Session-Timeout Problem

Selahattin Cilek selahattin_cilek at hotmail.com
Thu Feb 2 13:48:14 CET 2017 



-------- Forwarded Message --------
Subject:        Re: Session-Timeout Problem
Date:   Thu, 2 Feb 2017 15:17:00 +0300
From:   Selahattin ÇİLEK <selahattin_cilek at hotmail.com><mailto:selahattin_cilek at hotmail.com>
To:     Brian Candler <b.candler at pobox.com><mailto:b.candler at pobox.com>



On 02.02.2017 13:45, Brian Candler wrote:
On 02/02/2017 09:24, Selahattin Cilek wrote:
When I set the "Session-Timeout := 600" for
a user, the NAS is supposed to renew the session every 10 minutes. My
Unifi AP recognises the attribute and actually DOES terminate the first
session when it times out after 10 minutes. The problem is that it
terminates only the first session, the second session lasts until the
NAS reboots, the user logs out or shuts down the host. This means a user
could exceed his quota if he keeps his wireless connection alive. There
are some users that exceed their 7GB weekly quota by 6 GBs! Should I
blame the AP firmware for this or is it a bug in FreeRADIUS 2.2.8?

That's very easy to determine. Use tcpdump / wireshark / radsniff to capture all the response from FreeRADIUS.

- If FreeRADIUS *is* sending the Session-Timeout every time, then the bug is in the access point.

- If FreeRADIUS *isn't* sending the Session-Timeout attribute sometimes, then the bug is in FreeRADIUS (or the way you have configured it)
I don't believe FreeRADIUS is supposed to send Session-Timeout messages the to NAS, but the other way around.


However, I would point out that there are much better ways of achieving your goal than kicking off users every 10 minutes, which is highly disruptive.
No, it is not disruptive. The NAS is not supposed to first disconnect and then reconnect the user every 10 minutes, it is supposed to send usage statistics and request a re-authentication of the user. I have a script that checks network usage and decides whether or not to allow the user to be re-authenticated: Exec-Program-Wait = /usr/local/bin/bash /usr/local/etc/raddb/scripts/sql_datacounter_auth.sh scilek
I need to keep track of network usage using FreeRADIUS and MySQL.


1. Use Radius Accounting to measure how much traffic users are using (with Interim-Accounting you will get periodic updates). Then kick the user off when the user reaches the download limit.
The "Acct-Interim-Interval" informs the NAS of how frequently it should send update packets to the FreeRADIUS server and send the usage statistics incrementally. A user cannot be re-authenticated using this attribute. The updates do not occur during the second session anyway. The key is the "Session-Timeout" attribute. A user can be granted or denied access only before a new session starts.


Unifi provides an HTTP/JSON API to do this. This shell script shows how to use it:

https://www.ubnt.com/downloads/unifi/5.3.11/unifi_sh_api
I do not want to use vendor scripts. I want to use FreeRADIUS, MySQL and my own scripts.


"unifi_reconnect_sta" will kick off the user, to force them to reauthenticate.
A NAS based solution will not work because I will have to configure each and every NAS on each and every site. What if I'd like to use some other NAS some other day?


2. The Unifi controller's mongodb database tracks how much bandwidth every user has consumed. So you could just periodically query that and kick off the abusers.

I cannot have a separate machine for Unifi controller on the site. Besides, I might someday wanna keep track of network usage in a centralised database.

3. Use the Unifi's built-in bandwidth control features (User Groups / bandwidth limits). That's at the level of kbps not total GB per week.  Still, people who have exceeded their quota could have a very low bandwidth limit applied.

That will not work because it is not centralised. I have 30 APs on one site and the user can log in to any one of them.


Regards,

Brian.

Thank you very much for the advice.



________________________________
[Avast logo] <https://www.avast.com/antivirus>

This email has been checked for viruses by Avast antivirus software.
www.avast.com<https://www.avast.com/antivirus>




________________________________
[Avast logo] <https://www.avast.com/antivirus>

This email has been checked for viruses by Avast antivirus software.
www.avast.com<https://www.avast.com/antivirus>

More information about the Freeradius-Users mailing list