On Wednesday 17 September 2003 8:05 am, Yacine BOUKABA wrote:
> [...] for example if a user is allowed to for 600 sec:
> 1- in the first connection radius will send a session-timeout of 600 to
> the nat, and if the user disconnects after 300 sec, and here the user will
> have 300 sec left.
> 2- in the second connection the radius will send an updated
> session-timeout of 300 sec to the nat and the user will be disconnected
> after 300 sec.
Is this a question or a statement? [note, I'm being a bit of a smart-A.. :) ]

What you listed is exactly how it works, but there are a couple of other things that have to happen:

1) initial logon -- as you indicate, FR will return a session-timeout response token with the value "600" [seconds]
2) the NAS should send an accounting START record
3) at some point [presumably 300 seconds later per your example] the user "logs off" -- the NAS needs to send an accounting STOP record
4) FR will take the info from the STOP record and increment the counter(s) you've specified
5) the next logon for the user will subtract the amount accumulated thus far [300] from the "limit" amount [600] and return the result as the session limit. [again, 300]

Where this can fall apart:

-- no start or stop records: without these records, the "counter" module won't have anything to count
-- simultaneous use: the user logs on from 4 workstations one right after another -- all 4 will get a 600-second limit, but after the last workstation logs out, the accumulated time will be close to 2400 seconds
-- overlapped use: very similar: the user logs on to one workstation, AND watches the clock very carefully -- at 590 seconds into the session, the user logs on from a second workstation. This second workstation gets 600 seconds from THAT point, or nearly 1200 continuous seconds [the third overlap should fail as the first "logout" will set the accumulated time to 600...]
   [this particular problem can be mitigated somewhat by using interim messages from the NAS]

--
Yet another Blog: http://osnut.homelinux.net
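The counter behaviour described in the reply above, as a toy model for checking how much time a given logon pattern really gets (an added example, not part of the original message and not FreeRADIUS code). The function name `replay`, the event model and the `interim` parameter are assumptions made for illustration.

```python
import heapq

LIMIT = 600  # seconds of allowed time, as in the thread's example


def replay(logons, limit=LIMIT, interim=0):
    """Replay (start_time, wanted_seconds) logons for one user.

    Returns (grants, used): the Session-Timeout sent for each logon
    (None = rejected) and the time accumulated once every STOP is in.
    interim > 0 models interim updates every `interim` seconds that the
    counter also takes into account (an assumption, not FR's actual code).
    """
    used = 0            # incremented only when an accounting STOP arrives
    open_sessions = []  # heap of (stop_time, start_time, length)
    grants = []
    for start, wanted in sorted(logons):
        # STOP records that arrived before this logon update the counter.
        while open_sessions and open_sessions[0][0] <= start:
            used += heapq.heappop(open_sessions)[2]
        # Time already reported by interim updates for sessions still open.
        reported = sum((start - s) // interim * interim
                       for _, s, _ in open_sessions) if interim else 0
        remaining = limit - used - reported
        timeout = remaining if remaining > 0 else None
        grants.append(timeout)
        if timeout is not None:
            length = min(wanted, timeout)  # NAS disconnects at Session-Timeout
            heapq.heappush(open_sessions, (start + length, start, length))
    used += sum(length for _, _, length in open_sessions)  # remaining STOPs
    return grants, used


if __name__ == "__main__":
    LONG = 10**6  # constructed input: user stays on until disconnected
    cases = {
        "sequential": ([(0, 300), (1000, LONG)], 0),
        "simultaneous x4": ([(t, LONG) for t in range(4)], 0),
        "overlapped": ([(0, LONG), (590, LONG), (1180, LONG)], 0),
        "overlapped + 60s interim": ([(0, LONG), (590, LONG), (1180, LONG)], 60),
    }
    for name, (logons, interim) in cases.items():
        grants, used = replay(logons, interim=interim)
        print(f"{name:26} grants={grants} used={used}s of {LIMIT}s")
```

In this model the overshoot is bounded by the interim interval for the overlapped case, while back-to-back simultaneous logons are unaffected because nothing has been reported yet when they authenticate.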
