rlm_sqlcounter: Max-Daily-Session.

Russell Mike radius.sir at gmail.com
Wed May 14 12:16:45 CEST 2014


Hi,

I am sure you are doing all that in a LAB, so why make it complex? Try with PAP at
least to make sure stuff works, and then configure EAP later. Don't do
anything to inner-tunnel.

Thanks / Regards



On Tue, May 13, 2014 at 11:39 PM, * <zhex900 at gmail.com> wrote:

> Hi,
>
> I have set my reply item Session-Timeout := 600 for the user bob. I can
> see the radius sending the Session-Timeout to the NAS. But the radius gets a
> "*eap_peap : Got tunneled reply code 11.*" My NAS is receiving other
> Access-Challenge requests but not this one.
>
> I tried to find out what code 11 is but I cannot find a simple answer.
>
> Do I need to configure my inner-tunnel?
>
> Jake He
>
>
> *Sending Access-Challenge of id 155 from 10.1.1.2 port 135 to
> 27.33.228.125 port 45095*
> * Session-Timeout := 600*
> * Idle-Timeout := 30*
> * EAP-Message = 0x010200061920*
> * Message-Authenticator = 0x00000000000000000000000000000000*
> * State = 0xb77514c3b6770d58e310744eea16afdc*
> *(1) Finished request 1.*
>
> (8)   [pap] = noop
> (8)  } #  authorize = updated
> (8) Found Auth-Type = EAP
> (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> (8)   authenticate {
> (8) eap : Expiring EAP session with state 0x7b061f337b0e0549
> (8) eap : Finished EAP session with state 0x7b061f337b0e0549
> (8) eap : Previous EAP request found for state 0x7b061f337b0e0549,
> released from the list
> (8) eap : Peer sent MSCHAPv2 (26)
> (8) eap : EAP MSCHAPv2 (26)
> (8) eap : Calling eap_mschapv2 to process EAP data
> (8) eap_mschapv2 : # Executing group from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (8) eap_mschapv2 :  Auth-Type MS-CHAP {
> (8) mschap : Found Cleartext-Password, hashing to create LM-Password
> (8) mschap : Found Cleartext-Password, hashing to create NT-Password
> (8) mschap : Creating challenge hash with username: bob
> (8) mschap : Client is using MS-CHAPv2 for bob, we need NT-Password
> (8) mschap : adding MS-CHAPv2 MPPE keys
> (8)   [mschap] = ok
> (8)  } # Auth-Type MS-CHAP = ok
> MSCHAP Success
> (8) eap : New EAP session, adding 'State' attribute to reply
> 0x7b061f337a0f0549
> (8)   [eap] = handled
> (8)  } #  authenticate = handled
> } # server inner-tunnel
> *(8) eap_peap : Got tunneled reply code 11*
> * Session-Timeout := 600*
> * Idle-Timeout := 30*
> * EAP-Message =
> 0x010900331a0308002e533d32374134353837324635433545353846434334433734383546333732324530414444373730393738*
> * Message-Authenticator = 0x00000000000000000000000000000000*
> * State = 0x7b061f337a0f0549d125cd93a8b94882*
> (8) eap_peap : Got tunneled reply RADIUS code 11
> Session-Timeout := 600
> Idle-Timeout := 30
> EAP-Message =
> 0x010900331a0308002e533d32374134353837324635433545353846434334433734383546333732324530414444373730393738
>  Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x7b061f337a0f0549d125cd93a8b94882
> (8) eap_peap : Got tunneled Access-Challenge
> (8) eap : New EAP session, adding 'State' attribute to reply
> 0xb77514c3bf7c0d58
> (8)   [eap] = handled
> (8)  } #  authenticate = handled
>
>
>
>
>
> On Tue, May 13, 2014 at 9:32 PM, Russell Mike <radius.sir at gmail.com> wrote:
>
>>
>>
>>
>> On Tue, May 13, 2014 at 12:30 PM, * <zhex900 at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Thank you for your patience. I am very happy someone can help me. Now I
>>> made some progress.
>>>
>>> I found out what the problem is now. In the query you provided I need to
>>> put quotes around radacct. Like this:
>>>  query = "SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(),
>>> MIN(AcctStartTime))),0) FROM `radacct` WHERE UserName='%{%k}' ORDER
>>> BY AcctStartTime LIMIT 1;"
>>>
>> Okay, good, there was an error in the username variable as well in your
>> previous query ('%{%k}'). Anyway, happy it worked!!
>>
>>
>>> Now, I have one more problem.
>>>
>>> My NAS (Mikrotik) is not receiving the Session-Timeout. I cannot see it
>>> in the NAS log. I only can see Acct-Session-Time. Therefore it is not
>>> terminating the session. For testing I have set the time limit to 60
>>> seconds.
>>>
>>> Freeradius is sending it:
>>>
>>> (2) dailycounter : Sent Reply-Item for user hello, Type=Session-Timeout,
>>> value=60
>>> (2)   [dailycounter] = ok
>>>
>>> Sending Access-Challenge of id 232 from 10.1.1.2 port 135 to
>>> 27.33.228.125 port 47097
>>> Session-Timeout = 60
>>>  EAP-Message = 0x010200061920
>>> Message-Authenticator = 0x00000000000000000000000000000000
>>> State = 0x543a9074553889da6f504855ab4e7a4b
>>> (2) Finished request 2.
>>>
>>> I did not put anything in the radreply for the user. When I did put
>>> Session-Timeout=60 in radreply, I still cannot see it in the NAS log.
>>>
>>> Is it a problem with my NAS configuration?
>>>
>>> What should I do now?
>>>
>>
>> The way FreeRADIUS works is that it does not disconnect users itself,
>> but rather tells the NAS to disconnect the user. So how would FreeRADIUS
>> tell the NAS to disconnect the user? Using a REPLY ITEM. So put
>> "Session-Timeout" in Reply as well. You said that even if you add
>> "Session-Timeout" in reply it makes no difference. No problem, leave
>> "Session-Timeout" in reply-item, it must be there. And you have more
>> than one problem. 60 seconds is too little; the minimum test should be done with
>> 600 seconds for better results.
>>
>> FreeRADIUS is now fine. Configure your NAS properly.
>>
>> NOTE: Check item is for FreeRADIUS. Reply item is for NAS.
>>
>> Thanks / Regards
>>
>> --RM
>>
>>
>>
>>> Jake He
>>>
>>>
>>> On Tue, May 13, 2014 at 5:12 PM, Arran Cudbard-Bell <
>>> a.cudbardb at freeradius.org> wrote:
>>>
>>>>
>>>> On 13 May 2014, at 08:46, * <zhex900 at gmail.com> wrote:
>>>>
>>>> > You mean I need to upgrade to 3.0.3?
>>>>
>>>> yes.
>>>>
>>>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>>>> FreeRADIUS Development Team
>>>>
>>>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>>>>
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
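
Added example (not part of the original thread and not FreeRADIUS code): decoding the values in the debug output quoted above shows that "code 11" is RADIUS Access-Challenge and that the tunneled EAP-Message is an MS-CHAPv2 Success request, an intermediate step of PEAP. The lookup tables are partial and the function names are hypothetical.

```python
# Added example: decode the RADIUS code and EAP-Message values from the debug log.
# The lookup tables are deliberately partial (only what this thread needs).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# Values copied from the debug output quoted in the thread.
OUTER_EAP = "0x010200061920"
INNER_EAP = ("0x010900331a0308002e533d"
             "3237413435383732463543354535384643433443"
             "3734383546333732324530414444373730393738")

def decode_eap(hex_value):
    """Parse an EAP packet given as the hex string FreeRADIUS prints."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:          # Request/Response carry a type
        etype, data = raw[4], raw[5:]
        out["type"] = EAP_TYPES.get(etype, etype)
        if etype == 25 and data:               # PEAP: first byte holds flags
            out["start"] = bool(data[0] & 0x20)
        elif etype == 26 and data:             # MS-CHAPv2: opcode, id, length
            out["opcode"] = MSCHAPV2_OPCODES.get(data[0], data[0])
            if data[0] == 3 and len(data) >= 4:
                out["message"] = data[4:].decode("ascii", "replace")
    return out

def describe(radius_code, eap_hex):
    """One-line summary pairing a RADIUS code with its decoded EAP-Message."""
    eap = decode_eap(eap_hex)
    detail = eap.get("opcode") or ("Start" if eap.get("start") else "")
    name = RADIUS_CODES.get(radius_code, radius_code)
    return f"{name}: EAP-{eap['code']} {eap.get('type', '')} {detail}".strip()

if __name__ == "__main__":
    print(describe(11, OUTER_EAP))   # packet sent to the NAS in request (1)
    print(describe(11, INNER_EAP))   # tunneled reply seen by eap_peap in (8)
    print(decode_eap(INNER_EAP)["message"])
```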