rlm_sqlcounter problem

Carlos Martínez-Troncoso Cera cmartinez at uninorte.edu.co
Mon Jun 20 21:16:51 CEST 2005


I modified the users file and now it works. The user entry now looks like this:

DEFAULT Simultaneous-Use := 1
    Fall-Through = 1

cmartinez Max-Monthly-Session := 108000, Auth-Type := ldap
    Service-Type = Framed-User,
    Framed-Protocol = PPP

--------------------------

Thanks a lot to Roberto and Alan for their time and help.

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367
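
An added example, not part of the original thread or of FreeRADIUS: a Python scanner for `radiusd -X` output that lists each rlm_sqlcounter authorize pass and flags the ones that logged "Could not find Check item value pair", where the module returns noop and the request carries on with no time limit applied. The sample text is constructed from the line shapes quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the `radiusd -X` lines quoted in this thread.
SAMPLE_DEBUG = """\
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "monthlycounter" returns noop for
request 5
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Authorized user cmartinez, check_item=108000, counter=106750
  modcall[authorize]: module "monthlycounter" returns ok for request 8
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Rejected user cmartinez, check_item=100000, counter=107853
"""

EVENT = re.compile(
    r"(?P<enter>rlm_sqlcounter: Entering module authorize code)"
    r"|(?P<missing>rlm_sqlcounter: Could not find Check item value pair)"
    r"|rlm_sqlcounter: (?P<verdict>Authorized|Rejected) user (?P<user>[^,\s]+), "
    r"check_item=(?P<limit>\d+), counter=(?P<used>\d+)"
    r'|modcall\[authorize\]: module "(?P<inst>[^"]+)" returns \w+ '
    r"for request (?P<req>\d+)")

def sqlcounter_outcomes(debug_text):
    """Return one dict per rlm_sqlcounter authorize pass found in the text."""
    unquoted = re.sub(r"(?m)^[> ]+", "", debug_text)   # drop mail quote markers
    flat = " ".join(unquoted.split())                  # undo mail line wrapping
    outcomes, cur = [], None
    for m in EVENT.finditer(flat):
        if m.group("enter"):
            if cur is not None:          # previous pass had no modcall line
                outcomes.append(cur)
            cur = {"status": "unknown", "instance": None, "request": None}
        elif cur is None:
            continue                     # modcall line of a non-sqlcounter module
        elif m.group("missing"):
            cur["status"] = "not-enforced"   # no limit attribute on this request
        elif m.group("verdict"):
            cur.update(status=m.group("verdict").lower(), user=m.group("user"),
                       limit=int(m.group("limit")), used=int(m.group("used")))
        else:                            # modcall line closes the current pass
            cur.update(instance=m.group("inst"), request=int(m.group("req")))
            outcomes.append(cur)
            cur = None
    return outcomes + ([cur] if cur is not None else [])

def unenforced(outcomes):
    """(request, instance) pairs where the counter ran but applied no limit."""
    return [(o["request"], o["instance"]) for o in outcomes if o["status"] == "not-enforced"]
```

Calling `unenforced(sqlcounter_outcomes(text))` on captured debug output gives the request numbers to compare against the users file or LDAP entry that should have supplied the limit attribute.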



Carlos Martínez-Troncoso Cera wrote:

> Thanks Roberto for your answer, but I made the changes in 
> sqlcounter.conf and with my Cisco, sqlcounter doesn't work; with 
> NTRadping it works very well. I looked into the source code in 
> freeradius 1.0.4 but this module is the same as in the 1.0.2 version (I have 
> 1.0.2 working).
> What can I do?
> Do you know how I can debug this module?
>
> This is the message with radiusd -X -A (with Cisco):
>
> rlm_ldap: user cmartinez authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 5
> rlm_sqlcounter: Entering module authorize code
> rlm_sqlcounter: Could not find Check item value pair
>   modcall[authorize]: module "monthlycounter" returns noop for request 5
> modcall: group authorize returns ok for request 5
>   rad_check_password:  Found Auth-Type ldap
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
>
> -------------------------------------------------------------------------
>
> with NTRadping:
>
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> rlm_sqlcounter: Entering module authorize code
> sqlcounter_expand:  'SELECT SUM(AcctSessionTime - GREATEST((1117602000 
> - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
> UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) + 
> AcctSessionTime > '1117602000''
> radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - 
> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
> UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + 
> AcctSessionTime > '1117602000''
> sqlcounter_expand:  '%{sql:SELECT SUM(AcctSessionTime - 
> GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM 
> radacct WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + 
> AcctSessionTime > '1117602000'}'
> radius_xlat: Running registered xlat function of module sql for string 
> 'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - 
> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
> UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + 
> AcctSessionTime > '1117602000''
> rlm_sql (sql): - sql_xlat
> radius_xlat:  'cmartinez'
> rlm_sql (sql): sql_set_user escaped user --> 'cmartinez'
> radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - 
> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
> UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + 
> AcctSessionTime > '1117602000''
> rlm_sql (sql): Reserving sql socket id: 4
> rlm_sql (sql): - sql_xlat finished
> rlm_sql (sql): Released sql socket id: 4
> radius_xlat:  '107853'
> rlm_sqlcounter: (Check item - counter) is less than zero
> rlm_sqlcounter: Rejected user cmartinez, check_item=100000, counter=107853
>  
>
> Thanks for your help!
>
>Carlos Martínez-Troncoso Cera
>Coordinador de Servicios Internet/Intranet
>Universidad del Norte
>Barranquilla, Colombia
>Tel: 57 5 3509367
>
>
>
> Roberto Gonzalez Azevedo wrote:
>
>> sqlcounter noresetcounter {
>> ## Look here
>>         driver = "rlm_sqlcounter"
>>                counter-name = Max-All-Session-Time
>>                check-name = Max-All-Session
>> ## Look here
>>         check-item = Max-All-Session
>>                sqlmod-inst = sql
>>                key = User-Name
>>                reset = never
>>                query = "SELECT SUM(AcctSessionTime) FROM radacct 
>> WHERE UserName='%{%k}'"
>>        }
>>
>> sqlcounter dailycounter {
>>                driver = "rlm_sqlcounter"
>>                counter-name = Daily-Session-Time
>>                check-name = Max-Daily-Session
>> ## Look here
>>         check-item = Max-Daily-Session
>>                sqlmod-inst = sql
>>                key = User-Name
>>                reset = daily
>>                query = "SELECT SUM(AcctSessionTime - GREATEST((%b - 
>> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
>> UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime 
>> > '%b'"
>>        }
>>
>> sqlcounter monthlycounter {
>> ## Look here
>>         driver = "rlm_sqlcounter"
>>                counter-name = Monthly-Session-Time
>>                check-name = Max-Monthly-Session
>> ## Look here
>>         check-item = Max-Monthly-Session
>>                sqlmod-inst = sql
>>                key = User-Name
>>                reset = monthly
>>                query = "SELECT SUM(AcctSessionTime - GREATEST((%b - 
>> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
>> UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime 
>> > '%b'"
>>    }
>>
>> thanks ...
>> -------------------------
>> Roberto Gonzalez Azevedo
>>
>> Carlos Martínez-Troncoso Cera wrote:
>>
>>> ok Roberto:
>>> sqlcounter noresetcounter {
>>>                counter-name = Max-All-Session-Time
>>>                check-name = Max-All-Session
>>>                sqlmod-inst = sql
>>>                key = User-Name
>>>                reset = never
>>>                query = "SELECT SUM(AcctSessionTime) FROM radacct 
>>> WHERE UserName='%{%k}'"
>>>        }
>>>
>>> sqlcounter dailycounter {
>>>                driver = "rlm_sqlcounter"
>>>                counter-name = Daily-Session-Time
>>>                check-name = Max-Daily-Session
>>>                sqlmod-inst = sql
>>>                key = User-Name
>>>                reset = daily
>>>                query = "SELECT SUM(AcctSessionTime - GREATEST((%b - 
>>> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
>>> UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime 
>>> > '%b'"
>>>        }
>>>
>>> sqlcounter monthlycounter {
>>>                counter-name = Monthly-Session-Time
>>>                check-name = Max-Monthly-Session
>>>                sqlmod-inst = sql
>>>                key = User-Name
>>>                reset = monthly
>>>                query = "SELECT SUM(AcctSessionTime - GREATEST((%b - 
>>> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
>>> UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime 
>>> > '%b'"
>>>    }
>>>
>>>
>>>
>>> Carlos Martínez-Troncoso Cera
>>> Coordinador de Servicios Internet/Intranet
>>> Universidad del Norte
>>> Barranquilla, Colombia
>>> Tel: 57 5 3509367
>>>
>>>
>>>
>>> Roberto Gonzalez Azevedo wrote:
>>>
>>>> Show us your sqlcounter.conf ...
>>>>
>>>> You should define 'check-item' in sqlcounter.conf ...
>>>>
>>>> -------------------------
>>>> Roberto Gonzalez Azevedo
>>>> Carlos Martínez-Troncoso Cera wrote:
>>>>
>>>>> Hello.
>>>>>
>>>>> I have freeradius-1.0.2 with authorization and authentication in 
>>>>> LDAP and accounting in MySQL. I configured it to use rlm_sqlcounter 
>>>>> to control connection time. Testing with NTRadping works well, but 
>>>>> testing with my Cisco NAS it doesn't work.
>>>>>
>>>>> With my cisco NAS this is the message:
>>>>>
>>>>> rlm_sqlcounter: Entering module authorize code
>>>>> rlm_sqlcounter: Could not find Check item value pair
>>>>>   modcall[authorize]: module "noresetcounter" returns noop for 
>>>>> request 3
>>>>> rlm_sqlcounter: Entering module authorize code
>>>>> rlm_sqlcounter: Could not find Check item value pair
>>>>>   modcall[authorize]: module "monthlycounter" returns noop for 
>>>>> request 3
>>>>>
>>>>>
>>>>> With NTRadPing the message is:
>>>>>
>>>>> rlm_sqlcounter: (Check item - counter) is greater than zero
>>>>> rlm_sqlcounter: Authorized user cmartinez, check_item=108000, 
>>>>> counter=106750
>>>>> rlm_sqlcounter: Sent Reply-Item for user cmartinez, 
>>>>> Type=Session-Timeout, value=1250
>>>>>   modcall[authorize]: module "monthlycounter" returns ok for 
>>>>> request 8
>>>>>
>>>>>
>>>>> My relevant conf files:
>>>>> ------------------------------------
>>>>> clients.conf
>>>>>
>>>>> #PC with NTRadping
>>>>> client 172.16.31.43/32 {
>>>>>        secret          = xxxxx
>>>>>        shortname       = Carlos
>>>>>        type            = other
>>>>> }
>>>>> #Cisco NAS
>>>>> client 200.106.138.14/32 {
>>>>>     secret        = xxxxxx
>>>>>     shortname    = cisco
>>>>>     type        = cisco
>>>>> }
>>>>> ------------------------------------
>>>>> radiusd.conf
>>>>>
>>>>> prefix = /usr
>>>>> exec_prefix = /usr
>>>>> sysconfdir = /etc
>>>>> localstatedir = /var
>>>>> sbindir = /usr/sbin
>>>>> logdir = ${localstatedir}/log/radius
>>>>> raddbdir = ${sysconfdir}/raddb
>>>>> radacctdir = ${logdir}/radacct
>>>>> confdir = ${raddbdir}
>>>>> run_dir = ${localstatedir}/run/radiusd
>>>>> log_file = ${logdir}/radius.log
>>>>> libdir = /usr/local/lib
>>>>> pidfile = ${run_dir}/radiusd.pid
>>>>> user = radiusd
>>>>> group = radiusd
>>>>> max_request_time = 30
>>>>> delete_blocked_requests = no
>>>>> cleanup_delay = 5
>>>>> max_requests = 1024
>>>>> bind_address = *
>>>>> port = 1812
>>>>> hostname_lookups = no
>>>>> allow_core_dumps = no
>>>>> regular_expressions    = yes
>>>>> extended_expressions    = yes
>>>>> log_stripped_names = yes
>>>>> log_auth = yes
>>>>> log_auth_badpass = no
>>>>> log_auth_goodpass = no
>>>>> usercollide = no
>>>>> lower_user = no
>>>>> lower_pass = no
>>>>> nospace_user = no
>>>>> nospace_pass = no
>>>>> checkrad = ${sbindir}/checkrad
>>>>>
>>>>> security {
>>>>>     max_attributes = 200
>>>>>     reject_delay = 1
>>>>>     status_server = no
>>>>> }
>>>>>
>>>>> proxy_requests  = no
>>>>> $INCLUDE  ${confdir}/clients.conf
>>>>> snmp    = no
>>>>> $INCLUDE  ${confdir}/snmp.conf
>>>>>
>>>>> thread pool {
>>>>>     start_servers = 5
>>>>>     max_servers = 32
>>>>>     min_spare_servers = 3
>>>>>     max_spare_servers = 10
>>>>>     max_requests_per_server = 0
>>>>> }
>>>>>
>>>>> modules {
>>>>>
>>>>>     pap {
>>>>>         encryption_scheme = crypt
>>>>>     }
>>>>>
>>>>>     chap {
>>>>>         authtype = CHAP
>>>>>     }
>>>>>
>>>>>     pam {
>>>>>         pam_auth = radiusd
>>>>>     }
>>>>>
>>>>>     $INCLUDE  ${confdir}/sql.conf
>>>>>     $INCLUDE  ${confdir}/sqlcounter.conf
>>>>>
>>>>>     mschap {
>>>>>         authtype = MS-CHAP
>>>>>     }
>>>>>
>>>>>     ldap {
>>>>>         server = "200.xx.xx.xx"
>>>>>         port = "390"
>>>>>         identity = "cn=Directory Manager"
>>>>>         password = xxxxxxxxxx
>>>>>         basedn = "o=yy,o=yy"
>>>>>         password_attribute = "userPassword"
>>>>>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>>>>>         start_tls = no
>>>>>         access_attr = "dialupAccess"
>>>>>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>>>>>         ldap_connections_number = 5
>>>>>         timeout = 4
>>>>>         timelimit = 3
>>>>>         net_timeout = 1
>>>>>     }
>>>>>
>>>>>     checkval {
>>>>>         item-name = Max-Monthly-Session
>>>>>         check-name = Max-Monthly-Session
>>>>>         data-type = string
>>>>>     }
>>>>>        preprocess {
>>>>>         huntgroups = ${confdir}/huntgroups
>>>>>         hints = ${confdir}/hints
>>>>>         with_ascend_hack = no
>>>>>         ascend_channels_per_line = 23
>>>>>         with_ntdomain_hack = no
>>>>>         with_specialix_jetstream_hack = no
>>>>>         with_cisco_vsa_hack = no
>>>>>     }
>>>>>
>>>>>     files {
>>>>>         usersfile = ${confdir}/users
>>>>>         acctusersfile = ${confdir}/acct_users
>>>>>         compat = no
>>>>>     }
>>>>>
>>>>>     detail {
>>>>>         detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>>>>>         detailperm = 0600
>>>>>     }
>>>>>
>>>>>         detail auth_log {
>>>>>          detailfile = 
>>>>> ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
>>>>>          detailperm = 0600
>>>>>      }
>>>>>
>>>>>     detailfile = 
>>>>> ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
>>>>>       detailperm = 0600
>>>>>
>>>>>     acct_unique {
>>>>>         key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
>>>>> Client-IP-Address, NAS-Port"
>>>>>     }
>>>>>
>>>>>     radutmp {
>>>>>         filename = ${logdir}/radutmp
>>>>>         username = %{User-Name}
>>>>>         case_sensitive = yes
>>>>>         check_with_nas = yes
>>>>>         perm = 0600
>>>>>         callerid = "yes"
>>>>>     }
>>>>>
>>>>>     radutmp sradutmp {
>>>>>         filename = ${logdir}/sradutmp
>>>>>         perm = 0644
>>>>>         callerid = "no"
>>>>>     }
>>>>>
>>>>>     attr_filter {
>>>>>         attrsfile = ${confdir}/attrs
>>>>>     }
>>>>>
>>>>>     always fail {
>>>>>         rcode = fail
>>>>>     }
>>>>>     always reject {
>>>>>         rcode = reject
>>>>>     }
>>>>>     always ok {
>>>>>         rcode = ok
>>>>>         simulcount = 0
>>>>>         mpp = no
>>>>>     }
>>>>>
>>>>>     expr {
>>>>>     }
>>>>>
>>>>>     digest {
>>>>>     }
>>>>>
>>>>>     exec {
>>>>>         wait = yes
>>>>>         input_pairs = request
>>>>>     }
>>>>>
>>>>>     exec echo {
>>>>>         wait = yes
>>>>>         program = "/bin/echo %{User-Name}"
>>>>>         input_pairs = request
>>>>>         output_pairs = reply
>>>>>     }
>>>>>
>>>>>     ippool main_pool {
>>>>>         range-start = 192.168.1.1
>>>>>         range-stop = 192.168.3.254
>>>>>         netmask = 255.255.255.0
>>>>>         cache-size = 800
>>>>>         session-db = ${raddbdir}/db.ippool
>>>>>         ip-index = ${raddbdir}/db.ipindex
>>>>>         override = no
>>>>>         maximum-timeout = 0
>>>>>     }
>>>>> }
>>>>>
>>>>> instantiate {
>>>>>     exec
>>>>>     expr
>>>>>     monthlycounter
>>>>> }
>>>>>
>>>>> authorize {
>>>>>     preprocess
>>>>>     auth_log
>>>>>         chap
>>>>>     mschap
>>>>>     files
>>>>>     ldap
>>>>>     noresetcounter
>>>>>     monthlycounter
>>>>> }
>>>>>
>>>>> authenticate {
>>>>>     Auth-Type PAP {
>>>>>         pap
>>>>>     }
>>>>>     Auth-Type CHAP {
>>>>>         chap
>>>>>     }
>>>>>     Auth-Type MS-CHAP {
>>>>>         mschap
>>>>>     }
>>>>>     Auth-Type LDAP {
>>>>>         ldap
>>>>>     }
>>>>> }
>>>>>
>>>>> preacct {
>>>>>     preprocess
>>>>>     acct_unique
>>>>> }
>>>>>
>>>>> accounting {
>>>>>     detail
>>>>>     radutmp
>>>>>     sradutmp
>>>>>     sql
>>>>> }
>>>>>
>>>>> session {
>>>>>     radutmp
>>>>>     sql
>>>>> }
>>>>>
>>>>> post-auth {
>>>>> }
>>>>>
>>>>> pre-proxy {
>>>>> }
>>>>>
>>>>> post-proxy {
>>>>> }
>>>>>
>>>>> -------------------------------------
>>>>> users
>>>>>
>>>>> DEFAULT Auth-Type = ldap
>>>>>     Fall-Through = 1
>>>>>
>>>>> DEFAULT Simultaneous-Use := 1
>>>>>     Fall-Through = 1
>>>>>
>>>>> DEFAULT Framed-Protocol == PPP
>>>>>     Framed-Protocol = PPP,
>>>>>     Framed-Compression = Van-Jacobson-TCP-IP
>>>>>
>>>>> testuser Max-Monthly-Session := 108000, Auth-Type := ldap
>>>>>     Service-Type = Framed-User,
>>>>>     Framed-Protocol = PPP
>>>>>
>>>>>
>>>>> Any help will be appreciated.
>>>>>
>>>>> Thanks a lot
>>>>>
>>>>> -- 
>>>>> Carlos Martínez-Troncoso Cera
>>>>> Coordinador de Servicios Internet/Intranet
>>>>> Universidad del Norte
>>>>> Barranquilla, Colombia
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------ 
>>>>>
>>>>>
>>>>> - List info/subscribe/unsubscribe? See 
>>>>> http://www.freeradius.org/list/users.html