List of attributes for USER

Hi,

I'm looking for a complete listing of attributes a user (i.e. in the file users or DB) can have.
Some, like Cleartext-Password, are listed in users, but there are many more. Can anyone
point me to such a list?

Even more in detail, what I’m looking for is the attribute to set the max online time and traffic
volume.

Any pointers are welcome, search didn’t bring up any helpful results.

Thanx, Matthias

Are you talking about RADIUS attributes to send back?

http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_radius.php

Thanx. That is a good portion of it, but in the users file I still find options that aren't in that list, i.e. "Reply-Message", "Callback-Number" and others. Where to find those?

I’m not sure I understand the question, but the list I posted is the definitive list of RADIUS attributes supported by RouterOS. Anything else sent between the RADIUS server and RouterOS will be ignored. RADIUS is used for lots of things, and not all attributes that exist in the total of dictionaries available apply to all situations.

Maybe I'm wrong, but let's take the following two cases:

  1. Similar as in the users file, what attribute does it need in the radreply table to send a text back, similar to the example in the users file:

        lameuser Auth-Type := Reject
                 Reply-Message = "Your account has been disabled."

  2. What to reply to the request to dictate “max. uptime 1h”? The “WISPr-Session-Terminate-Time” expects a fixed timestamp.

Thanx for any advice or pointer,
Matthias

You need to do that on radius side, mikrotik has nothing to do with that. Look at freeradius documentation, search for counter module.

I guess you want to point out that this isn’t a freeradius forum, am I right?

Of course it isn't, but I expected that many users here use freeradius too. Seems that I'm partly wrong (if I count the answers).

br Matthias

What are you talking about? If you'd read my post carefully you would see that I told you what exact feature to search for in the radius setup. But, I guess it is a lot easier to feel sorry for yourself and try to gain some sympathy that way? Or do you expect me to search for it? Ok, here it is:

counter module:

This module takes an attribute (count-attribute). It also takes a key, and creates a counter for each unique key. The count is incremented when accounting packets are received by the server. The value of the increment depends on the attribute type. If the attribute is Acct-Session-Time or of an integer type we add the value of the attribute. If it is anything else we increase the counter by one.

The 'reset' parameter defines when the counters are all reset to zero. It can be hourly, daily, weekly, monthly or never.

    hourly:  Reset on 00:00 of every hour
    daily:   Reset on 00:00:00 every day
    weekly:  Reset on 00:00:00 on sunday
    monthly: Reset on 00:00:00 of the first day of each month

It can also be user defined. It should be of the form num[hdwm] where h: hours, d: days, w: weeks, m: months. If the letter is omitted days will be assumed. In example:

    reset = 10h (reset every 10 hours)
    reset = 12  (reset every 12 days)

The check-name attribute defines an attribute which will be registered by the counter module and can be used to set the maximum allowed value for the counter after which the user is rejected. Something like:

    DEFAULT Max-Daily-Session := 36000
            Fall-Through = 1

You should add the counter module in the instantiate section so that it registers check-name before the files module reads the users file.

If check-name is set and the user is to be rejected then we send back a Reply-Message and we log a Failure-Message in the radius.log.

If the count attribute is Acct-Session-Time then on each login we send back the remaining online time as a Session-Timeout attribute.

The counter-name can also be used instead of using the check-name, like below:

    DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
            Reply-Message = "You've used up more than one hour today"

The allowed-servicetype attribute can be used to only take into account specific sessions. For example if a user first logs in through a login menu and then selects ppp there will be two sessions. One for Login-User and one for Framed-User service type. We only need to take into account the second one.

The module should be added in the instantiate, authorize and accounting sections. Make sure that in the authorize section it comes after any module which sets the 'check-name' attribute.

    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }

sqlcounter module:

This module is an SQL enabled version of the counter module. Rather than maintaining separate (GDBM) databases of accounting info for each counter, this module uses the data stored in the radacct table by the sql modules. This module NEVER does any database INSERTs or UPDATEs. It is totally dependent on the SQL module to process Accounting packets.

The 'sqlmod_inst' parameter holds the instance of the sql module to use when querying the SQL database. Normally it is just "sql". If you define more than one SQL module instance (usually for failover situations), you can specify which module has access to the Accounting Data (radacct table).

The 'reset' parameter defines when the counters are all reset to zero. It can be hourly, daily, weekly, monthly or never. It can also be user defined. It should be of the form num[hdwm] where h: hours, d: days, w: weeks, m: months. If the letter is omitted days will be assumed. In example:

    reset = 10h (reset every 10 hours)
    reset = 12  (reset every 12 days)

The 'key' parameter specifies the unique identifier for the counter records (usually 'User-Name').

The 'query' parameter specifies the SQL query used to get the current Counter value from the database. There are 3 parameters that can be used in the query:

    %k  'key' parameter
    %b  unix time value of beginning of reset period
    %e  unix time value of end of reset period

The 'check-name' parameter is the name of the 'check' attribute to use to access the counter in the 'users' file or SQL radcheck or radcheckgroup tables.

    DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
            Reply-Message = "You've used up more than one hour today"

Should I also read it for you?
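The 'reset' rules quoted in the post above (hourly, daily, weekly, monthly, never, or num[hdwm]) are what decide which unix times %b and %e stand for in the sqlcounter query. The following is an added example, not FreeRADIUS code and not part of the original thread: a Python model that parses a reset spec and computes the start and end of the period containing a given time. Multi-unit periods (10h, 12) are assumed here to start at the most recent unit boundary; that alignment is an assumption of this model, not a statement about the module's own arithmetic.

```python
from datetime import datetime, timedelta

# Added example, not FreeRADIUS source: models the counter modules' 'reset'
# parameter and derives the period bounds (%b = begin, %e = end) for a time.
# Assumption: a period of N units starts at the most recent unit boundary.

SAMPLE_NOW = datetime(2009, 10, 30, 23, 2, 43)   # the timestamp in the thread's log

def parse_reset(spec):
    """Return (unit, count); unit is one of 'h', 'd', 'w', 'm', 'never'."""
    spec = spec.strip().lower()
    named = {"hourly": ("h", 1), "daily": ("d", 1), "weekly": ("w", 1),
             "monthly": ("m", 1), "never": ("never", 0)}
    if spec in named:
        return named[spec]
    unit = "d"                                   # letter omitted: days are assumed
    if spec and spec[-1] in "hdwm":
        unit, spec = spec[-1], spec[:-1]
    if not spec.isdigit() or int(spec) == 0:
        raise ValueError("reset must be hourly|daily|weekly|monthly|never|num[hdwm]")
    return unit, int(spec)

def _add_months(dt, n):
    """Calendar-safe month addition (dt is always the 1st of a month here)."""
    month0 = dt.month - 1 + n
    return dt.replace(year=dt.year + month0 // 12, month=month0 % 12 + 1)

def reset_period(spec, now):
    """(begin, end) of the reset period containing `now`, as naive local datetimes.
    For 'never' there is no end, so end is None. Convert with time.mktime to get
    the unix values the module substitutes for %b and %e."""
    unit, n = parse_reset(spec)
    if unit == "never":
        return datetime(1970, 1, 1), None
    if unit == "h":
        begin = now.replace(minute=0, second=0, microsecond=0)   # 00:00 of the hour
        return begin, begin + timedelta(hours=n)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return midnight, midnight + timedelta(days=n)
    if unit == "w":
        # weekday(): Monday=0 .. Sunday=6; the week starts on the previous Sunday
        begin = midnight - timedelta(days=(now.weekday() + 1) % 7)
        return begin, begin + timedelta(weeks=n)
    begin = midnight.replace(day=1)                               # first day of month
    return begin, _add_months(begin, n)

if __name__ == "__main__":
    for spec in ("hourly", "daily", "weekly", "monthly", "10h", "12", "never"):
        begin, end = reset_period(spec, SAMPLE_NOW)
        print(f"reset = {spec:<8} %b = {begin}  %e = {end}")
```

For the daily reset used later in the thread the model gives a period starting at local midnight of 30 Oct 2009, which is exactly the %b value (1256857200, i.e. 00:00 CET) that appears expanded in the debug output further down.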

I know the counter section of the freeradius documentation, but you may (or may not) accept that there is sometimes a little gap between an abstract description and a practical and working solution.

Even though I cannot avoid saying thank you (I learned it at school), I will not continue on the same level.

Thanx for helping, cool man.

br Matthias

This is why I hate this kind of conversation. Maybe you didn't mean to sound like you sounded to me. But, I felt like I was accused of being rude and telling you "go away". Maybe you didn't mean that, maybe you did. I don't know. You should have been more precise in what you want. I am sorry if this was a misunderstanding, but, I sure did want to help. Sorry for my bad grammar, English is not my native language.

You can find examples here: http://wiki.freeradius.org/Rlm_sqlcounter

It's not important if you are using Mikrotik as your NAS or Cisco or Juniper etc. This is why I told you that you have to do it on the freeradius side. Because the feature is not tied to any particular NAS. Freeradius will use a counter to remember how many seconds the user was online during one day. For every connection radius will send the Session-Timeout attribute to, in your case, Mikrotik. After receiving the Session-Timeout attribute Mikrotik will start counting backwards from the Session-Timeout value to zero. When the counter reaches zero Mikrotik will disconnect the user. In case the user disconnects himself before the counter reaches zero freeradius will remember how many seconds the user has left. Next time the user connects radius will use that value as the starting point.
Again, sorry for my bad English. It would be prettier to read otherwise and maybe more understandable. :)

What you def. did and do. Thanx.

Thanx for that detailed explanation. You hit the point I still couldn’t figure out until now: The parameter to be set in radreply to set the users session-timeout. With your pointers I found that Session-Timeout is the parameter I looked for.

The only thing left is:

Actually I did set a fixed value in radcheck: INSERT INTO radreply (username,attribute,op,value) VALUES ('matt','Session-Timeout','=','600');
Could you give me a hint how I replace the 600 with the query result of these sql_counters? I still miss how to get the link.

Yea, yea, now YOU excuse for something that doesn't need any excuse. :)

Huh, you got it wrong again, but at least your question was precise this time :)

counter daily {
    filename = ${raddbdir}/db.daily
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = daily
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    allowed-servicetype = Framed-User
    cache-size = 5000
}

at the end of the authorize, accounting and instantiate sections add

authorize {
    ...
    daily
}

instantiate {
    ...
    daily
}

accounting {
    ...
    daily
}

in your database, in the radcheck table insert this (column order of the stock radcheck table is username, attribute, op, value; id is auto-generated):

INSERT INTO radcheck (username, attribute, op, value) VALUES ('username', 'Max-Daily-Session', ':=', '10800');

Restart freeradius and off you go…
Now look at the bolded text, do you see the pattern?

your "daily" module will count Acct-Session-Time values and check those values against Max-Daily-Session. The counter will use "username" as the key for counting, so it can only have one value for each user. The value is reset every day. The Max-Daily-Session value is something the module should check, so it resides in the radcheck table (obviously, the table name is radcheck). We've inserted username and Max-Daily-Session, key and check value. Counters will be saved in the db.daily file. The counter will also pay attention to the type of service, in this case Framed-User. So, in case you have some other data in your database, or for example you are billing telnet sessions also, telnet sessions will not be affected by the counter, because of the different type of service.

Your user will be allowed to be connected 10800 seconds per day in total, no matter how many times connected.
Freeradius will take care of the session timeout value, not you, otherwise it wouldn't make any sense.

So you see, also a 42-year-young guy can develop…

I do. The missing part was that the link between the result of the SQL query and the radcheck table is the check-name of the counter.

As I need to care that the user doesn’t use more than the ordered time, I guess I have to use reset=never, but that’s it. Will give it a try.

Thanx, for your help.

Br, Matthias

You need to limit user monthly? Or you are selling internet time and user has no time limit to spend it?
Maybe you don’t need this, it depends on what you exactly want to accomplish…

All options are possible. Of course it is more realistic to restrict the time the voucher is valid, not that it runs endlessly. In most cases I will run it with "month".

As I understood your example, the user is able to connect the next day again. That is not what is wanted in the actual concept. After an account has run out, it would not be used anymore; that is what I think I achieve with reset = never.

What I also wonder about with the sample conf you gave is that it looks very much as if it were made for not using a database, but I will find that out.

Thanx, Matthias

Results:

The following is in radcheck:

"id","username","attribute","op","value"
3,"matthias","Cleartext-Password",":=","pwd"
7,"matthias","Max-Daily-Session",":=","3600"

When I try to login with this user the radius gives the following debug:

rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "matthias" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject

When I remove 7,"matthias","Max-Daily-Session",":=","3600" without any password change, login works again.

In every section (authorize, instantiate, accounting) is the daily counter at the end? It looks like you have the daily counter before the chap, pap etc. modules?

Did it again from scratch…

In instantiate it needs to be only if it isn't loaded anywhere else, so I removed it there; in accounting it isn't accepted, with an error message that sql_counters do not support this. So it is available in authorize.

Finally I have:

sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = "SELECT SUM(acctsessiontime) FROM radacct WHERE username = '%{%k}' AND acctstarttime > FROM_UNIXTIME('%b')"
}



Fri Oct 30 23:02:43 2009 : Info: [dailycounter] expand: %{sql:SELECT SUM(acctsessiontime) FROM radacct WHERE username = 'matthias' AND acctstarttime > FROM_UNIXTIME('1256857200')} -> 549
Fri Oct 30 23:02:43 2009 : Debug: rlm_sqlcounter: Check item is greater than query result
Fri Oct 30 23:02:43 2009 : Debug: rlm_sqlcounter: Authorized user matthias, check_item=3600, counter=549
Fri Oct 30 23:02:43 2009 : Debug: rlm_sqlcounter: Sent Reply-Item for user matthias, Type=Session-Timeout, value=3051

That looks fantastic so far. Further down the debug it shows:

Sending Access-Accept of id 109 to 192.168.178.222 port 49852
        Session-Timeout = 3051

and WinBox shows an active radius user with the correct time.

So I have no idea what I did differently this time, but it works. Thank you very much (let's look for the next question…)

br Matthias
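The explanation earlier in the thread (the counter sums Acct-Session-Time per user and day, compares it with Max-Daily-Session from radcheck, and replies with the remaining seconds as Session-Timeout) and the working sqlcounter configuration and debug output just above describe one decision procedure. The following is an added example, not FreeRADIUS code and not from the thread: a small Python model of that authorize-time decision, run against a constructed radacct table in SQLite. It uses the %b value from the debug output above as the period start and stores acctstarttime as a unix time, since SQLite has no FROM_UNIXTIME. It also includes, for comparison, the boundary-aware form of the query that FreeRADIUS ships in its stock sqlcounter.conf, which clips sessions that started before %b instead of ignoring them.

```python
import sqlite3

# Added example, not FreeRADIUS code: models rlm_sqlcounter's authorize
# decision over a constructed radacct table. Constants come from the thread's
# debug output (check_item=3600, counter=549, Session-Timeout=3051).

PERIOD_BEGIN = 1256857200      # %b from the log: local midnight, 30 Oct 2009
USERNAME = "matthias"
CHECK_ITEM = 3600              # radcheck: Max-Daily-Session := 3600

# Constructed accounting rows: (username, acctstarttime, acctsessiontime)
RADACCT_ROWS = [
    (USERNAME, PERIOD_BEGIN + 3600, 549),    # today's session, as in the log
    (USERNAME, PERIOD_BEGIN - 7200, 1800),   # yesterday, entirely before %b
    (USERNAME, PERIOD_BEGIN - 600, 1200),    # straddles midnight: 600 s fall in today
    ("someone", PERIOD_BEGIN + 100, 5000),   # another user, never counted
]

def make_radacct(rows=RADACCT_ROWS):
    """In-memory radacct with only the columns the queries touch."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime INTEGER, "
               "acctsessiontime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return db

def counter_started_after(db, username, begin):
    """The thread's query: sum only sessions that started after %b."""
    (total,) = db.execute(
        "SELECT SUM(acctsessiontime) FROM radacct "
        "WHERE username = ? AND acctstarttime > ?", (username, begin)).fetchone()
    return total or 0

def counter_boundary_aware(db, username, begin):
    """Form of the stock sqlcounter.conf query (GREATEST is MAX in SQLite):
    a session that began before %b contributes only the part after %b."""
    (total,) = db.execute(
        "SELECT SUM(acctsessiontime - MAX(? - acctstarttime, 0)) FROM radacct "
        "WHERE username = ? AND acctstarttime + acctsessiontime > ?",
        (begin, username, begin)).fetchone()
    return total or 0

def authorize(db, username, check_item, begin, counter_fn=counter_started_after):
    """Mimic the module: noop when the check item is absent, reject once the
    counter has reached it, otherwise reply with the remaining seconds."""
    if check_item is None:
        return "noop", None             # "Could not find Check item value pair"
    counter = counter_fn(db, username, begin)
    if counter >= check_item:
        return "reject", None
    return "accept", {"Session-Timeout": check_item - counter}

if __name__ == "__main__":
    db = make_radacct()
    print("thread's query:  ", authorize(db, USERNAME, CHECK_ITEM, PERIOD_BEGIN))
    print("boundary-aware:  ", authorize(db, USERNAME, CHECK_ITEM, PERIOD_BEGIN,
                                         counter_boundary_aware))
```

With the thread's query the model reproduces the logged result (counter 549, Session-Timeout 3051). The boundary-aware variant also charges the 600 seconds of the session that ran past midnight, giving 1149 used and 2451 remaining; with `acctstarttime > FROM_UNIXTIME('%b')` alone, time spent in a session that started before the reset boundary is never counted against the day it spills into.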

Good, I am glad you got it working :) Good luck with your service :)

br