[RADIATOR] possible bug when AcctTotalSinceQuery == Max-Daily-Session

Francesc Romà i Frigolé francesc at socialandbeyond.com
Mon Oct 28 12:01:53 CDT 2013


Hi Heikki,

Thank you for your suggestion. A PostAuth Hook sounds like a good solution,
and also an opportunity to clear to reject users with just a few seconds
left.

It happens as you describe, the Max-Daily-Session is not strictly exceeded,
it's just exactly reached.


   if (${$_[0]}->get_attr('Session-Time') < 120) {
       ${$_[0]}->set_attr('Session-Time', -1)
   }



Is the syntax for a setter set_attr()? Or is it add_attr()? I haven't
found any example of the former in the manual.

Thanks


Francesc Romà i Frigolé

CTO Social & Beyond

+34 93.1234.962

Torre Telefónica Diagonal 00, planta 11, Wayra

Plaça Ernest Lluch i Martín, 5

08019 Barcelona


On Wed, Oct 16, 2013 at 10:53 PM, Heikki Vatiainen <hvn at open.com.au> wrote:

> On 10/15/2013 05:47 PM, Francesc Romà i Frigolé wrote:
>
> > When the total session time used for the day as given by the
> > AcctTotalSinceQuery is exactly the same as Max-Daily-Session in the
> > authentication request Radiator allows the user to log in.
> >
> > Only if the session time exceeds the max daily session, even by just one
> > second, will Radiator complain about max session exceeded.
>
> I would need to see your configuration to say what happens exactly, but
> most likely this can happen. If the amount of used seconds is 86400,
> this does not *exceed* one day, yet.
>
> > Is this the correct behaviour? I'd expect also to get a session exceeded
> > error when AcctTotalSinceQuery == Max-Daily-Session.
>
> I think it currently does work as documented ' ... If it is exceeded,
> the user is rejected. ...' says the reference manual for Max-Daily-Session.
>
> > This behaviour is causing issues for us because Radiator is returning
> > an authentication "accept" with a zero session time, which Mikrotik
> > RouterOS hotspot interprets as infinite session length, rather than a
> > session exceeded error.
>
> I can see that returning Session-Timeout of 0 with Access-Accept will
> cause problems in your case. The RADIUS RFC is silent about 0 being a
> special value, but it appears there are other implementations too which
> consider 0 to mean infinity.
>
> > Is this a bug or is there something wrong with my settings?
>
> Maybe this is a gray area? You could consider e.g., a PostAuthHook to
> see if Session-Timeout is going to be 0 and then switch the result to
> reject. Might even be a good time to reject sessions that have only a
> few seconds left?
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
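Added example, not part of the original thread and not Radiator's own code: a PostAuthHook along the lines suggested in the quoted reply, switching an Access-Accept to a reject when the reply's Session-Timeout is 0 or below a threshold, so the NAS never receives a value it could read as "unlimited". It assumes the hook receives references to the request, the reply, the result and the reject reason, in that order; the stand-in attribute list, the ACCEPT/REJECT values and the sample cases are constructed so the script runs outside radiusd.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-ins so the hook can run outside radiusd (assumption: inside Radiator
# these are $main::ACCEPT / $main::REJECT and a Radius::AttrList reply).
our ($ACCEPT, $REJECT) = (0, 1);
{
    package FakeAttrList;    # hypothetical minimal attribute list
    sub new      { my ($c, %a) = @_; return bless {%a}, $c }
    sub get_attr { return $_[0]{ $_[1] } }
}

my $MIN_SECONDS = 120;       # threshold taken from the message above

# Hook body. In a Radiator config this sub would follow "PostAuthHook" in the
# Handler or Realm. Args: \$request, \$reply, \$result, \$reason.
sub reject_short_sessions {
    my ($reply, $result, $reason) = (${ $_[1] }, $_[2], $_[3]);
    return unless $$result == $ACCEPT;          # only touch accepts
    my $timeout = $reply->get_attr('Session-Timeout');
    return unless defined $timeout;             # no limit was computed
    if ($timeout < $MIN_SECONDS) {              # covers 0 ("infinite" on some NAS)
        $$result = $REJECT;
        $$reason = "Only $timeout s of daily session time left";
    }
    return;
}

# Constructed cases: remaining seconds in the reply, or no attribute at all.
for my $left (0, 45, 120, 3600, undef) {
    my %attrs   = defined $left ? ('Session-Timeout' => $left) : ();
    my $request = FakeAttrList->new('User-Name' => 'alice');
    my $reply   = FakeAttrList->new(%attrs);
    my ($result, $reason) = ($ACCEPT, '');
    reject_short_sessions(\$request, \$reply, \$result, \$reason);
    printf "%-7s -> %s %s\n", $left // 'absent',
        $result == $REJECT ? 'REJECT' : 'ACCEPT', $reason;
}
```

Inside Radiator, use `$main::ACCEPT` and `$main::REJECT` in place of the stand-in values and drop the stand-in package and the test loop.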