Session-Timeout Problem
Selahattin Cilek
selahattin_cilek at hotmail.com
Thu Feb 2 15:26:33 CET 2017
I do not want to turn this into a clash of egos, I just want to understand the problem and solve it.
This is what I want to achieve:
I want to keep user data and statistics in a MySQL database. I want to enforce quota based on the data received by FreeRADIUS 2.2.8 from any NAS.
This is my plan:
The NAS regularly informs FreeRADIUS how much a user has been using the network. FreeRADIUS keeps the data in a MySQL database and regularly checks if the user has reached his quota. When a user reaches his quota, it tells the NAS not to let him use the network. In order to be able to grant or deny access to a user, the NAS is supposed to ask FreeRADIUS at regular intervals what to with the authentication request. The only way the NAS can know about these intervals is through the "Session-Timeout" attribute. At the end of each session, the NAS sends FreeRADIUS a packet that contains data about how much bandwidth the user has consumed. FreeRADIUS commits the to a local MySQL schema, which I have programmed to update some other custom tables through triggers.
This is my problem:
The NAS receives and recognises the "Session-Timeout" attribute. It authenticates the user and starts counting data. A row is inserted into the "radacct" table. At the end of the first session, the row is updated with the fields:
acctsessiontime -> 600 (the same as the Session-Timeout attribute)
acctinputoctets -> whatever the user has uploaded
acctaoutputoctets -> whatever the user has downloaded
acctterminatecause -> Session-Timeout
Then the user is authenticated a second time, and therefore a second row is inserted into the radacct table, with an incremented session ID, of course. But strangely, this session never expires and is never updated through Acct-Interim-Updates attribute. The second session lasts forever; that is, until the user turns off WiFi or shuts down his machine. I believe this explains what happens between the NAS and FreeRADIUS:
SELECT * FROM radacct;
radacctid acctsessionid acctuniqueid username groupname realm nasipaddress nasportid nasporttype acctstarttime acctstoptime acctsessiontime acctauthentic connectinfo_start connectinfo_stop acctinputoctets acctoutputoctets calledstationid callingstationid acctterminatecause servicetype framedprotocol framedipaddress acctstartdelay acctstopdelay xascendsessionsvrkey
1 5892F172-00000000 06aefeead5872f8f scilek 192.168.2.3 0 Wireless-802.11 "2017-02-02 11:45:09" "2017-02-02 11:55:09" 600 RADIUS "CONNECT 0Mbps 802.11b" "CONNECT 0Mbps 802.11b" 34296191 34667792 80-2A-A8-AD-1E-F9:SCILEK.NET 00-22-FA-F5-B9-0A Session-Timeout 0 0
2 5892F172-00000001 19d67f917a5dbc29 scilek 192.168.2.3 0 Wireless-802.11 "2017-02-02 11:55:09" "2017-02-02 12:25:13" 1804 RADIUS "CONNECT 0Mbps 802.11b" "CONNECT 0Mbps 802.11b" 89525790 86476588 80-2A-A8-AD-1E-F9:SCILEK.NET 00-22-FA-F5-B9-0A User-Request 0 0
Here are my questions:
Why does the NAS terminate the first session as it is supposed to but not the second one? Who is supposed to inform who when the session is over? Is the NAS supposed to keep track of this and inform FreeRADIUS, or the other way around? Doesn't the idea of FreeRADIUS keeping track of session time and telling the NAS to terminate the user's session go against the design philosophy of RADIUS? Isn't RADIUS only supposed to inform and not enforce? Who is to blame if the session is not terminated when it should? Is there anything I can do with the FreeRADIUS configuration to make that NAS terminate the second session and start the third and so on? Is this a FreeRADIUS configuration issue or is there a bug in the AP firmware?
Thank you all.
________________________________
[Avast logo] <https://www.avast.com/antivirus>
This email has been checked for viruses by Avast antivirus software.
www.avast.com<https://www.avast.com/antivirus>
More information about the Freeradius-Users
mailing list