Default Max-Daily-Session setting and per user setting
Hello! I want to set up default Max-Daily-Session limit for all users to 1h and also have the ability to set up per-user Max-Daily-Session. How can I achieve that? I know I can set per-user limit in radcheck mysql table, but how can I set the default limit that will not overwrite per-user setting? Thanks, Matej -- --- Matej Zerovnik
On Jan 2, 2015, at 6:46 AM, Matej Žerovnik <matej@zunaj.si> wrote:
I want to set up default Max-Daily-Session limit for all users to 1h and also have the ability to set up per-user Max-Daily-Session. How can I achieve that?
Set a global default, and over-ride it with a per-user setting.
I know I can set per-user limit in radcheck mysql table, but how can I set the default limit that will not overwrite per-user setting?
$ man users Which tells you about the operators. You can do: authorize { … sql update control { Max-Daily-Session = 3600 # for ALL users } … } The ‘=‘ says “set it, but don’t over-ride it if it already exists” Alan DeKok.
On 2.1.2015 14:58, Alan DeKok wrote:
now I can set per-user limit in radcheck mysql table, but how can I set the default limit that will not overwrite per-user setting? $ man users
Which tells you about the operators. You can do:
authorize { …
sql update control { Max-Daily-Session = 3600 # for ALL users } …
}
The ‘=‘ says “set it, but don’t over-ride it if it already exists” As always, spot on:)
But I still have some troubles. Here is a cut of debug log: (7) update control { (7) Max-Daily-Session = 3600 (7) } # update control = noop sqlcounter_expand: 'SELECT SUM(acctsessiontime - GREATEST((1420153200 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '%{User-Name}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1420153200'' (7) dailycounter : EXPAND %{User-Name} (7) dailycounter : --> testuser (7) dailycounter : SQL-User-Name set to 'testuser' rlm_sql (sql): Reserved connection (7) rlm_sql (sql): Executing query: 'SELECT SUM(acctsessiontime - GREATEST((1420153200 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'testuser' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1420153200'' (7) dailycounter : NULL value in first column of result rlm_sql (sql): Released connection (7) (7) dailycounter : EXPAND %{sql:SELECT SUM(acctsessiontime - GREATEST((1420153200 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '%{User-Name}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1420153200'} (7) dailycounter : --> (7) dailycounter : No integer found in result string "". May be first session, setting counter to 0 (7) dailycounter : Allowing user, control:Max-Daily-Session value (3600) is greater than counter value (0) (7) dailycounter : Setting reply:Session-Timeout value to 6196 (7) [dailycounter] = ok Since this is the 1st login for this user today, counter value is set to 0 and max-daily-session is correctly set to 3600 seconds. Why does the counter sets Session-timeout to 6196? Matej -- --- Matej Zerovnik
On Jan 2, 2015, at 5:23 PM, Matej Žerovnik <matej@zunaj.si> wrote:
But I still have some troubles. Here is a cut of debug log: ... (7) dailycounter : Setting reply:Session-Timeout value to 6196 (7) [dailycounter] = ok
Since this is the 1st login for this user today, counter value is set to 0 and max-daily-session is correctly set to 3600 seconds. Why does the counter sets Session-timeout to 6196?
The user logged in just before the reset time. Instead of kicking them off, and immediately allowing them on again… it just lets them on for two time periods. i.e. if the user has an hour of login per day, and logs in at 11:45, he should be allowed in until midnight, and for one hour afterwards. Alan DeKok.
On 2 Jan 2015, at 18:06, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 2, 2015, at 5:23 PM, Matej Žerovnik <matej@zunaj.si> wrote:
But I still have some troubles. Here is a cut of debug log: ... (7) dailycounter : Setting reply:Session-Timeout value to 6196 (7) [dailycounter] = ok
Since this is the 1st login for this user today, counter value is set to 0 and max-daily-session is correctly set to 3600 seconds. Why does the counter sets Session-timeout to 6196?
The user logged in just before the reset time. Instead of kicking them off, and immediately allowing them on again… it just lets them on for two time periods.
i.e. if the user has an hour of login per day, and logs in at 11:45, he should be allowed in until midnight, and for one hour afterwards.
Added an extra debug message for this case, just to prove that's what's happening if you feel like building from v3.0.x. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Matej Žerovnik