FreeRADIUS 2.1.12 rlm_sqlcounter bug
Hi, I am using FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Dec 6 2011 at 19:51:34, and I'd like to set up a quota using rlm_sqlcounter. However, the quota I'd like to use is over 4GB and the module will than overflow, not allowing a user who still has quota left. The user with the attributes: mysql> select * from radcheck; +----+----------+--------------------+----+-------------+ | id | username | attribute | op | value | +----+----------+--------------------+----+-------------+ | 18 | test1 | Max-Octets | := | 29687864955 | | 15 | test1 | Cleartext-Password | := | test | +----+----------+--------------------+----+-------------+ sqlcounter.conf: sqlcounter volumelimitcounter { counter-name = Total-Max-Octets check-name = Max-Octets reply-name = ChilliSpot-Max-Total-Octets sqlmod-inst = sql key = User-Name reset = never error-msg = "Sorry, your bandwidth has exceeded the provided limit" query = "SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct where UserName='%{${key}}'" } radiusd output: [volumelimitcounter] expand: %{sql:SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct where UserName='test1'} -> 25687864955 rlm_sqlcounter: (Check item - counter) is less than zero rlm_sqlcounter: Rejected user test1, check_item=4294967295, counter=4294967295 ++[volumelimitcounter] returns reject full debug log: can be found at http://pastebin.com/fs2ed6pF Any feedback would be greatly appreciated. Kind regards, Ben
ben beneke wrote:
I am using FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Dec 6 2011 at 19:51:34, and I'd like to set up a quota using rlm_sqlcounter. However, the quota I'd like to use is over 4GB and the module will than overflow, not allowing a user who still has quota left.
Use rlm_expr to do 64-bit math. Counters in RADIUS are 32-bits. So counting more than 4G is impossible using "native" attributes. You need to use rlm_expr to calculate the values yourself. Alan DeKok.
On Fri, Dec 16, 2011 at 3:04 PM, Alan DeKok <aland@deployingradius.com> wrote:
ben beneke wrote:
I am using FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Dec 6 2011 at 19:51:34, and I'd like to set up a quota using rlm_sqlcounter. However, the quota I'd like to use is over 4GB and the module will than overflow, not allowing a user who still has quota left.
Use rlm_expr to do 64-bit math.
Counters in RADIUS are 32-bits. So counting more than 4G is impossible using "native" attributes. You need to use rlm_expr to calculate the values yourself.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_expr doesn't seem to have extensive documentation, nor was I able to find an example similar to what I want to achieve. However, if I understand everything correctly, my solution would be something like the following: rlm_expr is needed to calculate the difference between the substraction of "SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct where UserName='%{${key}}'" (which equals to 25687864955) and the Max-Octets value in radcheck (equaling 29687864955) IF $valueradacct < $valueradcheck: Acess Accept ELSE Access Reject Does this reasoning make any sense?
Hello Friends: I am writing to give me ideas on how to apply the following policy in freeradius: - I need a user is only registered at the same time just one time, so when the user is registered with that other users can not register. I hope I miss understand. Thank you very much. Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com
2011/12/17 Guillermo William Llanes Suárez <gwilliam@uci.cu>:
Hello Friends: I am writing to give me ideas on how to apply the following policy in freeradius: - I need a user is only registered at the same time just one time, so when the user is registered with that other users can not register.
That doesnt' make sense.
I hope I miss understand. Thank you very much.
Do you mean simultaneous use? If yes, check the list archive. There's a long thread about it recently. -- Fajar
Hola Fajar y amigos. Lo que necesito es, que una ves que un usuario se encuentre ya autenticado no pueda otra persona (robo de identidad) usar ese mismo usuario para autenticarse en otro equipo. Lo que quiero hacer, es, cuando esto suceda, que el intento de autenticacion por segunda ves sea rechazado, o sea, que solo el usuario puieda estar online solo desde un cliente, no de dos al mismo tiempo. Me explico mejor?. Gracias a todos. ----- Mensaje original ----- De: "Fajar A. Nugraha" <list@fajar.net> Para: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Enviados: Viernes, 16 de Diciembre 2011 15:35:33 Asunto: Re: I need your help!!!! 2011/12/17 Guillermo William Llanes Suárez <gwilliam@uci.cu>:
Hello Friends: I am writing to give me ideas on how to apply the following policy in freeradius: - I need a user is only registered at the same time just one time, so when the user is registered with that other users can not register.
That doesnt' make sense.
I hope I miss understand. Thank you very much.
Do you mean simultaneous use? If yes, check the list archive. There's a long thread about it recently. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com
Hi Fajar and friends. What I need is that one you see that a user is authenticated and can not be another person (identity theft) use the same user to authenticate to another machine. What I do is, when this happens, the authentication attempt is rejected for second time, or only the user may thereby be online only from a customer, not both at the same time. Let me explain better?. Thank you all. ----- Mensaje original ----- De: "Guillermo William Llanes Suárez" <gwilliam@uci.cu> Para: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Enviados: Sábado, 17 de Diciembre 2011 8:35:08 Asunto: Re: I need your help!!!! Hola Fajar y amigos. Lo que necesito es, que una ves que un usuario se encuentre ya autenticado no pueda otra persona (robo de identidad) usar ese mismo usuario para autenticarse en otro equipo. Lo que quiero hacer, es, cuando esto suceda, que el intento de autenticacion por segunda ves sea rechazado, o sea, que solo el usuario puieda estar online solo desde un cliente, no de dos al mismo tiempo. Me explico mejor?. Gracias a todos. ----- Mensaje original ----- De: "Fajar A. Nugraha" <list@fajar.net> Para: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Enviados: Viernes, 16 de Diciembre 2011 15:35:33 Asunto: Re: I need your help!!!! 2011/12/17 Guillermo William Llanes Suárez <gwilliam@uci.cu>:
Hello Friends: I am writing to give me ideas on how to apply the following policy in freeradius: - I need a user is only registered at the same time just one time, so when the user is registered with that other users can not register.
That doesnt' make sense.
I hope I miss understand. Thank you very much.
Do you mean simultaneous use? If yes, check the list archive. There's a long thread about it recently. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com
Saludos, Debes tener en cuenta la variable *Simultaneous-Use* (Ejemplo: "alice" Cleartext-Password := "passme",Simultaneous-Use := 1 ) esta te va a permitir el número de veces que un usuario de manera simultánea se podrá validar. Exitos. -- Celular: (+57) 316.332.64.33 http://www.unidata.com.co
Hi,
Hi Fajar and friends. What I need is that one you see that a user is authenticated and can not be another person (identity theft) use the same user to authenticate to another machine. What I do is, when this happens, the authentication attempt is rejected for second time, or only the user may thereby be online only from a customer, not both at the same time. Let me explain better?.
Simultaneous-Use - as already said, there have been a couple of big threads about this recently - so if you read the last month of mailing list you will see - or read the config files and docs for FreeRADIUS to see how its done (hint, the best way is to use SQL imho) alan
ben beneke wrote:
rlm_expr doesn't seem to have extensive documentation, nor was I able to find an example similar to what I want to achieve.
It does math. That's it.
However, if I understand everything correctly, my solution would be something like the following:
rlm_expr is needed to calculate the difference between the substraction of "SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct where UserName='%{${key}}'" (which equals to 25687864955) and the Max-Octets value in radcheck (equaling 29687864955)
IF $valueradacct < $valueradcheck: Acess Accept ELSE Access Reject
Does this reasoning make any sense?
Yes. Except that Max-Octets (as an attribute) is bounded by 4G, too. You'd be better off having rlm_expr query SQL directly, via %{sql:...} Alan DeKok.
participants (6)
-
Alan Buxey -
Alan DeKok -
ben beneke -
Fajar A. Nugraha -
Guillermo William Llanes Suárez -
Nelson Acero Fino