Multiple login limits for captive portal voucher system
-
@Dmc said in Multiple login limits for captive portal voucher system:
Could you please share your SQL settings with me? Whenever I enable SQL and input the default settings, authentication starts to fail on the captive portal.
Default SQL settings :
with a notable difference :
pfSense isn't a SQL server.
So the address can't be 'localhost' or 127.0.0.1. I've chosen 192.168.1.33, as that is my NAS, on which I installed SQL support. On this SQL server you have to create a database with the name "Database Table Configuration".
You don't have to do this manually. There is an SQL script that does this for you: see here: /usr/local/etc/raddb/mods-config/sql/main/mysql
Be aware: when you read these files, you should know what to do. If you don't .... you don't know what SQL is/does etc. Even with SQL activated, the FreeRadius pfSense package doesn't make use of all the features. A lot of stuff is hard coded. For example, the login user names and passwords are still file based (on pfSense). This can be changed, but that means you have to change the pfSense FreeRadius package files, which generate the needed config files, one of them being /usr/local/etc/raddb/sites-enabled/default
RADIUS is .... great to set up if you really have nothing else to do. RADIUS is huge. It's one of the world's most known pieces of software (we all use it without knowing it) and it's also one of the world's least known. Not something you do in a lost afternoon.
-
Hmm, I'm confused. Are you suggesting that I do not need to set up SQL for the FreeRadius accounting policies/device restrictions to work?
Or do I need to set up SQL for it to work?
I'm at the peak of my understanding of all this networking knowledge; I'm a CPA by trade trying to make sense of all this. I am convinced it has something to do with how I set up my RAD, which is why it is not accepting the device restrictions.
This is all so frustrating. I spent so much time customizing all the other elements of pfSense that I left the most important factor out.
thanks Gertjan
-
@Gertjan
P.S. You're spot on about the resources available for RADIUS. I was pulling my hair out in frustration over the limited guides and discussions available on RADIUS, especially when it ought to be readily available since it has so many applications. My initial thought was perhaps the community did not want its trade secrets out or just was not supportive. And then I came across pfSense, for which I've been more than grateful for each discussion post, exponentially expanding my knowledge. I plan to share my logout and login pages with the countdown timer and disconnect, since it's such a highly requested topic on here; I will probably DM you on the proper etiquette to do so.
-
Okay, I gave myself a crash course on how to access SSH and its commands.
P.S. Thanks for pointing towards the raddb directory and the subfolders; it gave me a lot more insight on how RadiusServer is operating and all the talk about flat-file and hard coded.
So based on all the diagnosis I could run, I've concluded that the radutmp file is communicating properly and is logging all information.
SQL does not appear to be required at this stage either. The issue lies within FreeRadius not enforcing the Simultaneous variable based on the radutmp, which itself I believe is collecting information from the users file in "Look in all the files you can find in /usr/local/etc/raddb/" or in some sort of manner.
I ran radiusd -X in the SSH session but I keep getting the same error:
Failed binding to auth address 127.0.0.1 port 18128 bound to server inner-tunnel-peap: Address already in use
/usr/local/etc/raddb/sites-enabled/inner-tunnel-peap[3]: Error binding to port for 127.0.0.1 port 18128
Initially I was getting this error on port 18127. I reinstalled the freeradius package and then it shifted to 18128 .... any thoughts? :/
I also attempted to change the NAS, authentication and interface ports to 10.10.10.1 (my LAN), which also did not give me any luck. That's where I actually troubleshot the issue: despite changing the IP to 10.10.10.1, the IP/port for both the inner tunnel files remained the same, 127.0.0.1.
I since changed it back to 127.0.0.1 from 10.10.10.1 but no luck.
I've read on other forums that I should stop and restart the RADIUS. I've done that multiple times; I even used kill. I also attempted to give it a random port; even with that, it consistently says the port is bound.
I think this is why it's not enforcing the simultaneous connection requests... maybe.
-
@Dmc said in Multiple login limits for captive portal voucher system:
Failed binding to auth address 127.0.0.1 port 18128 bound to server inner-tunnel-peap: Address already in use
/usr/local/etc/raddb/sites-enabled/inner-tunnel-peap[3]: Error binding to port for 127.0.0.1 port 18128
Initially I was getting this error on port 18127. I reinstalled the freeradius package and then it shifted to 18128 .... any thoughts? :/
You've tried using plain default settings?
Like:
And the client (pfSense user manager) side:
Btw: beware that 10.10.10.1 is also used by default by pfBlockerNG, so be careful with that one.
-
Here's my settings; I believe they're identical.
So, I also attempted to delete the raddb files after uninstalling the package and reinstalling. The error moved to port 1812.... I reinstalled again and it moved to port 18127 instead of 18128. I feel like I'm going in circles. Is this even relevant?
Failed binding to auth address 127.0.0.1 port 18127 bound to server inner-tunnel-ttls: Address already in use
/usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls[3]: Error binding to port for 127.0.0.1 port 18127
-
@Dmc said in Multiple login limits for captive portal voucher system:
Failed binding to auth address 127.0.0.1 port 18127 bound to server inner-tunnel-ttls: Address already in use
By who? Ask pfSense?!
[24.11-RELEASE][root@pfSense.bhf.tld]/root: sockstat -4 | grep 'radiusd'
root radiusd 33785 8 tcp4 192.168.1.1:14796 192.168.1.33:3307
root radiusd 33785 11 tcp4 192.168.1.1:57128 192.168.1.33:3307
root radiusd 33785 20 udp4 127.0.0.1:18128 *:*
root radiusd 33785 21 udp4 *:1812 *:*
root radiusd 33785 22 udp4 *:1816 *:*
root radiusd 33785 23 udp4 *:1813 *:*
root radiusd 33785 24 udp4 127.0.0.1:18127 *:*
Even if this port '18127' isn't set anywhere in the GUI FreeRadius settings, it is used (hard coded) for the TLS 'inner' tunnel:
grep -R '18127' /usr/local/*
So if you use these also in your GUI settings, then I can understand the error.
Also, your one and only different setting:
I have :
192.168.2.1 as the "Client IP", an interface I use for my captive portal, the one using (indirectly) FreeRadius.
You have "127.0.0.1" there ... what happens when you use a LAN interface?
-
So I did try using the LAN address in the past, which did not appear to have made any impact. I also updated the NAS and Auth IP to 192.16.2.1; same results. It appears to say 18128 is already bound.
Based on your recommendation on exploring the RADIUS files, I had also found it hard coded in the peap files; thanks for pointing me in that direction.
When I run the stat command, I get the following:
Failed binding to auth address 127.0.0.1 port 18128 bound to server inner-tunnel-peap: Address already in use
/usr/local/etc/raddb/sites-enabled/inner-tunnel-peap[3]: Error binding to port for 127.0.0.1 port 18128
[2.7.2-RELEASE][admin@comencenet.comence.io]/root: sockstat -4 | grep 'radiusd'
root radiusd 43508 14 udp4 127.0.0.1:18128 *:*
root radiusd 43508 15 udp4 127.0.0.1:18127 *:*
root radiusd 43508 16 udp4 *:1812 *:*
root radiusd 43508 17 udp4 *:1813 *:*
root radiusd 43508 18 udp4 *:1816 *:*
This is where I'm getting puzzled: I do not have anything bound to 18128 or 18127 anywhere in the GUI. I also ran the command to find any instances of 18128 within the firewall and it was only found once each in their respective peap files.
Now I'm starting to wonder if I have two instances installed/running, which is resulting in the conflict.
Also, another thought: for my captive portal, should I have it set to First Login, Disabled or Multiple? Previously I had set it as Multiple and obviously the users were being permitted. So I thought next to set it to First and Disabled.
Something interesting happened: I was not redirected to my "authentication failed" page; instead it was just a blank page. But internet access was not granted by the captive portal. I had set the simultaneous connection as 1 on my RADIUS, which granted a successful login despite being set to 1 connection. So, I suppose my RADIUS is the one that continues to fail?
Also, assuming it worked properly, should user login be set to Multiple or First?
-
Based on your comment
I am suspecting that file-based accounting is not successful for FreeRadius on pfSense. Must I use SQL?
https://forum.netgate.com/post/905308
-
Alright, well I learned how to install the SQL package directly on pfSense rather than installing it externally.
God bless this post:
https://forum.netgate.com/topic/96893/howto-captive-portal-freeradius-local-mysql-user-friendly-single-step/124
It walked me through how to enable it on the back-end and also provided the basic configurations and detailed steps.
I have set up SQL and authentication appears to work, as well as all the attributes. However, I'm still getting the 18128 error code when running the diagnostic on radiusd -X.
AND the accounting doesn't appear to be enforced...
sigh..
-
sockstat | grep 18128
netstat -an | grep 18128
When running these two, I always get the PID. It's only one instance. I then proceed to kill the connection:
kill -9 9765 (for example)
After which it appears that the RADIUS starts running correctly, as the diagnostic shows it listening every so many seconds and updates the accounting.
However, if I restart or make changes to any attributes of the user, then the error on port 18128 resurfaces.
I also tried to change the port manually, but then the error switches to whatever port number I use.
:(
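An added example, not from anyone in the thread: a small POSIX shell diagnostic that reads `sockstat -4` output of the kind posted above and reports which process holds a given port and how many distinct radiusd PIDs are listening, so the "Address already in use" error and the "two instances" question can be checked together. The sample output is constructed from the lines posted in the thread; `sockstat -4` is the FreeBSD/pfSense tool shown there, and the function names are this example's own.

```sh
#!/bin/sh
# Added diagnostic: which process holds a RADIUS port, and how many radiusd PIDs exist.
# Constructed sample, modelled on the `sockstat -4 | grep radiusd` lines posted in this thread.
SAMPLE_SOCKSTAT='root radiusd 43508 14 udp4 127.0.0.1:18128 *:*
root radiusd 43508 15 udp4 127.0.0.1:18127 *:*
root radiusd 43508 16 udp4 *:1812 *:*
root radiusd 43508 17 udp4 *:1813 *:*
root radiusd 43508 18 udp4 *:1816 *:*'

# port_holders PORT: read sockstat lines (USER COMMAND PID FD PROTO LOCAL FOREIGN)
# from stdin and print "COMMAND PID" for every socket whose local port is PORT.
port_holders() {
    awk -v port="$1" '{ p = $6; sub(/.*:/, "", p); if (p == port) print $2, $3 }'
}

# radiusd_instances: count distinct PIDs named radiusd in the sockstat lines on stdin.
# A value above 1 means more than one daemon (or a leftover one) is listening.
radiusd_instances() {
    awk '$2 == "radiusd" { seen[$3] = 1 } END { n = 0; for (k in seen) n++; print n }'
}

# diagnose_port PORT [SOCKSTAT_TEXT]: explain why binding PORT failed.
# With no second argument the live system is inspected via sockstat -4 (FreeBSD/pfSense).
diagnose_port() {
    port=$1
    text=${2:-$(sockstat -4 2>/dev/null)}
    holders=$(printf '%s\n' "$text" | port_holders "$port")
    if [ -z "$holders" ]; then
        echo "port $port is not bound by any process"
        return 0
    fi
    instances=$(printf '%s\n' "$text" | radiusd_instances)
    set -- $holders   # $1 = command, $2 = pid of the first holder
    if [ "$1" = radiusd ]; then
        echo "port $port is held by radiusd (pid $2); $instances radiusd process(es) listening"
    else
        echo "port $port is held by $1 (pid $2), not radiusd"
    fi
}

diagnose_port 18128 "$SAMPLE_SOCKSTAT"
diagnose_port 18127 "$SAMPLE_SOCKSTAT"
```

When the only holder is a single radiusd PID, as in the sample, the port is already taken by the running service, so a second start such as `radiusd -X` cannot bind it until that service is stopped, which is consistent with the kill-then-works behaviour described in the last post.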