[RADIATOR] possible bug when AcctTotalSinceQuery == Max-Daily-Session
Heikki Vatiainen
hvn at open.com.au
Wed Oct 16 15:53:04 CDT 2013
On 10/15/2013 05:47 PM, Francesc Romà i Frigolé wrote:
> When the total session time used for the day as given by the
> AcctTotalSinceQuery is exactly the same as Max-Daily-Session in the
> authentication request Radiator allows the user to log in.
>
> Only if the session time exceeds the max daily session, even by just one
> second, will Radiator complain about max session exceeded.
I would need to see your configuration to say what happens exactly, but
most likely this can happen. If the amount of used seconds is 86400,
this does not *exceed* one day, yet.
> Is this the correct behaviour? I'd expect also to get a session exceeded
> error when AcctTotalSinceQuery == Max-Daily-Session.
I think it currently does work as documented ' ... If it is exceeded,
the user is rejected. ...' says the reference manual for Max-Daily-Session.
> This behaviour is causing issues for us because Radiator is returning
> an authentication "accept" with a zero session time, which Mikrotik
> RouterOS hotspot interprets as infinite session length, rather than a
> session exceeded error.
I can see that returning Session-Timeout of 0 with Access-Accept will
cause problems in your case. The RADIUS RFC is silent about 0 being a
special value, but it appears there are other implementations too which
consider 0 to mean infinity.
> Is this a bug or is there something wrong with my settings?
Maybe this is a gray area? You could consider e.g., a PostAuthHook to
see if Session-Timeout is going to be 0 and then switch the result to
reject. Might even be a good time to reject sessions that have only a
few seconds left?
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
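
A sketch of the PostAuthHook approach suggested in the reply above, added here as an example and not taken from the thread or from Radiator's own code. It assumes the hook argument layout given in the Radiator reference manual (references to the request, the reply, the result code and the reason string); the threshold variable and the reason text are made up for illustration.

```perl
# Added example: body of a PostAuthHook for the Handler or Realm that
# applies Max-Daily-Session. Check the argument layout against the
# reference manual for your Radiator version before using it.
sub {
    my $p      = ${$_[0]};   # incoming Access-Request (unused here)
    my $rp     = ${$_[1]};   # reply packet being constructed
    my $result = $_[2];      # reference to the result code
    my $reason = $_[3];      # reference to the rejection reason string

    # Assumed threshold: refuse sessions with fewer seconds left than this.
    # 1 refuses only the Session-Timeout = 0 case described in the thread;
    # a larger value also refuses sessions with only a few seconds left.
    my $min_seconds = 1;

    # Leave rejects, challenges and ignored requests untouched.
    return unless $$result == $main::ACCEPT;

    # No Session-Timeout in the reply means no limit was calculated,
    # so there is nothing to check.
    my $timeout = $rp->get_attr('Session-Timeout');
    return unless defined $timeout && $timeout =~ /^\d+$/;

    # Enough time remains: let the Access-Accept go out as it is.
    return if $timeout >= $min_seconds;

    # Used time equals (or nearly equals) the daily limit. Turn the
    # accept into a reject so the NAS never sees Session-Timeout = 0,
    # which some implementations treat as unlimited.
    $$result = $main::REJECT;
    $$reason = "Daily session limit reached (Session-Timeout $timeout)";
    &main::log($main::LOG_INFO, $$reason);
    return;
}
```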