On 10/29/2011 02:14 PM, SimonM123 wrote:
>
> With this query, I end up with a negative session timeout after several
> logins:
>
> AcctSQLStatement update SUBSCRIBERS set SESSIONTIMEOUT =
> SESSIONTIMEOUT - 0%{Acct-Session-Time} where USERNAME='%n'

Checking your AuthSelect, that will happen. Try this instead:

    AuthSelect select PASSWORD, MAXDAILYSESSION, SESSIONTIMEOUT from SUBSCRIBERS where USERNAME=%0 AND SESSIONTIMEOUT > 0

Since these are just normal SQL queries, you need a check like that to
keep you from allowing authentications with no time left.

> Surely this needs to be more like:
>
> AcctSQLStatement update SUBSCRIBERS set SESSIONTIMEOUT =
> 0%{AcctTotalSinceQuery} - 0%{Acct-Session-Time} where USERNAME='%n'
>
> But that doesn't work for both daily and all time counters.

Check ref.pdf section "5.2 Special characters" for more about % escapes.
%{AcctTotalSinceQuery} tries to look up an attribute with this name from
the incoming request. It does not run any SQL query.

So in summary, I would do something like this:
- list what kind of information needs to be kept in the database
- see if the existing queries can look up and update the info
- maybe use hooks, stored procedures or cron for the rest that the
  existing queries cannot do

Thanks!
Heikki

> S
>
> Heikki Vatiainen-4 wrote:
>>
>> On 10/28/2011 08:44 PM, SimonM123 wrote:
>>
>>> Thanks. The problem is now my session timeout col. Do I need this and
>>> what
>>> should the value be before first session? The first time a user logs in,
>>> the
>>> session timeout value is null? Do I need more logic in here ??
>>
>> Since SESSIONTIMEOUT column value is returned as Session-Timeout reply
>> attribute, it would need to be initialised to seconds user is allowed to
>> stay logged in initially. Once the user is logged in, each accounting
>> request would then reset the time to (time left when this session
>> started - time currently logged in).
>>
>> See http://tools.ietf.org/html/rfc2865#section-5.27 for more about
>> Session-Timeout
>>
>> Thanks!
>> Heikki
>>
>>> Heikki Vatiainen-4 wrote:
>>>>
>>>> On 10/27/2011 12:10 PM, SimonM123 wrote:
>>>>
>>>>> If I've posted this twice, I'm sorry - couldn't find the email I sent
>>>>> yesterday.
>>>>
>>>> Probably did not reach the list. I did not see it either.
>>>>
>>>>> We're using the Max-All and Max-Daily session in a customised sql.cfg.
>>>>>
>>>>>
>>>>> AuthColumnDef 0,User-Password, check
>>>>> AuthColumnDef 1,Max-Daily-Session,check
>>>>> AuthColumnDef 2,Session-Timeout,reply
>>>>>
>>>>>
>>>>> AuthSelect select PASSWORD, MAXDAILYSESSION, SESSIONTIMEOUT
>>>>> from
>>>>> SUBSCRIBERS where USERNAME=%0
>>>>>
>>>>>
>>>>> AcctTotalQuery SELECT SUM(AcctSessionTime) FROM ACCOUNTING
>>>>> WHERE
>>>>> UserName=%0B
>>>>
>>>> The above should run when Max-All-Session is a check item.
>>>>
>>>>> AcctTotalSinceQuery SELECT SUM(AcctSessionTime - GREATEST((%1 -
>>>>> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM ACCOUNTING WHERE UserName=%0
>>>>> AND
>>>>> UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > %1
>>>>
>>>> This should run with Max-Daily-Session. So it should run for your
>>>> Max-Daily-Session check item. When you run Radiator with Trace 4 you
>>>> should see this query in Radiator log when it runs.
>>>>
>>>>> AcctSQLStatement update SUBSCRIBERS set SESSIONTIMEOUT =
>>>>> SESSIONTIMEOUT - 0%{AcctTotalSinceQuery} where USERNAME='%n'
>>>>>
>>>>> The last one I thought might decrease the session timeout on successful
>>>>> auth
>>>>> but it's not working.
>>>>
>>>> Try 0%{Acct-Session-Time} instead of 0%{AcctTotalSinceQuery}. This will
>>>> try to minus the value of Acct-Session-Time attribute for every received
>>>> accounting message. Also, it runs when accounting message is received,
>>>> not during auth(entication).
>>>>
>>>> You should see this in Trace 4 log too.
>>>>
>>>>> What's the best way to do this?
>>>>
>>>> Does the above help?
>>>>
>>>> Heikki
>>>>
>>>>
>>>> --
>>>> Heikki Vatiainen <[email protected]>
>>>>
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>>>> NetWare etc.
>>>> _______________________________________________
>>>> radiator mailing list
>>>> [email protected]
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>
>>>>
>>>
>>
>>
>
--
Heikki Vatiainen <[email protected]>
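
Added example, not part of the original message or of Radiator: a Python/sqlite3 simulation of the accounting decrement from this thread, run once with the original AuthSelect and once with the `SESSIONTIMEOUT > 0` guard. The subscriber row, the session lengths and the `simulate` helper are constructed for illustration; SQLite stands in for the real database and `?` placeholders stand in for Radiator's %0 / %n substitution.

```python
import sqlite3

# Constructed data: one subscriber row; table and column names follow the thread.
# SQLite stands in for the real database, "?" for Radiator's %0 / %n substitution.
AUTH_ORIGINAL = ("SELECT PASSWORD, MAXDAILYSESSION, SESSIONTIMEOUT "
                 "FROM SUBSCRIBERS WHERE USERNAME=?")
AUTH_GUARDED = AUTH_ORIGINAL + " AND SESSIONTIMEOUT > 0"
ACCT_UPDATE = ("UPDATE SUBSCRIBERS SET SESSIONTIMEOUT = SESSIONTIMEOUT - ? "
               "WHERE USERNAME=?")
REJECT = "reject"  # AuthSelect returned no row


def simulate(auth_select, session_lengths, initial_timeout=600, user="simon"):
    """Run login/accounting cycles; return (reply per login, final column value)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SUBSCRIBERS (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT,"
               " MAXDAILYSESSION INTEGER, SESSIONTIMEOUT INTEGER)")
    db.execute("INSERT INTO SUBSCRIBERS VALUES (?, 'constructed-pw', 3600, ?)",
               (user, initial_timeout))
    replies = []
    for acct_session_time in session_lengths:
        row = db.execute(auth_select, (user,)).fetchone()
        if row is None:
            replies.append(REJECT)      # no time left (or NULL): no session, no accounting
            continue
        replies.append(row[2])          # value sent back as Session-Timeout
        db.execute(ACCT_UPDATE, (acct_session_time, user))
    final = db.execute("SELECT SESSIONTIMEOUT FROM SUBSCRIBERS WHERE USERNAME=?",
                       (user,)).fetchone()[0]
    db.close()
    return replies, final


if __name__ == "__main__":
    sessions = [400, 400, 400]  # constructed Acct-Session-Time values, one per login
    print("original:", simulate(AUTH_ORIGINAL, sessions))
    print("guarded: ", simulate(AUTH_GUARDED, sessions))
    print("NULL col:", simulate(AUTH_GUARDED, [400], initial_timeout=None))
```

With the guard, the third login is rejected, but the column still ends below zero because the accounting update itself is not clamped; a NULL (uninitialised) SESSIONTIMEOUT is also rejected by the guarded query.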