Simultaneous-Use CP??

Nachtfalke

Hi,

I think you mixed up different things. I hope I could make it clear :-)

1.) Simultaneous-Use
To check for simultaneous connections there are two possibilities when using freeradius and CP. You can enable "Disable concurrent logings" on CP page. Then the CP itself checks for simultaneous connections.

The other possibility is to use "Simultaneous-Use" on freeradius. This ONLY works if you have accounting enabled. If you set it to "1" then only one connection per time is allowed. If you leave it empty, unlimited connections are allowed.

BUT if you use the "re-autheticate every minute" on CP then you have to leave the "Simultaneous-use" check empty or set it to 2 or higher. This is because of the way CP sends the re-authentication oackets/attributes.

2.) MAC based authentication and CP:
Captive Portal isn't using a real "Plain Mac-Auth". CP is doing 802.1X auth BUT is uses the MAC address as username and the "shared-secret" you entered on CP. So every authentication has the same shared secret but the username changes because it is the MAC address.
So in freeradius you have to enter the MAC address in "Users" as username and the shared secret as password.

In freeradius -> settings there is a setting "Enable Plain MAC-Auth". You do NOT need this when using with CP and it will NOT work with CP.

3.) Bandwidth restrictions:
If you set a value on CP then all users which authenticate through the CP will have this bandwidth limit. If you like to set individual bandwidth limits then set any value or "0" on CP because this value will be opverwritten by freeradius. So you have to set the limit on freeradius under "Users" tab.

PS: Bandwidth limit is not 100% sure to work - test it. If it doesn't work it is a problem of CP.

Alan87i

Hey Thanks for taking time to explain that.
After getting confirmation on all of the above I pulled a Sherlock Holmes and found that using 127.0.0.1 as the ip of the radius server does not work. I had to all the LAN adapter IP there instead.
Now she's ticking away and working.
The user speed limit seems to work. Set it to 256K up down and a speed test verified that.
Now I'll test the usage daily and hope monthly works. I read about a 6 meg counter bug does that still apply with the 2.0.1 version?

I also need to know how it regulates speed as compared to the traffic shaper.

I tested the shaper once regulating speed . All it does is drop packets , making the end user take longer to download . In the end wan usage from the ISP almost doubled in the 2 months I tested this.

Does CP do the same?

Also If I have a static route 3rd nic going off too different servers will CP limit speed to this lan as well?
Thanks
Allan

Nachtfalke

@Alan87i:

Hey Thanks for taking time to explain that.
After getting confirmation on all of the above I pulled a Sherlock Holmes and found that using 127.0.0.1 as the ip of the radius server does not work. I had to all the LAN adapter IP there instead.
Now she's ticking away and working.

If you use  *  as interface IP then radius is listening on all interfaces. Probably the easiest one for testing.

@Alan87i:

The user speed limit seems to work. Set it to 256K up down and a speed test verified that.

Do you mean the limit set on CP only or do you mean the override freeradius does ?

@Alan87i:

Now I'll test the usage daily and hope monthly works. I read about a 6 meg counter bug does that still apply with the 2.0.1 version?

This bug is still present on 2.0.1 but as far as I know it is fixed in 2.1. There was a ticket open on redmine which was closed.
When trying to limit the amount of traffic please read the freeradius2 documentation carefully - about accounting updates and so and and read the "KNOWN BUGS" to make sure you know what is going on :-)

@Alan87i:

I also need to know how it regulates speed as compared to the traffic shaper.

I tested the shaper once regulating speed . All it does is drop packets , making the end user take longer to download . In the end wan usage from the ISP almost doubled in the 2 months I tested this.

Does CP do the same?

Don't know anything about that.

@Alan87i:

Also If I have a static route 3rd nic going off too different servers will CP limit speed to this lan as well?
Thanks
Allan

All users which use the CP as authentication will be affected by the limits - no matter which destination their traffic has. But you can add a "Pass-through IP address" on CP. So you are able to bypass the CP for specific destination IPs.

Alan87i

Do you mean the limit set on CP only or do you mean the override freeradius does ?

The freeradius limiter for the user mac seems to work great.

This bug is still present on 2.0.1 but as far as I know it is fixed in 2.1. There was a ticket open on redmine which was closed.
When trying to limit the amount of traffic please read the freeradius2 documentation carefully - about accounting updates and so and and read the "KNOWN BUGS" to make sure you know what is going on :-)

I'm testing the daily limit set in freeradius2 right now I set 1000MB and will download some files from an HFS server through the WAN.

All users which use the CP as authentication will be affected by the limits - no matter which destination their traffic has. But you can add a "Pass-through IP address" on CP. So you are able to bypass the CP for specific destination IPs.

Thanks I tried that and it does work SUPER

Alan87i

Auth log when the user has a set usage limit in radius

Apr 16 19:44:27 	logportalauth[40065]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
Apr 16 20:45:17 	logportalauth[27313]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
Apr 16 20:47:25 	logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
Apr 16 21:48:07 	logportalauth[49897]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
Apr 16 21:49:03 	logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100

Using interim update  in CP because from reading start stop has a bug. Seems as though this one does too.

Nachtfalke

@Alan87i:

Auth log when the user has a set usage limit in radius

Apr 16 19:44:27 	logportalauth[40065]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
Apr 16 20:45:17 	logportalauth[27313]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
Apr 16 20:47:25 	logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
Apr 16 21:48:07 	logportalauth[49897]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
Apr 16 21:49:03 	logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100

Using interim update  in CP because from reading start stop has a bug. Seems as though this one does too.

The "bug" I mentioned above is that it counts traffic wrong but in general it is working. What your log means - I don't know. It is related to CP or in other word it is a CP log and not a freeradius log.
Did you read the documentation of freeradius about "acct_unique" ? Probably disable acct_unique
Did you set any idle/hard timeout on CP which causes this problem ? disable or set the timeouts high enough for testing
Did you set re-authenticate every minute on CP ? you need this so that freeradius can reject access if the limit is reached

Can the user get access or does it timeout when accounting and usage limit is enabled ?

Alan87i

Did you read the documentation of freeradius about "acct_unique" ? Probably disable acct_unique

Yes it has been disabled the whole time.

Did you set any idle/hard timeout on CP which causes this problem ? disable or set the timeouts high enough for testing

Hard time out was at 60 , I took it out and added 120 too idle timeout.

Did you set re-authenticate every minute on CP ? you need this so that freeradius can reject access if the limit is reached

Yes this is checked also.

I set it back too start stop updates.
Deleted the user and created a new one. With limit in the account set too 500 MB then downloaded a 700 mb file. The user is still connected.

Found this issue http://redmine.pfsense.org/issues/2164  Not sure how too apply a patch.

Nachtfalke

Are you running pfsense on embedded or nanobsd ?

Check if these folders and files exist:

/var/log/radacct/datacounter/
/var/log/radacct/timecounter/
/usr/local/etc/raddb/scripts/datacounter_acct.sh

If not, reinstall freeradius2 package please.

The redmine ticket you found is for time-based accounting. I opened that ticket in the past ;)
Datacounter is working - with the known bug that CP sends 6 times more MB as used in reality.

Alan87i

Yes all the files exist .
I have opened the daily data file and in bytes it had the number that matched the MB limit I set for the user 505 MB When in fact I downloaded close too 2.5 GB off my server. And it's not a server I set in the allowed IP field. I thought that might stop the counter from working.

Nachtfalke

You could stop radiusd process from GUI.
connect with SSH to your pfsense and run radius in debug mode. type:

radiusd -X

You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes tranferred.

Alan87i

@Nachtfalke:

You could stop radiusd process from GUI.
connect with SSH to your pfsense and run radius in debug mode. type:

radiusd -X

You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes tranferred.

Ok I see it says Cat/var/log/radacct/daily/max-octets-bunch of numbers  No such file or dircetory

same for used octets

Alan87i

Could it be some permissions problem? The files seem to be there .

EDIT
From the debug ssh window
the max and used octets-00X23X69XfbX79X33
That file as you can see from the screen shot does not exist.

max-octets-00-23-69-fb-79-33

max-octets-00:23:69:fb:79:33

Edit again !!
I went ahead and tried editing the files replacing the - with X's and voila
I see this in the log file

Apr 17 10:13:38 	admin: FreeRADIUS: Credentials are probably correct but the user 00X23X69XfbX79X33 has reached the daily Amount of Upload and Download Traffic which is 0 MB! The user was rejected!!!

So I put " 1048576000 " into the modified file and was able to log back in just fine .

Nachtfalke

I updated freeradius2 package to replace the "  :  " with "  X  ".
Try if this helps. Perhaps try and test with a username and password like "John" and "mypass" if this in general works for you.

Alan87i

I want to run this with mac auth like I've been testing.

What would cause my system to put : for the file name and freeraduis to look for the X .
Creating the files with an X didn't work , perhaps the new files don't have correct permissions ?

Alan87i

radiusd -X

Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)

Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default

+- entering group post-auth {…}
cat: /var/log/radacct/datacounter/daily/max-octets-00X23X69XfbX79X33: No such file or directory
cat: /var/log/radacct/datacounter/daily/used-octets-00X23X69XfbX79X33: No such file or directory
Exec-Program output:
Exec-Program: returned: 0
++[exec] returns ok
Sending Access-Accept of id 198 to 192.168.1.1 port 36700
        WISPr-Bandwidth-Max-Up := 262144
        WISPr-Bandwidth-Max-Down := 8192000
        Session-Timeout = 53872310
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 198 with timestamp +19
Ready to process requests.

I killed radius removed the files from the daily folder , deleted the user account , then re made a new account. This is what I still have for a problem. It's looking for a ocetets file with X's and it makes an octets file with :'s

Nachtfalke

For me it is working but I have to set the correct MAC format according to the username entry in freeradius -> "Users".

So if I chose "ietf" on CP then my username must look like "ietf": 11-22-33-44-55-66
If i chose "default" on CP then my username must look like "default": 11:22:33:44:55:66

But I found another "bug" - if I delete the files in:

/var/log/radacct/datacounter/daily

by hand then the script will not recreate these files withe the according values. To recreate the files I need to go to "users" tab, edit a user (not change anything) and press save so that "users" file will be created new and so there will be new "datacounter limit files if not exist".

I will try to find a solution for that.

Alan87i

Well I tried the latest version and it didn't seem to work. So I uninstalled downloaded pf config NO package info and RE uploaded it .
Re installed freeraduis2 and set it up again.

Now I can't get a user to log with a mac and shared secret.
This is from the log
Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857
Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857

1.1. is PF lan IP The router is on DHCP at 1.100

So I reinstalled PF from the disk. and get the same problem.

Nachtfalke

@Alan87i:

Well I tried the latest version and it didn't seem to work. So I uninstalled downloaded pf config NO package info and RE uploaded it .
Re installed freeraduis2 and set it up again.

Now I can't get a user to log with a mac and shared secret.
This is from the log
Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857
Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857

1.1. is PF lan IP The router is on DHCP at 1.100

So I reinstalled PF from the disk. and get the same problem.

This means you did not enter the pfsense LAN IP as a "NAS" in freeradius and/or wrong shared secret. That's a communication problem between NAS/CP and freeradius.

Alan87i

Thanks I was having a brief stupid moment.
And yes things seem to be working now. I removed the used octets file and saved the user again in radius , that made a new blank used file.
I set 18432MB in radius witch should give me 3 GB.
I read in the guide that cron could be used to reset the daily folder every night.
Is that needed?

I want too run this with all users on a monthly basis. Should a cron job be set up to reset the counter monthly?
BTW
Thanks very much for all the help!!

Nachtfalke

@Alan87i:

Thanks I was having a brief stupid moment.
And yes things seem to be working now. I removed the used octets file and saved the user again in radius , that made a new blank used file.
I set 18432MB in radius witch should give me 3 GB.
I read in the guide that cron could be used to reset the daily folder every night.
Is that needed?

I want too run this with all users on a monthly basis. Should a cron job be set up to reset the counter monthly?
BTW
Thanks very much for all the help!!

Yes, you must setup a cron job. When I wrote the documentation in the past I forgot to mention that after the cron job deletes "used" and "max" octets files it does not automaticalle recreate the files with the new/resetted values. I need to create a script which recreates the users file and recreates the max-octets file after cron job deleted them.

If you chose "daily", "monthly" or whatever in the GUI places the files in the specific ../datacounter/daily or ../datacounter/monthly folder.

To make it a little more clear:
Setting up daily, monthly and so on in the GUI just places the files in different folders.
You have to setup a cron job manually to delete these folders daily, monthly or whatever
After the files were deleted by cron you need to re-run the "squid.xml" file (Users tab). There is a check if a user has set a limit but no files exist in the folder they will be created new ones. If they exist, nothing will be done. (For this behaviour I need to write an additional script or someone provides it for us).

PS: To reset a users counter just edit the user, empty the value for limit, save, edit the user again and setup a new limit. This deletes the old files and creates new ones with new limit.

Thanks for testing :-)