rlm_sqlcounter: Max-Daily-Session.

Russell Mike radius.sir at gmail.com
Thu May 15 17:23:25 CEST 2014


Try hard, it would work. It is important that accounting is logged in the MySQL
DB, and check whether sql is enabled in "sites-available/default":

accounting {
    sql
}

Thanks


On Thu, May 15, 2014 at 1:09 PM, * <zhex900 at gmail.com> wrote:

> Hi Russell,
>
> I changed the authorisation method on my device to EAP-TTLS, I could not
> get PAP to work. Now Session-Timeout is received by NAS. No more code 11.
> But for some reason MikroTik does not terminate the session after the
> assigned time.
>
> I made a post in
> http://forum.mikrotik.com/viewtopic.php?f=2&t=84986&p=426217#p426217. I
> will try to upgrade RouterOS to 6.12. Apart from this I don't know what else
> to do.
>
> Thank you for your kind help.
>
> Jake He
>
>
> On Wed, May 14, 2014 at 6:16 PM, Russell Mike <radius.sir at gmail.com> wrote:
>
>> Hi,
>>
>> I am sure you are doing all that in LAB, so why complex? Try with PAP at
>> least to make sure stuff works, and then configure EAP later. Don't do
>> anything to inner-tunnel.
>>
>> Thanks / Regards
>>
>>
>>
>> On Tue, May 13, 2014 at 11:39 PM, * <zhex900 at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I have set my reply item Session-Timeout := 600 for the user bob. I can
>>> see the radius sending the Session-Timeout to NAS. But the radius gets a
>>> "*eap_peap : Got tunneled reply code 11.*" My NAS is receiving other
>>> Access-Challenge requests but not this one.
>>>
>>> I tried to find out what code 11 is but I cannot find a simple answer.
>>>
>>> Do I need to configure my inner-tunnel?
>>>
>>> Jake He
>>>
>>>
>>> *Sending Access-Challenge of id 155 from 10.1.1.2 port 135 to
>>> 27.33.228.125 port 45095*
>>> * Session-Timeout := 600*
>>> * Idle-Timeout := 30*
>>> * EAP-Message = 0x010200061920*
>>> * Message-Authenticator = 0x00000000000000000000000000000000*
>>> * State = 0xb77514c3b6770d58e310744eea16afdc*
>>> *(1) Finished request 1.*
>>>
>>> (8)   [pap] = noop
>>> (8)  } #  authorize = updated
>>> (8) Found Auth-Type = EAP
>>> (8) # Executing group from file
>>> /etc/freeradius/sites-enabled/inner-tunnel
>>> (8)   authenticate {
>>> (8) eap : Expiring EAP session with state 0x7b061f337b0e0549
>>> (8) eap : Finished EAP session with state 0x7b061f337b0e0549
>>> (8) eap : Previous EAP request found for state 0x7b061f337b0e0549,
>>> released from the list
>>> (8) eap : Peer sent MSCHAPv2 (26)
>>> (8) eap : EAP MSCHAPv2 (26)
>>> (8) eap : Calling eap_mschapv2 to process EAP data
>>> (8) eap_mschapv2 : # Executing group from file
>>> /etc/freeradius/sites-enabled/inner-tunnel
>>> (8) eap_mschapv2 :  Auth-Type MS-CHAP {
>>> (8) mschap : Found Cleartext-Password, hashing to create LM-Password
>>> (8) mschap : Found Cleartext-Password, hashing to create NT-Password
>>> (8) mschap : Creating challenge hash with username: bob
>>> (8) mschap : Client is using MS-CHAPv2 for bob, we need NT-Password
>>> (8) mschap : adding MS-CHAPv2 MPPE keys
>>> (8)   [mschap] = ok
>>> (8)  } # Auth-Type MS-CHAP = ok
>>> MSCHAP Success
>>> (8) eap : New EAP session, adding 'State' attribute to reply
>>> 0x7b061f337a0f0549
>>> (8)   [eap] = handled
>>> (8)  } #  authenticate = handled
>>> } # server inner-tunnel
>>> *(8) eap_peap : Got tunneled reply code 11*
>>> * Session-Timeout := 600*
>>> * Idle-Timeout := 30*
>>> * EAP-Message =
>>> 0x010900331a0308002e533d32374134353837324635433545353846434334433734383546333732324530414444373730393738*
>>> * Message-Authenticator = 0x00000000000000000000000000000000*
>>> * State = 0x7b061f337a0f0549d125cd93a8b94882*
>>> (8) eap_peap : Got tunneled reply RADIUS code 11
>>> Session-Timeout := 600
>>> Idle-Timeout := 30
>>> EAP-Message =
>>> 0x010900331a0308002e533d32374134353837324635433545353846434334433734383546333732324530414444373730393738
>>>  Message-Authenticator = 0x00000000000000000000000000000000
>>> State = 0x7b061f337a0f0549d125cd93a8b94882
>>> (8) eap_peap : Got tunneled Access-Challenge
>>> (8) eap : New EAP session, adding 'State' attribute to reply
>>> 0xb77514c3bf7c0d58
>>> (8)   [eap] = handled
>>> (8)  } #  authenticate = handled
>>>
>>>
>>>
>>>
>>>
>>> On Tue, May 13, 2014 at 9:32 PM, Russell Mike <radius.sir at gmail.com> wrote:
>>>
>>>>
>>>>
>>>>
>>>> On Tue, May 13, 2014 at 12:30 PM, * <zhex900 at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Thank you for your patience. I am very happy someone can help me. Now
>>>>> I made some progress.
>>>>>
>>>>> I found out what the problem is now. In the query you provided I need
>>>>> to put quotes around radacct. Like this:
>>>>>  query = "SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(),
>>>>> MIN(AcctStartTime))),0) FROM `radacct` WHERE UserName='%{%k}' ORDER
>>>>> BY AcctStartTime LIMIT 1;"
>>>>>
>>>> Okay, good, there was an error in the username variable as well in your
>>>> previous query ('%{%k}'). Anyway, happy it worked!!
>>>>
>>>>
>>>>> Now, have one more problem.
>>>>>
>>>>> My NAS (Mikrotik) is not receiving the Session-Timeout. I cannot see it
>>>>> in the NAS log. I only can see Acct-Session-Time. Therefore it is not
>>>>> terminating the session. For testing I have set the time limit to 60
>>>>> seconds.
>>>>>
>>>>> Freeradius is sending it:
>>>>>
>>>>> (2) dailycounter : Sent Reply-Item for user hello,
>>>>> Type=Session-Timeout, value=60
>>>>> (2)   [dailycounter] = ok
>>>>>
>>>>> Sending Access-Challenge of id 232 from 10.1.1.2 port 135 to
>>>>> 27.33.228.125 port 47097
>>>>> Session-Timeout = 60
>>>>>  EAP-Message = 0x010200061920
>>>>> Message-Authenticator = 0x00000000000000000000000000000000
>>>>> State = 0x543a9074553889da6f504855ab4e7a4b
>>>>> (2) Finished request 2.
>>>>>
>>>>> I did not put anything in the radreply for the user. When I did put
>>>>> Session-Timeout=60 in radreply, I still cannot see it in the NAS log.
>>>>>
>>>>> Is it a problem with my NAS configuration?
>>>>>
>>>>> What should I do now?
>>>>>
>>>>
>>>> The way FreeRADIUS works is that it does not disconnect users itself,
>>>> but rather tells the NAS to disconnect the user. How would FreeRADIUS
>>>> tell the NAS to disconnect the user? Using a REPLY ITEM. So put
>>>> "Session-Timeout" in the reply as well. You said that even if you add
>>>> "Session-Timeout" in the reply it makes no difference. No problem, leave
>>>> "Session-Timeout" in the reply item, it must be there. And you have
>>>> more than one problem. 60 seconds is too little; the minimum test should be
>>>> done with 600 seconds for better results.
>>>>
>>>> FreeRADIUS is now fine. Configure your NAS properly.
>>>>
>>>> NOTE: Check item is for FreeRADIUS. Reply item is for NAS.
>>>>
>>>> Thanks / Regards
>>>>
>>>> --RM
>>>>
>>>>
>>>>
>>>>> Jake He
>>>>>
>>>>>
>>>>> On Tue, May 13, 2014 at 5:12 PM, Arran Cudbard-Bell <
>>>>> a.cudbardb at freeradius.org> wrote:
>>>>>
>>>>>>
>>>>>> On 13 May 2014, at 08:46, * <zhex900 at gmail.com> wrote:
>>>>>>
>>>>>> > You mean I need to upgrade to 3.0.3?
>>>>>>
>>>>>> yes.
>>>>>>
>>>>>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>>>>>> FreeRADIUS Development Team
>>>>>>
>>>>>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>>>>>>
>>>>>>
>>>>>> -
>>>>>> List info/subscribe/unsubscribe? See
>>>>>> http://www.freeradius.org/list/users.html
>>>>>>
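
The point made at the top of this message, that the counter only works if accounting is logged to SQL, shown as an added illustration (not part of the original message and not FreeRADIUS code). It is a simplified Python/sqlite3 model of a daily session counter: the function names, the sqlite schema and the sample rows are constructed, and sessions that span the daily reset are not handled.

```python
import sqlite3
from datetime import datetime, timedelta

# Simplified model of a daily session counter (reset at midnight).
# Column names follow the radacct query in the thread; all rows are constructed.

def open_acct_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime TEXT,"
               " acctsessiontime INTEGER)")
    return db

def log_accounting(db, user, start, seconds):
    # Stands in for the `sql` entry of the accounting section writing a stopped session.
    db.execute("INSERT INTO radacct VALUES (?, ?, ?)",
               (user, start.strftime("%Y-%m-%d %H:%M:%S"), seconds))

def daily_counter(db, user, max_daily_session, now):
    # Sum today's recorded session time and compare it with the check item.
    day_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    (used,) = db.execute(
        "SELECT IFNULL(SUM(acctsessiontime), 0) FROM radacct"
        " WHERE username = ? AND acctstarttime >= ?",
        (user, day_start.strftime("%Y-%m-%d %H:%M:%S"))).fetchone()
    remaining = max_daily_session - used
    if remaining <= 0:
        return ("reject", 0)          # quota used up: no Session-Timeout to send
    return ("accept", remaining)      # reply item: Session-Timeout = remaining

def demo():
    now = datetime(2014, 5, 15, 17, 0, 0)
    limit = 600                       # Max-Daily-Session check item (constructed)
    db = open_acct_db()
    log_accounting(db, "bob", now - timedelta(days=1), 600)   # yesterday: ignored
    results = [daily_counter(db, "bob", limit, now)]          # nothing logged today
    log_accounting(db, "bob", now - timedelta(hours=2), 400)
    results.append(daily_counter(db, "bob", limit, now))
    log_accounting(db, "bob", now - timedelta(hours=1), 200)
    results.append(daily_counter(db, "bob", limit, now))
    return results

if __name__ == "__main__":
    print(demo())
```

If accounting is not logged, radacct stays empty and the first result repeats on every login, so the daily limit is never enforced.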