Unexpected Disconnect Message to NAS
Vladimir Cvetic
vcvetic.vc at gmail.com
Mon Feb 18 14:52:45 CET 2019
Thanks, dynamic expansion did the trick!!!
But unfortunately the NAS doesn't disconnect the user. How do I force
freeradius to send accounting packets to the NAS?
On Mon, Feb 18, 2019 at 1:53 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Feb 18, 2019, at 7:31 AM, Vladimir Cvetic <vcvetic.vc at gmail.com> wrote:
> > I have the following setup:
> > An OpenWRT AccessPoint with EAP configured authenticating against
> > freeradius with a mariadb backend. Accounting on freeradius is enabled to
> > cover two use cases:
> >
> > 1. restrict daily session time for users (working):
> > freeradius sends disconnect messages to my NAS (based on OpenWRT) by
> > checking the max-daily-session attribute.
> >
> > 2. restrict login time for users (not working)
> > users are only allowed to log in at certain times.
>
> OK.
>
> > In the accounting section I have the following sql check in order to send
> > disconnect messages to the NAS:
> >
> > if ( "%{sql: SELECT IFNULL (SUM(AcctSessionTime),0) FROM radacct where
> > UserName='%{User-Name}'}" > "%{sql: SELECT value from radcheck where
> > username='%{User-Name}' and attribute='Max-Daily-Session'}" ) {
> >     update disconnect {
> >         &Acct-Session-Id = "%{Acct-Session-Id}"
> >         &User-Name = "%{User-Name}"
> >         &Calling-Station-Id = "%{Calling-Station-Id}"
> >     }
> > }
>
> That should work, mostly.
>
> > The user I'm trying to login doesn't have the attribute Max-Daily-Session
> > in the radcheck table:
>
> > Expected behaviour:
> > user can log in according to the login-time attribute without having
> > max-daily-session attribute defined. the if statement should return false.
> >
> > Actual behaviour:
> > the if statement always evaluates to 'True' and kicks the user out. Even
> > with an empty radacct table the statement evaluates to 'True'.
>
> Reading the debug output helps here. The left side of the "if"
> statement evaluates to "0". The right side evaluates to "". Since they're
> both empty, they're both zero, and they're equal.
>
> The dynamic expansion syntax allows for "if this is empty, expand
> something else". See "man unlang". You can do
>
> "%{%{sql:SELECT ...}:-86400}"
>
> To select the Max-Daily-Session, and if it doesn't exist, set the
> Max-Daily-Session to 86400 seconds.
>
> > I have two questions:
> >
> > 1. How can I avoid defining Max-Daily-Session and login-time attributes for
> > the second use case (restrict login time for users)?
> > 2. how to disconnect user based on defined login-time?
>
> The NAS disconnects the user when Session-Timeout is reached. That's
> supposed to be handled automatically for Max-Daily-Session. But the server
> has to be receiving accounting packets.
>
> Alan DeKok.
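
Added example, not part of the original thread: the accounting check from the quoted message rewritten with the `:-` fallback described in the reply, so a user with no Max-Daily-Session row gets the 86400-second default instead of an empty right-hand side. It assumes FreeRADIUS 3.x unlang and uses the server's Tmp-Integer-0 and Tmp-Integer-1 scratch attributes (an assumption, not something the thread uses) to hold both values as integers before comparing.

```unlang
# Added example (FreeRADIUS 3.x unlang assumed). Place inside "accounting { ... }".
# Tmp-Integer-0 / Tmp-Integer-1 are the server's scratch integer attributes;
# using them is an assumption, the thread compares the two expansions directly.
update control {
    # Seconds already used. IFNULL() makes an empty radacct expand to "0".
    &Tmp-Integer-0 := "%{sql:SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{User-Name}'}"

    # Per-user limit. If radcheck has no Max-Daily-Session row the inner
    # expansion is empty, so the ":-" alternation supplies 86400 seconds.
    &Tmp-Integer-1 := "%{%{sql:SELECT value FROM radcheck WHERE username='%{User-Name}' AND attribute='Max-Daily-Session'}:-86400}"
}

# Both sides are integer attributes, so the comparison is numeric.
if (&control:Tmp-Integer-0 > &control:Tmp-Integer-1) {
    update disconnect {
        &Acct-Session-Id = "%{Acct-Session-Id}"
        &User-Name = "%{User-Name}"
        &Calling-Station-Id = "%{Calling-Station-Id}"
    }
}
```

As in the thread's query, the usage sum covers every radacct row for the user; it has no date filter.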