How to get FR user check items override group check items
Abraham Jacob
abrahamj at gmail.com
Fri Nov 15 15:49:48 UTC 2024
I have been using FreeRADIUS 1.1 (yeah very old) on an old Debian
server over the years without any issues. Thank you for the wonderful
software!
Now, as part of the server upgrade, I tried installing version 3.2.1
in Debian 12 and I was able to configure it except for one issue. In
v1.1 user attributes get priority over group items. I am using the
same SQL tables from v1.1. There I am setting Session-Timeout to 3600
in the radgroupcheck table. For some select users I set
Session-Timeout differently, say 7200.
In v1.1, I am seeing Session-Timeout = 7200 for Access-Accept while in
v3.2.1 it is 3600.
I checked the server in debug mode and found the following:
<snip>
....
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Session-Timeout := 7200
(0) sql: Crypt-Password := "$1$bd1rxwue$ab3wiY34Cjfk5QM13/vNy0"
....
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VPN-60-Min' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VPN-60-Min' ORDER BY id
(0) sql: Group "VPN-60-Min": Conditional check items matched
(0) sql: Group "VPN-60-Min": Merging assignment check items
(0) sql: Session-Timeout := 3600
....
(0) dailycounter: Allowing user, &control:Session-Timeout value (3600) is greater than counter value (0)
(0) dailycounter: Setting &reply:Session-Timeout value to 3600
....
Sent Access-Accept Id 55 from 192.168.3.180:1812 to 192.168.3.180:39999 length 32
(0) Idle-Timeout = 600
(0) Session-Timeout = 3600
(0) Finished request
</snip>
So I think this is the expected behaviour in the new version.
Following are the sql contents.
Table radgroupreply:
+----+------------+--------------+----+-------+
| id | groupname  | attribute    | op | value |
+----+------------+--------------+----+-------+
|  9 | VPN-60-Min | Idle-Timeout | := | 600   |
+----+------------+--------------+----+-------+
Table radgroupcheck:
+----+------------+-----------------+----+-------+
| id | groupname  | attribute       | op | value |
+----+------------+-----------------+----+-------+
|  2 | VPN-60-Min | Session-Timeout | := | 3600  |
+----+------------+-----------------+----+-------+
Table: radcheck:
+----+----------+-----------------+----+------------------------------------+
| id | username | attribute       | op | value                              |
+----+----------+-----------------+----+------------------------------------+
| 18 | vpn-user | Session-Timeout | := | 7200                               |
| 19 | vpn-user | Crypt-Password  | := | $1$bd1rxwue$ab3wiY34Cjfk5QM13/vNy0 |
+----+----------+-----------------+----+------------------------------------+
Now my question: Are there any configuration options available to get
the old v1.1 behaviour? This way I don't have to set Session-Timeout
for all my users, just a select few who need to be different from
default.
Thanks
Abraham
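An added example, not part of the original post: a small Python script that traces every step touching one attribute in debug output like the log above, so the point where the user's value is replaced is visible at a glance. The sample lines are copied from the post (wrapped lines rejoined); the regexes and the `trace` helper are assumptions fitted to those lines only, not a FreeRADIUS tool.

```python
import re

# Lines copied from the debug output in the post above (wrapped lines rejoined).
SAMPLE = '''\
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Session-Timeout := 7200
(0) sql: User found in the group table
(0) sql: Group "VPN-60-Min": Conditional check items matched
(0) sql: Group "VPN-60-Min": Merging assignment check items
(0) sql: Session-Timeout := 3600
(0) dailycounter: Setting &reply:Session-Timeout value to 3600
(0) Session-Timeout = 3600
'''

# Assumed line shapes, fitted to the post's log: "(N) module: message" or "(N) Attr = value".
LINE = re.compile(r'^\(\d+\)\s+(?:(\w+):\s+)?(.*)$')
GROUP = re.compile(r'^Group "([^"]+)": Merging assignment check items')
ASSIGN = re.compile(r'^([\w-]+) (:=|\+=|=) (.+)$')
SETTING = re.compile(r'^Setting (&\w+:[\w-]+) value to (.+)$')

def trace(log, attr):
    """Return the ordered (source, operator, value) steps that touch `attr`."""
    steps, source = [], None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        module, msg = m.group(1), m.group(2).strip()
        if module is None:
            # No module prefix: an attribute printed as part of the sent packet.
            a = ASSIGN.match(msg)
            if a and a.group(1) == attr:
                steps.append(("reply packet", a.group(2), a.group(3)))
        elif "User found in radcheck table" in msg:
            source = f"{module}: user check items"
        elif g := GROUP.match(msg):
            source = f'{module}: group "{g.group(1)}" check items'
        elif (a := ASSIGN.match(msg)) and a.group(1) == attr:
            steps.append((source, a.group(2), a.group(3)))
        elif (s := SETTING.match(msg)) and s.group(1).endswith(":" + attr):
            steps.append((f"{module}: {s.group(1)}", "set", s.group(2)))
    return steps

if __name__ == "__main__":
    for source, op, value in trace(SAMPLE, "Session-Timeout"):
        print(f"{source:45} {op:3} {value}")
```
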