[RADIATOR] Updating Session Timeout Max-Hourly

Heikki Vatiainen hvn at open.com.au
Mon Oct 31 11:08:43 CDT 2011


On 10/29/2011 02:14 PM, SimonM123 wrote:
> 
> With this query, I end up with a negative session timeout after several
> logins:
> 
>        AcctSQLStatement update SUBSCRIBERS set SESSIONTIMEOUT = SESSIONTIMEOUT - 0%{Acct-Session-Time} where USERNAME='%n'

Checking your AuthSelect, that will happen. Try this instead:

AuthSelect select PASSWORD, MAXDAILYSESSION, SESSIONTIMEOUT from SUBSCRIBERS where USERNAME=%0 AND SESSIONTIMEOUT > 0

Since these are just normal SQL queries, you need a check like that to
keep you from allowing authentications with no time left.

> Surely this needs to be more like:
> 
> AcctSQLStatement update SUBSCRIBERS set SESSIONTIMEOUT = 0%{AcctTotalSinceQuery} - 0%{Acct-Session-Time} where USERNAME='%n'
> 
> But that doesn't work for both daily and all time counters.

Check ref.pdf section "5.2 Special characters" for more about % escapes.
%{AcctTotalSinceQuery} tries to look up an attribute with this name from
the incoming request. It does not run any SQL query.

So in summary, I would do something like this:
- list what kind of information needs to be kept in database
- see if the existing queries can lookup and update the info
- maybe use hooks, stored procedures or cron for the rest that the existing
queries cannot do

Thanks!
Heikki


> S
> 
> Heikki Vatiainen-4 wrote:
>>
>> On 10/28/2011 08:44 PM, SimonM123 wrote:
>>
>>> Thanks. The problem is now my session timeout col. Do I need this and
>>> what should the value be before first session? The first time a user
>>> logs in, the session timeout value is null? Do I need more logic in
>>> here ??
>>
>> Since SESSIONTIMEOUT column value is returned as Session-Timeout reply
>> attribute, it would need to be initialised to seconds user is allowed to
>> stay logged in initially. Once the user is logged in, each accounting
>> request would then reset the time to (time left when this session
>> started - time currently logged in).
>>
>> See http://tools.ietf.org/html/rfc2865#section-5.27 for more about
>> Session-Timeout
>>
>> Thanks!
>> Heikki
>>
>>> Heikki Vatiainen-4 wrote:
>>>>
>>>> On 10/27/2011 12:10 PM, SimonM123 wrote:
>>>>
>>>>> If I've posted this twice, I'm sorry - couldn't find the email I sent
>>>>> yesterday.
>>>>
>>>> Probably did not reach the list. I did not see it either.
>>>>
>>>>> We're using the Max-All and Max-Daily session in a customised sql.cfg.
>>>>>
>>>>>
>>>>>         AuthColumnDef     0,User-Password, check
>>>>>         AuthColumnDef     1,Max-Daily-Session,check
>>>>>         AuthColumnDef     2,Session-Timeout,reply
>>>>>
>>>>>
>>>>>         AuthSelect select PASSWORD, MAXDAILYSESSION, SESSIONTIMEOUT from SUBSCRIBERS where USERNAME=%0
>>>>>
>>>>>
>>>>>         AcctTotalQuery SELECT SUM(AcctSessionTime) FROM ACCOUNTING WHERE UserName=%0B
>>>>
>>>> The above should run when Max-All-Session is a check item.
>>>>
>>>>>         AcctTotalSinceQuery SELECT SUM(AcctSessionTime - GREATEST((%1 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM ACCOUNTING WHERE UserName=%0 AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > %1
>>>>
>>>> This should run with Max-Daily-Session. So it should run for your
>>>> Max-Daily-Session check item. When you run Radiator with Trace 4 you
>>>> should see this query in Radiator log when it runs.
>>>>
>>>>>        AcctSQLStatement update SUBSCRIBERS set SESSIONTIMEOUT = SESSIONTIMEOUT - 0%{AcctTotalSinceQuery} where USERNAME='%n'
>>>>>
>>>>> The last one I thought might decrease the session timeout on successful
>>>>> auth but it's not working.
>>>>
>>>> Try 0%{Acct-Session-Time} instead of 0%{AcctTotalSinceQuery}. This will
>>>> try to minus the value of Acct-Session-Time attribute for every received
>>>> accounting message. Also, it runs when accounting message is received,
>>>> not during auth(entication).
>>>>
>>>> You should see this in Trace 4 log too.
>>>>
>>>>> What's the best way to do this?
>>>>
>>>> Does the above help?
>>>>
>>>> Heikki
>>>>
>>>>
>>>> -- 
>>>> Heikki Vatiainen <hvn at open.com.au>
>>>>
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>>>> NetWare etc.
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>
>>>>
>>>
>>
>>
>>
>>
> 


-- 
Heikki Vatiainen <hvn at open.com.au>
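
Added example, not part of the original thread and not Radiator code: the two statements discussed above replayed against an in-memory SQLite table, first as originally posted and then with the `SESSIONTIMEOUT > 0` guard plus a clamp at zero in the accounting update. Table and column names come from the thread; the user, password, starting balance and accounting events are constructed, and treating a missing Acct-Session-Time as 0 is an assumption mirroring the leading `0` in `0%{Acct-Session-Time}`.

```python
import sqlite3

# Constructed accounting events for one user: (Acct-Status-Type, Acct-Session-Time).
EVENTS = [("Start", None), ("Stop", 2000), ("Start", None), ("Stop", 2000)]

# Auth lookup as first posted, and with the guard suggested in the reply.
AUTH_UNGUARDED = ("SELECT PASSWORD, MAXDAILYSESSION, SESSIONTIMEOUT "
                  "FROM SUBSCRIBERS WHERE USERNAME = ?")
AUTH_GUARDED = AUTH_UNGUARDED + " AND SESSIONTIMEOUT > 0"

# Accounting update as posted, and a variant that never stores a negative value.
ACCT_UNGUARDED = ("UPDATE SUBSCRIBERS SET SESSIONTIMEOUT = SESSIONTIMEOUT - ? "
                  "WHERE USERNAME = ?")
ACCT_GUARDED = ("UPDATE SUBSCRIBERS SET SESSIONTIMEOUT = "
                "MAX(SESSIONTIMEOUT - ?, 0) WHERE USERNAME = ?")


def simulate(guarded, initial_seconds=3600, user="alice"):
    """Replay EVENTS, then run the auth lookup.

    Returns (seconds_left, auth_row); auth_row is None when the lookup
    finds no matching subscriber, i.e. the login would be rejected.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SUBSCRIBERS (USERNAME TEXT PRIMARY KEY, "
               "PASSWORD TEXT, MAXDAILYSESSION INTEGER, SESSIONTIMEOUT INTEGER)")
    db.execute("INSERT INTO SUBSCRIBERS VALUES (?, ?, ?, ?)",
               (user, "constructed-password", 7200, initial_seconds))
    for _status, session_time in EVENTS:
        # Assumption: a request without Acct-Session-Time subtracts 0.
        used = int(session_time or 0)
        db.execute(ACCT_GUARDED if guarded else ACCT_UNGUARDED, (used, user))
    left = db.execute("SELECT SESSIONTIMEOUT FROM SUBSCRIBERS WHERE USERNAME = ?",
                      (user,)).fetchone()[0]
    row = db.execute(AUTH_GUARDED if guarded else AUTH_UNGUARDED,
                     (user,)).fetchone()
    db.close()
    return left, row


if __name__ == "__main__":
    print("unguarded:", simulate(guarded=False))
    print("guarded:  ", simulate(guarded=True))
    print("NULL col: ", simulate(guarded=True, initial_seconds=None))
```

With the guard, a row whose SESSIONTIMEOUT is still NULL also fails the lookup, because `NULL > 0` is not true in SQL; the column has to be initialised before the first login.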


