Simultaneous sessions and deleting stale sessions
Hi, I have a 2 tier question First would mention the simultaneous verify query for reference simul_verify_query = "\ SELECT \ radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, \ callingstationid, framedprotocol \ FROM ${acct_table1} \ WHERE username = '%{SQL-User-Name}' \ AND acctstoptime IS NULL" One: I see many posts for deletion of stale sessions not working, One particular post which pretty close to solving the non working problem was: http://lists.freeradius.org/pipermail/freeradius-users/2015-November/080816.... The posts conclusion was that fake accounting packet doesnt have the same acct-session-id as that of the stale session that is why it is not able to close it. As acct-unique-session-id(md5 of some attributes including acct-session-id NAS-Identifier etc) comes out to be different. But what i found from a little analysis was that actually the acct-session-id is not the problem but the "NAS-Identifier" is. The NAS-Identifier was being sent in a normal accounting packet(atlease in my case maybe not in somebody else's) but it was not being sent in the "fake accountng query" as it is not present in the radacct table it is not fetched from the table as can be seen in the query above. So the acct-unique-session-id calculated has two different values one in case the normal accounting packet comes and other if fake accounting packet comes, Thus failing over to insertion as updation would not pass. The acct-session-id was coming out to be the same as the stale session's so that was not the problem. Please shed some light on this. Two: I noticed some anomaly in simultaneous verify query in sql and when the attributes are selected to actually delete stale sessions, I am running 3.0.11. which selects radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol. That is 8 attributes from the radacct table. And somehow my stale sessions were all getting acctsessiontime as 0 so on reading the source code which goes like: while (rlm_sql_fetch_row(inst, request, &handle) == 0) { row = handle->row; if (!row) { break; } if (!row[2]){ RDEBUG("Cannot zap stale entry. No username present in entry"); rcode = RLM_MODULE_FAIL; goto finish; } if (!row[1]){ RDEBUG("Cannot zap stale entry. No session id in entry"); rcode = RLM_MODULE_FAIL; goto finish; } if (row[3]) { nas_addr = inet_addr(row[3]); } if (row[4]) { nas_port = atoi(row[4]); } check = rad_check_ts(nas_addr, nas_port, row[2], row[1]); if (check == 0) { /* * Stale record - zap it. */ if (inst->config->delete_stale_sessions == true) { uint32_t framed_addr = 0; char proto = 0; int sess_time = 0; if (row[5]) framed_addr = inet_addr(row[5]); if (row[7]){ if (strcmp(row[7], "PPP") == 0) proto = 'P'; else if (strcmp(row[7], "SLIP") == 0) proto = 'S'; } if (row[8]) sess_time = atoi(row[8]); session_zap(request, nas_addr, nas_port, row[2], row[1], framed_addr, proto, sess_time); } } The code above makes use of 9 attributes last one being(row[8]) acctsessiontime which was not getting fetched in the query. For that reason it always picks the value as 0 for acctsessiontime which is not ideal(a guess). BR, Anirudh Malhotra Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in
On Oct 3, 2016, at 6:13 AM, Anirudh Malhotra <8zero2ops@gmail.com> wrote:
I have a 2 tier question First would mention the simultaneous verify query for reference simul_verify_query = "\ SELECT \ radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, \ callingstationid, framedprotocol \ FROM ${acct_table1} \ WHERE username = '%{SQL-User-Name}' \ AND acctstoptime IS NULL" One: I see many posts for deletion of stale sessions not working, One particular post which pretty close to solving the non working problem was: http://lists.freeradius.org/pipermail/freeradius-users/2015-November/080816....
OK...
The posts conclusion was that fake accounting packet doesnt have the same acct-session-id as that of the stale session that is why it is not able to close it. As acct-unique-session-id(md5 of some attributes including acct-session-id NAS-Identifier etc) comes out to be different.
But what i found from a little analysis was that actually the acct-session-id is not the problem but the "NAS-Identifier" is. The NAS-Identifier was being sent in a normal accounting packet(atlease in my case maybe not in somebody else's) but it was not being sent in the "fake accountng query" as it is not present in the radacct table it is not fetched from the table as can be seen in the query above.
The solution then is to fetch the Acct-Unique-Session-Id, and to use that.
Two: I noticed some anomaly in simultaneous verify query in sql and when the attributes are selected to actually delete stale sessions, I am running 3.0.11.
which selects radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol. That is 8 attributes from the radacct table. And somehow my stale sessions were all getting acctsessiontime as 0
OK...
The code above makes use of 9 attributes last one being(row[8]) acctsessiontime which was not getting fetched in the query. For that reason it always picks the value as 0 for acctsessiontime which is not ideal(a guess).
I'll push a fix. You can also calculate the "stop time" as the time when the ZAP packet was sent. i.e. if there's no time in the packet, use Event-Timestamp, or "now". Alan DeKok.
The solution then is to fetch the Acct-Unique-Session-Id, and to use that.
You are talking about using unlang and fetching acct-unique-sessionid in accounting right also for zapping??
Two: I noticed some anomaly in simultaneous verify query in sql and when the attributes are selected to actually delete stale sessions, I am running 3.0.11.
which selects radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol. That is 8 attributes from the radacct table. And somehow my stale sessions were all getting acctsessiontime as 0
OK...
The code above makes use of 9 attributes last one being(row[8]) acctsessiontime which was not getting fetched in the query. For that reason it always picks the value as 0 for acctsessiontime which is not ideal(a guess).
I'll push a fix.
You can also calculate the "stop time" as the time when the ZAP packet was sent. i.e. if there's no time in the packet, use Event-Timestamp, or "now".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- BR, Anirudh Malhotra Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in
On Oct 3, 2016, at 12:14 PM, Anirudh Malhotra <8zero2ops@gmail.com> wrote:
The solution then is to fetch the Acct-Unique-Session-Id, and to use that.
You are talking about using unlang and fetching acct-unique-sessionid in accounting right also for zapping??
That won't work. You'll have to edit the queries and the source code. Our plans for version 4 are that this will all be a lot more configurable. Alan DeKok.
That won't work. You'll have to edit the queries and the source code.
Our plans for version 4 are that this will all be a lot more configurable.
Ok, thanks
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- BR, Anirudh Malhotra Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in
On Mon, Oct 3, 2016 at 9:46 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Oct 3, 2016, at 12:14 PM, Anirudh Malhotra <8zero2ops@gmail.com> wrote:
The solution then is to fetch the Acct-Unique-Session-Id, and to use that.
You are talking about using unlang and fetching acct-unique-sessionid in accounting right also for zapping??
That won't work. You'll have to edit the queries and the source code.
Our plans for version 4 are that this will all be a lot more configurable.
Tried generating a fake accounting packet using radclient and sending acct-unique-session-id in it, apparently the server doesn't take that attribute and still is calculating it. (35) Received Accounting-Request Id 166 from 127.0.0.1:42717 to 127.0.0.1:1813 length 137 (35) User-Name = "xxxxx" (35) User-Password = "\200\030\364\035bL\354\320B\2154\222h\376\026P" (35) Acct-Status-Type = Stop (35) Acct-Session-Id = "17efb0f3/e4:25:e7:bb:b9:69/192806" (35) NAS-Port = 8 (35) NAS-Port-Type = Wireless-802.11 (35) NAS-IP-Address = xxxxx (35) NAS-Identifier = "xxxx" (35) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default echo "User-Name=xxxx,User-Password=qwert,Acct-Status-Type = Stop,Acct-Session-Id = 17efb0f3/e4:25:e7:bb:b9:69/192806,Nas-Port = 8,NAS-Port-Type = Wireless-802.11,Nas-Ip-Address=xxxx,Nas-Identifier=xxxxx,Acct-Unique-Session-Id=df0056c509b4e7c9218af535eea70755" | radclient 127.0.0.1:1813 acct testing123 -x
participants (2)
-
Alan DeKok -
Anirudh Malhotra