Back to version 3.0.9 (I'm over 18 hours testing) I changed policy.d/accouting: was: update request { &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}" } changed to: update request { &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{NAS-IP-Address}}" } So I simulated the problem again and radacct worked FINE: it did NOT create a new line (because uniqueid was the same!) and put the ACCTSTOPTIME as expected. But ANOTHER PROBLEM OCCURRED: radipppol was NOT updated! Inside sqlippool.conf I have: pool_key = "%{NAS-Port}" So the pool_key is Nas-Port, ok! Let´s see the query: (0) sqlippool_v4: EXPAND %{User-Name} (0) sqlippool_v4: --> test (0) sqlippool_v4: SQL-User-Name set to 'test' (0) sqlippool_v4: EXPAND START TRANSACTION (0) sqlippool_v4: --> START TRANSACTION (0) sqlippool_v4: Executing query: START TRANSACTION (0) sqlippool_v4: EXPAND UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}' (0) sqlippool_v4: --> UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '192.168.0.1' AND pool_key = '0' AND username = 'test' AND callingstationid = '' AND framedipaddress = '1.1.1.1' (0) sqlippool_v4: Executing query: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '192.168.0.1' AND pool_key = '0' AND username = 'test' AND callingstationid = '' AND framedipaddress = '1.1.1.1' rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0 (0) sqlippool_v4: EXPAND COMMIT (0) sqlippool_v4: --> COMMIT (0) sqlippool_v4: Executing query: COMMIT (0) sqlippool_v4: EXPAND Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name}) (0) sqlippool_v4: --> Released IP 1.1.1.1 (did cli user test) rlm_sql (sql): Released connection (0) (0) [sqlippool_v4] = ok pool_key should not be ZERO! Here is my conclusion: When a user tries to connect there is a simultaneous check: (0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL When there is NO other connections (99% of the time), everything works fine. But when this query returns a connection, Freeradius looses NAS-Identifier, NAS-Port-ID and NAS-Port, so It cannot close radacct and radipool. This is NOT behavior of version 2.1.12! 2.1.12 and 3.0.9 have the SAME behavior: close radacct and free the IP from radippool. But, because there is no NAS-Identifier, NAS-Port-ID and NAS-Port the UPDATE queries does nothing. When sites sites-enabled/default/preacct is called from a accounting-request, it works fine. But when is called in a access-request, after the simultaneous check, it did not get the NAS-Identifier, NAS-Port-ID and NAS-Port parameters. Look this log (I put some asterisks at the beginning of the important lines): (0) Received Access-Request Id 222 from 192.168.0.1:49006 to 192.168.0.99:1812 length 144 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) NAS-Port = 15729440 (0) NAS-Port-Type = Ethernet (0) User-Name = "test" (0) Calling-Station-Id = "C0:4A:00:87:C6:D9" (0) Called-Station-Id = "service1" (0) NAS-Port-Id = "bridge1" (0) CHAP-Challenge = 0x01cb327edb3e8c32494b0b6e6c10b09d (0) CHAP-Password = 0x01b3833103457a7f1707baa01e0c6dfa28 (0) NAS-Identifier = "Main_Router" (0) NAS-IP-Address = 192.168.0.1 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) chap: &control:Auth-Type := CHAP (0) [chap] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "test", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 182 (0) [files] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> test (0) sql: SQL-User-Name set to 'test' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "123456" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority (0) sql: User found in the group table (0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '10' ORDER BY id (0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '10' ORDER BY id (0) sql: Group "10": Conditional check items matched (0) sql: Group "10": Merging assignment check items (0) sql: Simultaneous-Use := 1 (0) sql: Pool-Name := "pool_ativo" (0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '10' ORDER BY id (0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '10' ORDER BY id (0) sql: Group "10": Merging reply items (0) sql: Mikrotik-Delegated-IPv6-Pool := "PD" rlm_sql (sql): Released connection (1) rlm_sql (sql): 0 of 6 connections in use. Need more spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.25, protocol version 10 (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = CHAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type CHAP { (0) chap: Comparing with "known good" Cleartext-Password (0) chap: CHAP user "test" authenticated successfully (0) [chap] = ok (0) } # Auth-Type CHAP = ok (0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default *** (0) session { *** (0) EXPAND %{NAS-Port} *** (0) --> 15729440 (0) sql: EXPAND %{User-Name} (0) sql: --> test (0) sql: SQL-User-Name set to 'test' (0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL (0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL rlm_sql (sql): Reserved connection (2) (0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL (0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL (0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL (0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL (0) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default *** (0) preacct { *** (0) EXPAND %{NAS-Port} *** (0) --> 0 (0) [preprocess] = ok (0) policy acct_unique { (0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) { (0) EXPAND %{string:Class} (0) --> (0) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE (0) else { (0) update request { (0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{NAS-IP-Address}} (0) --> ff97493ea4bc763492c5bd1544f13823 (0) &Acct-Unique-Session-Id := ff97493ea4bc763492c5bd1544f13823 (0) } # update request = noop (0) EXPAND %{User-Name} (0) --> test (0) EXPAND %{Acct-Session-ID} (0) --> 819000e3 (0) EXPAND %{NAS-IPv6-Address} (0) --> (0) EXPAND %{NAS-IP-Address} (0) --> 192.168.0.1 (0) EXPAND %{NAS-Identifier} (0) --> (0) EXPAND %{NAS-Port-ID} (0) --> (0) EXPAND %{NAS-Port} (0) --> 0 (0) } # else = noop (0) } # policy acct_unique = noop Nas-Port is ok in session, but zero in preacct: (0) session { (0) EXPAND %{NAS-Port} (0) --> 15729440 (0) sql: EXPAND %{User-Name} (0) sql: --> test (0) sql: SQL-User-Name set to 'test' (0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL (0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL rlm_sql (sql): Reserved connection (2) (0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'test' AND acctstoptime IS NULL (0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL (0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL (0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL (0) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default (0) preacct { (0) EXPAND %{NAS-Port} (0) --> 0 Alan, thanks for your reply! You said that Access-Request should not go to preacct section. I looked into version 2: [sql] expand: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'test' AND acctstoptime IS NULL # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 15729406,Client-IP-Address = 192.168.0.1,NAS-IP-Address = 192.168.0.1,Acct-Session-Id = "819000c2",User-Name = "test"' [acct_unique] Acct-Unique-Session-ID = "5cc3e8235801dd84". ++[acct_unique] returns ok It seems that after a positive “simultaneous check” FreeRadius go to preacct to close the old connection. Nas-Port value was passed to preacct in version 2.1.12. Well, that´s It, looking for help... Regards Fabricio --- Este email foi escaneado pelo Avast antivírus. http://www.avast.com