Weird behaviour of sqlcounter / dailycounter

Robert Senger robert.senger at lists.microscopium.de
Wed May 31 16:43:45 UTC 2023


Hi Alan,

okay, I assumed that if I have enabled the inner-tunnel to copy
attributes to the outer reply (by setting "if (0)" to "if(1)" as
documented), the attribute will be available as it is sent to the nas.
That was a misunderstanding. Now, as I added the code to the inner-
tunnel file, it works.

However, I discovered that neither logintime nor dailycounter get
checked if a station uses EAP-TLS. So, I've enabled the check-eap-tls
module, activated it in mods-enabled/eap file, added "sql" (to get the
Login-Time and Max-Daily-Session attributes), added "logintime" and
"dailycounter" in the mods-enabled/check-eap-tls file, and as far as
I've tested this by now it seems to work. Is that a correct way to
enable logintime and dailycounter for EAP-TLS?

Thanks a lot for now for your help!

Robert


On Wednesday, 31.05.2023 at 09:29 -0400, Alan DeKok wrote:
> On May 31, 2023, at 1:43 AM, Robert Senger
> <robert.senger at lists.microscopium.de> wrote:
> > I did not set a time resolution of one second,
> 
>   Please read what I wrote.  This isn't difficult.
> 
>   The *RADIUS PROTOCOL* has a time resolution of one second.  I
> didn't ask if you set that.  I was explaining to you that this is a
> fundamental limitation of how RADIUS works.
> 
> > this is done by the
> > sqlcounter module with its default settings. I was looking for a
> > configuration option like "Min-Session-Timeout" or something like
> > that,
> > but there is none.
> 
>   Exactly.  I gave you an example to set a minimum session timeout.
> 
> > > post-auth {
> > >        if (&reply:Session-Timeout < 30) {
> > >                reject
> > >        }
> > >        ...
> > > }
> > 
> > This looks good, just tried that (in the sites-available/default
> > file),
> > but won't work:
> > 
> > (342)   post-auth {
> > (342)     if (&reply:Session-Timeout < 30) {
> > (342)     ERROR: Failed retrieving values required to evaluate
> > condition
> > 
> > ? :)
> 
>   Read the debug output and think about it.
> 
>   The other debug output you posted shows it setting the Session-
> Timeout in the "inner-tunnel" virtual server.  Which means it's not
> being set in the "default" virtual server.
> 
>   You can put the example config I posted in the inner-tunnel virtual
> server, instead of "default".  I only suggested to put it in
> "default", because that's normally where it goes.
> 
>   But if you're running the counter module in the "inner-tunnel"
> virtual server, then the check for &reply:Session-Timeout needs to go
> there, too.
> 
>   Alan DeKok.
> 

-- 
Robert Senger



