Re: saExpire not working

Dale E. Reed Jr. ( (no email) )
Thu, 09 Apr 1998 12:59:05 -0700

Sean Herr wrote:
> I cannot get the saExpire to block calls when it should be. The
> documention on the web says the following:
> The Expiration Date for this SubAccount. If this is NULL, the
> Expiration Date of the MasterAccount is used.
> What if it is not null? Here is the pertinent data out of
> SubAccounts.
> CreateDate~saExpireDate~Extension~Active~TimeLeft~LoginLimit
> 4/6/98 7:07:01 PM~4/7/98 7:07:00 PM ~-1~-99992
> When I expire the date - it still lets them login. If I expire
> maexpire it shutdown the account.

If you are using MS Access, the Sub Accounts expire date is
not supported. Its a limitation of the DateAdd() function of
MS Access. It works corretly with SQL Server and Sybase, though.

This is noted in the authentication process outline in the
RadiusNT 2.2 documentation:

Authentication Process

When RadiusNT receives an incoming authentication request, the following steps
are performed to authenticate the user:

1.Check to see if a record exists in the SubAccounts Table with either a
login or shell field matching the username attribute in the request, and neither
of the active flags are 0.
2.If no match is found, send a reject.
3.If the request password does not match the database password, send a
4.If the saExpireDate Field is not NULL and the SubAccount (plus extension)
is expired, then send a reject. (only applicable to SQL Server support, as this
is not supported by MS Access)
5.If the saExpireDate is NULL and the maExpireDate (plus extension and
overdue) is expired, then send a reject.
6.If Time banking is enabled and the SubAccounts's TimeLeft field is less
than 1, send a reject.
7.If concurrency checking is enabled, and the user is listed in the
callsonline view (with more entries than they are allowed), send a reject.
8.If Server Access checking is enabled, and the user's Account Type does not
have an entry in the ServerAccess table for the port they are logging into, send
a reject.
9.If there are matching records in the RadConfigs table for the user's
AccountID, send an ACK with them for the reply attributes.
10.If there are matching records in the RadATConfigs table for the user's
Account Type, send an ACK with them for the reply attributes.
11.Send a reject.

-- Dale E. Reed Jr.  (       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs Internet Solutions for Today  |