i'm getting my sea legs with freeradius and am having problems setting
up per user session limits and timeouts. i've read the documentation,
googled the archives, read the faq and the online chapter of the new
book and am still stumped, so hopefully i've not missed the forest for
the trees.
i'm running the stock freeradius 0.71 download on a plain vanilla redhat
box. to reduce the number of complicating factors, i'm currently using the
user flat files for authentication and logging to detail files for
accounting [ i.e. not using mysql ].
i'd like to be able to:
1. set per user [ not necessarily groups] session time limits that are
valid across multiple sessions [i.e. jane doe gets 3600 seconds of use
which are used up over multiple sessions ]
2. each time a user logs in, i'd like to return a session-timeout
attribute that reflects the time left [ i.e. total time minus used time ]
3. if a user is logged in when the time runs out, the user gets kicked
off and is not allowed to log back in. ever.
from what i gather requirements 1 and 3 should be satisfied if i can set
up the counter correctly, but i think i might have to use an
exec-program-wait script to satisfy requirement 2?
as far as the counter set-up is concerned, from the documentation and
previous posts, i set up the counter and various modules according to the
following scheme as copied from my radiusd.conf file [1]. The counter
is working because I can put the following in my users file and have it
partly satisfy my requirements:
Jane Auth-Type:=Local, User-Password=="Doe", RAD-Max-Session-Time := 60
        Class="0x101"
in this case, as is appropriate for the := operator, >each time< jane
logs in she gets a session-timeout = 60 returned. if she stays logged
in for 60 full seconds she will get kicked off - however she can then
log back in. my apparently flawed logic would tell me that i could
fully satisfy requirements 1 and 3 by using something like the following:
Jane Auth-Type:=Local, User-Password=="Doe", RAD-Session-Time < 60
        Class="0x101"
but this doesn't work - it just refused logins. and even if it did
work, i don't think it would return a session-timeout that would reflect
the total time left for the user.
i apologize if this is a stupendously basic question. like i said, i've
done my best to look through the available resources and i'm wondering
if i'm just missing something simple or perhaps trying to stretch the
counter to work in ways that it wasn't meant to be stretched.
[1]
counter {
    filename = ${raddbdir}/db.counter
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = never
    counter-name = RAD-Session-Time
    check-name = RAD-Max-Session-Time
    allowed-servicetype = Framed-User
    cache-size = 5000
}
authorize {
    preprocess
    counter
    suffix
    files
    counter
}
accounting {
    detail
    counter
    unix
    radutmp
}
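
Added example, not part of the original post and not FreeRADIUS code: the arithmetic behind requirements 1 to 3, computed from detail-file accounting records. The function names and the sample records are constructed for illustration, and how the result is handed back to the server (for instance from the exec-program-wait script the post mentions) is not shown. It goes slightly beyond the post by counting a retransmitted Stop record only once.

```python
import re

# Constructed sample in the layout of a FreeRADIUS detail file: a timestamp
# line, tab-indented "Attribute = value" lines, blank line between records.
SAMPLE_DETAIL = """\
Tue Mar  4 10:00:00 2003
\tUser-Name = "Jane"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "00000001"

Tue Mar  4 10:00:25 2003
\tUser-Name = "Jane"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "00000001"
\tAcct-Session-Time = 25

Tue Mar  4 10:00:26 2003
\tUser-Name = "Jane"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "00000001"
\tAcct-Session-Time = 25

Tue Mar  4 11:00:20 2003
\tUser-Name = "Jane"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "00000002"
\tAcct-Session-Time = 20
"""

PAIR = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def used_seconds(detail_text, user):
    """Sum Acct-Session-Time over the user's Stop records, once per session id."""
    seen, total = set(), 0
    for record in re.split(r"\n\s*\n", detail_text):
        attrs = dict(m.groups() for m in map(PAIR.match, record.splitlines()) if m)
        if attrs.get("User-Name") != user or attrs.get("Acct-Status-Type") != "Stop":
            continue
        sid = attrs.get("Acct-Session-Id")
        if sid in seen:          # retransmitted Stop: do not count twice
            continue
        seen.add(sid)
        total += int(attrs.get("Acct-Session-Time", 0))
    return total

def decide(detail_text, user, limit):
    """Return ("accept", remaining seconds) or ("reject", 0) when the quota is spent."""
    left = limit - used_seconds(detail_text, user)
    return ("accept", left) if left > 0 else ("reject", 0)
```

The remaining-seconds value from decide() is what would be returned as Session-Timeout on accept; a "reject" result corresponds to requirement 3.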
