Re: User disconnects but stays online in radius
On 19/02/13 06:53, Russell Mike wrote:
> Hi Phil Moby, I am also interested in this solution since experiencing the same problem. I liked the solution no1. But I have no idea where I can get that script but I can modify if I have one.

It's a pretty simple script. Depending on your SQL database, you just do a select from radacct where acctstarttime + acctsessiontime 'now - 2 hours' or whatever. It should be a 1-line SQL query.

However - I should emphasise that interim accounting and expiring dead SQL sessions is no substitute for a resilient RADIUS service; you should really have two servers, and look to use robust accounting *as well* as interim acct.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: User disconnects but stays online in radius
On Tue, Feb 19, 2013 at 10:23 AM, Russell Mike radius@gmail.com wrote:
> On Monday, February 18, 2013, Mobin Yazarlou wrote:
>> On Mon, Feb 18, 2013 at 9:50 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
>>> On 18/02/13 18:02, Mobin Yazarlou wrote:
>>>> Hi, I am using freeradius v2.1.12 with MySQL support and noticed if a user disconnect when radius server is down, NAS can not inform radius about user being disconnected and radius assume user is still online after coming up again. This restricts user from connecting again when you set simultaneous-use to 1. Is there any solution for this? My NAS is pptpd on Debian 6.
>>>
>>> RADIUS uses UDP, and NASes don't save accounting packets which don't get a reply; they usually send 1-5 attempts over a few seconds, then give up (or move to the 2nd RADIUS server). You need to take this into account. Possible solutions include some combination of:
>>>
>>> 1. Use interim accounting. Then, use a script to expire any sessions which have not seen accounting packets in X*interim-interval; X==3 for example
>>> 2. Setup a 2nd RADIUS accounting server and ensure your NAS has both servers configured. Use one of several configs to write the accounting data to a robust, replicated database. One way to do this is with the robust accounting that comes with FreeRADIUS.
>>> 3. Use a script to check your NASes active sessions and compare to accounting data at a certain interval.
>>>
>>> ...and so on.
>>
>> Hi, Thank you for the quick reply Phil. The solutions you have provided brought new thing into my mind. I was thinking about similar scenarios that I found out if NAS crashes, same thing will happen. Clients will get disconnected due to NAS unavailability and when NAS is unavailable, radius won't be notified about users getting disconnected. By taking this into consideration, the most effective solution would be the first or the third approach you have listed. And between these two solutions, the last one seems to be easier to implement. Please correct me if I am wrong. Thank you, Moby
>
> Hi Phil Moby, I am also interested in this solution since experiencing the same problem. I liked the solution no1. But I have no idea where I can get that script but I can modify if I have one. Thanks / RM

Hi Mike, Now it is an hour that I am looking for a built-in solution or a ready-to-use script. The only thing I found was Idle-Timeout <http://freeradius.org/rfc/rfc2865.html#Idle-Timeout> attribute. This problem could be solved if RADIUS was responsible for handling this attribute but from what I read, it's the NAS's responsibility. I hope someone helps us to find the easiest and most effective solution.

Thank you, Moby
Re: User disconnects but stays online in radius
On Tue, Feb 19, 2013 at 11:08 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 19/02/13 06:53, Russell Mike wrote:
>> Hi Phil Moby, I am also interested in this solution since experiencing the same problem. I liked the solution no1. But I have no idea where I can get that script but I can modify if I have one.
>
> It's a pretty simple script. Depending on your SQL database, you just do a select from radacct where acctstarttime + acctsessiontime 'now - 2 hours' or whatever. It should be a 1-line SQL query.
>
> However - I should emphasise that interim accounting and expiring dead SQL sessions is no substitute for a resilient RADIUS service; you should really have two servers, and look to use robust accounting *as well* as interim acct.

Dear Phil, Thanks for the guidelines again, maintaining two radius seems to be simple and right solution, whereas it also offers high availability within the fix. Do you think the problem would be solved if I have two radius configured in coova config?

Thanks / Regards RM
Re: User disconnects but stays online in radius
On Tue, Feb 19, 2013 at 11:23 AM, Mobin Yazarlou yazarlo...@gmail.com wrote:
> On Tue, Feb 19, 2013 at 10:23 AM, Russell Mike radius@gmail.com wrote:
>> On Monday, February 18, 2013, Mobin Yazarlou wrote:
>>> On Mon, Feb 18, 2013 at 9:50 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
>>>> On 18/02/13 18:02, Mobin Yazarlou wrote:
>>>>> Hi, I am using freeradius v2.1.12 with MySQL support and noticed if a user disconnect when radius server is down, NAS can not inform radius about user being disconnected and radius assume user is still online after coming up again. This restricts user from connecting again when you set simultaneous-use to 1. Is there any solution for this? My NAS is pptpd on Debian 6.
>>>>
>>>> RADIUS uses UDP, and NASes don't save accounting packets which don't get a reply; they usually send 1-5 attempts over a few seconds, then give up (or move to the 2nd RADIUS server). You need to take this into account. Possible solutions include some combination of:
>>>>
>>>> 1. Use interim accounting. Then, use a script to expire any sessions which have not seen accounting packets in X*interim-interval; X==3 for example
>>>> 2. Setup a 2nd RADIUS accounting server and ensure your NAS has both servers configured. Use one of several configs to write the accounting data to a robust, replicated database. One way to do this is with the robust accounting that comes with FreeRADIUS.
>>>> 3. Use a script to check your NASes active sessions and compare to accounting data at a certain interval.
>>>>
>>>> ...and so on.
>>>
>>> Hi, Thank you for the quick reply Phil. The solutions you have provided brought new thing into my mind. I was thinking about similar scenarios that I found out if NAS crashes, same thing will happen. Clients will get disconnected due to NAS unavailability and when NAS is unavailable, radius won't be notified about users getting disconnected. By taking this into consideration, the most effective solution would be the first or the third approach you have listed. And between these two solutions, the last one seems to be easier to implement. Please correct me if I am wrong. Thank you, Moby
>>
>> Hi Phil Moby, I am also interested in this solution since experiencing the same problem. I liked the solution no1. But I have no idea where I can get that script but I can modify if I have one. Thanks / RM
>
> Hi Mike, Now it is an hour that I am looking for a built-in solution or a ready-to-use script. The only thing I found was Idle-Timeout <http://freeradius.org/rfc/rfc2865.html#Idle-Timeout> attribute. This problem could be solved if RADIUS was responsible for handling this attribute but from what I read, it's the NAS's responsibility. I hope someone helps us to find the easiest and most effective solution. Thank you, Moby

Dear Moby, That is brilliant, I also read after your advice, and I feel that nothing can be easiest and effective than this, once Freeradius knows the ideal timeout value, user can be logged out by Freeradius this is what we were trying to do. Let's use it and see, I trust that it would do.

Great Thanks !! For Helping Community By Sharing Solutions.

Thanks Moby Phil

Regards --RM
Re: User disconnects but stays online in radius
On 19/02/13 11:23, Mobin Yazarlou wrote:
> Hi Mike, Now it is an hour that I am looking for a built-in solution or a ready-to-use script. The only thing I found was Idle-Timeout <http://freeradius.org/rfc/rfc2865.html#Idle-Timeout> attribute. This problem could be solved if RADIUS was responsible for handling this attribute but from what I read, it's the NAS's responsibility.

I think you're confused. Idle-Timeout serves a specific purpose; it tells the NAS to disconnect the client if the client is idle for a certain amount of time. It's nothing to do with stale/dead accounting sessions.

I've already spelt out the options there, and they revolve entirely around trying to make your accounting robust, and dealing with the edge cases where it is not. To repeat:

1. Have two RADIUS servers, and have each NAS talk to both
2. Setup robust accounting-SQL on both RADIUS servers - see the example configs that come with the server for this
3. Use interim accounting
4. Use a script to expire sessions without an update in X*interim-interval

That should get you pretty much all the way there.
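Step 4 above (expiring sessions that have had no update in X*interim-interval) can be sketched as follows. This is an added example, not code posted by anyone in the thread or shipped with FreeRADIUS. It assumes an in-memory SQLite table standing in for the MySQL `radacct` table, reduced to a few columns with epoch-second timestamps, reads the quoted query as "acctstarttime + acctsessiontime is older than the cutoff", and uses a constructed `Stale-Expired` marker and constructed sample rows.

```python
import sqlite3

INTERIM_INTERVAL = 900  # seconds; the Acct-Interim-Interval value used in this thread
X = 3                   # missed intervals tolerated ("X==3 for example")


def make_radacct(rows):
    """Build a reduced radacct table in memory (SQLite stands in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("""
        CREATE TABLE radacct (
            radacctid          INTEGER PRIMARY KEY,
            username           TEXT,
            nasipaddress       TEXT,
            acctstarttime      INTEGER,  -- epoch seconds here, DATETIME in MySQL
            acctstoptime       INTEGER,  -- NULL while the session counts as online
            acctsessiontime    INTEGER,  -- advanced by every interim update
            acctterminatecause TEXT
        )""")
    db.executemany(
        "INSERT INTO radacct (username, nasipaddress, acctstarttime,"
        " acctstoptime, acctsessiontime) VALUES (?, ?, ?, ?, ?)", rows)
    db.commit()
    return db


def expire_stale(db, now, interval=INTERIM_INTERVAL, x=X):
    """Close open sessions whose last accounting update is older than x*interval.

    The last update is approximated as acctstarttime + acctsessiontime, so this
    only works when the NAS really sends interim updates; without them a long,
    healthy session looks stale and is closed as well.
    """
    cutoff = now - x * interval
    cur = db.execute("""
        UPDATE radacct
           SET acctstoptime = acctstarttime + COALESCE(acctsessiontime, 0),
               acctterminatecause = 'Stale-Expired'  -- constructed local marker
         WHERE acctstoptime IS NULL
           AND acctstarttime + COALESCE(acctsessiontime, 0) < ?""", (cutoff,))
    db.commit()
    return cur.rowcount


def open_sessions(db, username):
    """Number of sessions a Simultaneous-Use check in SQL would still count."""
    return db.execute(
        "SELECT COUNT(*) FROM radacct"
        " WHERE username = ? AND acctstoptime IS NULL", (username,)).fetchone()[0]


# Constructed sample data: (username, NAS, start, stop, session time)
NOW = 100_000
SAMPLE_ROWS = [
    ("alice", "192.0.2.10", 90_000, None, 9_900),   # last update 99900: live
    ("bob", "192.0.2.10", 90_000, None, 1_800),     # last update 91800: Stop was lost
    ("carol", "192.0.2.11", 99_000, None, 0),       # just started, no interim yet
    ("dave", "192.0.2.11", 80_000, 85_000, 5_000),  # closed normally, left alone
]

if __name__ == "__main__":
    db = make_radacct(SAMPLE_ROWS)
    print("expired:", expire_stale(db, NOW))
    for user in ("alice", "bob", "carol"):
        print(user, "open sessions:", open_sessions(db, user))
```

Run from cron at an interval shorter than X*interim-interval; the stop time is set to the last known update, so the recorded session length never exceeds what the NAS actually reported.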
Re: User disconnects but stays online in radius
On Tue, Feb 19, 2013 at 2:38 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 19/02/13 06:53, Russell Mike wrote:
>> Hi Phil Moby, I am also interested in this solution since experiencing the same problem. I liked the solution no1. But I have no idea where I can get that script but I can modify if I have one.
>
> It's a pretty simple script. Depending on your SQL database, you just do a select from radacct where acctstarttime + acctsessiontime 'now - 2 hours' or whatever. It should be a 1-line SQL query.
>
> However - I should emphasise that interim accounting and expiring dead SQL sessions is no substitute for a resilient RADIUS service; you should really have two servers, and look to use robust accounting *as well* as interim acct.

The more I read about this, the more complicated it gets!

Dear Phil, the first and third solutions you provided will work great but their implementation is not that easy. As you said above, following the first approach needs packet monitoring as well, which is not easy to implement unless there be a log file/table in freeradius for this packets. And the value for acctsessiontime is 0 until the user disconnects and freeradius sets the correct value for this field and some other fields in radacct table.

I also found that sometimes removing the last accounting record for the locked user in the radacct table won't work and you need to set /var/log/freeradius/radutmp to null, to unlock that user.

I wish there was a table for online users in NAS and we could compare online user in NAS and online users in RADIUS and decide what to do.

I am still looking forward for your helpful comments and suggestion on this topic.

Thank you, Moby
Re: User disconnects but stays online in radius
On Tue, Feb 19, 2013 at 4:31 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 19/02/13 11:23, Mobin Yazarlou wrote:
>> Hi Mike, Now it is an hour that I am looking for a built-in solution or a ready-to-use script. The only thing I found was Idle-Timeout <http://freeradius.org/rfc/rfc2865.html#Idle-Timeout> attribute. This problem could be solved if RADIUS was responsible for handling this attribute but from what I read, it's the NAS's responsibility.
>
> I think you're confused. Idle-Timeout serves a specific purpose; it tells the NAS to disconnect the client if the client is idle for a certain amount of time. It's nothing to do with stale/dead accounting sessions.
>
> I've already spelt out the options there, and they revolve entirely around trying to make your accounting robust, and dealing with the edge cases where it is not. To repeat:
>
> 1. Have two RADIUS servers, and have each NAS talk to both
> 2. Setup robust accounting-SQL on both RADIUS servers - see the example configs that come with the server for this
> 3. Use interim accounting
> 4. Use a script to expire sessions without an update in X*interim-interval
>
> That should get you pretty much all the way there.

Thanks for your help Phil, your comments helped me a lot on this topic, But I am not confused :). I am just trying to find the easiest *practical* approach. I agree that Idle-Timeout can not help us with this problem and I said *it could be* a solution if radius was in charge of handling this attribute. But since NAS takes care of this attribute, it won't help us.

Please read my previous message, I wrote some other tips about fixing this problem but I didn't come up with the complete solution yet. I would be thankful if you keep participating until we achieve to a practical solution.

Thank you, Moby

On Tue, Feb 19, 2013 at 4:22 PM, Russell Mike radius@gmail.com wrote:
> Dear Moby, That is brilliant, I also read after your advice, and I feel that nothing can be easiest and effective than this, once Freeradius knows the ideal timeout value, user can be logged out by Freeradius this is what we were trying to do. Let's use it and see, I trust that it would do. Great Thanks !! For Helping Community By Sharing Solutions. Thanks Moby Phil Regards --RM

Hi Mike, Thank you for showing your interest in this. I wish this could be fixed using Idle-Timeout attribute but since NAS is responsible for handling it, It won't help us much. When NAS handles Idle-Timeout, this attribute won't change anything if radius is down. But if radius was responsible for checking connections against Idle-Timeout value, this problem could be fixed even when NAS was down.

Thank you, Moby
Re: User disconnects but stays online in radius
Mobin Yazarlou wrote:
> The more I read about this, the more complicated it gets!

It's because UDP packets can be lost, and you can't realistically get information out of the NAS. The result is that any solution ends up being complicated, and patchy.

> I also found that sometimes removing the last accounting record for the locked user in the radacct table won't work and you need to set /var/log/freeradius/radutmp to null, to unlock that user.

That depends on how you have the system set up. If you do Simultaneous-Use checking in SQL, you don't need to use radutmp.

> I wish there was a table for online users in NAS and we could compare online user in NAS and online users in RADIUS and decide what to do.

There should really be a separate table *only* for online users. The Simultaneous-Use checking should use that. The table should also be used to determine when a session has been closed, even if the NAS isn't sending packets.

It shouldn't be hard. All it requires is for someone to do the work.

i.e. the table should be similar to the current one, but with a few fields deleted, and a few fields added. It needs to track user, NAS, NAS port, session start time, last update time, and maybe a few other things. When a session is started, a new row is inserted. When a session is stopped, the row is deleted. The current accounting table can be used to double-check for lost / delayed packets.

There should also be a periodic shell script to clean up the table. If a particular session hasn't seen updates for a long time, the script should send a fake accounting stop packet to the server. That lets the server close the session.

It's probably more complicated than that, but that's the basic idea.

Alan DeKok.
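The online-users table described in the message above, as an added sketch that is not code from the thread or from FreeRADIUS. The table name `radonline`, its columns, the helper names and the sample packets are all hypothetical; SQLite stands in for the real database, and the "fake accounting stop" is modelled by feeding a synthesized Stop through the same handler instead of sending a packet.

```python
import sqlite3


def make_online_db():
    """One row per session currently believed to be online."""
    db = sqlite3.connect(":memory:")
    db.execute("""
        CREATE TABLE radonline (
            username      TEXT NOT NULL,
            nasipaddress  TEXT NOT NULL,
            nasport       TEXT NOT NULL,
            acctsessionid TEXT NOT NULL,
            starttime     INTEGER NOT NULL,  -- epoch seconds
            lastupdate    INTEGER NOT NULL,  -- time of the last packet seen
            PRIMARY KEY (nasipaddress, acctsessionid)
        )""")
    return db


def pkt(status, user, sid, nas="192.0.2.10", port="0", session_time=0):
    """Build a constructed accounting packet as an attribute dict."""
    return {"Acct-Status-Type": status, "User-Name": user,
            "NAS-IP-Address": nas, "NAS-Port": port,
            "Acct-Session-Id": sid, "Acct-Session-Time": session_time}


def handle_accounting(db, p, now):
    """Start inserts a row, Interim-Update refreshes it, Stop deletes it."""
    key = (p["NAS-IP-Address"], p["Acct-Session-Id"])
    if p["Acct-Status-Type"] == "Stop":
        db.execute("DELETE FROM radonline"
                   " WHERE nasipaddress = ? AND acctsessionid = ?", key)
    else:
        # A retransmitted Start must not create a second row, and an
        # Interim-Update whose Start was lost must still create one.
        cur = db.execute("UPDATE radonline SET lastupdate = ?"
                         " WHERE nasipaddress = ? AND acctsessionid = ?",
                         (now, *key))
        if cur.rowcount == 0:
            start = now - int(p.get("Acct-Session-Time", 0))
            db.execute("INSERT INTO radonline VALUES (?, ?, ?, ?, ?, ?)",
                       (p["User-Name"], key[0], p["NAS-Port"], key[1],
                        start, now))
    db.commit()


def online_count(db, username):
    return db.execute("SELECT COUNT(*) FROM radonline WHERE username = ?",
                      (username,)).fetchone()[0]


def simultaneous_use_ok(db, username, limit=1):
    """True if the user may open another session under the given limit."""
    return online_count(db, username) < limit


def reap(db, now, interval=900, x=3):
    """Close sessions silent for more than x*interval; return the Stops used."""
    rows = db.execute(
        "SELECT username, nasipaddress, nasport, acctsessionid,"
        " starttime, lastupdate FROM radonline WHERE lastupdate < ?",
        (now - x * interval,)).fetchall()
    stops = []
    for user, nas, port, sid, start, last in rows:
        stop = pkt("Stop", user, sid, nas, port, session_time=last - start)
        handle_accounting(db, stop, now)  # stands in for sending the packet
        stops.append(stop)
    return stops


if __name__ == "__main__":
    db = make_online_db()
    handle_accounting(db, pkt("Start", "moby", "A1"), now=0)
    handle_accounting(db, pkt("Interim-Update", "moby", "A1", session_time=900), now=900)
    # The server is down when moby disconnects, so the Stop never arrives.
    print("may reconnect before cleanup:", simultaneous_use_ok(db, "moby"))
    print("synthesized stops:", reap(db, now=3601))
    print("may reconnect after cleanup:", simultaneous_use_ok(db, "moby"))
```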
Re: User disconnects but stays online in radius
On 19/02/13 13:28, Mobin Yazarlou wrote:
> The more I read about this, the more complicated it gets!

It's quite simple in principle.

> Dear Phil, the first and third solutions you provided will work great but their implementation is not that easy. As you said above, following the first approach needs packet monitoring as well, which is not easy to implement unless there be a log file/table in freeradius for this

I don't know what this means, I'm afraid.

> packets. And the value for acctsessiontime is 0 until the user disconnects and freeradius sets the correct value for this field and some other fields in radacct table.

As I said, you need to enable interim accounting. If you do this, the NAS should send accounting packets at frequent intervals that update acctsessiontime, amongst other things.

If your NAS doesn't support interim accounting, you're stuck. If it does, you should just need to set the interim interval, either statically on the NAS or dynamically in the Access-Accept, like so:

    post-auth {
      ...
      update reply {
        # accounting packets every 15 minutes
        Acct-Interim-Interval = 900
      }
      ...
    }

You also need to ensure the accounting_update_query{,_alt} are configured in your sql.conf; this is the default.

> I also found that sometimes removing the last accounting record for the locked user in the radacct table won't work and you need to set /var/log/freeradius/radutmp to null, to unlock that user.

Don't use utmp; disable the module if you are using SQL, it's unnecessary and bug prone.

> I wish there was a table for online users in NAS and we could compare online user in NAS and online users in RADIUS and decide what to do.

Some devices do have this. It's vendor-specific, and often accessible via SNMP. Consult the docs for your NAS. Since this isn't a RADIUS question, it's best to look elsewhere for this.

> I am still looking forward for your helpful comments and suggestion on this topic.

As above: enable interim accounting. The effects should be obvious if it works, and the next steps clear.
Re: User disconnects but stays online in radius
On 19/02/13 16:09, Russell Mike wrote:
> *A.)* Enable interim accounting

Yes

> *B.)* Enable
>
>     post-auth { update reply { Acct-Interim-Interval = 900 } }

Yes

> C.) *You Said:* You also need to ensure the accounting_update_query{,_alt} are configured in your sql.conf; this is the default.
>
> C1.) Unclear to this, i have nothing like this in my sql.conf
>
>     $INCLUDE sql/${database}/dialup.conf

See the $INCLUDEd file, in this case raddb/sql/mysql/dialup.conf

> *D.)* *You Said:* I also found that sometimes removing the last accounting record for the locked user in the radacct table won't work and you need to set /var/log/freeradius/radutmp to null, to unlock that user.

No, I didn't say that. Someone else did.

> *D1.)* I use radutmp For Simultaneous-Use tracking. Do you mean it should be disable ?

radutmp is inferior to SQL. There is no point in using both, and radutmp has problems.

> I am clear with AB. I need more help to tell us more about *C* what exactly should be added in sql.conf and *D* how to set null

The default SQL schema and queries that come with the server support interim accounting. If you haven't changed them, you don't need to do thing for C.

Just tell the NAS to send interim accounting, and then check using debug/tcpdump/radsniff/whatever that it's actually doing that.
Re: User disconnects but stays online in radius
On Tue, Feb 19, 2013 at 5:28 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 19/02/13 16:09, Russell Mike wrote:
>> *A.)* Enable interim accounting
>
> Yes
>
>> *B.)* Enable
>>
>>     post-auth { update reply { Acct-Interim-Interval = 900 } }
>
> Yes
>
>> C.) *You Said:* You also need to ensure the accounting_update_query{,_alt} are configured in your sql.conf; this is the default.
>>
>> C1.) Unclear to this, i have nothing like this in my sql.conf
>>
>>     $INCLUDE sql/${database}/dialup.conf
>
> See the $INCLUDEd file, in this case raddb/sql/mysql/dialup.conf
>
>> *D.)* *You Said:* I also found that sometimes removing the last accounting record for the locked user in the radacct table won't work and you need to set /var/log/freeradius/radutmp to null, to unlock that user.
>
> No, I didn't say that. Someone else did.
>
>> *D1.)* I use radutmp For Simultaneous-Use tracking. Do you mean it should be disable ?
>
> radutmp is inferior to SQL. There is no point in using both, and radutmp has problems.
>
>> I am clear with AB. I need more help to tell us more about *C* what exactly should be added in sql.conf and *D* how to set null
>
> The default SQL schema and queries that come with the server support interim accounting. If you haven't changed them, you don't need to do thing for C.
>
> Just tell the NAS to send interim accounting, and then check using debug/tcpdump/radsniff/whatever that it's actually doing that.

Dear Phil Mayers, Thank you very much for your kind assistance, also being patient with slow learners. You are such a gentleman indeed, I have no words to thank you for helping us out step by step. Everything is clear at this point after reading your message. I wish to thank you once again for attending to us in your time.

Thanks / REGARDS --RM
Re: User disconnects but stays online in radius
Thank you guys. I've learned many useful tips in the last comments. Now I know the idea of comparing online users in RADIUS and NAS can be a good solution but since I use two different NAS types on my network, and I am almost sure both of them don't have standard API to allow other apps read their online users, It will be a little bit challenging and maybe time consuming to implement. But whatever it is, I am happy that we could come up with a solution in about 24 hours on this mailing list. :)

Thank you, Moby
Re: User disconnects but stays online in radius
On 18/02/13 18:02, Mobin Yazarlou wrote:
> Hi, I am using freeradius v2.1.12 with MySQL support and noticed if a user disconnect when radius server is down, NAS can not inform radius about user being disconnected and radius assume user is still online after coming up again. This restricts user from connecting again when you set simultaneous-use to 1. Is there any solution for this? My NAS is pptpd on Debian 6.

RADIUS uses UDP, and NASes don't save accounting packets which don't get a reply; they usually send 1-5 attempts over a few seconds, then give up (or move to the 2nd RADIUS server). You need to take this into account. Possible solutions include some combination of:

1. Use interim accounting. Then, use a script to expire any sessions which have not seen accounting packets in X*interim-interval; X==3 for example
2. Setup a 2nd RADIUS accounting server and ensure your NAS has both servers configured. Use one of several configs to write the accounting data to a robust, replicated database. One way to do this is with the robust accounting that comes with FreeRADIUS.
3. Use a script to check your NASes active sessions and compare to accounting data at a certain interval.

...and so on.
Re: User disconnects but stays online in radius
On Monday, February 18, 2013, Phil Mayers wrote:
> On 18/02/13 18:02, Mobin Yazarlou wrote:
>> Hi, I am using freeradius v2.1.12 with MySQL support and noticed if a user disconnect when radius server is down, NAS can not inform radius about user being disconnected and radius assume user is still online after coming up again. This restricts user from connecting again when you set simultaneous-use to 1. Is there any solution for this? My NAS is pptpd on Debian 6.
>
> RADIUS uses UDP, and NASes don't save accounting packets which don't get a reply; they usually send 1-5 attempts over a few seconds, then give up (or move to the 2nd RADIUS server). You need to take this into account. Possible solutions include some combination of:
>
> 1. Use interim accounting. Then, use a script to expire any sessions which have not seen accounting packets in X*interim-interval; X==3 for example
> 2. Setup a 2nd RADIUS accounting server and ensure your NAS has both servers configured. Use one of several configs to write the accounting data to a robust, replicated database. One way to do this is with the robust accounting that comes with FreeRADIUS.
> 3. Use a script to check your NASes active sessions and compare to accounting data at a certain interval.
>
> ...and so on.

Hi, Very good elaborated response, it also helped me. Quality of Information was superB.

Thanks Man

RM
Re: User disconnects but stays online in radius
On Monday, February 18, 2013, Mobin Yazarlou wrote:
> On Mon, Feb 18, 2013 at 9:50 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
>> On 18/02/13 18:02, Mobin Yazarlou wrote:
>>> Hi, I am using freeradius v2.1.12 with MySQL support and noticed if a user disconnect when radius server is down, NAS can not inform radius about user being disconnected and radius assume user is still online after coming up again. This restricts user from connecting again when you set simultaneous-use to 1. Is there any solution for this? My NAS is pptpd on Debian 6.
>>
>> RADIUS uses UDP, and NASes don't save accounting packets which don't get a reply; they usually send 1-5 attempts over a few seconds, then give up (or move to the 2nd RADIUS server). You need to take this into account. Possible solutions include some combination of:
>>
>> 1. Use interim accounting. Then, use a script to expire any sessions which have not seen accounting packets in X*interim-interval; X==3 for example
>> 2. Setup a 2nd RADIUS accounting server and ensure your NAS has both servers configured. Use one of several configs to write the accounting data to a robust, replicated database. One way to do this is with the robust accounting that comes with FreeRADIUS.
>> 3. Use a script to check your NASes active sessions and compare to accounting data at a certain interval.
>>
>> ...and so on.
>
> Hi, Thank you for the quick reply Phil. The solutions you have provided brought new thing into my mind. I was thinking about similar scenarios that I found out if NAS crashes, same thing will happen. Clients will get disconnected due to NAS unavailability and when NAS is unavailable, radius won't be notified about users getting disconnected. By taking this into consideration, the most effective solution would be the first or the third approach you have listed. And between these two solutions, the last one seems to be easier to implement. Please correct me if I am wrong. Thank you, Moby

Hi Phil Moby, I am also interested in this solution since experiencing the same problem. I liked the solution no1. But I have no idea where I can get that script but I can modify if I have one.

Thanks / RM