Hello,
I'm using UTM5 3.0 build version 11994
We are a WISP, and we are using the mikrotik hotspot to authorize clients.
The problem is that after an unexpected shutdown, or after something else I haven't understood yet, clients cannot log in by https. It gives a bad username and password error.
In the user's sessions it shows that the session is updated.
Below is the configuration on the mikrotik side.
name="hsprof1" hotspot-address=172.16.0.1 dns-name="hotspot.example.com"
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0
smtp-server=0.0.0.0 login-by=cookie,https http-cookie-lifetime=1d
ssl-certificate=ExCrt split-user-domain=no use-radius=yes
radius-accounting=yes radius-interim-update=10m
nas-port-type=wireless-802.11 radius-default-domain=""
radius-location-id="" radius-location-name=""
radius-mac-format=XX:XX:XX:XX:XX:XX
And the configuration on the utm side (radius5.cfg):
#
## /netup/utm5/radius5.cfg
## UTM5 RADIUS server configuration file
##
## =============================================================================
## MAIN RADIUS SERVER PARAMETERS
## =============================================================================
## core_host
## Description: IP address of a host running the utm5_core
## Possible values: an IP address
## Required field.
core_host=127.0.0.1
## core_port
## Description: UTM5 core listening port. Equal to stream_bind_port parameter
## in utm5.cfg.
## Possible values: an integer from 1 to 65534
## Required field.
core_port=12758
## radius_login
## Description: A system user login to access the UTM5 core.
## Possible values: <string>
## Default value: radius
radius_login=XXXXXXXXXXX
## radius_password
## Description: A system user password to access the UTM5 core.
## Possible values: <string>
## Default value: radius
radius_password=XXXXXXXXXXXXXXX
## radius_ssl_type
## Description: SSL connection type. If 'none' is set, the connection
## is unencrypted.
## Possible values: tls1, ssl3, none
## Default value: none
#radius_ssl_type=none
## radius_acct_host
## Description: IP address of the host receiving Accounting-Requests.
## Possible values: interface IP address or 0.0.0.0
## Default value: 0.0.0.0
## radius_acct_port
## Description: Port of the host receiving Accounting-Requests.
## Possible values: an integer from 1 to 65534
## Default value: 1813
## radius_auth_host
## Description: IP address of the host receiving Access-Requests.
## Possible values: interface IP address or 0.0.0.0
## Default value: 0.0.0.0
## radius_auth_port
## Description: Port of the host receiving Access-Requests.
## Possible values: an integer from 1 to 65534
## Default value: 1812
## radius_auth_mppe
## Description: Enables MPPE 128 bit key generation used for authorization
## via MS-CHAP-v2 protocol.
## Possible values: enable
## Default value: the keys are not generated
radius_auth_mppe=enable
## radius_auth_vap
## Description: If the value is set, authorization of blocked users, whose
## logins are set in IP traffic service link, is disallowed.
## Possible values: 1
## Default value: authorization is allowed
## radius_ippool_acct_timeout
## Description: A time interval during which the IP address is labeled as
## occupied after sending Access-Accept.
## Possible values: time in seconds
## Default value: 30
## radius_ippool_timeout
## Description: A time interval during which the IP address is labeled as
## occupied after receiving Accounting-Start.
## Possible values: time in seconds
## Default value: The address is labeled as occupied until coming of the
## Stop packet
## radius_auth_null
## Description: If enabled, the RADIUS server authorizes requests without
## User-Password(2) attribute, if the user's password, defined in the
## service link, is empty.
## Possible values: yes, enable
## Default value: authorization without a password is not performed
#radius_auth_null=yes
## radius_auth_h323_remote_address
## Description: If enabled, then telephone calls authentication is performed
## using h323-remote-address(9;23) attribute value, but not using
## User-Name(1) attribute. The attribute value is used as a login.
## Possible values: enable, on, yes
## Default value: replacement of login with h323-remote-address is not
## performed
## radius_nas_port_vpn
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the IP traffic service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: Checking against NAS-Port-Type for the IP traffic service
## link is not performed
## radius_nas_port_dialup
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the Dial-up service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: checking against NAS-Port-Type for the Dial-up service link
## is not performed
## radius_card_autoadd
## Description: If 'yes' is set, the automatic registration of users is
## enabled via the RADIUS server using prepaid cards. In this case in the
## Login field a user enters the card number and in the Password field - the
## PIN code. In case of the Telephony service, in the Login field it is
## entered the PIN code or its first part and the remainder is used as a
## password.
## Possible values: yes, on, enable
## Default value: automatic registration is not performed
#radius_card_autoadd=no
## send_xpgk_ep_number
## Description: If this option is enabled, for the Telephony service, when a
## user is being authorized, in Access-Accept it is transmitted the
## Cisco-AVPair(9;1) attribute with the value:
## xpgk-ep-number=<a semicolon separated list of telephone numbers>.
## Possible values: <any>
## Default value: telephone numbers are not transmitted in affirmative replies
## to authorization requests
## send_h323_ivr_in
## Description: If this option is enabled, for the Telephony service, when a
## user is being authorized, in Access-Accept it is transmitted the
## Cisco-AVPair(9;1) attribute with the value: h323-ivr-in=terminal-alias:
## <a semicolon separated list of telephone numbers>.
## Possible values: <any>
## Default value: telephone numbers are not transmitted in affirmative replies
## to authorization requests
## enable_fast_telephony
## Description: This option enables the rapid mechanism for determination of
## directions and zones when rating telephone calls. In this case templates
## for telephone directions must contain the digits from 0 to 9 and the
## symbols: ^ $ + )( |.
## Possible values: enable, yes
## Default value: the default mechanism for determination of zone/direction
## is used
## h323_origin_reject
## Description: Sets zero cost for Accounting-Requests in which the
## h323-call-origin(9;26) attribute equals the value of this parameter.
## Possible values: <string>
## Default value: unset
#h323_origin_reject=originate {answer|callback|etc}
## interim_update_interval
## Description: Enables session control mechanism using Interim-Update
## packets. The value is transmitted in the Acct-Interim-Interval(85)
## attribute of the Access-Accept packet.
## Possible values: time in seconds, more than 61
## Default value: the default session closure control mechanism is used
interim_update_interval=600
## radius_default_session_timeout
## Description: A value of the Session-Timeout(27) attribute transmitted in
## Access-Accept for the IP traffic service link.
## Possible values: a positive integer
## Default value: 86400
## radius_callback_avpair_enable
## Description: Enables transmission of the Cisco-AVPair(9;1) attribute with
## the value lcp:callback-dialstring=<callback number>, where
## <callback number> is the part of the login from the beginning to the
## ':'-symbol.
## Possible values: <any>
## Default value: unset
## radius_acct_rewrite_login_answer
## Description: If the value of the h323-call-origin(9;26) attribute is
## 'originate', then setting this parameter enables replacing of the login
## with the value of the h323-remote-address(9;23) attribute when processing
## Accounting-Request packets.
## Possible values: enable, on, true
## Default value: unset
## radius_acct_rewrite_login_originate
## Description: If the value of the h323-call-origin(9;26) attribute is
## 'answer', then setting this parameter enables replacing of the login with
## the value of the h323-remote-address(9;23) attribute when processing
## Accounting-Request packets.
## Possible values: enable, on, true
## Default value: unset
The problem is solved only when I restart the utm5_radius service.
As you can see from the debug log file, "Dialup session limit:1 session count:1 for user:XXXXXX": the session limit is 1, and when the client wants to connect again
it gives him an error.
?Debug : Dec 13 12:53:06 b730eb70 AuthServer: User <XXXXXX> connecting
?Debug : Dec 13 12:53:06 b730eb70 AuthServer: Session for sessionid <XXXXXX> not found in <192.168.4.111> cache
?Debug : Dec 13 12:53:06 b730eb70 RADIUS DBA: Info for login <z0000XXX> found. type <2>
?Debug : Dec 13 12:53:06 b730eb70 RADIUS DBA: login_store iter->second.dialup.session_count:0
?Debug : Dec 13 12:53:06 b730eb70 AuthServer: Auth scheme: PAP
?Debug : Dec 13 12:53:06 b730eb70 AuthServer: PAP: <XXXXXX> vs <XXXXXX>
?Debug : Dec 13 12:53:06 b730eb70 AuthServer: PAP: Authorized user <XXXXXX>
?Debug : Dec 13 12:53:06 b730eb70 AuthServer: Dialup session limit:1 session count:1 for user:XXXXXX
?Debug : Dec 13 12:53:06 b730eb70 AuthServer: Session limit exceeded for user XXXXXX
?Debug : Dec 13 12:53:06 b730eb70 AuthServer: Calling fill radius attributes for NAS. Attr storage size <1>
?Debug : Dec 13 12:53:06 b730eb70 AuthServer: fill_radius_data Vendor:<0> Attr:<88> String val:<OxPublic> Size:<8> Result:<0>
?Debug : Dec 13 12:53:06 b730eb70 AuthServer: fill_radius_data verify Size:<8>
Notice: Dec 13 12:53:06 b730eb70 AuthServer: Login incorrect <XXXXXX> from NAS <192.168.4.111> CLID <XXXXX 2> Calling-station <XX:XX:XX:XX:XX:XX>
?Debug : Dec 13 12:53:06 b730eb70 AuthServer: Auth reply: RPacket:
What can cause the problem?
Please give me a solution for how I can resolve this.
Thank you
UTM5 radius + mikrotik: sessions are kept open
Thank you for your fast reply.
serjk wrote:
Hello,
You should decrease interim_update_interval, because right now the old session is kept alive on the RADIUS server for 3*interim_update_interval=30 minutes after the last Interim-Update packet.
Try to set
interim_update_interval=120
in radius5.cfg and then restart the utm5_radius process.
I already changed it.
I didn't think it would help, because my sessions keep open for more than a day.
Anyway, I will check and reply.
Thank you
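To illustrate the timing serjk describes, here is an added example (not UTM5 code, and the login, session id and stale factor are assumptions) modelling a RADIUS session cache in which a session stays alive until 3*interim_update_interval has passed since its last Interim-Update, and a new Access-Request is rejected while the live session count has reached the limit of 1. It shows why a NAS that reboots without sending Accounting-Stop leaves the login locked out, and how much shorter that lockout is with interim_update_interval=120 than with 600.

```python
# Added illustration, not UTM5 code: a simplified model of a RADIUS server's
# session cache. A NAS that dies unexpectedly never sends Accounting-Stop,
# so the server only drops the session once it has gone stale.

STALE_FACTOR = 3  # assumption from the thread: 3 * interim_update_interval


class SessionCache:
    def __init__(self, interim_update_interval, session_limit=1):
        self.interval = interim_update_interval
        self.limit = session_limit
        # (login, session_id) -> time of last Accounting-Start/Interim-Update
        self.last_update = {}

    def accounting_start(self, login, session_id, now):
        self.last_update[(login, session_id)] = now

    def interim_update(self, login, session_id, now):
        self.last_update[(login, session_id)] = now

    def accounting_stop(self, login, session_id):
        self.last_update.pop((login, session_id), None)

    def _expire(self, now):
        deadline = STALE_FACTOR * self.interval
        self.last_update = {k: t for k, t in self.last_update.items()
                            if now - t < deadline}

    def session_count(self, login, now):
        self._expire(now)
        return sum(1 for (l, _) in self.last_update if l == login)

    def access_request(self, login, now):
        """True = Access-Accept, False = Access-Reject (session limit exceeded)."""
        return self.session_count(login, now) < self.limit


def lockout_seconds(interim_update_interval, crash_at, session_limit=1):
    """Seconds after a NAS crash (last Interim-Update sent at crash_at)
    until the same login is accepted again. Login/session id are constructed."""
    cache = SessionCache(interim_update_interval, session_limit)
    cache.accounting_start("z0000XXX", "sess-1", 0)
    cache.interim_update("z0000XXX", "sess-1", crash_at)
    t = crash_at
    while not cache.access_request("z0000XXX", t):
        t += 1
    return t - crash_at


if __name__ == "__main__":
    for interval in (600, 120):
        print(interval, "->", lockout_seconds(interval, 1000), "s locked out")
```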
I see that it doesn't take effect. Does anyone else have a problem like this?
What is the solution?