Script for logging out user from their session

Ivan Kalik tnt at
Sat Aug 1 16:06:13 CEST 2009

> I am a newbie trying to create a prepaid hotspot and I am using following.
> CentOS 5.3
> freeradius2-2.1.6
> mysql 5.0.45
> daloradius-0.9-8
> chillispot 1.0 (in dd-wrt)
> Now I wanted to try that if I will give a user 1 hour time (1 hour
> prepaid card is sold and assumed that user can consume that within
> infinite period of time without expiration), i want to limit that time
> strictly. For this I have implemented the "Max-All-Session" Attribute
> and so far it is working during login time (not during user session).
> So following is the problem:
> 1) User have 1 hour and if he is continuously logged in more than 1
> hour, there is no way he will be automatically logged out.

You have not implemented the counter correctly or your NAS doesn't support

> 2) For solution to this, I have implemented the "Session-Timeout" of 1
> hour (3600) together with "Max-All-Session".

Which is poitless.

> This solution works given
> that user is not interrupted (or logged in continuously for 1 hour or
> more). This strategy fails when user logs out before 1 hour and logs
> in again. Supposing he still have 20 mins total time left, when he
> logs back in , his session timeout is again 1 hour so if continues to
> use until session timeout, he will end up using more than his time.
> This is worse if user logs in multiple time within credited time
> period.

OK, so Session-Timeout works. Then you haven't implemented the counter
properly. Post the debug.

> In this situation, what I wanted to do is - No matter what, when user
> reaches his time limit, he will be logged out from his session (if
> logged in)  or not accept login request anymore ("Max-All-Session"
> already does this).

Yes, but it looks like you are overriding Session-Timeout set by the
couter with the fixed value.

> 3) Now to implement the former condition I did some research and found
> out that freeradius is not designed to kick the user however we need
> to send the "Packet of Disconnect" to NAS (AP) by some means of
> script. It is also assumed (I guess) that we will monitor their
> account table and hand pick the user by ourselves and disconnect them
> manually. Instead I want to automate this thing.

Just forget that.

> 4) After some research for this automation, I found out about the
> "radkill" untility (which is not exactly I wanted) but got some idea
> that we can do following step to logout user automatically
> (a) Find out about that user session and from which NAS he is logged
> in (radwho can be used for this purpose)
> (b) Send the packet of disconnect to that NAS for that particular user.

You don't need any of that. Just set up counter properly.

> Now before reinventing the wheel, I have been asking a question to
> myself for sometime
> (a) In the prepaid users scenario, there may be hundreds of users
> connected. Isn't that keeping track of each user's time in real time
> through some kind of daemon will be CPU intensive task? and overkill
> for the server?

Not at all, since the server doesn't do that. NAS generates accounting.

> (b) Instead of keeping track in eating CPU cycles and memory, I though
> it would be nice to use and implement this logic when accounting
> packet arrives from chilli to radius (something like database
> triggerers). so when accounting packet arrives for any particular
> user, radius will check his "Max-All-Session" against used sum of used
> sessions and if necessary, send the packet of disconnect to the NAS.
> Well the problem is I don't know how to implement this since I am very
> new to freeradius and this whole hotspot thing.

No need. By passing Session-Timeout at login time NAS will disconnect the
user when the time comes.

> (c) Lastly, I am just wondering that somebody must have faced this
> problem before and made a solution considering many hotspot solutions
> available today. or  am I seriously missing something (since new in
> this area), or there are more sleek approach to this problem than what
> I am thinking, which is readily available out of the box.

You have messed up counter implementation. Post the debug and lets see
what is going on with it.

Ivan Kalik
Kalik Informatika ISP

More information about the Freeradius-Users mailing list