Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Captive Portal Reauthenticate User 2.7.2

    Scheduled Pinned Locked Moved
    Captive Portal
    1
    2
    273
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rodsco
      last edited by

      We have a Captive Portal set up for students that uses Windows Radius for authentication. Depending on the year the student is in their access is switched off at a defined time. Scripts run on windows at defined times that switch off their access in AD, and this in turn uses the Reauthenticate Users option in the CP to disconnect them.

      This has worked this way for many years and up until December, when we upgraded from 2.6.0 to 2.7.2, has worked flawlessly.

      We have recently discovered that whenever the first set of users are switched off this is effectively disconnecting all users, even although CP still shows the remaining users as still connected.

      We kick of around 60 users at 20:30, and by 9:30 all users are reporting that they have lost access so it's not an instant drop off.

      Our short-term fix is to restart the CP service after every kick-off point, but this has the downside that all users still allowed to connect have to log back in.

      Is anyone doing anything like this? and/or experienced this issue?

      R 1 Reply Last reply Reply Quote 0
      • R
        rodsco @rodsco
        last edited by

        Digging a bit deeper and watching what is actually going on, it turns out the issue might not be what is being reported by our users.

        A reboot seems to have settled things down, but while watching what happens during a time when users should be getting disconnected shows an odd behaviour....

        At 21:45, a bunch of students had access switched off through AD Radius. What is happening is that only one user out of the bunch gets disconnected approximately every 10 seconds, even although the changes to their account in AD were all made at the same time.

        The logs for Authentication...Captive Portal Auth near the time when the last of the users being disconnected looks like this.....

        Feb 6 21:59:28 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user137, da:dd:f4:f7:db:XX, 172.10.7.77
        Feb 6 21:59:18 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user143, 5e:57:bf:01:bd:XX, 172.10.7.137
        Feb 6 21:59:09 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user125, ee:fe:dc:b5:f0:XX, 172.10.0.62
        Feb 6 21:59:00 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user920, fa:46:4e:f5:8b:XX, 172.10.7.3
        Feb 6 21:58:51 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user027, ba:9a:fa:6f:d2:XX, 172.10.6.134
        Feb 6 21:58:42 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user126, f2:0f:33:86:86:XX, 172.10.0.145
        Feb 6 21:58:33 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user158, d2:fc:85🆎d4:XX, 172.10.8.93
        Feb 6 21:58:24 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user941, 0a:e4:5f:fa:d8:XX, 172.10.6.12
        Feb 6 21:58:15 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user048, 52:e6:00:7d:97:XX, 172.10.0.135
        Feb 6 21:58:05 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user231, ea:04:0d:80:09:XX, 172.10.1.98
        Feb 6 21:57:56 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user193, aa:4e:7e:c1:4b:XX, 172.10.7.15
        Feb 6 21:57:47 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user159, 2e:8f:c0:63:f6:XX, 172.10.7.113
        Feb 6 21:57:38 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user079, 2e:f8:4f:7b:4c:XX, 172.10.0.16
        Feb 6 21:57:29 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user797, da:d8:50:ad:73:XX, 172.10.6.178
        Feb 6 21:57:20 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user153, fa:49:df:d4:23:XX, 172.10.0.220
        Feb 6 21:57:11 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user841, f6:e5:29:59:94:XX, 172.10.7.71
        Feb 6 21:57:02 logportalauth 45147 Zone: captiveportal - DISCONNECT - REAUTHENTICATION FAILED: user101, 9e:85:cf:5f:fb:XX, 172.10.7.107

        As you can see there is approx. 9-10 seconds delay between each DISCONNECT.

        Then, only after all of the users who should have been disconnected at 9:45 are actually disconnected, does the CP report the correct number of users still connected.

        Does anyone know if this is by design? Or am i missing a setting somewhere?

        1 Reply Last reply Reply Quote 0
        • First post
          Last post