Session-Timeout anomalies

Alan DeKok aland at
Fri Feb 8 16:50:17 CET 2013

Bill Isaacs wrote:
> Ok so the question then is: where the hell is radclient getting the
> notion that the account has 2366393 seconds left?

  From the RADIUS server.  This isn't magic.  radclient doesn't invent
attributes in reply packets.  It receives them from the RADIUS server.

> Alan, take a deep breath.  Of course I've looked at the debug output. 
> Note my opening sentence, ol' pardner.  ;)

  Well... your question about "where does radclient get that value from"
is entirely missing the point.  It gets it from the RADIUS server.  I've
said this.  I have no idea how to convince you it's true.

  And the *only* way to debug the RADIUS server is to look at the debug

  And no, your original message did *not* say you had run the server in
debugging mode.  There's only a reference to creating an account for
debugging purposes.  There's no "radiusd -X" output.

  My frustration here is that the documentation and my messages cannot
possibly be any more clear.  Yet you're wandering around doing
everything *but* what the documentation says, and then wondering why I'm
getting annoyed.

  Run the server in debugging mode.  Really.  Do it.  I mean it.

  If you want to track down the issue to a specific module, update the
config to do:

	update reply {
		Reply-Message += "A %{reply:Session-Timeout}"

  Cut & paste that through various pieces of authorize, post-auth, etc.
 Change the "A" to "B", "C", etc.  You should see 10-20 Reply-Messages
in the Access-Accept.  Each with a value for Session-Timeout.  That lets
you track *what* the value is, and *where* in the config the value is
coming from.

  Then once you know it's a particular module, you can figure out how to
fix that module.

  Right now, you're staring at the radclient output, wondering why the
server isn't working.  That's a mistake.

  Alan DeKok.

More information about the Freeradius-Users mailing list