limiting sessions

Andrew Long along at escapewire.com
Thu Nov 9 17:34:55 CET 2006


> On Thursday 09 November 2006 11:00, Andrew Long wrote:
>> Here is the output from radiusd -X regarding the answer to an
>> auth-request from one of the properties where I changed
>> session-timeout to 1800. It does not look to me like the
>> session-timeout attribute is being sent... any suggestions?

> Where are you setting Session-Timeout?  If it is being added by an sql entry,
> run the queries shown in your debug output to verify the rows returned from
> the database are correct.

> What are the check and reply items for the section that contains the 
> Session-Timeout attribute?  Are they matching attributes in the 
> Access-Request packet you sent?

> Kevin Bonner

I grabbed the response from radius to an auth-request from aroma and
it does not appear to include the session timeout attr-value pair,
but it did authorize.

So, I ran the query that the module ran (grabbed from the -x output)

SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = '4aroma70370'
AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id

and found that it came up with a null set for that user when run
against radgroupreply,usergroup (session-timeout is in radgroupreply).

Next, I looked in usergroup with

SELECT
`usergroup`.`UserName`,
`usergroup`.`creationdate`,
`usergroup`.`GroupName`
from usergroup
where username like '%aroma%'
order by creationdate desc
limit 1000;

and found no pairs for recent aroma usernames and no entry for
'4aroma70370'.

I also ran

SELECT
`usergroup`.`UserName`,
`usergroup`.`creationdate`,
`usergroup`.`GroupName`
from usergroup
where username = '4aroma70370';

and that also comes up null...

Does it make sense that radius is not recognizing the usernames as
belonging to the group 'aroma', thus not assigning the group-reply?
This is my current thought on this, but I'm not sure why it would
still authorize the request, unless it's not necessary that users be
part of a group.

I am thinking that some usernames were created and added to the
radcheck table but were overlooked in usergroup...
  

-- 
Regards,
Andrew
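
Added example, not part of the original message: a way to list every user that has radcheck rows but no usergroup row, and to confirm that the group-reply join quoted above returns nothing for them. It uses an in-memory SQLite database with constructed rows; the radcheck columns are an assumption based on the stock FreeRADIUS SQL schema, and the username '4aroma60001' and the password value are made up.

```python
import sqlite3

# Constructed sample data; table and column names follow the queries in the post.
# The radcheck columns are an assumption (stock FreeRADIUS SQL schema).
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT, creationdate TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES
  ('4aroma70370', 'User-Password', '==', 'placeholder'),
  ('4aroma60001', 'User-Password', '==', 'placeholder');
INSERT INTO usergroup VALUES ('4aroma60001', 'aroma', '2006-10-01');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES
  ('aroma', 'Session-Timeout', ':=', '1800');
"""

# Anti-join: users that can authenticate (radcheck) but have no group row.
ORPHANS = """
SELECT DISTINCT radcheck.UserName FROM radcheck
LEFT JOIN usergroup ON usergroup.UserName = radcheck.UserName
WHERE usergroup.UserName IS NULL ORDER BY radcheck.UserName
"""

# Same join as the group-reply query quoted in the post, with a bound username.
GROUP_REPLY = """
SELECT radgroupreply.Attribute, radgroupreply.Value
FROM radgroupreply, usergroup WHERE usergroup.UserName = ?
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def users_without_group(db):
    """Usernames present in radcheck with no usergroup mapping."""
    return [row[0] for row in db.execute(ORPHANS)]

def group_reply(db, username):
    """Reply attributes the group join yields for one user."""
    return db.execute(GROUP_REPLY, (username,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    for user in users_without_group(db):
        print(user, "has no usergroup row; group reply:", group_reply(db, user))
```

The ORPHANS statement is plain SQL with a LEFT JOIN, so it can also be run directly against the MySQL database.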



