On Thursday 12 June 2003 5:48 am, Mauro wrote:
> Hi everybody
> I run freeradius + mysql and I like to know how can I limit an user
> lifetime (ex. I want some user last for 2 Hours, other 1 Day ....)

This can be done with the "counter" module
-- set up a counter with "reset=never"
-- add an entry in "radcheck" [or radgroupcheck] for the user
setting the "max" variable to the limit
For example, I'm doing that with some "one time use" accounts for a coffee
shop [pre-printed "one hour of access" type deal] and this is what I have:
    counter lifetime {
        filename = ${raddbdir}/db.lifetime
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = never
        counter-name = lifetime-session-counter
        check-name = lifetime-limit
        cache-size = 5000
    }
(per a comment in the .conf file, "lifetime" should be listed in the
"instantiate" section)

In the authorize section, you need things in the following order:

    authorize {
        [any "pre-process" items, like realm, suffix, etc.]
        sql
        lifetime
        [any other sections/post processing]
    }
and of course "lifetime" is listed in "accounting" [so "stop" records get
totalled into the appropriate counter]
In my SQL tables, I'm doing the following:
    radcheck: user=sample01; attribute=password; op="=="; value=<whatever>
    usergroup: user=sample01; group=one_hour
    radgroupcheck: group=onehour; attribute=lifetime-limit; op=":="; value=3600
My understanding of how and why this works:
- during the "sql" processing phase, the radcheck and radgroupcheck records
are retrieved for user "sample01" [the groupcheck is retrieved due to the
linkage from "usergroup"]
- the radcheck record, having an "==" operand, requires a match to continue
- the radgroupcheck with operand ":=" adds "lifetime-limit" to the check
list
- the "lifetime" counter module compares the "lifetime-limit" set in the
earlier segment against the total "acctsessiontime" accumulated for user
"sample01" -- if the total is less than 3600, all is well AND as a special
side-effect of the counter module, the value pair "session-timeout" is set to
the "remaining" time left (3600 - whatever has accumulated)
Some caveats:
- version 0.8.1 "has a bug" in regards to the "reset=never" handling -- if
  the radius server is restarted, any previously accumulated totals are reset.
  This is reported as "fixed" in the development version (0.9) due out "real
  soon now" [see other threads]
- if you count against anything OTHER than "acctsessiontime", the radius.log
  file will erroneously report "setting session-timeout to <remainder>",
  however no such attribute is actually created [very annoying if you rely on
  the DEBUG output to be accurate] [from what I remember in skimming the
  source, this "log" entry is done outside of any "if" tests]
- if a user has used more than the limit, the response string reads a little
  funny [not a problem if the NAS ignores the string, but can generate some
  funny looks on your customers' faces if it passes it along]. In particular,
  the name of the "reset" interval is included. Normally, the reset values are
  "daily", "monthly", and so on, so the response
      Maximum daily usage time reached
  looks ok, but for the case of "never", it reads
      Maximum never usage time reached
  cosmetic, I know, but still a little funky... ;)
--
Yet another Blog: http://osnut.homelinux.net
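
Added example, not part of the original post and not FreeRADIUS code: a cross-check that recomputes each user's lifetime usage from the accounting table, useful for confirming totals when the counter file may have been reset by a server restart (the first caveat above). It applies the comparison the post describes (limit minus accumulated session time). Assumptions: sqlite3 stands in for MySQL, the column names follow the stock FreeRADIUS SQL schema, and all rows are constructed sample data.

```python
import sqlite3

# Constructed sample data; column names are assumed from the stock FreeRADIUS SQL schema.
SCHEMA = """
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radacct (UserName TEXT, AcctSessionTime INTEGER);
INSERT INTO usergroup VALUES
  ('sample01','one_hour'), ('sample02','one_hour'), ('sample03','one_hour');
INSERT INTO radgroupcheck VALUES ('one_hour','lifetime-limit',':=','3600');
INSERT INTO radacct VALUES
  ('sample01',1200), ('sample01',900), ('sample02',3000), ('sample02',700);
"""

# Sum every accounting record per user and pair it with the group's limit.
# LEFT JOIN keeps users who have never logged in (usage 0).
AUDIT = """
SELECT ug.UserName,
       CAST(gc.Value AS INTEGER) AS lim,
       COALESCE(SUM(a.AcctSessionTime), 0) AS used
FROM usergroup ug
JOIN radgroupcheck gc ON gc.GroupName = ug.GroupName AND gc.Attribute = ?
LEFT JOIN radacct a ON a.UserName = ug.UserName
GROUP BY ug.UserName, gc.Value
ORDER BY ug.UserName
"""

def audit_lifetime(conn, check_name="lifetime-limit"):
    """Return {user: (used, remaining, verdict)} recomputed from radacct."""
    report = {}
    for user, limit, used in conn.execute(AUDIT, (check_name,)):
        remaining = limit - used
        # Per the post: all is well only while the total is less than the limit,
        # and the remainder is what goes out as Session-Timeout.
        verdict = "accept" if remaining > 0 else "reject"
        report[user] = (used, max(remaining, 0), verdict)
    return report

def build_sample_db():
    """In-memory database holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

if __name__ == "__main__":
    for user, row in audit_lifetime(build_sample_db()).items():
        print(user, *row)
```

A user whose recomputed verdict is "reject" but who can still log in is a sign that the counter file no longer holds the accumulated total.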
