Unix TimeStamp Based Login
Hello! Maybe somebody know or maybe already implemented , Unix TimeStamp based login? For example if I have "radcheck" table like this: http://freeradius.1045715.n5.nabble.com/file/n5708187/freeradius_unix.png How should Freeradius know, that he need's to look at start_time and end_time field in this table, and let the user to log in just at this specific time slot? I know that I need to change this SQL statement: authorize_check_query = "SELECT id, username, attribute1, value, op1 \ FROM ${authcheck_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY id" Thanks if you have a minute to help me figure this out. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Sun, May 13, 2012 at 8:50 PM, jomajo <ster.efx@gmail.com> wrote:
Hello!
Maybe somebody know or maybe already implemented , Unix TimeStamp based login?
Not that I know of
For example if I have "radcheck" table like this:
http://freeradius.1045715.n5.nabble.com/file/n5708187/freeradius_unix.png
Looks similar to a "hack" I made. Not with login time though.
How should Freeradius know, that he need's to look at start_time and end_time field in this table, and let the user to log in just at this specific time slot?
AFAIK the closest thing in the default FR setup is rlm_logintime (http://wiki.freeradius.org/Rlm_logintime), but it's not what you need since you want unix timestamps. You have to create your own solution.
I know that I need to change this SQL statement:
authorize_check_query = "SELECT id, username, attribute1, value, op1 \ FROM ${authcheck_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY id"
Thanks if you have a minute to help me figure this out.
You could try (1) Ask whomever designed the table. Your table schema is not standard. If you're taking over an existing solution, and it was based on FR, then your predecessor should know best why he made that table the way it is. (2) Learn SQL You could mix the default query with sql's datetime functions, something like authorize_check_query = "SELECT .... WHERE ... AND start_time >= unix_timestamp() \ AND stop_time <= unix_timestamp() \ ORDER BY id" the example might not work for your setup, and might not be what you need (e.g. "login time" vs "time allowed to be connected"), but should give you some basic idea where to start. (3) Hire someone with more knowledge in FR and whatever SQL server you're using. -- Fajar
Thank you Fajar for your answer. SQL table is not a problem, we can design this table as we want. I just have reservation calendar which reserves a time slot in unix timestamp standard. I just need to somehow authenticate that user at this specific time. :/ -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I found this disscussion freeradius.1045715.n5.nabble.com/Opposite-of-Expiraton-attribute-td4497694.html . I have a problem at this point now: # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} expand: %m-%d-%Y -> 05-14-2012 ++[request] returns notfound [sql] expand: %{User-Name} -> 12345 [sql] sql_set_user escaped user --> '12345' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '12345' ORDER BY id rlm_sql: Failed to create the pair: Invalid octet string "2012-05-14 00:00:00 " for attribute name "Current-Date" rlm_sql (sql): Error getting data from database [sql] SQL query error; rejecting user rlm_sql (sql): Released sql socket id: 3 ++[sql] returns fail Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [sql] expand: %{User-Name} -> 12345 [sql] sql_set_user escaped user --> '12345' [sql] expand: %{User-Password} -> 12345 [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '12345', '12345', 'Access-Reject', '2012-05-14 15:23:38') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '12345', '12345', 'Access-Reject', '2012-05-14 15:23:38') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok My radcheck table: http://freeradius.1045715.n5.nabble.com/file/n5708939/radcheck.png I tried different Current-Date attribute variations, but there was no success. As I understand, we first, can authenticate user by specific date with Current-Date attribute, and then at specific time , with Login-Time attribute? -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hello Phil. Ofcourse it is not! I don't know (other people) but if they know any helpful information related with this, please let me know. Can you share more information about Matthew lab ? How he's reserving a time slot and authenticating users with freeradius? This information would be really helpful, because I'm tying to achieve this too. On Mon, May 14, 2012 at 1:13 PM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 13/05/12 14:50, jomajo wrote:
Hello!
Maybe somebody know or maybe already implemented , Unix TimeStamp based login?
Is this a class project? In have had (other) people emailing me off-list about this.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Hello Phil. Ofcourse it is not! I don't know (other people) but if they know any helpful information related with this, please let me know. Can you share more information about Matthew lab ? How he's reserving a time slot and authenticating users with freeradius? This information would be really helpful, because I'm tying to achieve this too. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 14/05/12 12:09, jomajo wrote:
Hello Phil. Ofcourse it is not! I don't know (other people) but if they know any helpful information related with this, please let me know.
Ah, sorry, I'm confused - you're the same person!
Can you share more information about Matthew lab ? How he's reserving a time slot and authenticating users with freeradius?
This information would be really helpful, because I'm tying to achieve this too
So, in brief, you want something like this: Let's say you have an SQL table: username string, start_time integer, end_time integer ...and the start/end times are unix seconds-since-epoch. You could implement this as follows. First, create three local attributes in raddb/dictionary: ATTRIBUTE Resv-Start-Time 3010 integer ATTRIBUTE Resv-End-Time 3011 integer ATTRIBUTE Resv-Cur-Time 3012 integer Second, write an "unlang" policy in your virtual server like so: authorize { ... update request { Resv-Start-Time := "%{sql:select start_time from resv where username='%{User-Name}'}" Resv-End-Time := "%{sql:select end_time from resv where username='%{User-Name}'}" Resv-Cur-Time := "%l" } if (Resv-Cur-Time < Resv-Start-Time) { reject update reply { Reply-Message := "your slot has not yet started" } } if (Resv-Cur-Time > Resv-End-Time) { reject update reply { Reply-Message := "your slot has finished" } } # you probably want to set the Session-Timeout so they get kicked off update reply { Session-Timeout := "%{expr:%{Resv-End-Time} - %{Resv-Cur-Time}}" } ... } Hopefully it's clear what this does, and how it works.
Thank you Phil! I will try! On Mon, May 14, 2012 at 3:25 PM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 14/05/12 12:09, jomajo wrote:
Hello Phil. Ofcourse it is not! I don't know (other people) but if they know any helpful information related with this, please let me know.
Ah, sorry, I'm confused - you're the same person!
Can you share more information about Matthew lab ? How he's reserving a time slot and authenticating users with freeradius?
This information would be really helpful, because I'm tying to achieve this too
So, in brief, you want something like this:
Let's say you have an SQL table:
username string, start_time integer, end_time integer
...and the start/end times are unix seconds-since-epoch. You could implement this as follows.
First, create three local attributes in raddb/dictionary:
ATTRIBUTE Resv-Start-Time 3010 integer ATTRIBUTE Resv-End-Time 3011 integer ATTRIBUTE Resv-Cur-Time 3012 integer
Second, write an "unlang" policy in your virtual server like so:
authorize { ... update request { Resv-Start-Time := "%{sql:select start_time from resv where username='%{User-Name}'}" Resv-End-Time := "%{sql:select end_time from resv where username='%{User-Name}'}" Resv-Cur-Time := "%l" }
if (Resv-Cur-Time < Resv-Start-Time) { reject update reply { Reply-Message := "your slot has not yet started" } }
if (Resv-Cur-Time > Resv-End-Time) { reject update reply { Reply-Message := "your slot has finished" } }
# you probably want to set the Session-Timeout so they get kicked off update reply { Session-Timeout := "%{expr:%{Resv-End-Time} - %{Resv-Cur-Time}}" }
... }
Hopefully it's clear what this does, and how it works.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Phil, I configured my freeradius server as in your example above ( It looks like case letters doesn't make any difference in MySQL statements) User is successfully authenticated because of radcheck table. Maybe I need to reinstall freeradius server , because a month ago there was "Dialup Admin" installed too. Radcheck sql statements runs from "dialup.conf" file. *This is my table:* CREATE TABLE `Resv` ( `Username` varchar(20) NOT NULL, `Start-Time` int(11) NOT NULL, `End-Time` int(11) NOT NULL ) ENGINE=MyISAM DEFAULT CHARSET=latin1; *This is my output:* # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} sql_xlat expand: %{User-Name} -> ieva sql_set_user escaped user --> 'ieva' expand: select Start_time from Resv where Username='%{User-Name}' -> select Start_time from Resv where Username='ieva' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: MYSQL check_error: 1054 received rlm_sql (sql): database query error, select Start_time from Resv where Username='ieva': Unknown column 'Start_time' in 'field list' rlm_sql (sql): Released sql socket id: 3 expand: %{sql:select Start_time from Resv where Username='%{User-Name}'} -> sql_xlat expand: %{User-Name} -> ieva sql_set_user escaped user --> 'ieva' expand: select End_time from Resv where Username='%{User-Name}' -> select End_time from Resv where Username='ieva' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: MYSQL check_error: 1054 received rlm_sql (sql): database query error, select End_time from Resv where Username='ieva': Unknown column 'End_time' in 'field list' rlm_sql (sql): Released sql socket id: 2 expand: %{sql:select End_time from Resv where Username='%{User-Name}'} -> expand: %l -> 1337002345 ++[request] returns notfound ++? if (Resv-Cur-Time < Resv-Start-Time) Failed parsing "Resv-Start-Time": Unknown value Resv-Start-Time for attribute Resv-Cur-Time ++? if (Resv-Cur-Time > Resv-End-Time) Failed parsing "Resv-End-Time": Unknown value Resv-End-Time for attribute Resv-Cur-Time expand: %{Resv-End-Time} - %{Resv-Cur-Time} -> 0 - 1337002345 expand: %{expr:%{Resv-End-Time} - %{Resv-Cur-Time}} -> -1337002345 ++[reply] returns notfound ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.16.83.51/auth-detail-20120514 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.16.83.51/auth-detail-20120514 [auth_log] expand: %t -> Mon May 14 16:32:25 2012 ++[auth_log] returns ok [sql] expand: %{User-Name} -> ieva [sql] sql_set_user escaped user --> 'ieva' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ieva' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ieva' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_checkval: Item Name: Calling-Station-Id, Value: 10.0.0.1 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "ieva" [pap] Using clear text password "ieva" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [sql] expand: %{User-Name} -> ieva [sql] sql_set_user escaped user --> 'ieva' [sql] expand: %{User-Password} -> ieva [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ieva', 'ieva', 'Access-Accept', '2012-05-14 16:32:25') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ieva', 'ieva', 'Access-Accept', '2012-05-14 16:32:25') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok [sql_log] Processing sql_log_postauth [sql_log] expand: %{User-Name} -> ieva [sql_log] expand: %{%{User-Name}:-DEFAULT} -> ieva [sql_log] sql_set_user escaped user --> 'ieva' [sql_log] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [sql_log] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('ieva', 'ieva', 'Access-Accept', '2012-05-14 16:32:25'); [sql_log] expand: /var/log/freeradius/radacct/sql-relay -> /var/log/freeradius/radacct/sql-relay ++[sql_log] returns ok ++[exec] returns noop On Mon, May 14, 2012 at 3:39 PM, Efx Efx <ster.efx@gmail.com> wrote:
Thank you Phil!
I will try!
On Mon, May 14, 2012 at 3:25 PM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 14/05/12 12:09, jomajo wrote:
Hello Phil. Ofcourse it is not! I don't know (other people) but if they know any helpful information related with this, please let me know.
Ah, sorry, I'm confused - you're the same person!
Can you share more information about Matthew lab ? How he's reserving a time slot and authenticating users with freeradius?
This information would be really helpful, because I'm tying to achieve this too
So, in brief, you want something like this:
Let's say you have an SQL table:
username string, start_time integer, end_time integer
...and the start/end times are unix seconds-since-epoch. You could implement this as follows.
First, create three local attributes in raddb/dictionary:
ATTRIBUTE Resv-Start-Time 3010 integer ATTRIBUTE Resv-End-Time 3011 integer ATTRIBUTE Resv-Cur-Time 3012 integer
Second, write an "unlang" policy in your virtual server like so:
authorize { ... update request { Resv-Start-Time := "%{sql:select start_time from resv where username='%{User-Name}'}" Resv-End-Time := "%{sql:select end_time from resv where username='%{User-Name}'}" Resv-Cur-Time := "%l" }
if (Resv-Cur-Time < Resv-Start-Time) { reject update reply { Reply-Message := "your slot has not yet started" } }
if (Resv-Cur-Time > Resv-End-Time) { reject update reply { Reply-Message := "your slot has finished" } }
# you probably want to set the Session-Timeout so they get kicked off update reply { Session-Timeout := "%{expr:%{Resv-End-Time} - %{Resv-Cur-Time}}" }
... }
Hopefully it's clear what this does, and how it works.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 14/05/12 14:40, Efx Efx wrote:
CREATE TABLE `Resv` ( `Username` varchar(20) NOT NULL, `Start-Time` int(11) NOT NULL, `End-Time` int(11) NOT NULL ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
Hyphens? Really? Bad idea. Stick to all lower-case letters and underscore.
*This is my output:*
# Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} sql_xlat expand: %{User-Name} -> ieva sql_set_user escaped user --> 'ieva' expand: select Start_time from Resv where Username='%{User-Name}' -> select Start_time from Resv where Username='ieva' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: MYSQL check_error: 1054 received rlm_sql (sql): database query error, select Start_time from Resv where
This is a basic SQL error. Your query is wrong.
Username='ieva': Unknown column 'Start_time' in 'field list'
Because you have defined the table with "start-time" not "start_time"
Efx Efx wrote:
Phil, I configured my freeradius server as in your example above ( It looks like case letters doesn't make any difference in MySQL statements)
1) PLEASE edit your posts to remove extra text. It's just polite.
User is successfully authenticated because of radcheck table. Maybe I need to reinstall freeradius server , because a month ago there was "Dialup Admin" installed too. Radcheck sql statements runs from "dialup.conf" file.
*This is my table:*
CREATE TABLE `Resv` ( `Username` varchar(20) NOT NULL, `Start-Time` int(11) NOT NULL, `End-Time` int(11) NOT NULL ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
*This is my output:*
Which you clearly didn't read. Why?
rlm_sql (sql): database query error, select Start_time from Resv where Username='ieva': Unknown column 'Start_time' in 'field list'
What is so hard to understand about that message? The whole point of debug output is for you to READ IT. Alan DeKok.
Yes Alan, shame on me. ( I wasn't sleeping for 30 hours right now :/ ) Now freeradius doesn't know what is current-time? And can do anything more? # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} sql_xlat expand: %{User-Name} -> ieva sql_set_user escaped user --> 'ieva' expand: select start_time from resv where username='%{User-Name}' -> select start_time from resv where username='ieva' rlm_sql (sql): Reserving sql socket id: 3 sql_xlat finished rlm_sql (sql): Released sql socket id: 3 expand: %{sql:select start_time from resv where username='%{User-Name}'} -> 1336995000 sql_xlat expand: %{User-Name} -> ieva sql_set_user escaped user --> 'ieva' expand: select end_time from resv where username='%{User-Name}' -> select end_time from resv where username='ieva' rlm_sql (sql): Reserving sql socket id: 2 sql_xlat finished rlm_sql (sql): Released sql socket id: 2 expand: %{sql:select end_time from resv where username='%{User-Name}'} -> 1337004000 expand: %l -> 1337005165 ++[request] returns notfound ++? if (Resv-Cur-Time < Resv-Start-Time) Failed parsing "Resv-Start-Time": Unknown value Resv-Start-Time for attribute Resv-Cur-Time ++? if (Resv-Cur-Time > Resv-End-Time) Failed parsing "Resv-End-Time": Unknown value Resv-End-Time for attribute Resv-Cur-Time expand: %{Resv-End-Time} - %{Resv-Cur-Time} -> 1337004000 - 1337005165 expand: %{expr:%{Resv-End-Time} - %{Resv-Cur-Time}} -> -1165 ++[reply] returns notfound Thank you for your answers , they are really helpful! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
jomajo wrote:
Yes Alan, shame on me. ( I wasn't sleeping for 30 hours right now :/ )
Now freeradius doesn't know what is current-time? And can do anything more?
The debug log doesn't show that. The current-time is only available as a comparison, and requires the logintime module to be enabled. Alan DeKok.
Thank you Alan, but login-time module is already enabled. Can you tell me guys, which solution do you see at this time based authentication, because I don't know what to do at this point. It checks time in the tables,and I can pass now some attributes and authenticate the user? But If time check fail, user can still can authenticate if he has correct username and password? Maybe I need to extend my table with password and some attributes? -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 14/05/12 15:25, jomajo wrote:
Failed parsing "Resv-Start-Time": Unknown value Resv-Start-Time for attribute Resv-Cur-Time
Ah, sorry. I keep forgetting unlang is picky. You want: if (Resv-Cur-Time < "%{Resv-Start-Time}") { .. } if (Resv-Cur-Time > "%{Resv-End-Time}") { .. } You need to quote the right-hand side of the expression, otherwise FreeRADIUS tries to look it up in the dictionary and can't find it. (might be handy to have an attribute type that didn't do this)
Freeradius says TRUE, but REJECTS the user anyway: # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[logintime] returns noop sql_xlat expand: %{User-Name} -> ieva sql_set_user escaped user --> 'ieva' expand: select start_time from resv where username='%{User-Name}' -> select start_time from resv where username='ieva' rlm_sql (sql): Reserving sql socket id: 3 sql_xlat finished rlm_sql (sql): Released sql socket id: 3 expand: %{sql:select start_time from resv where username='%{User-Name}'} -> 1337038200 sql_xlat expand: %{User-Name} -> ieva sql_set_user escaped user --> 'ieva' expand: select end_time from resv where username='%{User-Name}' -> select end_time from resv where username='ieva' rlm_sql (sql): Reserving sql socket id: 2 sql_xlat finished rlm_sql (sql): Released sql socket id: 2 expand: %{sql:select end_time from resv where username='%{User-Name}'} -> 1337020200 expand: %l -> 1337010053 ++[request] returns noop ++? if (Resv-Cur-Time < "%{Resv-Start-Time}") expand: %{Resv-Start-Time} -> 1337038200 ? Evaluating (Resv-Cur-Time < "%{Resv-Start-Time}") -> TRUE ++? if (Resv-Cur-Time < "%{Resv-Start-Time}") -> TRUE ++- entering if (Resv-Cur-Time < "%{Resv-Start-Time}") {...} +++[reject] returns reject ++- if (Resv-Cur-Time < "%{Resv-Start-Time}") returns reject Using Post-Auth-Type Reject -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 14/05/12 16:42, jomajo wrote:
Freeradius says TRUE, but REJECTS the user anyway:
You need to do some of the work here, and apply some thought to what's going on. It's not polite to just post every error without doing some work yourself to determine the problem. READ the output, and understand the policy you've written.
expand: %{sql:select start_time from resv where username='%{User-Name}'} -> 1337038200
expand: %{sql:select end_time from resv where username='%{User-Name}'} -> 1337020200
You have end time > start time here. This is obviously wrong.
expand: %l -> 1337010053 ++[request] returns noop ++? if (Resv-Cur-Time< "%{Resv-Start-Time}") expand: %{Resv-Start-Time} -> 1337038200 ? Evaluating (Resv-Cur-Time< "%{Resv-Start-Time}") -> TRUE
Pay attention to this. Current time is less than start time, therefore the booking slot isn't open, therefore reject.
Phil. I can't say how much thankful I'm! This is working ! Thank you Thank you Thank you! :) It's good to have a people like you in this community! Thank's again! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hello Guys. As I said everything works fine, just I have a problem with session timeout. User doesn't get kick when his times expires.
From other topics and post I saw , that this row looks correct:
update reply { Session-Timeout := "%{expr:%{Resv-End-Time} - %{Resv-Cur-Time}}" } Could you give me any suggestions? Nothing happens when user time expires, so there is no help with debug. Thanks, if you have a minute. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 16/05/12 12:52, jomajo wrote:
Hello Guys.
As I said everything works fine, just I have a problem with session timeout. User doesn't get kick when his times expires.
From other topics and post I saw , that this row looks correct:
update reply { Session-Timeout := "%{expr:%{Resv-End-Time} - %{Resv-Cur-Time}}" }
Could you give me any suggestions? Nothing happens when user time expires, so there is no help with debug.
Have you confirmed that Session-Timeout appears in the reply? If so, then your NAS is ignoring it or does not support it. This is not a FreeRADIUS problem.
I think NAS supports it. Session timeout is working without a problem with "Login-Time" RLM. Sorry, but how could I confirm that? (logs?) -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I add update reply { Session-Timeout := "%{expr:%{Resv-End-Time} - %{Resv-Cur-Time}}" into authentication and post-auth sections. User can login at this time , but the session-timeout says "++[reply] returns notfound" : # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} sql_xlat expand: %{User-Name} -> ieva sql_set_user escaped user --> 'ieva' expand: select start_time from resv where username='%{User-Name}' -> select start_time from resv where username='ieva' rlm_sql (sql): Reserving sql socket id: 3 sql_xlat finished rlm_sql (sql): Released sql socket id: 3 expand: %{sql:select start_time from resv where username='%{User-Name}'} -> 1337176800 sql_xlat expand: %{User-Name} -> ieva sql_set_user escaped user --> 'ieva' expand: select end_time from resv where username='%{User-Name}' -> select end_time from resv where username='ieva' rlm_sql (sql): Reserving sql socket id: 2 sql_xlat finished rlm_sql (sql): Released sql socket id: 2 expand: %{sql:select end_time from resv where username='%{User-Name}'} -> 1337183000 expand: %l -> 1337182192 ++[request] returns notfound ++? if (Resv-Cur-Time < "%{Resv-Start-Time}") expand: %{Resv-Start-Time} -> 1337176800 ? Evaluating (Resv-Cur-Time < "%{Resv-Start-Time}") -> FALSE ++? if (Resv-Cur-Time < "%{Resv-Start-Time}") -> FALSE ++? if (Resv-Cur-Time > "%{Resv-End-Time}") expand: %{Resv-End-Time} -> 1337183000 ? Evaluating (Resv-Cur-Time > "%{Resv-End-Time}") -> FALSE ++? if (Resv-Cur-Time > "%{Resv-End-Time}") -> FALSE expand: %{Resv-End-Time} - %{Resv-Cur-Time} -> 1337183000 - 1337182192 expand: %{expr:%{Resv-End-Time} - %{Resv-Cur-Time}} -> 808 ++[reply] returns notfound ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.0.0.100/auth-detail-20120516 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.0.0.100/auth-detail-20120516 [auth_log] expand: %t -> Wed May 16 18:29:52 2012 ++[auth_log] returns ok [sql] expand: %{User-Name} -> ieva [sql] sql_set_user escaped user --> 'ieva' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ieva' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ieva' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_checkval: Item Name: Calling-Station-Id, Value: 10.0.0.245 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "ieva" [pap] Using clear text password "ieva" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} expand: %{Resv-End-Time} - %{Resv-Cur-Time} -> 1337183000 - 1337182192 expand: %{expr:%{Resv-End-Time} - %{Resv-Cur-Time}} -> 808 ++[reply] returns noop [sql] expand: %{User-Name} -> ieva [sql] sql_set_user escaped user --> 'ieva' [sql] expand: %{User-Password} -> ieva [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ieva', 'ieva', 'Access-Accept', '2012-05-16 18:29:52') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ieva', 'ieva', 'Access-Accept', '2012-05-16 18:29:52') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok [sql_log] Processing sql_log_postauth [sql_log] expand: %{User-Name} -> ieva [sql_log] expand: %{%{User-Name}:-DEFAULT} -> ieva [sql_log] sql_set_user escaped user --> 'ieva' [sql_log] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [sql_log] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('ieva', 'ieva', 'Access-Accept', '2012-05-16 18:29:52'); [sql_log] expand: /var/log/freeradius/radacct/sql-relay -> /var/log/freeradius/radacct/sql-relay ++[sql_log] returns ok ++[exec] returns noop Sending Access-Accept of id 180 to 10.0.0.100 port 1645 Session-Timeout = 808 Finished request 0. Going to the next request Waking up in 4.9 seconds. Can you suggest where should I look now? -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 16/05/12 16:32, jomajo wrote:
I add update reply { Session-Timeout := "%{expr:%{Resv-End-Time} - %{Resv-Cur-Time}}" into authentication and post-auth sections.
User can login at this time , but the session-timeout says "++[reply] returns notfound" :
That's irrelevant. Ignore it.
Sending Access-Accept of id 180 to 10.0.0.100 port 1645 Session-Timeout = 808
*THIS* is all that matters. Session-Timeout is being set to "808" (seconds) in the reply. If your NAS isn't obeying this, your NAS is at fault. Speak to the NAS manufacturer.
Dear Phil, my NAS understands that (I'm using cisco 2811 router). Session timeout as I said is working correctly with "Login-Time" module. Maybe I am missing something on freeradius configuration? -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Good news! Yes, there was a problem with my NAS :) Before (with this one row session-timeout doesn't work ) : aaa authentication login default group radius If you add this row : aaa authentication login default group radius aaa authorization exec default group radius Session-timeout works :) Looks like aaa authorization command was needed. Thank you again guys! :) -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
That's really interesting, sometimes I can get log in when I should, sometimes I can get log in when I shouldn't. I'm changing dates and looking at this behaviour. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-tp5708187... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (5)
-
Alan DeKok -
Efx Efx -
Fajar A. Nugraha -
jomajo -
Phil Mayers