Unexpected Disconnect Message to NAS

Alan DeKok aland at deployingradius.com
Mon Feb 18 13:52:56 CET 2019

On Feb 18, 2019, at 7:31 AM, Vladimir Cvetic <vcvetic.vc at gmail.com> wrote:
> I have the following setup:
> An OpenWRT AccessPoint with EAP configured authenticating against
> freeradius with a mariadb backend. Accounting on freeradius is enabled to
> cover two use cases:
> 1. restrict daily session time for users (working):
> freeradius sends disconnect messages to my NAS (based on OpenWRT) by
> checking the max-daily-session attribute.
> 2. restrict login time for users (not working):
> users are only allowed to login at certain times.
> In the accounting section I have the following sql check in order to send
> disconnect messages to the NAS:
> if ( "%{sql: SELECT IFNULL (SUM(AcctSessionTime),0) FROM radacct where
> UserName='%{User-Name}'}" > "%{sql: SELECT value from radcheck where
> username='%{User-Name}' and attribute='Max-Daily-Session'}" ) {
>     update disconnect {
>         &Acct-Session-Id = "%{Acct-Session-Id}"
>         &User-Name = "%{User-Name}"
>         &Calling-Station-Id = "%{Calling-Station-Id}"
>     }
> }

  That should work, mostly. 

> The user I'm trying to login doesn't have the attribute Max-Daily-Session
> in the radcheck table:

> Expected behaviour:
> user can login according to the login-time attribute without having the
> max-daily-session attribute defined. The if statement should return false.
> Actual behaviour:
> the if statement always evaluates to 'True' and kicks the user out. Even
> with an empty radacct table the statement evaluates to 'True'.

  Reading the debug output helps here.  The left side of the "if" statement evaluates to "0".  The right side evaluates to "".  Since they're both empty, they're both zero, and they're equal.

  The dynamic expansion syntax allows for "if this is empty, expand something else".  See "man unlang".  You can do

	"%{%{sql:SELECT ...}:-86400}"

  To select the Max-Daily-Session, and if it doesn't exist, set the Max-Daily-Session to 86400 seconds.

> I have two questions:
> 1. How can I avoid defining Max-Daily-Session and login-time attributes for
> the second use case (restrict login time for users)?
> 2. How to disconnect a user based on the defined login-time?

  The NAS disconnects the user when Session-Timeout is reached.  That's supposed to be handled automatically for Max-Daily-Session.  But the server has to be receiving accounting packets.

  Alan DeKok.
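Applying the default-value expansion from the reply to the quoted accounting block, as an added example that is not from the original thread. It assumes FreeRADIUS 3.x unlang, an `sql` module instance named `sql`, and the poster's `radacct`/`radcheck` schema; `Tmp-Integer-0` and `Tmp-Integer-1` are the stock internal attributes, used here only to hold the two values so that the comparison is numeric rather than string-vs-empty-string.

```unlang
# Accounting section, after the accounting update has been written to radacct.
# Assumes FreeRADIUS 3.x, the "sql" module instance named "sql", and the
# radacct/radcheck tables from the original post.
update request {
	# Seconds used by this user so far. IFNULL makes an empty radacct read as 0,
	# and the outer ":-0" default also covers a failed or empty query.
	&Tmp-Integer-0 := "%{%{sql: SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{User-Name}'}:-0}"

	# Per-user limit from radcheck. When no Max-Daily-Session row exists the
	# inner expansion is empty, so the ":-86400" default (24 hours) is used
	# instead of "", and the comparison below is never "0 > ''".
	&Tmp-Integer-1 := "%{%{sql: SELECT value FROM radcheck WHERE username='%{User-Name}' AND attribute='Max-Daily-Session'}:-86400}"
}

# Only a user who has actually exceeded the limit gets a Disconnect-Request.
if (&Tmp-Integer-0 > &Tmp-Integer-1) {
	update disconnect {
		&Acct-Session-Id = "%{Acct-Session-Id}"
		&User-Name = "%{User-Name}"
		&Calling-Station-Id = "%{Calling-Station-Id}"
	}
}
```

With `radiusd -X`, the two `update request` lines show the expanded values, so a user without a `Max-Daily-Session` row can be seen comparing against 86400 instead of an empty string.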
