Netgate Discussion Forum

    Pfsense 2.0.1: Problem with 'Re-authenticate Every minute' + FreeRadius 2.1.12

    Captive Portal
    8 Posts 3 Posters 6.9k Views
    • mutheu

      My Setup:

      --> FreeRADIUS: Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct3 2011 at 21:39:42
      --> Mysql: Server version: 5.1.51 Source distribution
      --> Captive Portal: pfSense 2.0.1 release

      My setup works fine, i.e., the user gets authenticated and uses the internet until 'session-timeout' (as supplied by the Radius server) is reached, then the user is kicked out.

      Now, the problem comes if I turn on the "re-authenticate every minute" option. Basically, I would like to "add expenses" to the user when he accesses certain resources on the network or buys items like CDs. (basically implementing this idea: http://computing-tips.net/M0n0wall_Captive_Portal_Logout_URL/#onlinestore). When he has no more 'airtime' he is kicked out!

      However, when this option is on, the user gets kicked immediately with the message that he is already logged in:

      Sending delayed reject for request 2
      Sending Access-Reject of id 234 to 10.250.78.200 port 64881
              Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"
      

      What am I missing?

      • Nachtfalke

        Simultaneous-Use must be off or needs a value equal to or higher than 2 when using "re-authenticate every minute" on the CP.
        If you want to make sure that there is only one simultaneous connection do this on CP settings page or modify the way/attributes CP sends the accounting packets to freeradius.

        • cylent

          I use a product that I pay for called Radius Manager 4 from dmasoftlab.com … it uses freeradius2, however they modified it in some weird ways. Not that far from the original, I believe. Anyway, they say in their install guide:

          Because pfSense uses reauthentication method to check the validity of the logged on account,
          at least sim-use = 2 has to be set for every pfSense user in Radius Manager ACP / Edit user dialog.
          Sim-use = 1 will result in immediate disconnection of the user when the first reauthentication packet
          is sent to the RADIUS server (the RADIUS server thinks the user is already online and doesn't give
          permission for a new concurrent connection, which causes pfSense to close the active session of the
          current user).

          So ya, it would have to be set to 2.

          • Nachtfalke

            The problem is not the re-authentication at all.
            freeradius2 checks Simultaneous-Use using accounting packets. An accounting-on/start packet tells freeradius2 to put the user in the "/var/log/radutmp" file. An accounting-stop/off packet tells freeradius that the user logged off, and freeradius deletes the user from "/var/log/radutmp".

            To check who is already logged in just type "radwho" on the shell.

            Read the following redmine entry, try to apply the patch and see if it helps you:
            http://redmine.pfsense.org/issues/2164

            @mutheu
            I saw you posted on the freeradius mailing lists. The developer and maintainer Alan DeKok wrote that the problem is the attributes from the NAS, and probably that the re-authentication time of one minute is too short and should be at least 10 min.

            I am far away from being a freeradius expert, but I think the NAS/CP needs some fixes/improvements. But that's not so easy for me, so it would help if some more users do some tests.

            • mutheu
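The interaction that Nachtfalke and cylent describe (Accounting-Start puts the user into radutmp, Accounting-Stop removes it, and an Access-Request is rejected while the user already has Simultaneous-Use live entries) can be modelled in a few lines. The model below is an added example, not code from this thread, from pfSense or from FreeRADIUS; it assumes the CP behaviour the thread reports (one accounting session opened at login, a fresh Access-Request every minute while that session is still open, and a kick plus Accounting-Stop on the first reject). The user name and session id are taken from the rows posted later in the thread; the reject message is the one from the first post.

```python
"""Toy model of FreeRADIUS Simultaneous-Use checking against radutmp.

Added example (not thread, pfSense or FreeRADIUS code). It shows why
'Re-authenticate every minute' kicks the user when radcheck holds
Simultaneous-Use := 1 and works once the value is 2 or the check is off.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

REJECT_MSG = "You are already logged in - access denied"   # as in the radiusd -X output above


@dataclass
class RadiusModel:
    # per-user Simultaneous-Use from radcheck; a user with no entry is unlimited
    simultaneous_use: Dict[str, int]
    # radutmp equivalent: user -> set of live Acct-Session-Ids
    radutmp: Dict[str, Set[str]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def live_sessions(self, user: str) -> int:
        return len(self.radutmp.get(user, set()))

    def access_request(self, user: str) -> Tuple[str, str]:
        """Authorize: reject when the user already has `limit` live sessions."""
        limit = self.simultaneous_use.get(user)
        if limit is not None and self.live_sessions(user) >= limit:
            self.log.append(f"Access-Reject {user}: {REJECT_MSG}")
            return ("Access-Reject", REJECT_MSG)
        self.log.append(f"Access-Accept {user}")
        return ("Access-Accept", "")

    def accounting_start(self, user: str, session_id: str) -> None:
        """Accounting-Start/On: record the session in radutmp."""
        self.radutmp.setdefault(user, set()).add(session_id)

    def accounting_stop(self, user: str, session_id: str) -> None:
        """Accounting-Stop/Off: drop the session from radutmp."""
        self.radutmp.get(user, set()).discard(session_id)


def captive_portal_session(sim_use: int, reauth_rounds: int = 3) -> List[str]:
    """Drive the model the way the thread says the pfSense CP behaves:
    log in once, then re-authenticate every minute while the accounting
    session opened at login is still live. Returns the RADIUS reply codes."""
    user, session_id = "KALEMBA", "23c77fca1abb4446"   # values from the radacct rows in the thread
    m = RadiusModel({user: sim_use})
    replies: List[str] = []
    code, _ = m.access_request(user)
    replies.append(code)
    if code != "Access-Accept":
        return replies
    m.accounting_start(user, session_id)               # radutmp now holds one live session
    for _ in range(reauth_rounds):
        code, _ = m.access_request(user)               # re-authentication, session still live
        replies.append(code)
        if code == "Access-Reject":
            # the CP treats a reject during re-auth as "kick the user" and sends a Stop
            m.accounting_stop(user, session_id)
            break
    return replies


if __name__ == "__main__":
    for value in (1, 2):
        print(f"Simultaneous-Use := {value}:", captive_portal_session(value))
```

With `Simultaneous-Use := 1` the first re-authentication is rejected because the login's own accounting session is still in radutmp; with 2 (or with the check disabled) every re-authentication is accepted. The model deliberately ignores the per-session-id duplicate handling that the real radutmp module performs, since the thread's NAS keeps the same Acct-Session-Id anyway.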

              @all

              Thank you for your input.

              Indeed in my radcheck table, I have "Simultaneous-Use := 1", so I will try to set to 2 and see how it goes.

              @Nachtfalke
              I did post in the freeradius list as I didn't know whether I should troubleshoot from the Radius point of view or the NAS. pfSense is excellent and I will definitely set up a test bed. I am currently overwhelmed by the interesting features it carries.

              As I was thinking about what to do, I noticed some user accounts were showing negative values (account balance). Then on checking the radacct table in mysql, I realized that mysql was being given duplicate entries (now, is this by the NAS or freeradius?). In this example, the user "KALEMBA" is actively using the internet.

              [header row added; column names follow the standard FreeRADIUS 2.x radacct table, with groupname/realm not shown in the original output]
              radacctid	acctsessionid	acctuniqueid	username	nasipaddress	nasportid	nasporttype	acctstarttime	acctstoptime	acctsessiontime	acctauthentic	connectinfo_start	connectinfo_stop	acctinputoctets	acctoutputoctets	calledstationid	callingstationid	acctterminatecause	servicetype	framedprotocol	framedipaddress	acctstartdelay	acctstopdelay
              316	23c77fca1abb4446	292ae1ead667f343	KALEMBA	10.250.78.200	18	Ethernet	2012-03-23 11:47:18	NULL	0	RADIUS			0	0	10.250.78.200	d0:df:9a:86:08:a5		Login-User		192.168.192.137	0	0
              314	23c77fca1abb4446	292ae1ead667f343	KALEMBA	10.250.78.200	18	Ethernet	2012-03-23 11:46:18	2012-03-23 11:47:18	1754	RADIUS			31665377	323554601	10.250.78.200	d0:df:9a:86:08:a5	NAS-Request	Login-User		192.168.192.137	0	0
              312	23c77fca1abb4446	292ae1ead667f343	KALEMBA	10.250.78.200	18	Ethernet	2012-03-23 11:45:18	2012-03-23 11:47:18	1754	RADIUS			31665377	323554601	10.250.78.200	d0:df:9a:86:08:a5	NAS-Request	Login-User		192.168.192.137	0	0
              298	23c77fca1abb4446	292ae1ead667f343	KALEMBA	10.250.78.200	18	Ethernet	2012-03-23 11:38:16	2012-03-23 11:47:18	1754	RADIUS			31665377	323554601	10.250.78.200	d0:df:9a:86:08:a5	NAS-Request	Login-User		192.168.192.137	0	0
              310	23c77fca1abb4446	292ae1ead667f343	KALEMBA	10.250.78.200	18	Ethernet	2012-03-23 11:44:18	2012-03-23 11:47:18	1754	RADIUS			31665377	323554601	10.250.78.200	d0:df:9a:86:08:a5	NAS-Request	Login-User		192.168.192.137	0	0
              300	23c77fca1abb4446	292ae1ead667f343	KALEMBA	10.250.78.200	18	Ethernet	2012-03-23 11:39:17	2012-03-23 11:47:18	1754	RADIUS			31665377	323554601	10.250.78.200	d0:df:9a:86:08:a5	NAS-Request	Login-User		192.168.192.137	0	0
              308	23c77fca1abb4446	292ae1ead667f343	KALEMBA	10.250.78.200	18	Ethernet	2012-03-23 11:43:17	2012-03-23 11:47:18	1754	RADIUS			31665377	323554601	10.250.78.200	d0:df:9a:86:08:a5	NAS-Request	Login-User		192.168.192.137	0	0
              304	23c77fca1abb4446	292ae1ead667f343	KALEMBA	10.250.78.200	18	Ethernet	2012-03-23 11:41:17	2012-03-23 11:47:18	1754	RADIUS			31665377	323554601	10.250.78.200	d0:df:9a:86:08:a5	NAS-Request	Login-User		192.168.192.137	0	0
              306	23c77fca1abb4446	292ae1ead667f343	KALEMBA	10.250.78.200	18	Ethernet	2012-03-23 11:42:17	2012-03-23 11:47:18	1754	RADIUS			31665377	323554601	10.250.78.200	d0:df:9a:86:08:a5	NAS-Request	Login-User		192.168.192.137	0	0
              302	23c77fca1abb4446	292ae1ead667f343	KALEMBA	10.250.78.200	18	Ethernet	2012-03-23 11:40:17	2012-03-23 11:47:18	1754	RADIUS			31665377	323554601	10.250.78.200	d0:df:9a:86:08:a5	NAS-Request	Login-User		192.168.192.137	0	0

              I'm currently pruning the duplicates by crond.

              • Nachtfalke

                It's probably because of the NAS. The NAS must always send the same Acct-Session-ID and so on. If something of this changes, then for freeradius this is a new user.
                Go to freeradius -> settings and disable "Acct_unique". Perhaps this will help you. I added this as a "workaround".

                • mutheu

                  Thank you for your quick response.

                  But I use external Freeradius server. Will this have any effect?

                  • Nachtfalke

                    @mutheu:

                    Thank you for your quick response.

                    But I use external Freeradius server. Will this have any effect?

                    Aahh, I am sorry. I was talking about the pfSense freeradius2 package. But this confirms that it is a NAS problem and not a freeradius2 problem, because the effect is the same with the CP and the freeradius2 package from pfSense :-)

                    edit:
                    ../raddb/sites-available/default

                    go to "preacct" section and comment out "acct_unique". Then try again.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.