User-accounts do not expire in time...

Evert evert at poboxes.info
Wed Nov 21 14:51:57 CET 2007


I've been checking radacct, and there is a record there for every 'Login OK'. Isn't the
oldest of those used to figure out when 24 hours have passed?

IMHO the type of NAS and/or sniffing for stuff is not relevant here. It's the RADIUS
server which keeps on giving 'Login OK' even after the 24-hour period has passed.

The server runs version 1.1.6 of FreeRADIUS  ;-)


Regards,
	Evert




liran tal wrote:
> If your NAS is not sending any accounting packets to the server on the usage
> for a user how should freeradius know to increment its counter for
> the attribute?
> 
> So how about you eliminate all of the possible obvious errors by
> telling us which
> NAS is it (someone here might have had the same problem) and check these
> issues with a sniffer maybe to be sure.
> 
> Regards,
> Liran.
> 
> 
> On Nov 21, 2007 3:14 PM, Evert <evert at poboxes.info> wrote:
>> From this location I have no direct access to the NAS in question at the moment, so that
>> will have to wait a bit.
>>
>> But what about my comment that the user should not get a 'Login OK' but an 'Invalid user
>> (rlm_sqlcounter: Maximum never usage time reached)' as soon as 24 hours have passed and he
>> tries to log in again...?
>> Am I wrong there?
>>
>>
>>
>> Regards,
>>         Evert
>>
>> liran tal wrote:
>>> How about checking Alan's comment on whether your NAS
>>> is actually sending accounting information or not?
>>>
>>>
>>> Regards,
>>> Liran.
>>>
>>>
>>> On Nov 21, 2007 2:12 PM, Evert <evert at poboxes.info> wrote:
>>>> There is indeed a record in the usergroup-table with
>>>> UserName= ofjyc5
>>>> GroupName= 24hours
>>>>
>>>> ;-)
>>>>
>>>>
>>>> Regards,
>>>>         Evert
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> liran tal wrote:
>>>>> Hopefully you didn't forget to set the user-group mapping in usergroup
>>>>> table, right?
>>>>>
>>>>>
>>>>> Regards,
>>>>> Liran.
>>>>>
>>>>> On Nov 21, 2007 1:01 PM, Evert <evert at poboxes.info> wrote:
>>>>>> Alan DeKok wrote:
>>>>>>> Evert wrote:
>>>>>>>> I have users in my system who are supposed to be able to logon as much as they want, in a
>>>>>>>> period of 24 hours starting from  their 1st logon.
>>>>>>> ...
>>>>>>>> however, a user who is a member of the 24hours group is able to log on longer than the
>>>>>>>> 24hours period:
>>>>>>>   Is the server receiving accounting packets?
>>>>>>>
>>>>>>>   The fact that a user received an Access-Accept doesn't mean they
>>>>>>> succeeded in logging in.  The NAS may have rebooted, they may have hung
>>>>>>> up, the Access-Accept could have been lost, etc.
>>>>>>>
>>>>>>>   The server knows (and accounts for) the user logging in only when it
>>>>>>> receives an Accounting-Request packet.  The accounting packets are also
>>>>>>> used to determine how long the user was logged in for.
>>>>>> Provided both the server and the NAS have not rebooted in the meantime, shouldn't the
>>>>>> server send a 'Maximum never usage time reached', based on the rules in sqlcounter.conf,
>>>>>> accounting packets or not?
>>>>>>
>>>>>> How long the user has been logged on in the 24-hour period is not really relevant in my
>>>>>> case. All I need is that when the user tries to log in again > 24 hours after 1st logon
>>>>>> (based on AcctStartTime) he gets a 'Maximum never usage time reached'.
>>>>>>
>>>>>>
>>>>>>
>>>>>> (I'll have to check on the accounting packets. Not sure about them)
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>         Evert
>>>>>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
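
The check discussed in this thread (reject a login once more than 24 hours have passed since the user's earliest AcctStartTime in radacct), as an added example that is not part of the original messages and is not rlm_sqlcounter's own code or configuration. The two-column radacct table, the function names and the sample rows are constructed assumptions; the third user shows the case Alan raises, where no accounting record exists and there is no start time to count from.

```python
import sqlite3
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # validity period counted from the first session start

def make_db(rows):
    """Build an in-memory stand-in for radacct (reduced to two columns; constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime TEXT)")
    db.executemany("INSERT INTO radacct VALUES (?, ?)", rows)
    return db

def first_start(db, user):
    """Earliest AcctStartTime recorded for the user, or None if no accounting rows exist."""
    (value,) = db.execute(
        "SELECT MIN(AcctStartTime) FROM radacct WHERE UserName = ?", (user,)
    ).fetchone()
    return datetime.fromisoformat(value) if value else None

def decide(db, user, now):
    """Return (decision, reason) for a login attempt at time `now`."""
    first = first_start(db, user)
    if first is None:
        # No accounting record: there is no start time to count from.
        return "accept", "no accounting start recorded; window not started"
    expires = first + WINDOW
    if now > expires:
        return "reject", f"first login {first}, expired {expires}"
    return "accept", f"valid until {expires}"

# Constructed sample rows; user_c authenticated but no accounting row was ever written.
SAMPLE = [
    ("user_a", "2007-11-20 09:00:00"),
    ("user_a", "2007-11-21 08:30:00"),
    ("user_b", "2007-11-21 10:00:00"),
]

if __name__ == "__main__":
    db = make_db(SAMPLE)
    now = datetime(2007, 11, 21, 14, 51, 57)
    for user in ("user_a", "user_b", "user_c"):
        print(user, *decide(db, user, now))
```
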




More information about the Freeradius-Users mailing list