Message-ID: <200306111252170250.0006D97A@202.154.240.8>
Date: Wed, 11 Jun 2003 12:52:17 +0500
From: "Kashan Sadiq" <kashan@wol.net.pk>
Subject: RE: [RadiusNT] ServerAccess Probelm

Dear Dale,
I am sending you some files attached to this email. These are RADIUS log
files. I have separated them according to the case study.
The file named "NULL.txt" has logs that actually show the problem. In this
file you will see that the user with username 'psyco' has been granted access
only for 148 minutes, which is due to the time restriction in the serveraccess
table, but you can see that there is no Session-Timeout field in the start
packet. This user connects for an unlimited time period, hence the time
restriction does not work (mentioned in the stop time field in the
serveraccess table).
The second file, named 'timeleft5min.txt', shows that there is no problem
with users having a positive value greater than zero in the timeleft field
of the subaccounts table. While access is allowed for 465 minutes, the user
has only 5 minutes in the timeleft field, so the user will disconnect after 5
minutes, i.e. 300 sec, which is perfectly OK.
In the third file, named 'Timeleft100Timeremaining6min.txt', the user is
allowed access only for 6 minutes, due to the time restriction. He has 100
minutes left in the timeleft field of the subaccounts table, which is again
perfectly alright.
Now you can well understand the RADIUS problem. This time we are using RadiusNT
Version 4.0.33 and this is the latest version available on the IEA ftp site.
Kindly help me in this regard. I will be grateful to you.
Kashan Sadiq
*********** REPLY SEPARATOR ***********
On 6/9/2003 at 9:42 AM Dale E. Reed Jr. wrote:
>> It means that user can connect between 1:00AM to 9:00AM
>> in the morning. Now during this time, whenever the user
>> connects, he connects like normal unlimited account, he
>> does not disconnect at 9:00AM, or this restriction is not
>> imposed on him.
>
>With time banking enabled, RadiusNT will send a Session-Timeout
>attribute with the value set to the difference in seconds between
>now and the end (9am). If you are using an Ascend Max/TNT, you
>may need to enable the Ascend Max Time option in the RadiusNT
>config server.
>
>You can also use radlogin to test the Authentication of the user
>during that time frame and see the Session-Timeout value RadiusNT
>returns. If your NAS doesn't support Session-Timeout or
>Ascend-Maximum-Time, then there is nothing RadiusNT can do to
>limit the session.
>
>Dale
>
>------------
>
>This is a user supported list. If you require assistance from IEA Software's
>Support Engineers, please check out our Support resources at
>http://www.iea-software.com/support.
>
>For more information about this list (including removal) go to:
>http://www.iea-software.com/support/maillists/liststart
radrecv: Request from host ca9ae078 (PM) code=1, id=1, length=76
User-Name = "psycho"
Password = "jZA\200w\347\376?\004\367@\256\235\303\377\361"
NAS-Identifier = 202.154.224.120
NAS-Port = 1
NAS-Port-Type = Async
User-Service = Framed-User
Framed-Protocol = PPP
SQL Statement: {CALL RadGetUser('psycho',NULL)}
SQL Statement: {CALL RadGetConfigs(305780)}
Checking for duplicate logins.
SQL Statement: {CALL RadCheckOnline('psycho',305780)}
psycho found on-line 0 time(s).
Checking for port access.
Access allowed for 148 Minutes.
Sending Ack of id 1 to ca9ae078 (PM)
User-Service = Framed-User
Framed-Protocol = PPP
Class = "IEAS1\0063057802\0014"
Resp Time: 210 Auth: 1/0 -> 1 Acct: 0/0/0 -> 0
radrecv: Request from host ca9ae078 (PM) code=4, id=2, length=92
Acct-Session-Id = "01000000"
User-Name = "psycho"
NAS-Identifier = 202.154.224.120
NAS-Port = 1
NAS-Port-Type = Async
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Service = Framed-User
Framed-Protocol = PPP
Framed-Address = 202.154.224.128
Acct-Delay-Time = 0
Adding to Calls ['20030610 6:32:32','01000000','psycho',1,'202.154.224.128',0,'202.154.224.120','1',4] The list has 0 items.
Sending Accounting Ack of id 2 to ca9ae078 (PM)
Resp Time: 10 Auth: 1/0 -> 1 Acct: 1/0/0 -> 1
radrecv: Request from host ca9ae078 (PM) code=4, id=3, length=116
Acct-Session-Id = "01000000"
User-Name = "psycho"
NAS-Identifier = 202.154.224.120
NAS-Port = 1
NAS-Port-Type = Async
Acct-Status-Type = Stop
Acct-Session-Time = 205
Acct-Authentic = RADIUS
Acct-Input-Octets = 791
Acct-Output-Octets = 815
Acct-Terminate-Cause = User-Request
User-Service = Framed-User
Framed-Protocol = PPP
Framed-Address = 202.154.224.128
Acct-Delay-Time = 0
Adding to Calls ['20030610 6:35:57','01000000','psycho',2,205,791,815,1,'202.154.224.128',0,'202.154.224.120','1',4] The list has 0 items.
Sending Accounting Ack of id 3 to ca9ae078 (PM)
Resp Time: 0 Auth: 1/0 -> 1 Acct: 2/0/0 -> 2
radrecv: Request from host ca9ae078 (PM) code=1, id=4, length=76
User-Name = "psycho"
Password = "1z\320P\242~\313\346\320\024\005r&nZY"
NAS-Identifier = 202.154.224.120
NAS-Port = 1
NAS-Port-Type = Async
User-Service = Framed-User
Framed-Protocol = PPP
SQL Statement: {CALL RadGetUser('psycho',NULL)}
SQL Statement: {CALL RadGetConfigs(305780)}
Checking for duplicate logins.
SQL Statement: {CALL RadCheckOnline('psycho',305780)}
psycho found on-line 0 time(s).
Checking for port access.
Access allowed for 2 Minutes.
Sending Ack of id 4 to ca9ae078 (PM)
User-Service = Framed-User
Framed-Protocol = PPP
Class = "IEAS1\0063057802\0014"
Resp Time: 61 Auth: 1/0 -> 1 Acct: 0/0/0 -> 0
radrecv: Request from host ca9ae078 (PM) code=4, id=5, length=92
Acct-Session-Id = "01000001"
User-Name = "psycho"
NAS-Identifier = 202.154.224.120
NAS-Port = 1
NAS-Port-Type = Async
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Service = Framed-User
Framed-Protocol = PPP
Framed-Address = 202.154.224.128
Acct-Delay-Time = 0
Adding to Calls ['20030610 8:58:32','01000001','psycho',1,'202.154.224.128',0,'202.154.224.120','1',4] The list has 0 items.
Sending Accounting Ack of id 5 to ca9ae078 (PM)
Resp Time: 10 Auth: 1/0 -> 1 Acct: 1/0/0 -> 1
radrecv: Request from host ca9ae078 (PM) code=4, id=6, length=116
Acct-Session-Id = "01000001"
User-Name = "psycho"
NAS-Identifier = 202.154.224.120
NAS-Port = 1
NAS-Port-Type = Async
Acct-Status-Type = Stop
Acct-Session-Time = 380
Acct-Authentic = RADIUS
Acct-Input-Octets = 792
Acct-Output-Octets = 815
Acct-Terminate-Cause = User-Request
User-Service = Framed-User
Framed-Protocol = PPP
Framed-Address = 202.154.224.128
Acct-Delay-Time = 0
Adding to Calls ['20030610 9:4:53','01000001','psycho',2,380,792,815,1,'202.154.224.128',0,'202.154.224.120','1',4] The list has 0 items.
Sending Accounting Ack of id 6 to ca9ae078 (PM)
Resp Time: 0 Auth: 1/0 -> 1 Acct: 2/0/0 -> 2
radrecv: Request from host ca9ae078 (PM) code=1, id=179, length=76
User-Name = "psycho"
Password = "\200&\011\244\254.\277\033\207|\273\004\034\235\371\311"
NAS-Identifier = 202.154.224.120
NAS-Port = 1
NAS-Port-Type = Async
User-Service = Framed-User
Framed-Protocol = PPP
Checking for duplicate logins.
SQL Statement: {CALL RadCheckOnline('psycho',305780)}
psycho found on-line 0 time(s).
Checking for port access.
Access allowed for 465 Minutes.
Sending Ack of id 179 to ca9ae078 (PM)
User-Service = Framed-User
Framed-Protocol = PPP
Session-Timeout = 300
Resp Time: 0 Auth: 2/0 -> 2 Acct: 2/0/0 -> 2
SQL Statement: {CALL RadGetCacheUsers('20030604 0:15:37',1)}
radrecv: Request from host ca9ae078 (PM) code=4, id=180, length=92
Acct-Session-Id = "00000030"
User-Name = "psycho"
NAS-Identifier = 202.154.224.120
NAS-Port = 1
NAS-Port-Type = Async
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Service = Framed-User
Framed-Protocol = PPP
Framed-Address = 202.154.224.128
Acct-Delay-Time = 0
Sending Accounting Ack of id 180 to ca9ae078 (PM)
Resp Time: 0 Auth: 2/0 -> 2 Acct: 3/0/0 -> 3
radrecv: Request from host ca9ae078 (PM) code=1, id=211, length=76
User-Name = "psycho"
Password = "\323\020\027L!\311\021\263*\310\035\022\336\212~n"
NAS-Identifier = 202.154.224.120
NAS-Port = 1
NAS-Port-Type = Async
User-Service = Framed-User
Framed-Protocol = PPP
SQL Statement: {CALL RadGetUser('psycho',NULL)}
SQL Statement: {CALL RadGetConfigs(305780)}
1 ODBC Users Loaded
Checking for duplicate logins.
SQL Statement: {CALL RadCheckOnline('psycho',305780)}
psycho found on-line 0 time(s).
Checking for port access.
Access allowed for 6 Minutes.
Sending Ack of id 211 to ca9ae078 (PM)
User-Service = Framed-User
Framed-Protocol = PPP
Session-Timeout = 360
Class = "IEAS1\0063057802\0014"
Resp Time: 50 Auth: 2/0 -> 2 Acct: 2/0/0 -> 2
radrecv: Request from host ca9ae078 (PM) code=4, id=212, length=92
Acct-Session-Id = "0000003A"
User-Name = "psycho"
NAS-Identifier = 202.154.224.120
NAS-Port = 1
NAS-Port-Type = Async
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Service = Framed-User
Framed-Protocol = PPP
Framed-Address = 202.154.224.128
Acct-Delay-Time = 0
Sending Accounting Ack of id 212 to ca9ae078 (PM)
Resp Time: 0 Auth: 2/0 -> 2 Acct: 3/0/0 -> 3
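
An added example, not part of the original message and not RadiusNT code: a Python check that reads debug output in the format of the logs above and flags every authentication reply ("Sending Ack") where the server computed an access window but sent no Session-Timeout, so the NAS was never told to end the session. The function name and verdict labels are illustrative, and the sample input is abridged from the logs above.

```python
import re

# Abridged from the debug logs above (the 148-minute and 465-minute cases).
SAMPLE_LOG = """\
radrecv: Request from host ca9ae078 (PM) code=1, id=1, length=76
User-Name = "psycho"
Access allowed for 148 Minutes.
Sending Ack of id 1 to ca9ae078 (PM)
Resp Time: 210 Auth: 1/0 -> 1 Acct: 0/0/0 -> 0
radrecv: Request from host ca9ae078 (PM) code=1, id=179, length=76
User-Name = "psycho"
Access allowed for 465 Minutes.
Sending Ack of id 179 to ca9ae078 (PM)
Session-Timeout = 300
Resp Time: 0 Auth: 2/0 -> 2 Acct: 2/0/0 -> 2
"""

USER = re.compile(r'User-Name = "(.*)"')
ALLOWED = re.compile(r"Access allowed for (\d+) Minutes")
ACK = re.compile(r"Sending Ack of id (\d+)")  # does not match "Sending Accounting Ack"
LIMIT = re.compile(r"Session-Timeout = (\d+)")

def audit_accepts(log_text):
    """Return (id, user, allowed_min, timeout_sec, verdict) per authentication Ack."""
    results, user, allowed, ack = [], None, None, None
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith("radrecv:"):            # a new request resets the state
            user, allowed, ack = None, None, None
        elif ack is None and (m := USER.match(line)):
            user = m.group(1)
        elif m := ALLOWED.match(line):
            allowed = int(m.group(1))
        elif m := ACK.match(line):
            ack = [int(m.group(1)), None]          # [packet id, Session-Timeout]
        elif ack and (m := LIMIT.match(line)):
            ack[1] = int(m.group(1))
        elif ack and line.startswith("Resp Time:"):  # end of the reply dump
            if allowed is None:
                verdict = "NO_WINDOW"              # no time restriction was logged
            elif ack[1] is None:
                verdict = "UNENFORCED"             # window computed, NAS never told
            else:                                  # shorter is fine (e.g. timeleft)
                verdict = "OK" if ack[1] <= allowed * 60 else "EXCEEDS_WINDOW"
            results.append((ack[0], user, allowed, ack[1], verdict))
            ack = None
    return results

print(audit_accepts(SAMPLE_LOG))
```
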