rlm_sqlcounter: Max-Daily-Session.

* zhex900 at gmail.com
Thu May 15 15:09:39 CEST 2014


Hi Russell,

I changed the authorisation method on my device to EAP-TTLS, I could not
get PAP to work. Now Session-Timeout is received by NAS. No more code 11.
But for some reason MikroTik does not terminate the session after the
assigned time.

I made a post at
http://forum.mikrotik.com/viewtopic.php?f=2&t=84986&p=426217#p426217. I
will try to upgrade RouterOS to 6.12. Apart from this I don't know what else
to do.

Thank you for your kind help.

Jake He


On Wed, May 14, 2014 at 6:16 PM, Russell Mike <radius.sir at gmail.com> wrote:

> Hi,
>
> I am sure you are doing all that in LAB, why complex? Try with PAP at
> least to make sure stuff works. And then configure EAP later. Don't do
> anything to inner-tunnel.
>
> Thanks / Regards
>
>
>
> On Tue, May 13, 2014 at 11:39 PM, * <zhex900 at gmail.com> wrote:
>
>> Hi,
>>
>> I have set my reply item Session-Timeout := 600 for the user bob. I can
>> see the radius sending the Session-Timeout to NAS. But the radius gets a
>> "eap_peap : Got tunneled reply code 11." My NAS is receiving other
>> Access-Challenge requests but not this one.
>>
>> I tried to find out what code 11 is but I cannot find a simple answer.
>>
>> Do I need to configure my inner-tunnel?
>>
>> Jake He
>>
>>
>> Sending Access-Challenge of id 155 from 10.1.1.2 port 135 to 27.33.228.125 port 45095
>>  Session-Timeout := 600
>>  Idle-Timeout := 30
>>  EAP-Message = 0x010200061920
>>  Message-Authenticator = 0x00000000000000000000000000000000
>>  State = 0xb77514c3b6770d58e310744eea16afdc
>> (1) Finished request 1.
>>
>> (8)   [pap] = noop
>> (8)  } #  authorize = updated
>> (8) Found Auth-Type = EAP
>> (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
>> (8)   authenticate {
>> (8) eap : Expiring EAP session with state 0x7b061f337b0e0549
>> (8) eap : Finished EAP session with state 0x7b061f337b0e0549
>> (8) eap : Previous EAP request found for state 0x7b061f337b0e0549,
>> released from the list
>> (8) eap : Peer sent MSCHAPv2 (26)
>> (8) eap : EAP MSCHAPv2 (26)
>> (8) eap : Calling eap_mschapv2 to process EAP data
>> (8) eap_mschapv2 : # Executing group from file
>> /etc/freeradius/sites-enabled/inner-tunnel
>> (8) eap_mschapv2 :  Auth-Type MS-CHAP {
>> (8) mschap : Found Cleartext-Password, hashing to create LM-Password
>> (8) mschap : Found Cleartext-Password, hashing to create NT-Password
>> (8) mschap : Creating challenge hash with username: bob
>> (8) mschap : Client is using MS-CHAPv2 for bob, we need NT-Password
>> (8) mschap : adding MS-CHAPv2 MPPE keys
>> (8)   [mschap] = ok
>> (8)  } # Auth-Type MS-CHAP = ok
>> MSCHAP Success
>> (8) eap : New EAP session, adding 'State' attribute to reply
>> 0x7b061f337a0f0549
>> (8)   [eap] = handled
>> (8)  } #  authenticate = handled
>> } # server inner-tunnel
>> (8) eap_peap : Got tunneled reply code 11
>>  Session-Timeout := 600
>>  Idle-Timeout := 30
>>  EAP-Message =
>> 0x010900331a0308002e533d32374134353837324635433545353846434334433734383546333732324530414444373730393738
>>  Message-Authenticator = 0x00000000000000000000000000000000
>>  State = 0x7b061f337a0f0549d125cd93a8b94882
>> (8) eap_peap : Got tunneled reply RADIUS code 11
>> Session-Timeout := 600
>> Idle-Timeout := 30
>> EAP-Message =
>> 0x010900331a0308002e533d32374134353837324635433545353846434334433734383546333732324530414444373730393738
>>  Message-Authenticator = 0x00000000000000000000000000000000
>> State = 0x7b061f337a0f0549d125cd93a8b94882
>> (8) eap_peap : Got tunneled Access-Challenge
>> (8) eap : New EAP session, adding 'State' attribute to reply
>> 0xb77514c3bf7c0d58
>> (8)   [eap] = handled
>> (8)  } #  authenticate = handled
>>
>>
>>
>>
>>
>> On Tue, May 13, 2014 at 9:32 PM, Russell Mike <radius.sir at gmail.com> wrote:
>>
>>>
>>>
>>>
>>> On Tue, May 13, 2014 at 12:30 PM, * <zhex900 at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Thank you for your patience. I am very happy someone can help me. Now I
>>>> made some progress.
>>>>
>>>> I found out what the problem is now. In the query you provided I need to
>>>> put quotes around radacct. Like this:
>>>>  query = "SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) FROM `radacct` WHERE UserName='%{%k}' ORDER BY AcctStartTime LIMIT 1;"
>>>>
>>> Okay, good, there was an error in the username variable as well in your
>>> previous query ('%{%k}'). Anyways, happy it worked!!
>>>
>>>
>>>> Now, have one more problem.
>>>>
>>>> My NAS (Mikrotik) is not receiving the Session-Timeout. I cannot see it
>>>> in the NAS log. I can only see Acct-Session-Time. Therefore it is not
>>>> terminating the session. For testing I have set the time limit to 60
>>>> seconds.
>>>>
>>>> Freeradius is sending it:
>>>>
>>>> (2) dailycounter : Sent Reply-Item for user hello,
>>>> Type=Session-Timeout, value=60
>>>> (2)   [dailycounter] = ok
>>>>
>>>> Sending Access-Challenge of id 232 from 10.1.1.2 port 135 to
>>>> 27.33.228.125 port 47097
>>>> Session-Timeout = 60
>>>>  EAP-Message = 0x010200061920
>>>> Message-Authenticator = 0x00000000000000000000000000000000
>>>> State = 0x543a9074553889da6f504855ab4e7a4b
>>>> (2) Finished request 2.
>>>>
>>>> I did not put anything in the radreply for the user. When I did put
>>>> Session-Timeout=60 in radreply, I still cannot see it in the NAS log.
>>>>
>>>> Is it a problem with my NAS configuration?
>>>>
>>>> What should I do now?
>>>>
>>>
>>> The way FreeRADIUS works is that it does not disconnect users itself,
>>> but rather tells the NAS to disconnect the user. If I say that, how would
>>> FreeRADIUS tell the NAS to disconnect the user? Using a REPLY ITEM. So put
>>> "Session-Timeout" in Reply as well. You said even if you add
>>> "Session-Timeout" in reply it makes no difference; no problem, leave
>>> "Session-Timeout" in reply-item, it must be there. And you have more
>>> than one problem. 60 seconds is too little; a minimum test should be done
>>> with 600 seconds for better results.
>>>
>>> FreeRADIUS is now fine. Configure your NAS properly.
>>>
>>> NOTE: Check item is for FreeRADIUS. Reply item is for NAS.
>>>
>>> Thanks / Regards
>>>
>>> --RM
>>>
>>>
>>>
>>>> Jake He
>>>>
>>>>
>>>> On Tue, May 13, 2014 at 5:12 PM, Arran Cudbard-Bell <
>>>> a.cudbardb at freeradius.org> wrote:
>>>>
>>>>>
>>>>> On 13 May 2014, at 08:46, * <zhex900 at gmail.com> wrote:
>>>>>
>>>>> > You mean I need to upgrade to 3.0.3?
>>>>>
>>>>> yes.
>>>>>
>>>>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>>>>> FreeRADIUS Development Team
>>>>>
>>>>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>>>>>
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See
>>>>> http://www.freeradius.org/list/users.html
>
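Code 11 in the debug lines quoted above is the RADIUS packet type Access-Challenge (RFC 2865), which is what the following "Got tunneled Access-Challenge" line reports. The script below is an added example, not part of the thread or of FreeRADIUS: it reads FreeRADIUS debug output and lists which packets carried Session-Timeout, so you can check whether the attribute also reaches the final Access-Accept. The sample text, addresses and function names are constructed for illustration.

```python
import re

# RADIUS packet type codes (RFC 2865)
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
SENDING = re.compile(r"Sending (\S+) of id \d+")
TUNNELED = re.compile(r"Got tunneled reply (?:RADIUS )?code (\d+)")
ATTR = re.compile(r"^([A-Za-z][\w-]*)\s*:?=\s*(\S+)")

# Constructed sample in the style of FreeRADIUS debug output (not from the thread).
SAMPLE = """\
Sending Access-Challenge of id 155 from 192.0.2.1 port 1812 to 192.0.2.10 port 45095
    Session-Timeout := 600
    EAP-Message = 0x010200061920
(1) Finished request 1.
(8) eap_peap : Got tunneled reply code 11
    Session-Timeout := 600
    Idle-Timeout := 30
(8) eap_peap : Got tunneled Access-Challenge
Sending Access-Accept of id 163 from 192.0.2.1 port 1812 to 192.0.2.10 port 45095
    MS-MPPE-Recv-Key = 0x00
"""

def packets(debug_text):
    """Split debug output into outer replies and inner-tunnel replies."""
    found, cur = [], None
    for raw in debug_text.splitlines():
        line = raw.strip().strip("*").strip()  # drop mail-archive bold markers
        sent, inner = SENDING.search(line), TUNNELED.search(line)
        if sent or inner:
            kind = sent.group(1) if sent else RADIUS_CODES.get(
                int(inner.group(1)), "code-" + inner.group(1))
            cur = {"where": "outer" if sent else "tunnel", "type": kind, "attrs": {}}
            found.append(cur)
        elif cur is not None:
            attr = ATTR.match(line)
            if attr:
                cur["attrs"][attr.group(1)] = attr.group(2)
            else:
                cur = None  # first non-attribute line ends the attribute dump
    return found

def session_timeout_report(debug_text):
    """List (where, packet type, Session-Timeout or None) for every packet."""
    return [(p["where"], p["type"], p["attrs"].get("Session-Timeout"))
            for p in packets(debug_text)]

def accept_carries_timeout(debug_text):
    return any(p["where"] == "outer" and p["type"] == "Access-Accept"
               and "Session-Timeout" in p["attrs"] for p in packets(debug_text))
```

On the constructed sample, Session-Timeout shows up only in Access-Challenge packets and `accept_carries_timeout` returns `False`.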