freeradius + mikrotik hotspot -> limiting access

candeller · October 18, 2009, 10:28pm

Hello.

I have managed to get a successful freeradius installation and integrated it with mikrotik's hotspot service backed up with MySQL for storing accounts and passwords.

With these simple values in the radcheck table, a user can connect (Gets assigned a dynamic IP address) and stay online for an infinite amount of time:

RADCHECK:
+----+----------+-----------------+----+------------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------------+----+------------+
| 1 | user | Password | == | mypass3 |
+----+----------+-----------------+----+------------+

What I would like is to limit a user's access based on session time, i.e.

User logs in, has 2 hours of online time to use. Then once the user reaches the 2 hour limit he gets logged off from the hotspot service and cant log in back again.

I followed these steps located here: http://wiki.freeradius.org/Rlm_sqlcounter

and added a new entry to the Radcheck table:

+----+----------+-----------------+----+------------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------------+----+------------+
| 1 | user | Password | == | mypass3 |
| 2 | user | Max-All-Session | := | 120 | #120 seconds for testing purposes
+----+----------+-----------------+----+------------+

Unfortunately this has no effect.

I am wondering if someone could give me some tips on what kind of attributes need to be passed to the freeradius table entries in order to get it working.

The subject is quite broad and I am having a hard time reaching my goal. Not knowing freeradius and mikrotik much does not help me neither.

I would appreciate any help. Thank you!

fewi · October 19, 2009, 2:26am

You want to pass on the Session-Timeout attribute, which takes an integer value for the number of seconds after which the user session is terminated.

http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_radius.php lists the attributes you can send back to the router - paired with Google (or, if you like paper, O’Reilly’s outstanding RADIUS book http://oreilly.com/catalog/9780596003227) that should pretty much cover you.

candeller · October 19, 2009, 6:31am

Thanks for your answer Fewi,

I had actually tried the Session-timeout attribute before in the RADREPLY table. Indeed it sets the session time for the user, but when the session times out, the user automatically connects back again and is given a ‘new session’.

The trick must lie somewhere within the sqlcounter. Perhaps the Session-timeout attribute needs to be paired somehow with sqlcounter, but I got no clue : (

savage · October 19, 2009, 9:04am

You need to ammend your Radius Configuration files, and actually -configure- the rlm_sqlcounter module to work before just slapping the attributes in SQL.

Read the documentation and example configurations provided by FreeRadius.