Session-Timeout Problem

Selahattin Cilek selahattin_cilek at hotmail.com
Thu Feb 2 21:02:04 CET 2017



On 02.02.2017 22:23, Alan DeKok wrote:
> On Feb 2, 2017, at 1:30 PM, Selahattin Cilek <selahattin_cilek at hotmail.com> wrote:
>>> the RADIUS
>>> packets to see the content when the re-auth is sent?
>> Yes, I have captured and checked RADIUS authentication and accounting
>> packets three times:
>>   tcpdump -n -vvv -i em1 src or dst host 192.168.2.1 or 192.168.2.3 and src or dst port 1812 or 1813
>>
>> The Session-Timeout appears at the beginning of the 1st session only:
>> "Session Timeout Attribute (27), length: 6, Value: 10:00 min"
>    Then you configured the server to only send Session-Timeout on the first packet.
>
>    The server does NOT send Session-Timeout by default.  So if it does... you edited it.  If the server sends Session-Timeout at the wrong time... you told it to send Session-Timeout at the wrong time.
>
>    Go back and read the debug output.  Look at it across multiple sessions.  If you can't do this in production, build a test system.  It won't cost anything.
>
>    Then, configure the server to send Session-Timeout correctly.
>
>    I'll note that in all of this, you don't describe what you want to do.  You ask how to fix a particular problem.  This is usually the wrong approach.  If you describe what you want and what you have, we can probably suggest a solution that will work.
>
>    If you keep asking questions which may very well be irrelevant, we won't be able to help you.  And we don't know if the questions are relevant (or not), because you're not describing what you want and what you have.
>
>    Alan DeKok.
>
  I set up my test network three weeks ago and I have been trying to 
solve this problem since. I just want to find out how to configure 
FreeRADIUS to communicate the Session-Timeout attribute every time a 
session is renewed. This is important because that is when I can 
intervene and make FreeRADIUS decide whether or not to let the user 
continue using the network thanks to a script I have written myself:
"Exec-Program-Wait = /usr/local/bin/bash /usr/local/etc/raddb/scripts/sql_datacounter_auth.sh scilek"
(Abbreviated from the radreply table...)

This script runs at the beginning of each session and checks whether or 
not the user has reached his quota. If he has, he is denied access:
# ...
# Code dismissed for the sake of brevity...
# Check if the user has used up his/her quota:
if (( $DOWNLOAD < $QUOTA )); then
     logger -f /var/log/system.log "ACCEPTED: $USERNAME $DOWNLOAD_MB $QUOTA_MB $PERIOD"
     exit 0
else
     logger -f /var/log/system.log "DENIED: $USERNAME $DOWNLOAD_MB $QUOTA_MB $PERIOD"
     exit 99
fi

I have not chosen to achieve my goal using the Acct-Interim-Interval 
attribute because I don't know how to make FreeRADIUS react upon 
receiving an interim update packet. Even if I did, I would not know how 
to make the NAS terminate the user's session.

I agree I might not have been verbose enough so far, but you'll agree I 
could not post all the data related to the issue. I know people do not 
like to read lots of cryptic messages, and I hoped you would fill in the 
gaps.

Thank you all for your interest.
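
The accept/deny step described in the message, written as a fail-closed check. This is an added example, not part of the original message or the poster's script. The function names, the username character policy and the "radius-quota" syslog tag are assumptions, and the counters are taken to be plain integers in the same unit.

```shell
#!/bin/sh
# Added example (not the poster's script): fail-closed quota gate.
# Exit codes mirror the post: 0 = accept, 99 = deny.

# True only for a plain non-negative decimal integer of at most 18
# digits, so it fits a signed 64-bit comparison and is compared as a
# number, never evaluated as a shell arithmetic expression.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 18 ]
}

# Assumed username policy: letters, digits, dot, underscore, @, hyphen.
is_safe_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Send one line to syslog; fall back to stderr if logger is unavailable.
log_line() {
    logger -t radius-quota "$1" 2>/dev/null || printf '%s\n' "$1" >&2
}

# quota_check USERNAME DOWNLOAD QUOTA
quota_check() {
    user=$1 download=$2 quota=$3
    if ! is_safe_username "$user"; then
        # The raw value is not logged, to keep the log line clean.
        log_line "DENIED: rejected username argument"
        return 99
    fi
    if ! is_uint "$download" || ! is_uint "$quota"; then
        # Empty or non-numeric counters (failed query, NULL, stray
        # text) are denied rather than treated as zero usage.
        log_line "DENIED: $user unusable counter values"
        return 99
    fi
    if [ "$download" -lt "$quota" ]; then
        log_line "ACCEPTED: $user $download $quota"
        return 0
    fi
    log_line "DENIED: $user $download $quota"
    return 99
}

# Stand-alone use, as in the Exec-Program-Wait line of the message:
#   quota_check "$1" "$DOWNLOAD" "$QUOTA"; exit $?
```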



