(RADIATOR) how do you guys handle your users' left time, using Radiator?

Hugh Irvine hugh at open.com.au
Thu Oct 25 19:15:16 CDT 2001


Hello Masoud -

It looks like you are doing most things correctly in your Radiator 
configuration, but I suspect you may have a problem because you are not 
sending the additional attributes required by the Cisco.

You will need to add at least what is shown below:

<AuthBy SQL>
         DBSource                dbi:ODBC:NTTacDB
         DBUsername      sa
         DBAuth          xxxxx
         Identifier      SQL1
         AuthSelect         select passwd,timeleft from users where id='%n'
         AuthColumnDef   0, User-Password, check
         AuthColumnDef   1, Session-Timeout, reply       
         AcctSQLStatement update users set \
                  timeleft=timeleft-0%{Acct-Session-Time} \
                  where id = '%n'
         AddToReply Service-Type = Framed-User,
                  Framed-Protocol = PPP
         NoDefault
</AuthBy>

There may be additional reply attributes required depending on what else you 
are doing on the Cisco.

BTW - you should watch what is going on on the Cisco by looking at the Cisco 
"debug" information.


regards

Hugh



On Friday 26 October 2001 00:15, Masuod - wrote:
> Dear anybody,
> In order to be able to automatically end the remote users' sessions
> on our Cisco NAS, we need to enable session-timeout attr on the
> Radiator, and Cisco. I've read lots and lots of your mails, and Cisco
> documents, which have helped me a lot, but still no good!
> Has anyone solved this issue? I'd really appreciate your help.
> The following are the configurations I've done on my cisco and radiator.
> I know that the Radiator sends the attribute correctly (according to
> the log included below), but somehow Cisco discards this information.
>
> If this is not possible, how do you guys handle your users' left
> time, using Radiator? (disconnecting it when the time is over!)
>
>
> MANY MANY THANKS ALREADY!
>
>
>
>
>
> Thu Oct 25 16:46:31 2001: DEBUG: Packet dump:
> *** Received from x.x.x.x port 1645 ....
> Code:       Access-Request
> Identifier: 43
> Authentic:  <227><226><225>@z<218>[<137><15><29>i<6>z<0><136><175>
> Attributes:
> 	NAS-IP-Address = x.x.x.x
> 	NAS-Port = 47
> 	NAS-Port-Type = Async
> 	User-Name = "14w560"
> 	User-Password = "|<219><243><164>f<135><17><14>4#V<23><244>1<242>+"
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP
>
> Thu Oct 25 16:46:31 2001: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Oct 25 16:46:31 2001: DEBUG:  Deleting session for 14w560,
> 217.219.1.12, 47
> Thu Oct 25 16:46:31 2001: DEBUG: Handling with Radius::AuthSQL
> Thu Oct 25 16:46:31 2001: DEBUG: Handling with Radius::AuthSQL:
> IrangateSQL
> Thu Oct 25 16:46:31 2001: DEBUG: Query is: select passwd,timeleft
> from users where tac_id='14w560'
>
> Thu Oct 25 16:46:31 2001: DEBUG: Radius::AuthSQL looks for match with
> 14w560
> Thu Oct 25 16:46:31 2001: DEBUG: Radius::AuthSQL ACCEPT:
> Thu Oct 25 16:46:31 2001: DEBUG: Access accepted for 14w560
> Thu Oct 25 16:46:31 2001: DEBUG: Packet dump:
> *** Sending to 217.219.1.12 port 1645 ....
> Code:       Access-Accept
> Identifier: 43
> Authentic:  <227><226><225>@z<218>[<137><15><29>i<6>z<0><136><175>
> Attributes:
> 	Session-Timeout = 733
>
>
>
>
>
> ----------------Radiator configuration follows:
>
> Foreground
> LogStdout
> LogDir		.
> DbDir		.
> Trace 4
>
> <Client DEFAULT>
> 	Secret	mysecret
> 	DupInterval 0
> </Client>
>
> <Client x.x.x.x>
> 	Secret	xxxx
> 	DupInterval 0
> </Client>
>
> <AuthBy SQL>
> 	DBSource		dbi:ODBC:NTTacDB
> 	DBUsername	sa
> 	DBAuth		xxxxx
> 	Identifier	SQL1
> 	AuthSelect         select passwd,timeleft from users where id='%n'
> 	AuthColumnDef 	0, User-Password, check
> 	AuthColumnDef 	1, Session-Timeout, reply
> 	NoDefault
> </AuthBy>
>
>
> <Realm DEFAULT>
> 	AuthBy	SQL1
> </Realm>
>
>
> ------ NAS configuration follows:
>
> Current configuration : 4587 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Access_Srv3
> !
> aaa new-model
>
> aaa authentication ppp default group radius
> aaa accounting network default start-stop group radius
> enable secret 5 xxxxxxx
> enable password password
> !
> ip subnet-zero
>
> ip name-server 198.81.209.2
> ip name-server 195.146.32.1
> !
> !
> !
> !
> interface Ethernet0/0
>  ip address x.x.x.x 255.255.255.0 secondary
>
>  ip address x.x.x.x 255.255.255.0
>
> !
> interface Group-Async1
>  ip unnumbered Ethernet0/0
>  ip access-group 190 in
>  ip wccp web-cache redirect out
>  encapsulation ppp
>  async mode interactive
>  peer default ip address pool (213)
>  ppp authentication pap
>  group-range 33 48
> !
> ip local pool (213) x.x.x.x x.x.x.x
> ip local pool (217) x.x.x.x x.x.x.x
> ip classless
> ip route 0.0.0.0 0.0.0.0 x.x.x.x
> no ip http server
> !
> tacacs-server host x.x.x.1
> tacacs-server host x.x.x.2
> tacacs-server timeout 10
> tacacs-server key xxxxxxxxx
> snmp-server community xxxxx RO 15
> radius-server host x.x.x.x auth-port 1645 acct-port 1646
> radius-server retransmit 3
> radius-server key xxxxxxx
> !
> line con 0
>  transport input none
> line 33 48
>  session-timeout 15
>  modem InOut
>  modem autoconfigure discovery
>  autocommand  ppp
>  transport input all
>  autoselect during-login
>  autoselect ppp
>  stopbits 1
>  flowcontrol hardware
> line aux 0
> line vty 0 4
>  password xxxxxxx
> !
> end
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
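
One way to confirm from a Trace 4 log that every Access-Accept carries the three reply attributes configured in the reply above (Session-Timeout, Service-Type, Framed-Protocol). This is an added example, not part of the original post and not Radiator code; the function names, the sample log and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Reply attributes set by the AuthBy SQL clause in the reply above:
# Session-Timeout from the timeleft column, plus the two AddToReply values.
REQUIRED = {"Session-Timeout": None,        # any value, but must be present
            "Service-Type": "Framed-User",
            "Framed-Protocol": "PPP"}

# Constructed sample in the packet-dump layout shown in the quoted log.
SAMPLE = """\
Thu Oct 25 16:46:31 2001: DEBUG: Packet dump:
*** Sending to 192.0.2.10 port 1645 ....
Code:       Access-Accept
Identifier: 43
Attributes:
    Session-Timeout = 733

Thu Oct 25 16:50:02 2001: DEBUG: Packet dump:
*** Sending to 192.0.2.10 port 1645 ....
Code:       Access-Accept
Identifier: 44
Attributes:
    Session-Timeout = 733
    Service-Type = Framed-User
    Framed-Protocol = PPP
"""

def parse_packets(log_text):
    """Return [(code, {attribute: value})] for each packet dump in the log."""
    packets, code, attrs, in_attrs = [], None, {}, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := re.match(r"Code:\s+(\S+)", line):
            if code:
                packets.append((code, attrs))
            code, attrs, in_attrs = m.group(1), {}, False
        elif line == "Attributes:":
            in_attrs = True
        elif in_attrs and (m := re.match(r'([\w-]+) = "?([^"]*)"?$', line)):
            attrs[m.group(1)] = m.group(2)
        else:
            in_attrs = False    # a blank or log line ends the attribute list
    return packets + ([(code, attrs)] if code else [])

def audit(log_text):
    """For each Access-Accept, list required attributes that are missing or wrong."""
    return [[f"{n} missing" if a.get(n) is None else f"{n} = {a[n]}, expected {w}"
             for n, w in REQUIRED.items()
             if a.get(n) is None or (w is not None and a[n] != w)]
            for c, a in parse_packets(log_text) if c == "Access-Accept"]
```
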