rlm_sqlcounter: Max-Daily-Session.

* zhex900 at gmail.com
Fri May 16 02:58:05 CEST 2014


Accounting is working fine. All the information is logged.

I think radius is working fine.

Do I need to set up PPP AAA at the NAS?
http://wiki.mikrotik.com/wiki/Manual:PPP_AAA


On Thu, May 15, 2014 at 11:23 PM, Russell Mike <radius.sir at gmail.com> wrote:

> Try hard, it would work. It is important that accounting is logged in the
> MySQL DB, and check whether sql is enabled in "sites-available/default"
>
> accounting {
> sql
> }
>
> Thanks
>
>
> On Thu, May 15, 2014 at 1:09 PM, * <zhex900 at gmail.com> wrote:
>
>> Hi Russell,
>>
>> I changed the authorisation method on my device to EAP-TTLS, I could not
>> get PAP to work. Now Session-Timeout is received by NAS. No more code 11.
>> But for some reason MikroTik does not terminate the session after the
>> assigned time.
>>
>> I made a post in
>> http://forum.mikrotik.com/viewtopic.php?f=2&t=84986&p=426217#p426217. I
>> will try to upgrade RouterOS to 6.12. Apart from this I don't know what else
>> to do.
>>
>> Thank you for your kind help.
>>
>> Jake He
>>
>>
>> On Wed, May 14, 2014 at 6:16 PM, Russell Mike <radius.sir at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I am sure you are doing all that in a lab, why so complex? Try with PAP at
>>> least to make sure stuff works. And then configure EAP later. Don't do
>>> anything to inner-tunnel.
>>>
>>> Thanks / Regards
>>>
>>>
>>>
>>> On Tue, May 13, 2014 at 11:39 PM, * <zhex900 at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have set my reply item Session-Timeout := 600 for the user bob. I can
>>>> see the radius sending the Session-Timeout to NAS. But the radius gets a
>>>> "eap_peap : Got tunneled reply code 11." My NAS is receiving other
>>>> Access-Challenge requests but not this one.
>>>>
>>>> I tried to find out what code 11 is but I cannot find a simple answer.
>>>>
>>>> Do I need to configure my inner-tunnel?
>>>>
>>>> Jake He
>>>>
>>>>
>>>> *Sending Access-Challenge of id 155 from 10.1.1.2 port 135 to
>>>> 27.33.228.125 port 45095*
>>>> * Session-Timeout := 600*
>>>> * Idle-Timeout := 30*
>>>> * EAP-Message = 0x010200061920*
>>>> * Message-Authenticator = 0x00000000000000000000000000000000*
>>>> * State = 0xb77514c3b6770d58e310744eea16afdc*
>>>> *(1) Finished request 1.*
>>>>
>>>> (8)   [pap] = noop
>>>> (8)  } #  authorize = updated
>>>> (8) Found Auth-Type = EAP
>>>> (8) # Executing group from file
>>>> /etc/freeradius/sites-enabled/inner-tunnel
>>>> (8)   authenticate {
>>>> (8) eap : Expiring EAP session with state 0x7b061f337b0e0549
>>>> (8) eap : Finished EAP session with state 0x7b061f337b0e0549
>>>> (8) eap : Previous EAP request found for state 0x7b061f337b0e0549,
>>>> released from the list
>>>> (8) eap : Peer sent MSCHAPv2 (26)
>>>> (8) eap : EAP MSCHAPv2 (26)
>>>> (8) eap : Calling eap_mschapv2 to process EAP data
>>>> (8) eap_mschapv2 : # Executing group from file
>>>> /etc/freeradius/sites-enabled/inner-tunnel
>>>> (8) eap_mschapv2 :  Auth-Type MS-CHAP {
>>>> (8) mschap : Found Cleartext-Password, hashing to create LM-Password
>>>> (8) mschap : Found Cleartext-Password, hashing to create NT-Password
>>>> (8) mschap : Creating challenge hash with username: bob
>>>> (8) mschap : Client is using MS-CHAPv2 for bob, we need NT-Password
>>>> (8) mschap : adding MS-CHAPv2 MPPE keys
>>>> (8)   [mschap] = ok
>>>> (8)  } # Auth-Type MS-CHAP = ok
>>>> MSCHAP Success
>>>> (8) eap : New EAP session, adding 'State' attribute to reply
>>>> 0x7b061f337a0f0549
>>>> (8)   [eap] = handled
>>>> (8)  } #  authenticate = handled
>>>> } # server inner-tunnel
>>>> *(8) eap_peap : Got tunneled reply code 11*
>>>> * Session-Timeout := 600*
>>>> * Idle-Timeout := 30*
>>>> * EAP-Message =
>>>> 0x010900331a0308002e533d32374134353837324635433545353846434334433734383546333732324530414444373730393738*
>>>> * Message-Authenticator = 0x00000000000000000000000000000000*
>>>> * State = 0x7b061f337a0f0549d125cd93a8b94882*
>>>> (8) eap_peap : Got tunneled reply RADIUS code 11
>>>> Session-Timeout := 600
>>>> Idle-Timeout := 30
>>>> EAP-Message =
>>>> 0x010900331a0308002e533d32374134353837324635433545353846434334433734383546333732324530414444373730393738
>>>>  Message-Authenticator = 0x00000000000000000000000000000000
>>>> State = 0x7b061f337a0f0549d125cd93a8b94882
>>>> (8) eap_peap : Got tunneled Access-Challenge
>>>> (8) eap : New EAP session, adding 'State' attribute to reply
>>>> 0xb77514c3bf7c0d58
>>>> (8)   [eap] = handled
>>>> (8)  } #  authenticate = handled
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, May 13, 2014 at 9:32 PM, Russell Mike <radius.sir at gmail.com> wrote:
>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, May 13, 2014 at 12:30 PM, * <zhex900 at gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Thank you for your patience. I am very happy someone can help me. Now
>>>>>> I made some progress.
>>>>>>
>>>>>> I found out what the problem is now. In the query you provided I need
>>>>>> to put quotes around radacct. Like this:
>>>>>>  query = "SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(),
>>>>>> MIN(AcctStartTime))),0) FROM `radacct` WHERE UserName='%{%k}'
>>>>>> ORDER BY AcctStartTime LIMIT 1;"
>>>>>>
>>>>> Okay, good, there was an error in the username variable as well in your
>>>>> previous query ('%{%k}'). Anyways, happy it worked!!
>>>>>
>>>>>
>>>>>> Now, have one more problem.
>>>>>>
>>>>>> My NAS (Mikrotik) is not receiving the Session-Timeout. I cannot see
>>>>>> it in the NAS log. I only can see Acct-Session-Time. Therefore it is
>>>>>> not terminating the session. For testing I have set the time limit to 60
>>>>>> seconds.
>>>>>>
>>>>>> Freeradius is sending it:
>>>>>>
>>>>>> (2) dailycounter : Sent Reply-Item for user hello,
>>>>>> Type=Session-Timeout, value=60
>>>>>> (2)   [dailycounter] = ok
>>>>>>
>>>>>> Sending Access-Challenge of id 232 from 10.1.1.2 port 135 to
>>>>>> 27.33.228.125 port 47097
>>>>>> Session-Timeout = 60
>>>>>>  EAP-Message = 0x010200061920
>>>>>> Message-Authenticator = 0x00000000000000000000000000000000
>>>>>> State = 0x543a9074553889da6f504855ab4e7a4b
>>>>>> (2) Finished request 2.
>>>>>>
>>>>>> I did not put anything in the radreply for the user. When I did put
>>>>>> Session-Timeout=60 in radreply, I still cannot see it in the NAS log.
>>>>>>
>>>>>> Is it a problem with my NAS configuration?
>>>>>>
>>>>>> What should I do now?
>>>>>>
>>>>>
>>>>> The way FreeRADIUS works is that it does not disconnect users
>>>>> itself, but rather tells the NAS to disconnect the user. If I say that, how
>>>>> would FreeRADIUS tell the NAS to disconnect the user? Using a REPLY ITEM. So put
>>>>> "Session-Timeout" in Reply as well. You said even if you add
>>>>> "Session-Timeout" in reply it makes no difference; no problem, leave
>>>>> "Session-Timeout" in reply-item, it must be there. And you have
>>>>> more than one problem. 60 seconds is too little; the minimum test should be done
>>>>> with 600 seconds for better results.
>>>>>
>>>>> FreeRADIUS is now fine. Configure your NAS properly
>>>>>
>>>>> NOTE: Check item is for FreeRADIUS. reply item is for NAS.
>>>>>
>>>>> Thanks / Regards
>>>>>
>>>>> --RM
>>>>>
>>>>>
>>>>>
>>>>>> Jake He
>>>>>>
>>>>>>
>>>>>> On Tue, May 13, 2014 at 5:12 PM, Arran Cudbard-Bell <
>>>>>> a.cudbardb at freeradius.org> wrote:
>>>>>>
>>>>>>>
>>>>>>> On 13 May 2014, at 08:46, * <zhex900 at gmail.com> wrote:
>>>>>>>
>>>>>>> > You mean I need to upgrade to 3.0.3?
>>>>>>>
>>>>>>> yes.
>>>>>>>
>>>>>>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>>>>>>> FreeRADIUS Development Team
>>>>>>>
>>>>>>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>>>>>>>
>>>>>>>
>>>>>>> -
>>>>>>> List info/subscribe/unsubscribe? See
>>>>>>> http://www.freeradius.org/list/users.html
>>>>>>>
>
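
Added example, not part of the original thread and not FreeRADIUS code: in RADIUS (RFC 2865) packet code 11 is Access-Challenge, and the debug excerpts quoted above show Session-Timeout inside Access-Challenge packets. This helper lists which replies in a debug log carried the attribute, so you can check whether it was also present in the final Access-Accept. The function names are hypothetical and the sample log is constructed, using documentation IP addresses.

```python
import re

# RADIUS packet codes from RFC 2865; 11 is the "code 11" in the eap_peap debug line.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
SEND_RE = re.compile(r"Sending (Access-\w+) of id (\d+)")
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*)\s*:?=\s*(\S+)")
CODE_RE = re.compile(r"Got tunneled reply (?:RADIUS )?code (\d+)")

def _clean(line):
    # Drop mail quoting (">>>> "), "*" emphasis markers and surrounding whitespace.
    return line.lstrip("> \t").replace("*", "").strip()

def tunneled_reply_types(log_text):
    """Decode every 'Got tunneled reply code N' line into a packet name."""
    return [RADIUS_CODES.get(int(n), "code " + n) for n in CODE_RE.findall(log_text)]

def replies_with_attr(log_text, attr="Session-Timeout"):
    """Return (packet_type, id, value_or_None) for each reply the server sent."""
    replies, current = [], None
    for raw in log_text.splitlines():
        line = _clean(raw)
        sent = SEND_RE.search(line)
        if sent:
            current = [sent.group(1), int(sent.group(2)), None]
            replies.append(current)
        elif current is not None and (not line or line.startswith("(")):
            current = None  # attribute list of this packet has ended
        elif current is not None:
            pair = ATTR_RE.match(line)
            if pair and pair.group(1) == attr:
                current[2] = pair.group(2)
    return [tuple(r) for r in replies]

def attr_reached_accept(log_text, attr="Session-Timeout"):
    """True only if the attribute was present in an Access-Accept."""
    return any(kind == "Access-Accept" and value is not None
               for kind, _, value in replies_with_attr(log_text, attr))

# Constructed sample in the debug format quoted in the thread (documentation IPs).
SAMPLE = """\
>> Sending Access-Challenge of id 232 from 192.0.2.1 port 1812 to
>> 192.0.2.10 port 47097
>>   Session-Timeout = 60
>>   EAP-Message = 0x010200061920
>> (2) Finished request 2.
>> (8) eap_peap : Got tunneled reply code 11
>> Sending Access-Accept of id 233 from 192.0.2.1 port 1812 to
>> 192.0.2.10 port 47097
"""
```

On the constructed sample, `replies_with_attr(SAMPLE)` reports the attribute on the Access-Challenge only, and `attr_reached_accept(SAMPLE)` is false.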