[RESOLVED] customize Post-Auth-Type REJECT

classic Classic list List threaded Threaded
13 messages Options
| Threaded
Open this post in threaded view
|

[RESOLVED] customize Post-Auth-Type REJECT

pawel_221
This post was updated on .
I'm trying to change user speed to lower when he reach transfer limit. Currently after reaching transfer limit NAS is disconnecting user and when he's trying to connect he is rejected. In debug log I can see:

rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user user01, check_item=50000000, counter=50062959
++[noresetbytescounter] returns reject

Could you help me with Post-Auth-Type REJECT? How can I read the control:counters in Post-Auth? I couldn't find an answer on forum... What should I write instead "if (%{control:counter} > %{control:check_item} ) {" in my config?

Post-Auth-Type REJECT {
            if (%{control:counter} > %{control:check_item} ) {
                update reply {
                      Reply-Message := "You have reached your transfer limit. Limited bandwitch"
                }
                update control {
                                Auth-Type := "Accept"
                                WISPr-Bandwidth-Max-Down = 1048576
                                WISPr-Bandwidth-Max-Up = 262144
                        }
}

My sqlcounter.conf:
sqlcounter noresetbytescounter {
            counter-name = Max-Total-Octets
            check-name = Max-Total-Octets
            reply-name = HotSpot-Max-Total-Octets
            sqlmod-inst = sql
            key = User-Name
            reset = never
            query = "SELECT SUM(AcctInputOctets)+SUM(AcctOutputOctets) FROM radacct WHERE UserName='%{%k}'"
}

Greetings
Pawel
| Threaded
Open this post in threaded view
|

Re: customize Post-Auth-Type REJECT

EasyHorpak.com
pawel_221 wrote:
I'm trying to change user speed to lower when he reach transfer limit.
Currently after reaching transfer limit NAS is disconnecting user and when
he's trying to connect he is rejected. In debug log I can see:

rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user user01, check_item=50000000, counter=50062959
++[noresetbytescounter] returns reject

Could you help me with Post-Auth-Type REJECT? How can I read the
control:counters in Post-Auth? I couldn't find an answer on forum... What
should I write instead "if (%{control:counter} > %{control:check_item} ) {"
in my config?

Post-Auth-Type REJECT {
	    if (%{control:counter} > %{control:check_item} ) {
	        update reply {
		      Reply-Message := "You have reached your transfer limit. Limited
bandwitch"
		}
                update control {
                                Auth-Type := "Accept"
                                WISPr-Bandwidth-Max-Down = 1048576
	                        WISPr-Bandwidth-Max-Up = 262144
                        }
}

My sqlcounter.conf:
sqlcounter noresetbytescounter {
            counter-name = Max-Total-Octets
            check-name = Max-Total-Octets
	    reply-name = HotSpot-Max-Total-Octets
            sqlmod-inst = sql 
            key = User-Name 
            reset = never 
            query = "SELECT SUM(AcctInputOctets)+SUM(AcctOutputOctets) FROM
radacct WHERE UserName='%{%k}'" 
} 

Greetings
Pawel
  
you can not do that after  Post-Auth-Type REJECT

you must do after 
noresetbytescounter

read on my arti http://www.easyzonecorp.net/network/view.php?ID=1042

Freeradius unlang accept after chap reject.


and then apply it.

i know you can !!




--
http://www.EasyHorpak.com - แหล่งค้นหาหอพัก,อพาร์ทเมนท์,แมนชั่น,คอนโด,โรงแรม
http://www.EasyZoneCorp.net - ซอฟแวร์จัดการ internet คุณภาพสูง Hotpsot และ PPPoE ,Anti NetCut, Mac spoof
http://www.thai-school.net - เว็บไซต์โรงเรียน,ศิษย์เก่า สำเร็จรูป
EasyZone SuperLink - แลกหมื่นลิ้งคืในคลิ๊กเดียว

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: customize Post-Auth-Type REJECT

pawel_221
easyzonecorp.net wrote
you can not do that after  Post-Auth-Type REJECT

you must do after 
noresetbytescounter

read on my arti http://www.easyzonecorp.net/network/view.php?ID=1042 

Freeradius unlang accept after chap reject.


and then apply it.

i know you can !!
Thx for advice. It almost helped:) I've rewrited my config to:

        noresetbytescounter {
            reject = 1
        }
        if (reject) {
                update reply {
                        Reply-Message := "You have reached your transfer limit. Limited bandwitch"
            }
                update control {
                        Auth-Type := "Accept"
                        WISPr-Bandwidth-Max-Down = 131072
                        WISPr-Bandwidth-Max-Up = 131072
            }
        }

And it works - when user reach transfer limit he gets correct reply message, but he is rejeceted anyway. It looks like "update control" doesn't work.

Sending Access-Request of id 142 to xxx.xxx.xxx.xxx port 1812
        User-Name = "user01"
        User-Password = "user01"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 10
rad_recv: Access-Reject packet from host xxx.xxx.xxx.xxx port 1812, id=142, length=119
        Acct-Interim-Interval = 60
        Idle-Timeout = 60
        WISPr-Bandwidth-Max-Down = 1048576
        WISPr-Bandwidth-Max-Up = 262144
        Session-Timeout = 360
        Reply-Message = "You have reached your transfer limit. Limited bandwitch"

Where should I look now?
| Threaded
Open this post in threaded view
|

Re: customize Post-Auth-Type REJECT

Alan DeKok-2
pawel_221 wrote:
> And it works - when user reach transfer limit he gets correct reply message,
> but he is rejeceted anyway. It looks like "update control" doesn't work.

  You need to change the "reject" return code.  Do this by adding an
"ok" to the config:


        if (reject) {
                ok # over-ride "reject"

                update reply {
                        Reply-Message := "You have reached your transfer
limit. Limited bandwitch"
            }
                update control {
                        Auth-Type := "Accept"
                        WISPr-Bandwidth-Max-Down = 131072
                        WISPr-Bandwidth-Max-Up = 131072
            }
        }


  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: customize Post-Auth-Type REJECT

pawel_221

Alan DeKok-2 wrote
pawel_221 wrote:
> And it works - when user reach transfer limit he gets correct reply message,
> but he is rejeceted anyway. It looks like "update control" doesn't work.

  You need to change the "reject" return code.  Do this by adding an
"ok" to the config:


        if (reject) {
                ok # over-ride "reject"

                update reply {
                        Reply-Message := "You have reached your transfer
limit. Limited bandwitch"
            }
                update control {
                        Auth-Type := "Accept"
                        WISPr-Bandwidth-Max-Down = 131072
                        WISPr-Bandwidth-Max-Up = 131072
            }
        }


  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
It helped - user has "rad_recv: Access-Accept packet" but does'nt change Bandwidth. User still have bandwitch which is assigned to his group.
I've tried to rewrite my config and move "update control" to post-auth section. I check in post-auth secion:
            if ( "%{reply:Reply-Message}" == "LIMITED" ) {
                update reply {
                Reply-Message := "You have reached your transfer limit. Limited bandwidth"
                }
                update control {
                        Auth-Type := "Accept"
                        WISPr-Bandwidth-Max-Down = 131072
                        WISPr-Bandwidth-Max-Up = 131072
            }
        }

but it also doesn't change bandwitch. It still sends:
        WISPr-Bandwidth-Max-Down = 1048576
        WISPr-Bandwidth-Max-Up = 262144
But it change of course Reply-Message from "LIMITED" to "You have reached your transfer limit. Limited bandwidth".

I debug mode I can see:

++? if ("%{reply:Reply-Message}" == "LIMITED" ) -> TRUE
++- entering if ("%{reply:Reply-Message}" == "LIMITED" ) {...}
+++[reply] returns ok
+++[control] returns ok
++- if ("%{reply:Reply-Message}" == "LIMITED" ) returns ok
Sending Access-Accept of id 151 to xxx.xxx.xxx.xxx port 59621
        Acct-Interim-Interval = 60
        Idle-Timeout = 60
        WISPr-Bandwidth-Max-Down = 1048576
        WISPr-Bandwidth-Max-Up = 262144
        Session-Timeout = 360
        Reply-Message = "You have reached your transfer limit. Limited bandwitch"
| Threaded
Open this post in threaded view
|

Re: customize Post-Auth-Type REJECT

Alan DeKok-2
pawel_221 wrote:
> It helped - user has "rad_recv: Access-Accept packet" but does'nt change
> Bandwidth. User still have bandwitch which is assigned to his group.

  See "man unlang".  You are putting the bandwidth in the "control"
list, not the "reply" list.

  Go fix that.

  And read "man unlang" for how the operators work.  You probably want
":=" here.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: customize Post-Auth-Type REJECT

pawel_221

Alan DeKok-2 wrote
pawel_221 wrote:
> It helped - user has "rad_recv: Access-Accept packet" but does'nt change
> Bandwidth. User still have bandwitch which is assigned to his group.

  See "man unlang".  You are putting the bandwidth in the "control"
list, not the "reply" list.

  Go fix that.

  And read "man unlang" for how the operators work.  You probably want
":=" here.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thx a lot :) Now it works perfectly :)
greetings
| Threaded
Open this post in threaded view
|

Re: customize Post-Auth-Type REJECT

EasyHorpak.com
pawel_221 wrote:

Alan DeKok-2 wrote:
  
pawel_221 wrote:
    
It helped - user has "rad_recv: Access-Accept packet" but does'nt change
Bandwidth. User still have bandwitch which is assigned to his group. 
      
  See "man unlang".  You are putting the bandwidth in the "control"
list, not the "reply" list.

  Go fix that.

  And read "man unlang" for how the operators work.  You probably want
":=" here.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


    

Thx a lot :) Now it works perfectly :)
greetings
  
add [RESOVLED] to your mail subject.

Please.

--
http://www.EasyHorpak.com - แหล่งค้นหาหอพัก,อพาร์ทเมนท์,แมนชั่น,คอนโด,โรงแรม
http://www.EasyZoneCorp.net - ซอฟแวร์จัดการ internet คุณภาพสูง Hotpsot และ PPPoE ,Anti NetCut, Mac spoof
http://www.thai-school.net - เว็บไซต์โรงเรียน,ศิษย์เก่า สำเร็จรูป
EasyZone SuperLink - แลกหมื่นลิ้งคืในคลิ๊กเดียว

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

[RESOVLED] Re: customize Post-Auth-Type REJECT

pawel_221
easyzonecorp.net wrote
add [RESOVLED] to your mail subject.

Please.
| Threaded
Open this post in threaded view
|

Re: [RESOVLED] Re: customize Post-Auth-Type REJECT

jaydorado
Newbie here.. I badly need help!!  This is exactly what I want to achieve.  But it isn't clear to me as to where to place those configurations. Should it be in the authorize section?? or in the sqlcounter module?

Could someone post their configurations please..

Thanks so much in advance..

Regards,

Jay
| Threaded
Open this post in threaded view
|

Re: [RESOVLED] Re: customize Post-Auth-Type REJECT

jaydorado
Never mind.  was able to figure out myself..
| Threaded
Open this post in threaded view
|

Re: [RESOVLED] Re: customize Post-Auth-Type REJECT

bishalpun
This post has NOT been accepted by the mailing list yet.
Hi,
 I am trying to do the same things but I am not able to success. I am getting rejected after user Max-Total-Octets is reached. below is my config file in /etc/freeradius/site-enable/default

authorize {
..
       Auth-Type LDAP {
                ldap
        }

        #
        #  Allow EAP authentication.
        #eap
}
        noresetbytescounter{
        reject = 1
        }
          if(reject) {
               update reply {
               Reply-Message := "You have reached your data volume limit. Connecting with Limited Bandwidth."
               Filter-Id := "64/64"
               }
                update control {
                Auth-Type := "Accept"
                }
        ok
          }

| Threaded
Open this post in threaded view
|

Re: [RESOVLED] Re: customize Post-Auth-Type REJECT

bishalpun
Hi,
 I am trying to do the same things but I am not able to success. I am getting rejected after user Max-Total-Octets is reached. below is my config file in /etc/freeradius/site-enable/default

authorize {
..
       Auth-Type LDAP {
                ldap
        }

        #
        #  Allow EAP authentication.
        #eap
}
        noresetbytescounter{
        reject = 1
        }
          if(reject) {
               update reply {
               Reply-Message := "You have reached your data volume limit. Connecting with Limited Bandwidth."
               Filter-Id := "64/64"
               }
                update control {
                Auth-Type := "Accept"
                }
        ok
          }