After fighting with the program all day, I finally figured out how to get
the counter module to kick people off after a certain time limit. For all
those who do not wish to rip their hair out in trying to get this working,
here is a little howto.

First, on your NAS you should specify your *primary* authentication and
accounting servers as the same IP. I say primary here because a lot of
NASes support multiple auth/accounting servers, and for accounting most
(that I know of) only log to one until it fails.

The counter section in the radiusd.conf file should be fine as it comes in
the package. The part you have to modify is down below in the "authorize"
section. How the package comes configured usually places the "files"
module below the "counter" module. This needs to be this way in order for
the counter module to define some variables that are used by the files
module. Your server will go down in a fantastic ball of flames if you
violate this rule. The change you need to make is, you need to add a
*second*, yes, a second call to the "counter" module immediately after the
"files" module. I'll explain why this needs to be done in the bug section
below. So your new authorize section should look something like this:

    authorize {
        preprocess
        {more stuff here}
        counter
        files
        counter
        {more stuff here}
    }

Next you need to modify the users file. There are two separate entries you
should make in here; the first is really only to save some time on the
user's part if they have already exceeded their time limit for the day. The
line:

    DEFAULT Daily-Session-Time > 7200, Auth-Type = Reject
            Reply-Message = "You have exceeded your time limit for today"

will prevent the user from ever authenticating if they are over their
limit. If you do not include this line, but do include the below line,
they will successfully authenticate but it will disconnect them immediately
afterwards (so what's the point, right?).

The line:

    DEFAULT Max-Daily-Session := 7200
            Fall-Through = Yes

will cause the counter module to append a "Session-Timeout" attribute to
the authenticate response sent back to your NAS, and its value will be set
to your max-session time (7200 here) minus the total time they have already
spent online today. This keeps to the truth in that the Radius server
doesn't actually tell the NAS to disconnect a user once their limit has
expired, but it instead tells the NAS at authentication time what is the
longest their session can last.

After you've done all this, send a SIGHUP to your radiusd and it should work.

* * * * * * *
Why do I think this is a bug?
Well, it is clear that when it starts up, freeradius parses its config
files in order, and if it finds an attribute it doesn't recognize it
dies. The need to define the counter module the first time just to define
the Max-Daily-Session attribute seems unnecessary, because if something
like an undefined attribute error were to be held off until the end of the
"function" (i.e. the 'authorize' area of the radiusd.conf file), it would
eliminate the need to call the module that first time, since it really
isn't needed (or isn't able to work) until after the 'files' module is parsed.
Just my $0.02.
Regards,
Eric
*********************************************************************
Eric Reischer [EMAIL PROTECTED]
"The universe is full of magical things patiently
waiting for our wits to grow sharper." -- Eden Phillpots
*********************************************************************
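
The arithmetic described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: a small Python model of the two users-file rules (reject when Daily-Session-Time > 7200, otherwise reply with Session-Timeout = Max-Daily-Session minus time already used today). The accounting records, the user names and the rule that usage counts toward the day on which the Stop record is stamped are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, datetime

MAX_DAILY_SESSION = 7200  # seconds, the limit used in the post's users file

# Constructed accounting Stop records: (timestamp, user, Acct-Session-Time).
SAMPLE_STOPS = [
    ("2003-05-01 09:00:00", "alice", 3600),
    ("2003-05-01 13:30:00", "alice", 1500),
    ("2003-05-01 10:00:00", "bob", 7300),
    ("2003-04-30 22:00:00", "carol", 7000),  # previous day, must not count
    ("2003-05-01 08:00:00", "carol", 200),
]

def daily_usage(stops, day):
    """Sum session seconds per user for one calendar day (the daily counter).

    Assumption: a session counts toward the day its Stop record is stamped.
    """
    used = defaultdict(int)
    for ts, user, secs in stops:
        if datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date() == day:
            used[user] += secs
    return dict(used)

def authorize(user, used, limit=MAX_DAILY_SESSION, reject_rule=True):
    """Return (reply, Session-Timeout) for a login attempt.

    reject_rule=True models the first DEFAULT entry in the post
    (Daily-Session-Time > limit -> Auth-Type = Reject).
    reject_rule=False models omitting it: the user is accepted, but the
    remaining time is zero, which the post describes as an immediate
    disconnect.
    """
    spent = used.get(user, 0)
    if reject_rule and spent > limit:
        return ("Access-Reject", None)
    # Second DEFAULT entry: the remaining allowance becomes Session-Timeout.
    return ("Access-Accept", max(limit - spent, 0))

if __name__ == "__main__":
    usage = daily_usage(SAMPLE_STOPS, date(2003, 5, 1))
    for name in ("alice", "bob", "carol", "dave"):
        print(name, usage.get(name, 0), authorize(name, usage))
    print("bob without reject rule:", authorize("bob", usage, reject_rule=False))
```
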