Session-Timeout anomalies
Alan DeKok
aland at deployingradius.com
Fri Feb 8 16:50:17 CET 2013
Bill Isaacs wrote:
> Ok so the question then is: where the hell is radclient getting the
> notion that the account has 2366393 seconds left?
From the RADIUS server. This isn't magic. radclient doesn't invent
attributes in reply packets. It receives them from the RADIUS server.
> Alan, take a deep breath. Of course I've looked at the debug output.
> Note my opening sentence, ol' pardner. ;)
Well... your question about "where does radclient get that value from"
is entirely missing the point. It gets it from the RADIUS server. I've
said this. I have no idea how to convince you it's true.
And the *only* way to debug the RADIUS server is to look at the debug
output.
And no, your original message did *not* say you had run the server in
debugging mode. There's only a reference to creating an account for
debugging purposes. There's no "radiusd -X" output.
My frustration here is that the documentation and my messages cannot
possibly be any more clear. Yet you're wandering around doing
everything *but* what the documentation says, and then wondering why I'm
getting annoyed.
Run the server in debugging mode. Really. Do it. I mean it.
If you want to track down the issue to a specific module, update the
config to do:
update reply {
Reply-Message += "A %{reply:Session-Timeout}"
}
Cut & paste that through various pieces of authorize, post-auth, etc.
Change the "A" to "B", "C", etc. You should see 10-20 Reply-Messages
in the Access-Accept. Each with a value for Session-Timeout. That lets
you track *what* the value is, and *where* in the config the value is
coming from.
Then once you know it's a particular module, you can figure out how to
fix that module.
Right now, you're staring at the radclient output, wondering why the
server isn't working. That's a mistake.
Alan DeKok.
More information about the Freeradius-Users
mailing list