Setting and extending Session-timeout
Hello! I'm a RADIUS newbie, so bear with me in case I ask stupid questions.... So here is a short description of what my project would needs to do: - every user can login via WIFI or LAN(public computer) - he can use wifi 24h/day - he can use public pc only 1h/day if he's authorized by default and he can extend the use if needed Logging is now working and users can log in, so one thing done:) Current problems: - how to not limit session-timeout for wifi and limit for public computers. All users have only 1 login name. I guess my best bet is some scripting with unlang?
Agrh! Pressed ctrl-enter too soon:) Here is the whole mail: Hello! I'm a RADIUS newbie, so bear with me in case I ask stupid questions.... So here is a short description of what my project would needs to do: - every user can login via WIFI or LAN(public computer) - user can use wifi 24h/day - user can use public pc only 1h/day if he's authorized and he can extend the use if needed Logging is now working and users can log in, so one thing done:) How to set session-timeout for public computers but not for wifi. All users have only 1 login name. I guess my best bet is with some unlang scripting? authorize { if (NAS-Port-Type == 'Ethernet') { update { control:Max-Daily-Session := 3600 } dailycounter } } This should update control record for 'dailycounter' and run it if user signs from Ethernet NAS port type. In case he logs in via wifi, system will skip execution of dailycounter and session-timeout will not be sent. Is my thinking correct? What if I want to extend session timeout for a certain user? I've had success sending a COA packet with radclient. Is it possible to change it without running radclient? Can I create a custom sql table where I insert user name and wanted session length and radius will read that out and send COA to client? Is it possible to somehow get the current set session-timeout for a certain user? If not, can I somehow store it in a database on login or update? That way I can always check current session-timeout for a certain user and set a new one accordingly. Thanks, Matej On 19.5.2014 12:28, Matej Žerovnik wrote:
Hello!
I'm a RADIUS newbie, so bear with me in case I ask stupid questions....
So here is a short description of what my project would needs to do: - every user can login via WIFI or LAN(public computer) - he can use wifi 24h/day - he can use public pc only 1h/day if he's authorized by default and he can extend the use if needed
Logging is now working and users can log in, so one thing done:)
Current problems: - how to not limit session-timeout for wifi and limit for public computers. All users have only 1 login name. I guess my best bet is some scripting with unlang? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 19/05/2014 11:52, Matej Žerovnik wrote:
This should update control record for 'dailycounter' and run it if user signs from Ethernet NAS port type. In case he logs in via wifi, system will skip execution of dailycounter and session-timeout will not be sent. Is my thinking correct?
Yes, I think so.
What if I want to extend session timeout for a certain user? I've had success sending a COA packet with radclient. Is it possible to change it without running radclient?
Not really. If you're extending a session timeout, that's in response to an external, non-RADIUS event e.g. administrative configuration, user self-service. FreeRADIUS responds to RADIUS packets.
Can I create a custom sql table where I insert user name and wanted session length and radius will read that out and send COA to client?
No, definitely not. FreeRADIUS is event-driven in response to radius packets.
Is it possible to somehow get the current set session-timeout for a certain user?
You could log the value you returned in post-auth with linelog or sql.
If not, can I somehow store it in a database on login or update?
Login yes, as above. Update no - as mentioned this is a non-RADIUS event.
On 19.5.2014 13:48, Phil Mayers wrote:
On 19/05/2014 11:52, Matej Žerovnik wrote:
This should update control record for 'dailycounter' and run it if user signs from Ethernet NAS port type. In case he logs in via wifi, system will skip execution of dailycounter and session-timeout will not be sent. Is my thinking correct?
Yes, I think so.
Ok, will try it on my test installation...
What if I want to extend session timeout for a certain user? I've had success sending a COA packet with radclient. Is it possible to change it without running radclient?
Not really. If you're extending a session timeout, that's in response to an external, non-RADIUS event e.g. administrative configuration, user self-service.
FreeRADIUS responds to RADIUS packets.
Can I create a custom sql table where I insert user name and wanted session length and radius will read that out and send COA to client?
No, definitely not. FreeRADIUS is event-driven in response to radius packets.
I guess I could do a little DIY script that reads SQL database, sends CoA package with radclient and just put everything in cron.
Is it possible to somehow get the current set session-timeout for a certain user?
You could log the value you returned in post-auth with linelog or sql.
I think that will work...
If not, can I somehow store it in a database on login or update?
Login yes, as above. Update no - as mentioned this is a non-RADIUS event.
I guess I could store it on login and then use the script from above to update session-timeout field in my sql table. After update, I would send the CoA package using radclient. Is there a php radius client available, so that I don't need to call external programs? I know all this is not the best solution, but it still seems the best way to extend sessions for one user on all NAS-es. The other option would be to update max-session-time and tell user to reconnect, but I would like for users to be as painless as possible. Matej
On 19.5.2014 13:48, Phil Mayers wrote:
On 19/05/2014 11:52, Matej Žerovnik wrote:
This should update control record for 'dailycounter' and run it if user signs from Ethernet NAS port type. In case he logs in via wifi, system will skip execution of dailycounter and session-timeout will not be sent. Is my thinking correct? Yes, I think so.
Ok, will try it on my test installation...
What if I want to extend session timeout for a certain user? I've had success sending a COA packet with radclient. Is it possible to change it without running radclient? Not really. If you're extending a session timeout, that's in response to an external, non-RADIUS event e.g. administrative configuration, user self-service.
FreeRADIUS responds to RADIUS packets.
Can I create a custom sql table where I insert user name and wanted session length and radius will read that out and send COA to client? No, definitely not. FreeRADIUS is event-driven in response to radius packets.
I guess I could do a little DIY script that reads SQL database, sends CoA package with radclient and just put everything in cron.
Is it possible to somehow get the current set session-timeout for a certain user? You could log the value you returned in post-auth with linelog or sql.
I think that will work...
If not, can I somehow store it in a database on login or update? Login yes, as above. Update no - as mentioned this is a non-RADIUS event.
I guess I could store it on login and then use the script from above to update session-timeout field in my sql table. After update, I would send the CoA package using radclient. Is there a php radius client available, so that I don't need to call external programs? I know all this is not the best solution, but it still seems the best way to extend sessions for one user on all NAS-es. The other option would be to update max-session-time and tell user to reconnect, but I would like for users to be as painless as possible. Matej
participants (2)
-
Matej Žerovnik -
Phil Mayers