Idle-Timeout problem
Hi,

I currently work with freeradius version 2.1.7; my users are in mysql.

mysql> SELECT * FROM `radusergroup`;
+----------+------------+----------+
| username | groupname  | priority |
+----------+------------+----------+
| joseph   | Desarrollo |        1 |
| carlos   | Desarrollo |        1 |
| miguel   | Admins     |        1 |
+----------+------------+----------+

My problem is that users are being disconnected before the time indicated by parameter Idle-Timeout.

mysql> SELECT * FROM `radgroupreply`;
+----+------------+--------------------+----+---------------------+
| id | groupname  | attribute          | op | value               |
+----+------------+--------------------+----+---------------------+
|  1 | Desarrollo | Service-Type       | =  | Framed-User         |
|  2 | Desarrollo | Framed-Protocol    | =  | PPP                 |
|  3 | Desarrollo | Framed-MTU         | =  | 1500                |
|  4 | Desarrollo | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
|  5 | Desarrollo | Framed-IP-Netmask  | =  | 255.255.255.0       |
|  6 | Desarrollo | Idle-Timeout       | := | 900                 |
|  7 | Admins     | Service-Type       | =  | Framed-User         |
|  8 | Admins     | Framed-Protocol    | =  | PPP                 |
|  9 | Admins     | Framed-MTU         | =  | 1500                |
| 10 | Admins     | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
| 11 | Admins     | Framed-IP-Netmask  | =  | 255.255.255.0       |
| 12 | Admins     | Idle-Timeout       | := | 0                   |
+----+------------+--------------------+----+---------------------+

As you can see here, he is sending the access server parameters defined above in the database.

Sending Access-Accept of id 246 to 172.19.19.50 port 17979
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-MTU = 1500
    Framed-Compression = Van-Jacobson-TCP-IP
    Framed-IP-Netmask = 255.255.255.0
    Idle-Timeout := 900

And here you can see the user disconnected prematurely:

rad_recv: Accounting-Request packet from host 172.19.19.10 port 17979, id=197, length=170
    NAS-IP-Address = 172.19.19.10
    NAS-Identifier = Access Server
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 10.71.53.214
    User-Name = carlos
    NAS-Port = 447
    NAS-Port-Type = Async
    Called-Station-Id = 60110
    Calling-Station-Id = 78382547
    Acct-Status-Type = Stop
    Acct-Session-Id = 013425
    Acct-Authentic = RADIUS
    Acct-Delay-Time = 0
    Acct-Input-Octets = 47429
    Acct-Output-Octets = 4377
    Acct-Input-Packets = 66
    Acct-Output-Packets = 57
    Acct-Session-Time = 95
    Acct-Terminate-Cause = Idle-Timeout

Thanks
Michel

--
Webmail, e-mail service, Casa de las Americas - La Habana, Cuba.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
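A consistency check for the symptom in this post, added here as an example and not part of the original message: it flags accounting Stop records whose Acct-Terminate-Cause is Idle-Timeout although the session lasted less than the Idle-Timeout configured for the user's group. The function names are hypothetical, the group data and sample record are copied from the post, and treating a configured value of 0 as "no idle limit" is an assumption about the NAS.

```python
# Added example: find idle disconnects that happen sooner than the
# Idle-Timeout the RADIUS server sent for that user's group.

# Group policy and membership as listed in the post's radgroupreply and
# radusergroup tables.
GROUP_IDLE_TIMEOUT = {"Desarrollo": 900, "Admins": 0}
USER_GROUP = {"joseph": "Desarrollo", "carlos": "Desarrollo", "miguel": "Admins"}

# Accounting attributes copied from the post, trimmed to the relevant ones.
SAMPLE_STOP = """\
NAS-IP-Address = 172.19.19.10
User-Name = carlos
Acct-Status-Type = Stop
Acct-Session-Id = 013425
Acct-Session-Time = 95
Acct-Terminate-Cause = Idle-Timeout
"""

def parse_attributes(text):
    """Parse 'Name = value' lines from radiusd debug output into a dict."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(" = ")
        if sep:
            attrs[name] = value.strip().strip('"')
    return attrs

def premature_idle_stop(attrs):
    """Return a finding string, or None if the record is consistent."""
    if attrs.get("Acct-Status-Type") != "Stop":
        return None
    if attrs.get("Acct-Terminate-Cause") != "Idle-Timeout":
        return None
    expected = GROUP_IDLE_TIMEOUT.get(USER_GROUP.get(attrs.get("User-Name")))
    if expected is None:
        return None          # unknown user or group: nothing to compare with
    session_time = int(attrs.get("Acct-Session-Time", "0"))
    # A session cannot have been idle for longer than it lasted. A value of
    # 0 is treated as "no idle limit" (assumption about the NAS).
    if expected == 0 or session_time < expected:
        return (f"{attrs['User-Name']}: idle disconnect after {session_time}s, "
                f"server sent Idle-Timeout={expected} "
                f"(NAS {attrs.get('NAS-IP-Address')})")
    return None

if __name__ == "__main__":
    print(premature_idle_stop(parse_attributes(SAMPLE_STOP)))
```

A finding means the NAS ended the session on an idle timer shorter than the value in the Access-Accept, so the place to look next is the NAS's own idle-timeout setting.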
Re: Session-timeout problem
Hi Will,

I have tried this configuration and it's working fine with radtest but Ever I am getting session time out value on AP side also but during the change request time. Actually I want the session time out in accept-access time. Is it the normal scenario? Can you help me in this case?

thanks,
Mitul Modi

On Fri, Feb 13, 2009 at 3:23 PM, Will D. Spann willdsp...@yahoo.com wrote:

> Mitul,
>
> > I have tried this thing but when I am doing so it's taking this as a default entry and giving error for user name and password. I have entered username and cleartext-password in user file.
>
> Could you post your users file (with any non-testing passwords starred out of course)?
>
> My apologies; let me add a clarification. If your user entries in the users file don't have the Fall-Through = Yes attribute set, putting the DEFAULT section at the end of the file won't apply the Session-Timeout to the users. However, it shouldn't cause an error. Have you tried testing without the DEFAULT section, using a user with Cleartext-Password?
>
> I've tested the following configuration on FreeRADIUS 2.1.1 with success.
>
> test    Cleartext-Password := testing
>         Fall-Through = Yes
>
> DEFAULT
>         Session-Timeout = 60
>
> Try testing this with radtest, such as the following, where testing123 is your shared secret and the server is running on localhost. This should return an Access-Accept message with Session-Timeout specified. (I assume you're also running the server with debug output, as radiusd -X.)
>
> radtest test testing localhost 0 testing123
>
> If you don't want to add the Fall-Through attribute to each of your user entries, you could instead use the following modified DEFAULT section near the top of the users file, before all the authorized user entries. I've also tested this configuration. (Note the comma.)
>
> DEFAULT
>         Session-Timeout = timeout, Fall-Through = Yes
>
> > Also I have configured the mysql database for authentication and accounting, so at that time I am getting error no User-password or CHAP-password in request.
>
> Are you using both the users file and MySQL for authentication, or are you testing each setup separately? I'd recommend getting FreeRADIUS working with the users file alone before setting up database-based authentication.
>
> Will D. Spann
Re: Session-timeout problem
> I have tried this thing but when I am doing so it's taking this as a default entry and giving error for user name and password. I have entered username and cleartext-password in user file.

Could you post your users file (with any non-testing passwords starred out of course)?

My apologies; let me add a clarification. If your user entries in the users file don't have the Fall-Through = Yes attribute set, putting the DEFAULT section at the end of the file won't apply the Session-Timeout to the users. However, it shouldn't cause an error. Have you tried testing without the DEFAULT section, using a user with Cleartext-Password?

I've tested the following configuration on FreeRADIUS 2.1.1 with success.

test    Cleartext-Password := testing
        Fall-Through = Yes

DEFAULT
        Session-Timeout = 60

Try testing this with radtest, such as the following, where testing123 is your shared secret and the server is running on localhost. This should return an Access-Accept message with Session-Timeout specified. (I assume you're also running the server with debug output, as radiusd -X.)

radtest test testing localhost 0 testing123

If you don't want to add the Fall-Through attribute to each of your user entries, you could instead use the following modified DEFAULT section near the top of the users file, before all the authorized user entries. I've also tested this configuration. (Note the comma.)

DEFAULT
        Session-Timeout = timeout, Fall-Through = Yes

> Also I have configured the mysql database for authentication and accounting, so at that time I am getting error no User-password or CHAP-password in request.

Are you using both the users file and MySQL for authentication, or are you testing each setup separately? I'd recommend getting FreeRADIUS working with the users file alone before setting up database-based authentication.

Will D. Spann
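The entry ordering and Fall-Through behaviour described in the message above, as an added example that is not part of the original thread or of FreeRADIUS: a simplified model of how the users file is walked, with hypothetical function names. It assumes check items such as Cleartext-Password always match and handles only the "=" reply operator; the three sample files are constructed from the configurations discussed in the thread.

```python
# Simplified model of how the "users" file is walked (added example):
# entries are tried top to bottom, a matching entry adds its reply items,
# and processing stops there unless the entry sets Fall-Through = Yes.

# Constructed sample files based on the configurations in the thread.
DEFAULT_LAST = ("test    Cleartext-Password := testing\n"
                "DEFAULT\n"
                "        Session-Timeout = 60\n")
USER_FALLS_THROUGH = ("test    Cleartext-Password := testing\n"
                      "        Fall-Through = Yes\n"
                      "DEFAULT\n"
                      "        Session-Timeout = 60\n")
DEFAULT_FIRST = ("DEFAULT\n"
                 "        Session-Timeout = 60, Fall-Through = Yes\n"
                 "test    Cleartext-Password := testing\n")

def parse_users(text):
    """Return a list of (name, reply_items) from a minimal users file."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():              # entry header: name + check items
            entries.append((line.split()[0], {}))
        elif entries:                          # indented line: reply items
            for item in line.split(","):
                attr, sep, value = item.partition("=")
                if sep:
                    entries[-1][1][attr.strip(" \t:+")] = value.strip()
    return entries

def reply_for(user, entries):
    """Collect reply items for `user`; check items are assumed to match."""
    reply = {}
    for name, items in entries:
        if name not in (user, "DEFAULT"):
            continue
        for attr, value in items.items():
            if attr != "Fall-Through":
                reply.setdefault(attr, value)  # '=' operator: first value wins
        if items.get("Fall-Through", "No").lower() != "yes":
            break                              # first match without fall-through
    return reply

if __name__ == "__main__":
    for label, text in [("DEFAULT last", DEFAULT_LAST),
                        ("user falls through", USER_FALLS_THROUGH),
                        ("DEFAULT first", DEFAULT_FIRST)]:
        print(label, reply_for("test", parse_users(text)))
```

Only the first layout leaves user test without a Session-Timeout, which is the case the clarification in the message describes.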
Re: Session-timeout problem
Mitul,

> I have tried this configuration and it's working fine with radtest but

Glad to hear you have this working with radtest. This means you have this functionality properly configured on the FreeRADIUS side now.

> Ever I am getting session time out value on AP side also but during the change request time. Actually I want the session time out in accept-access time. Is it the normal scenario? Can you help me in this case?

With the configuration I showed, FreeRADIUS will send the Session-Timeout attribute to the AP in an Access-Accept packet, in response to the AP sending an Access-Request packet to FreeRADIUS that is accepted. I'm not sure what you're referring to when you say "change request time". Can you elaborate?

It sounds like you may have a configuration issue on the AP side. Unfortunately, if this is an AP configuration issue, I doubt I'd be of much help. On the AP side, I've only worked with the ChilliSpot network access server (used for WiFi hotspots).

Regards,
Will D. Spann
Re: Session-timeout problem
Hi, thanks for the reply.

I have tried this thing but when I am doing so it's taking this as a default entry and giving error for user name and password. I have entered username and cleartext-password in user file.

Also I have configured the mysql database for authentication and accounting, so at that time I am getting error no User-password or CHAP-password in request.

thanks,
mitul modi

On Fri, Feb 13, 2009 at 12:07 AM, Will D. Spann willdsp...@yahoo.com wrote:

> Mitul Modi,
>
> > I am new to free radius. Can anyone help how I can configure Session-Timeout? I am using EAP-TTLS with chap password. I have added credentials for user name and password in users file.
>
> To apply a Session-Timeout to all the users in your 'users' file, add the following entry after the user entries.
>
> DEFAULT
>         Session-Timeout = seconds
>
> Enter a number in seconds for seconds. This should do the trick.
>
> Will D. Spann
Session-timeout problem
Hi,

I am using EAP-TTLS authentication in radius, and I want to use Session-Timeout, but I am not getting where I have to set session time out. If someone can help.

thanks,
mitul modi
Session-timeout problem
Hi,

I am new to free radius. Can anyone help how I can configure Session-Timeout? I am using EAP-TTLS with chap password. I have added credentials for user name and password in users file.

thanks,
mitul modi
Timeout Problem
Hello,

I am working with an AP CN300, from Colubris Networks, FreeRadius (2004/03) and XSupplicant-1.0.

I have the following problem: xsupplicant tries to authenticate, but it is a little slow. The AP sends the EAP-Request, 10secs after it sends it again, and other 10secs after it sends an EAP-Failure. When XSupplicant finally sends the EAP-Response, it seems to be ignored by the AP.

Here is an extract of the AP logs:

Jul 7 13:18:33 debug eapolserver Sending RADIUS Packet (Length:'121',Code:'Access-Request',ID:'245') to RADIUS Server (Ip:'192.168.49.222',Port:'1812')
Jul 7 13:18:33 debug eapolserver Receiving RADIUS Packet (Length:'94',Code:'Access-Challenge',ID:'245') from RADIUS Server (Ip:'192.168.49.222',Port:'1812').
Jul 7 13:18:33 debug eapolserver Sending EAPOL (length='24') EAP Request (length='6',id='134') to station (mac-address='00-40-05-54-16-EB').
Jul 7 13:18:43 debug eapolserver Sending EAPOL (length='24') EAP Request (length='6',id='134') to station (mac-address='00-40-05-54-16-EB').
Jul 7 13:18:53 debug eapolserver Sending EAPOL (length='22') EAP Failure (length='4',id='134') to station (mac-address='00-40-05-54-16-EB').
Jul 7 13:18:55 debug eapolserver Sending EAPOL (length='22') EAP Failure (length='4',id='135') to station (mac-address='00-40-05-54-16-EB').

I have tried to make the timeout bigger, using the following attributes:

Sending Access-Challenge of id 20 to 192.168.51.161:2048
    Session-Timeout = 4294967295
    Idle-Timeout = 4294967295
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 576
    Service-Type = Framed-User
    EAP-Message = 0x016600060d20
    Message-Authenticator = 0x
    State = 0xf53847f06665db0d05b8740e7c9856e0

But they seem not to have any effect. Anybody knows how to make it?

Thank you,
Alejandro
Re: Timeout Problem
Alejandro Martínez Marcos [EMAIL PROTECTED] wrote:

> I have the following problem: xsupplicant tries to authenticate, but it is a little slow. The AP sends the EAP-Request, 10secs after it sends it again, and other 10secs after it sends an EAP-Failure. When XSupplicant finally sends the EAP-Response, it seems to be ignored by the AP.

Because the AP thinks that the supplicant is dead.

I suggest looking at the debug logs of xsupplicant to see why it's so slow. It may be trying to do DNS lookups, which won't work if it doesn't have a network connection.

Alan DeKok.