How to get FR user check items override group check items
Abraham Jacob
abrahamj at gmail.com
Mon Nov 18 11:02:20 UTC 2024
On Mon, Nov 18, 2024 at 12:15 AM Alan DeKok <aland at deployingradius.com> wrote:
>
> On Nov 17, 2024, at 9:57 AM, Abraham Jacob <abrahamj at gmail.com> wrote:
> >> Why are you matching it as a check item? You're trying to send it as a reply.
> >
> > Sorry, I forgot to mention that I am using the sqlcounter module with
> > the following configuration.
>
> That has nothing to do with the sql module.
Ok
> You're putting attributes into the radgroupcheck table, and are expecting the server to add them to the reply. Use the radgroupreply table instead.
>
> Once you do that, the "=" operator will work as I said.
Yes, when I put Session-Timeout in the reply tables it is working, except
for limiting the user using sqlcounter dailycounter. Suppose the user
disconnects after consuming a 600-second session and connects
again: FR replies with Session-Timeout 3600. This is expected, as there
is no module to compute this.
Following is the dailycounter config:

sqlcounter dailycounter {
    sql_module_instance = sql
    dialect = mysql
    counter_name = Daily-Session-Time
    check_name = Session-Timeout
    reply_name = Session-Timeout
    key = User-Name
    reset = daily
    $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}

mods-config/sql/counter/mysql/dailycounter.conf:

query = "\
    SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
    FROM radacct \
    WHERE username = '%{${key}}' \
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'"

Following are the SQL contents:
Table radcheck:
+----+----------+----------------+----+------------------------------------+
| id | username | attribute      | op | value                              |
+----+----------+----------------+----+------------------------------------+
| 19 | vpn-user | Crypt-Password | := | $1$bd1rxwue$ab3wiY34Cjfk5QM13/vNy0 |
+----+----------+----------------+----+------------------------------------+
Table radreply - No attributes
Table radusergroup:
+----------+------------+----------+
| username | groupname  | priority |
+----------+------------+----------+
| vpn-user | VPN-60-Min |        1 |
+----------+------------+----------+
Table radgroupcheck - No attributes
Table radgroupreply
+----+------------+-----------------+----+-------+
| id | groupname  | attribute       | op | value |
+----+------------+-----------------+----+-------+
| 12 | VPN-60-Min | Session-Timeout | =  | 3600  |
+----+------------+-----------------+----+-------+
FR debug output for dailycounter
(7) [sql] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) dailycounter: WARNING: Couldn't find check attribute, control:Session-Timeout, doing nothing...
(7) [dailycounter] = noop
(7) [pap] = updated
(7) } # authorize = updated
As per my understanding, when the Session-Time attribute was put in the check
tables, it was the dailycounter that computed the remaining session time
by deducting any used session from the radacct table and populating
the Session-Timeout reply attribute.
I hope my understanding of how the FR dailycounter module works is right:
for this to work, the attribute has to be in one of the check tables,
and when it is, FR works like a charm. Except that I am not
able to find a method to override Session-Timeout in radgroupcheck for
specific users by putting the attribute in the radcheck table.
Thanks,
Abraham
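
Added example (not part of the original message and not FreeRADIUS code): a simplified Python model of the counter behaviour discussed in this thread, running the post's dailycounter query against constructed radacct rows to show the "noop" case from the debug output next to the case where a control:Session-Timeout is present. Assumptions: the query is ported to SQLite (GREATEST becomes MAX, acctstarttime is stored as epoch seconds), and the function names and return labels are hypothetical.

```python
import sqlite3

PERIOD_START = 1_000_000  # constructed stand-in for %%b (start of the daily period)

# The post's query ported to SQLite (assumption): GREATEST -> MAX, and
# acctstarttime holds epoch seconds, so UNIX_TIMESTAMP() is not needed.
QUERY = """
SELECT SUM(acctsessiontime - MAX(:b - acctstarttime, 0))
FROM radacct
WHERE username = :user AND acctstarttime + acctsessiontime > :b
"""

def make_db():
    """In-memory radacct holding constructed sessions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime INTEGER, acctsessiontime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", [
        ("vpn-user", PERIOD_START + 100, 600),   # inside the period: counts 600
        ("vpn-user", PERIOD_START - 100, 300),   # straddles the reset: counts 200
        ("vpn-user", PERIOD_START - 9000, 500),  # ended before the reset: ignored
        ("other-user", PERIOD_START + 50, 100),  # different key: ignored
    ])
    return db

def used_seconds(db, user, period_start=PERIOD_START):
    row = db.execute(QUERY, {"b": period_start, "user": user}).fetchone()
    return row[0] or 0  # SUM() is NULL when no session overlaps the period

def authorize(db, user, control, reply):
    """Simplified model of the counter decision; not FreeRADIUS source code."""
    limit = control.get("Session-Timeout")       # check_name
    if limit is None:
        return "noop"                            # the WARNING in the debug output
    remaining = limit - used_seconds(db, user)
    if remaining <= 0:
        return "reject"                          # allowance for the period is spent
    # reply_name: never hand out more than what is left
    reply["Session-Timeout"] = min(reply.get("Session-Timeout", remaining), remaining)
    return "limited"

if __name__ == "__main__":
    db = make_db()
    reply = {"Session-Timeout": 3600}            # value from radgroupreply
    print(authorize(db, "vpn-user", {}, reply), reply)
    print(authorize(db, "vpn-user", {"Session-Timeout": 3600}, reply), reply)
```

With the limit only in the reply list, the model leaves Session-Timeout at 3600 on every login; with the limit also in the control list, the 800 seconds already used are deducted.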