius 2.1.3 to authenticate my users from AP via Active Directory. I have defined the time span that all users may login to the system in the users file:

DEFAULT Login-Time := Wk0630-0130,Wk1020-1033,Wk1240-1351,Wk1555-2359,Sa,Su

The logintime module calculates the number of seconds left in the time span, and sets the Session-Timeout to that number of seconds. How can I include Session-Timeout in the Access-Accept packet?

Best Regards, Chris
Re: Session-Timeout for disconnecting user
> I am using Freeradius 2.1.3 to authenticate my users from AP via Active Directory. I have defined the time span that all users may login to the system in the users file:
>
> DEFAULT Login-Time := Wk0630-0130,Wk1020-1033,Wk1240-1351,Wk1555-2359,Sa,Su
>
> The logintime module calculates the number of seconds left in the time span, and sets the Session-Timeout to that number of seconds.

Is this in inner-tunnel (debug would help)?

> How can I include Session-Timeout in the Access-Accept packet?

If logintime works in inner-tunnel you need to enable use_tunneled_reply in (peap and/or ttls section) eap.conf.

Ivan Kalik
Kalik Informatika ISP