Max-Daily-Session - User session termination

pamela pomary ppomary at gmail.com
Wed Mar 7 19:11:37 CET 2012


Hello once again,


Thank you for your help in resolving this problem so far. I have counters
increasing now after defining Max-Daily-Session for the DEFAULT user in the
users file as below and adding the line aaa accounting dot1x default
start-stop group radius, suggested by Alan Buxey, to the config on my Cisco
2960 switch NAS.

DEFAULT        Service-Type == Login-User
                      Framed-IP-Address = 255.255.255.254,
                      Framed-MTU = 576,
                      Max-Daily-Session = 240,

I found the following in the log

### Debug log ###
rlm_counter: Entering module authorize code
rlm_counter: Searching the database for key 'clare'
rlm_counter: Key Found.
rlm_counter: Check item = 240, Count = 2386
rlm_counter: Rejected user clare, check_item=240, counter=2386
  modcall[authorize]: module "daily" returns reject for request 0
modcall: leaving group authorize (returns reject) for request 0
Invalid user (rlm_counter: Maximum hourly usage time reached): [clare]
(from client C2960_NOC_LAN1 port 50009 cli 00-1E-33-D5-7A-68)
Delaying request 0 for 1 seconds
Finished request 0

Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 230 to 10.1.5.4 port 1645
        Reply-Message = "Your maximum hourly usage time has been reached"


I realise user clare is rejected only when the user logs in after the cable
is unplugged and plugged back into the computer. What it means is that when a
user logs in and is granted access, the user's counter keeps increasing beyond
the Max-Daily-Session until the cable is unplugged from the computer. When the
cable is plugged back into the computer and the user is prompted to log in,
the user is rejected because he/she has exceeded the maximum daily session.

What I want to achieve is to get the user session disconnected/timed out
automatically while the cable is still plugged in, when the user reaches
his/her maximum daily session set for the day. I hope it is possible to do :)

I have the following config on my NAS- Cisco 2960 switch


aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting suppress null-username
aaa accounting session-duration ntp-adjusted
aaa accounting update newinfo periodic 1
aaa accounting dot1x default start-stop group radius

aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius

interface FastEthernet0/9
switchport access vlan 6
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 60
authentication violation protect

dot1x pae both
dot1x max-req 3
spanning-tree portfast


----------
Pamela Pomary
University of Ghana, ICT Directorate
skype:ppomary
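
Added example, not part of the original post or of FreeRADIUS: a small Python parser for the rlm_counter debug lines quoted above that reports, per rejected user, how far the counter had run past the check item and which NAS port the request came from. The function name, the output field names and the constructed sample (built from the log lines in this post) are the example's own assumptions.

```python
import re

# Constructed sample: the rlm_counter lines from the debug log in this post.
SAMPLE = """\
rlm_counter: Entering module authorize code
rlm_counter: Searching the database for key 'clare'
rlm_counter: Key Found.
rlm_counter: Check item = 240, Count = 2386
rlm_counter: Rejected user clare, check_item=240, counter=2386
  modcall[authorize]: module "daily" returns reject for request 0
Invalid user (rlm_counter: Maximum hourly usage time reached): [clare]
(from client C2960_NOC_LAN1 port 50009 cli 00-1E-33-D5-7A-68)
"""

# The reject line carries the limit (check item) and the stored counter.
REJECT = re.compile(
    r"rlm_counter: Rejected user (?P<user>\S+), "
    r"check_item=(?P<limit>\d+), counter=(?P<used>\d+)")
# The "Invalid user" line may wrap before "(from client ...)"; \s* spans the newline.
ORIGIN = re.compile(
    r"Invalid user \(rlm_counter: [^)]*\): \[(?P<user>[^\]]+)\]\s*"
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^)\s]+))?\)")

def counter_rejections(log_text):
    """Return one dict per rlm_counter reject, including the overshoot."""
    rows = []
    for rej in REJECT.finditer(log_text):
        limit, used = int(rej["limit"]), int(rej["used"])
        row = {"user": rej["user"], "limit": limit, "used": used,
               "overshoot": used - limit,  # same units as the counter
               "client": None, "port": None, "cli": None}
        # Attach the first origin line for the same user after this reject.
        for org in ORIGIN.finditer(log_text, rej.end()):
            if org["user"] == rej["user"]:
                row.update(client=org["client"], port=int(org["port"]),
                           cli=org["cli"])
                break
        rows.append(row)
    return rows

if __name__ == "__main__":
    for r in counter_rejections(SAMPLE):
        print("{user}: used {used} of {limit} (over by {overshoot}) "
              "via {client} port {port} cli {cli}".format(**r))
```
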