CoA reply a wrong Session-Timeout
Hi to all I am running freeradius ver 2.1.12-6 on CentOS 6.0. I have configured freeradius with sql_counter module and all is working fine. Now I have to configure CoA but on my NAS (Mikrotik) I receive the Session-Timeout equal to 0 and the same is for the Traffic (Mikrotik-XMit-Limit attribute) Which is the freeradius variable to pass to Session-Timeout inside the "update coa{" in order to have the residual credit time of the user? This is the freeradius configuration: /ETC/SITE-AVAILABLE/DEFAULT authorize { rewrite.calling_station_id preprocess chap mschap suffix eap { ok = return } unix sql expiration logintime pap noresetcounter dailycounter monthlycounter noresettrafficcounter dailytraffic monthlytraffic pppoetrafficcounter pppoedailytraffic pppoemonthlytraffic update control { Auth-Type := `/usr/bin/php -f /sitiweb/hotspot/functions/freeradiusauthorize.php %{User-Name} %{User-Password} %{Calling-Station-Id} %{NAS-IP-Address} %{Called-Station-ID}` } } accounting { rewrite.calling_station_id unix sql #COA update coa { User-Name = "%{User-Name}" Acct-Session-Id = "%{Acct-Session-Id}" NAS-IP-Address = "%{NAS-IP-Address}" Framed-IP-Address = "%{Framed-IP-Address}" Session-Timeout = "%{Session-Timeout}" # Session-Timeout = "%{Credit-Time}" # Session-Timeout = "%{noresetcounter:Credit-Time}" # Session-Timeout = "%{Session-Timeout}" # Session-Timeout = "%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}'}" # Session-Timeout = "%{noresetcounter}" # Session-Timeout = "%{rlm_sqlcounter:noresetcounter}" Mikrotik-XMit-Limit = "%{Mikrotik-XMit-Limit}" # Mikrotik-XMit-Limit = "%{Monthly-Credit-Traffic}" } # update control { # Send-CoA-Request = Yes # } } CLIENTS.CONF: client 0.0.0.0/0 { secret = hshelioos require_message_authenticator = no nastype = other } #COA home_server piazzalaterale-coa { type = coa # # Note that a home server of type "coa" MUST be a real NAS, # with an ipaddr or ipv6addr. It CANNOT point to a virtual # server. # ipaddr = 192.168.0.201 port = 3799 # This secret SHOULD NOT be the same as the shared # secret in a "client" section. secret = hshelioos # CoA specific parameters. See raddb/proxy.conf for details. coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } SQLCOUNTER.CONF: sqlcounter noresetcounter { counter-name = Max-All-Session-Time check-name = Credit-Time sqlmod-inst = sql key = User-Name reset = never query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'" } sqlcounter dailycounter { driver = "rlm_sqlcounter" counter-name = Daily-Session-Time check-name = Daily-Credit-Time sqlmod-inst = sql key = User-Name #reset = daily reset = never #query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" #query = "SELECT SUM(SessionTime) FROM (SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) AS SessionTime FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b' UNION SELECT 0 AS SessionTime) AS Results" query = "SELECT SUM(SessionTime) FROM (SELECT SUM(AcctSessionTime) AS SessionTime FROM radacct WHERE UserName='%{%k}' AND DATE(NOW())=DATE(acctstoptime) UNION SELECT 0 AS SessionTime) AS Results" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Monthly-Credit-Time sqlmod-inst = sql key = User-Name #reset = daily reset = never #query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" #query = "SELECT SUM(SessionTime) FROM (SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) AS SessionTime FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b' UNION SELECT 0 AS SessionTime) AS Results" query = "SELECT SUM(SessionTime) FROM (SELECT SUM(AcctSessionTime) AS SessionTime FROM radacct WHERE UserName='%{%k}' AND MONTH(acctstoptime) = MONTH(NOW()) AND YEAR(acctstoptime) = YEAR(NOW()) UNION SELECT 0 AS SessionTime) AS Results" } and this is the LOG of "radiusd -X" command: Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.201 port 33465, id=32, length=230 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00:22:5F:0F:58:84" Called-Station-Id = "Piazza Laterale" NAS-Port-Id = "hs-bridge" User-Name = "00393383880766@BarCentrale" NAS-Port = 2151677962 Acct-Session-Id = "8040000a" Framed-IP-Address = 10.0.200.105 Mikrotik-Host-IP = 10.0.200.105 CHAP-Challenge = 0x980558b3c7d785a90bcc313cb3d36f05 CHAP-Password = 0xb857266bd68f0ad533ce1801e25f165f64 Service-Type = Login-User WISPr-Logoff-URL = "http://0.0.0.0/logout" NAS-Identifier = "Piazza Laterale" NAS-IP-Address = 192.168.0.201 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++- entering policy rewrite.calling_station_id {...} +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) ?? Evaluating (Calling-Station-Id) -> TRUE expand: %{Calling-Station-Id} -> 00:22:5F:0F:58:84 expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} expand: %{1}:%{2}:%{3}:%{4}:%{5}:%{6} -> 00:22:5F:0F:58:84 expand: %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} -> 00:22:5F:0F:58:84 ++++[request] returns notfound ++++[updated] returns updated +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated +++ ... skipping else for request 0: Preceding "if" was taken ++- policy rewrite.calling_station_id returns updated ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] Looking up realm "BarCentrale" for User-Name = "00393383880766@BarCentrale" [suffix] No such realm "BarCentrale" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [sql] expand: %{User-Name} -> 00393383880766@BarCentrale [sql] sql_set_user escaped user --> '00393383880766@BarCentrale' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00393383880766@BarCentrale' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '00393383880766@BarCentrale' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '00393383880766@BarCentrale' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'DEFAULT2048K-256K-5DEVICES' ORDER BY id [sql] User found in group DEFAULT2048K-256K-5DEVICES [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'DEFAULT2048K-256K-5DEVICES' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop rlm_sqlcounter: Entering module authorize code WARNING: Please replace '%k' with '${key}' sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}'' [noresetcounter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='00393383880766@BarCentrale' WARNING: Please replace '%S' with '${sqlmod-inst}' sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='00393383880766@BarCentrale'}' [noresetcounter] sql_xlat [noresetcounter] expand: %{User-Name} -> 00393383880766@BarCentrale [noresetcounter] sql_set_user escaped user --> '00393383880766@BarCentrale' [noresetcounter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='00393383880766@BarCentrale' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='00393383880766@BarCentrale' rlm_sql (sql): Reserving sql socket id: 3 [noresetcounter] sql_xlat finished rlm_sql (sql): Released sql socket id: 3 [noresetcounter] expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='00393383880766@BarCentrale'} -> 747 rlm_sqlcounter: Check item is greater than query result rlm_sqlcounter: Authorized user 00393383880766@BarCentrale, check_item=2700, counter=747 rlm_sqlcounter: Sent Reply-Item for user 00393383880766@BarCentrale, Type=Session-Timeout, value=1953 ++[noresetcounter] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[dailycounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[monthlycounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresettrafficcounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[dailytraffic] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[monthlytraffic] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[pppoetrafficcounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[pppoedailytraffic] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[pppoemonthlytraffic] returns noop expand: %{User-Name} -> 00393383880766@BarCentrale expand: %{User-Password} -> expand: %{Calling-Station-Id} -> 00:22:5F:0F:58:84 expand: %{NAS-IP-Address} -> 192.168.0.201 expand: %{Called-Station-ID} -> Piazza Laterale Exec-Program output: Exec-Program: returned: 0 ++[control] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. CHAP-Password is correct. # Executing section session from file /etc/raddb/sites-enabled/default +- entering group session {...} [sql] expand: %{User-Name} -> 00393383880766@BarCentrale [sql] sql_set_user escaped user --> '00393383880766@BarCentrale' [sql] expand: SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT COUNT(*) FROM radacct WHERE username = '00393383880766@BarCentrale' AND acctstoptime IS NULL rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} [sql] expand: %{User-Name} -> 00393383880766@BarCentrale [sql] sql_set_user escaped user --> '00393383880766@BarCentrale' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> 0xb857266bd68f0ad533ce1801e25f165f64 [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00393383880766@BarCentrale', '0xb857266bd68f0ad533ce1801e25f165f64', 'Access-Accept', '2016-09-16 14:22:23') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00393383880766@BarCentrale', '0xb857266bd68f0ad533ce1801e25f165f64', 'Access-Accept', '2016-09-16 14:22:23') rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 32 to 192.168.0.201 port 33465 SESSION-TIMEOUT := 1953 Idle-Timeout := 180 WISPr-Bandwidth-Max-Down := 2048000 WISPr-Bandwidth-Max-Up := 256000 Mikrotik-Rate-Limit := "256000/2048000" Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 192.168.0.201 port 55450, id=33, length=176 Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00:22:5F:0F:58:84" Called-Station-Id = "Piazza Laterale" NAS-Port-Id = "hs-bridge" User-Name = "00393383880766@BarCentrale" NAS-Port = 2151677962 Acct-Session-Id = "8040000a" Framed-IP-Address = 10.0.200.105 Mikrotik-Host-IP = 10.0.200.105 Event-Timestamp = "Sep 16 2016 14:22:23 CEST" NAS-Identifier = "Piazza Laterale" Acct-Delay-Time = 0 NAS-IP-Address = 192.168.0.201 # Executing section preacct from file /etc/raddb/radiusd.conf +- entering group preacct {...} [acct_unique] Hashing 'Client-IP-Address = 192.168.0.201,NAS-IP-Address = 192.168.0.201,Acct-Session-Id = "8040000a",User-Name = "00393383880766@BarCentrale"' [acct_unique] Acct-Unique-Session-ID = "9fbe06198361f0df". ++[acct_unique] returns ok # Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} ++- entering policy rewrite.calling_station_id {...} +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) ?? Evaluating (Calling-Station-Id) -> TRUE expand: %{Calling-Station-Id} -> 00:22:5F:0F:58:84 expand: policy.mac-addr -> policy.mac-addr expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} expand: %{1}:%{2}:%{3}:%{4}:%{5}:%{6} -> 00:22:5F:0F:58:84 expand: %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} -> 00:22:5F:0F:58:84 ++++[request] returns noop ++++[updated] returns updated +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated +++ ... skipping else for request 1: Preceding "if" was taken ++- policy rewrite.calling_station_id returns updated ++[unix] returns ok [sql] expand: %{User-Name} -> 00393383880766@BarCentrale [sql] sql_set_user escaped user --> '00393383880766@BarCentrale' [sql] expand: %{Acct-Delay-Time} -> 0 [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok [attr_filter.accounting_response] expand: %{User-Name} -> 00393383880766@BarCentrale attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated expand: %{User-Name} -> 00393383880766@BarCentrale expand: %{Acct-Session-Id} -> 8040000a expand: %{NAS-IP-Address} -> 192.168.0.201 expand: %{Framed-IP-Address} -> 10.0.200.105 EXPAND: %{SESSION-TIMEOUT} -> ++[coa] returns updated Sending Accounting-Response of id 33 to 192.168.0.201 port 55450 WARNING: Empty pre-proxy section. Using default return values. SENDING COA-REQUEST OF ID 217 TO 192.168.0.201 PORT 3799 User-Name = "00393383880766@BarCentrale" Acct-Session-Id = "8040000a" NAS-IP-Address = 192.168.0.201 Framed-IP-Address = 10.0.200.105 SESSION-TIMEOUT = 0 Finished request 1. Cleaning up request 1 ID 33 with timestamp +134 Going to the next request Waking up in 1.8 seconds. rad_recv: CoA-ACK packet from host 192.168.0.201 port 3799, id=217, length=43 NAS-Identifier = "Piazza Laterale" NAS-IP-Address = 192.168.0.201 # Executing section post-proxy from file /etc/raddb/sites-enabled/default As you can see from the LOG, CoA is working correctly but send as Session-Timeout 0, instead of the correct credit Traffic for the user that is 1953. I have tried a lot of variable on the "coa update" for Session-Timeout and Mikrotik-XMit-Limit but none work. Can someone help me? Best regards Con Smart 3 Giga a 9 euro/4 sett navighi veloce, chiami e invii SMS dal tuo smartphone verso tutti i fissi e mobili in Italia. Passa a Tiscali Mobile! http://casa.tiscali.it/mobile/
On Sep 16, 2016, at 8:28 AM, prometeotv@tiscali.it wrote:
I am running freeradius ver 2.1.12-6 on CentOS 6.0.
Upgrade to a recent version. There is just no reason to use a version from 5 years ago.
I have configured freeradius with sql_counter module and all is working fine. Now I have to configure CoA but on my NAS (Mikrotik) I receive the Session-Timeout equal to 0 and the same is for the Traffic (Mikrotik-XMit-Limit attribute) Which is the freeradius variable to pass to Session-Timeout inside the "update coa{" in order to have the residual credit time of the user?
Session-Timeout. BUT you have to get the correct value from somewhere. Right now, you're taking the value from the accounting packet. Which doesn't have a Session-Timeout. Alan DeKok.
participants (2)
-
Alan DeKok -
prometeotv@tiscali.it