Free Radius - Session Timeout, Idle Timeout (disconnecting idle users) - freeradius

I was wondering if someone could help clear something up for me.
I am currently using Freeradius with a Cisco NAS. I have control fo the free Radius, but I do not have control of the Cisco.
I am noticing that when a user reboots their equipment, a termination message is sent to FreeRadius/the Nas to release the IP and kill the connection. This seems to be working as expected and the next client can simply pick up this IP. However, should a user simply unplug their equipment or have a power cut, this termination message is never sent and effectively we have an IP allocated to a dead user. Obviously if we had say 300 IPs and 250 people, if they all had power cuts, only 50 would be able to get back online as the other 250 Ips are currently allocated albeit not in use.
Can someone tell me where I can locate the settings to specify when to release an IP if the user is idle or where the attribute needs to be specified, ie check every 2 minutes and if the user is idle, disconnect their session and release the IP for the next user.

There's nothing bundled with FreeRADIUS to do this. The recommended way to perform dead session detection is to record the interval between accounting start/accounting interval packets, and to turn on interim updates on the NAS.
If the session goes stale (no interims received) then the radclient binary can be used to send a fake accounting stop to close out the session.
If your NAS supports Session-Timeout and Idle-Timeout you can return those, but it doesn't help in the case of a power failure that takes out the NAS as well.

Related

Guacamole Disconnect Session on User Idle

I have google'ed a lot on this question but haven't found an answer. I have a Guacamole server that connects to a local VNC session and I would like for it to disconnect the user session if it detects no activity for an hour.
What I've tried and attempted
used xprintidle to show idle time of the user, this works so will be put in a script that might be used later to terminate an idle session.
I have looked at Guacamole's api-session-timeout and set it for a minute, I had hoped it would not reconnect to the same session once the VNC server stops abruptly. It seems this did not work.
I have tried to use guacamole's user-mappings.xml to specify the parameter "autoretry" and set that to "1". Restarted and this did not work, I'm thinking its not used this way.
I have went to the guacamole postgres database and manually inserted the entry for autoretry into the parameter table. Restarted, but this did not work.
I have went to the VNC side (I use TurboVNC) and looked at the flag -idletimeout and configuration option max-idle-timeout. This terminates the TurboVNC service when there are no active connections. It is not what I am after, I'm trying to only disconnect the session when the user is idle.
I figured that the VNC side would not work because even if the VNC session is terminated Guacamole would keep on retying forever to reconnect to that session.
From some posts on the Guacamole mailing list it seems that disabling auto reconnect is not possible without a recompile from source.
Is there a way to disconnect an active session after an idle timeout period? or maybe a way to stop Guacamole from reconnecting?

A way to detect that someone has shutdown the app

Is there an architecture that exists that could help me with something like this.
I'm working on a react-native app which allows people to optin, theres mechanisms for users to optout and while the app is in the background it will automatically optout users depending on the circumstances - [idle etc]
the problem arises when someone shutsdown/closes the app after optin. This leaves them as active on my server and confuses other users.
My nodeserver is current running on AWS.
Would it be quite server intensive to have optin users ping a lambda or something similar and if pings stop, i can mark them as opted out ?
Alternatively
https://facebook.github.io/react-native/docs/appstate
I can detect when the app state is inactive [because inactive state is the state you need to be in to shutdown the app - ios anyway]
after this - app state either resolves to foreground/background.
Inactive to ping the server which will then wait for another ping from background/foreground and if thats not received, it can opt out the user?
The first thing that comes to mind is like a heart beat signal sent with a frequency that doesn't impact the performance of your app. If the heartbeat doesn't come in the set time then you know that user is not available. I thinks that's how they do it on most messaging apps. I know you probably already tried to add a log out action in componentWillUnmount()
probably in your root component.

Twilio WebRTC TURN relay randomly stops working after a few minutes

I am using the Twilio Network Traversal Service as part of a native application I am working on to perform peer-to-peer remote desktop connections. We implement a subset of the WebRTC protocol stack that is equivalent to the WebRTC data channels (not the WebRTC video and audio protocols). When using a TURN relay, the TURN allocation seems to be invalidated randomly somewhere between a few minutes and a maximum of 12 minutes from the session start. This issue looks very similar to this one, but the proposed workaround (sending silent audio) is not acceptable in my case, since I do not implement the WebRTC audio/video protocols.
I have been pulling my hair on this problem for the last two weeks, and isolated the issue as being the Twilio service itself. To compare, I have used a web based WebRTC data channel demo using firefox and the Xirsys TURN server cloud. I have wireshark captures showing firefox getting disconnected with Twilio just like my native application, while the exact same firefox demo doesn't get disconnected when using the Xirsys servers.
I was using Xirsys originally, but I experienced some instability with their service that made me switch to Twilio, which is why I would rather have Twilio fix this issue instead of going back with Xirsys. At the bare minimum, I would rather have two WebRTC hosting providers I can choose from that I know should work fine. This is why I am taking the time to explain the issue in detail so it can get fixed.
Here are two wireshark captures (with the peer-to-peer data messages filtered out) showing firefox using WebRTC data channels and the Twilio TURN relay servers:
The traffic stops being relayed after 4 minutes in the first capture, and after about 11 minutes in the second capture. In both captures, firefox detects that traffic stops being relayed (at the data channel level) and attempts a graceful disconnection by sending a Refresh request packet with a lifetime of zero. Both graceful disconnections result in a 437 Allocation Mismatch error, indicating that the server doesn't even know about the allocation firefox is trying to close gracefully.
With my native application, this would often take the form of a CreatePermission Request message that fails with a 438 "Wrong nonce" error, which is basically what should happen if a client tries to update the permission on an allocation that no longer exists. The error code 438 usually means "Stale nonce", which is not really an error, but an indication that the nonce has expired and the client should try again using the new nonce contained in the "error" message. It took me a while to figure out, but even if the error code is 438, the error string is not the same. I have observed a true stale nonce error with Xirsys and successfully updated my permission with the new nonce from the error response, so I know I can properly handle this case in my implementation.
Here is the source code for the WebRTC data channel demo I have used:
https://github.com/devolutions/webrtc-demo
For comparison, here is the same firefox data channel demo using the Xirsys TURN server cloud:
In this capture, I have let the demo run for about 16 minutes (it works for much longer than that, the longest I have tried is two hours). We can see that the traffic keeps getting relayed for the entire duration of the session, and CreatePermission requests keep getting sent by firefox with success. At the end, the graceful disconnection is triggered by firefox closing the WebRTC data channel (instead of being closed due to traffic no longer being relayed). As opposed to the Twilio captures, the Refresh request with a lifetime of zero is successful: the Xirsys TURN server still knows about the allocation and sends back a success response, as expected.
It should be noted that the ICMP unreachable errors are normal because I think in this case firefox is no longer listening on the given port when the response comes back. In other words, it sends the Refresh request with a lifetime of zero and doesn't wait for the answer to come back.
For the time being, I have no other choice but to go back with Xirsys, but I would really like if the Twilio Network Traversal Service could be fixed. Let me know if you have more questions regarding the issue.
I have uploaded the wireshark captures here for reference.
EDIT: I have modified the webrtc demo page such that it doesn't close the connection when the ice connection state is set to 'disconnected'. Now I get the real disconnection when the ice connection state goes to 'failed'. However, it effectively didn't change anything, since in this case it takes just a few seconds more for the state to go from 'disconnected' to 'failed'.
Since I have new relevant screenshots and captures, I am updating the original question to clarify certain problems pointed out by Philipp Hancke:
First, here is a new capture with the ice connection state fix (the browser closes the connection only when the state goes to 'failed'):
It's interesting to see that this time, the session stayed up for a whole 18 minutes. This was taken on a saturday morning, so I'm guessing that the issue could be related to the current workload on the twilio servers. However, it failed in the exact same way as it always does so far for me. As a bonus, we even have a valid stale nonce response that is correctly handled by firefox.
However, if we take a different view of the same capture, we can see that the traffic stops being relayed for a solid 30 seconds before firefox considers the connection as being dropped and sends the Refresh request with a lifetime of zero. As in previous captures, the server responds with an Allocation Mismatch error, indicating it doesn't know which allocation firefox is talking about.
The last eight packets being sent are of the same size, so my guess is that they are retransmissions. After 30 seconds of retransmissions, it is likely that SCTP considers the transport as being dropped.
With regards to the refresh request with a lifetime of zero, I did a test where I close the connection early on, from the browser. In this case, the server recognizes the allocation and returns a success response:
The allocation mismatch is the easiest symptom to observe, but in my testing with my native application, I have seen similar errors with Refresh requests for non-zero lifetimes, and with CreatePermission requests (438 "Wrong nonce" error). However, since the browser closes the connection after 30 seconds of data not being relayed, it is hard to observe these errors with the current webrtc demo. If we could change that timeout to 10 minutes, we would see those errors as well.
Excellent problem description!
Without the server log this is hard to determine what goes wrong. I tried with the appear.in TURN servers which run an up-to-date version of coturn and show the same behaviour as the Twilio servers. Xirsys seems to be running a custom version of coturn (Coturn-0.5 'Xirsys Turn Services' from the software field but coturn never had such a version).
In both captures, firefox detects that traffic stops being relayed (at the data channel level) and attempts a graceful disconnection by sending a Refresh request packet with a lifetime of zero.
Not quite. A refresh request with a lifetime of 0 is used to discard an allocation. At that point it does not matter what the server returns as the connection is beyond repair anyway.
This is caused by peerjs closing the peerconnection if the iceconnectionstate changes to disconnected, here in your bundled library version.
This is overly aggressive (and does not even fix things) and we've had a discussion about what the specification should do wrt to trying to fix things with an ice restart here which also links to a great explanation of the disconnected state.
The disconnected state probably happens because a few packets get lost. But this is something that can happen when there is minor congestion. I'd recommend removing the pc.close() in the disconnected case.
If you are looking for other TURN providers, Tokbox provides the same service. For datachannels the latency of a properly run distributed TURN network does not matter as much as for VoIP so you might run your own servers in a single location instead.

iOS create a background service to send IP updates to server

I am relatively new to iOS development.
I have a requirement wherein it is important for us to notify our server about a client's current IP address. The reason behind this is because our solution needs to know the current IP address of the registered device.
Now ideally we would want to create a service that can run in background (indefinitely), poll the ip Address of the device every 10 seconds, and if it sees that the ip has changed, then call a web service notifying the server about the same. I have the folowing questions based on my limited knowledge:
Apple gives us limited choices for apps that are allowed for running
background threads (VoIP, background download, music playing,
location updates etc.). Unfortunately my use case is not an exact
fit for any of these. Can I still go ahead and somehow accomplish
this?
I have read that iOScan close any background thread if it needs
resources. Although my process is not resource intensive, should I
be worried?
The background mode will only start once my app has been MANUALLY
started. What I mean to say is that suppose I am able to run this in
background, but for this to happen the user has to once start the
app manually after restarting the device. Is there a way to start a
service/thread on restart? Is there a workaround?
You cannot trust IOS to handle this in the BG for you the way you describe it, because there is no good way to have a task run in the BG indefinitely, you might get away with using location services and trigger your IP uploads when a device moves but that will not resolve the situation when the device is stationary and changes IP although that might be a corner case but will surely happen as the device moves from tower to tower on 3/4G networks or between different WIFI networks.

Wake from dsleep on input

The device I'm creating reads a liquid flow meter and logs data to a WebAPI. Ideally it would be able to sleep in a low power state until there was activity on the sensor but I'm not sure how to work that out. Docs say the chip will wake on a falling edge on the RST pin, but I can't have it reset every time input occurs. Is there another way to wake it externally, without pulling reset low? Or I guess I need a relay or SSR that directs sensor input away from RST when the chip wakes (assuming that would happen fast enough to engage the relay before it got reset again?)

Resources