Simultaneous-Use CP??
-
Hey Thanks for taking time to explain that.
After getting confirmation on all of the above I pulled a Sherlock Holmes and found that using 127.0.0.1 as the ip of the radius server does not work. I had to all the LAN adapter IP there instead.
Now she's ticking away and working.If you use * as interface IP then radius is listening on all interfaces. Probably the easiest one for testing.
The user speed limit seems to work. Set it to 256K up down and a speed test verified that.
Do you mean the limit set on CP only or do you mean the override freeradius does ?
Now I'll test the usage daily and hope monthly works. I read about a 6 meg counter bug does that still apply with the 2.0.1 version?
This bug is still present on 2.0.1 but as far as I know it is fixed in 2.1. There was a ticket open on redmine which was closed.
When trying to limit the amount of traffic please read the freeradius2 documentation carefully - about accounting updates and so and and read the "KNOWN BUGS" to make sure you know what is going on :-)I also need to know how it regulates speed as compared to the traffic shaper.
I tested the shaper once regulating speed . All it does is drop packets , making the end user take longer to download . In the end wan usage from the ISP almost doubled in the 2 months I tested this.
Does CP do the same?
Don't know anything about that.
Also If I have a static route 3rd nic going off too different servers will CP limit speed to this lan as well?
Thanks
AllanAll users which use the CP as authentication will be affected by the limits - no matter which destination their traffic has. But you can add a "Pass-through IP address" on CP. So you are able to bypass the CP for specific destination IPs.
-
Do you mean the limit set on CP only or do you mean the override freeradius does ?
The freeradius limiter for the user mac seems to work great.
This bug is still present on 2.0.1 but as far as I know it is fixed in 2.1. There was a ticket open on redmine which was closed.
When trying to limit the amount of traffic please read the freeradius2 documentation carefully - about accounting updates and so and and read the "KNOWN BUGS" to make sure you know what is going on :-)I'm testing the daily limit set in freeradius2 right now I set 1000MB and will download some files from an HFS server through the WAN.
All users which use the CP as authentication will be affected by the limits - no matter which destination their traffic has. But you can add a "Pass-through IP address" on CP. So you are able to bypass the CP for specific destination IPs.
Thanks I tried that and it does work SUPER
-
Auth log when the user has a set usage limit in radius
Apr 16 19:44:27 logportalauth[40065]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 20:45:17 logportalauth[27313]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 20:47:25 logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 21:48:07 logportalauth[49897]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 21:49:03 logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
Using interim update in CP because from reading start stop has a bug. Seems as though this one does too.
-
Auth log when the user has a set usage limit in radius
Apr 16 19:44:27 logportalauth[40065]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 20:45:17 logportalauth[27313]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 20:47:25 logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 21:48:07 logportalauth[49897]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 21:49:03 logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
Using interim update in CP because from reading start stop has a bug. Seems as though this one does too.
The "bug" I mentioned above is that it counts traffic wrong but in general it is working. What your log means - I don't know. It is related to CP or in other word it is a CP log and not a freeradius log.
Did you read the documentation of freeradius about "acct_unique" ? Probably disable acct_unique
Did you set any idle/hard timeout on CP which causes this problem ? disable or set the timeouts high enough for testing
Did you set re-authenticate every minute on CP ? you need this so that freeradius can reject access if the limit is reachedCan the user get access or does it timeout when accounting and usage limit is enabled ?
-
Did you read the documentation of freeradius about "acct_unique" ? Probably disable acct_unique
Yes it has been disabled the whole time.
Did you set any idle/hard timeout on CP which causes this problem ? disable or set the timeouts high enough for testing
Hard time out was at 60 , I took it out and added 120 too idle timeout.
Did you set re-authenticate every minute on CP ? you need this so that freeradius can reject access if the limit is reached
Yes this is checked also.
I set it back too start stop updates.
Deleted the user and created a new one. With limit in the account set too 500 MB then downloaded a 700 mb file. The user is still connected.Found this issue http://redmine.pfsense.org/issues/2164 Not sure how too apply a patch.
-
Are you running pfsense on embedded or nanobsd ?
Check if these folders and files exist:
/var/log/radacct/datacounter/ /var/log/radacct/timecounter/ /usr/local/etc/raddb/scripts/datacounter_acct.sh
If not, reinstall freeradius2 package please.
The redmine ticket you found is for time-based accounting. I opened that ticket in the past ;)
Datacounter is working - with the known bug that CP sends 6 times more MB as used in reality. -
Yes all the files exist .
I have opened the daily data file and in bytes it had the number that matched the MB limit I set for the user 505 MB When in fact I downloaded close too 2.5 GB off my server. And it's not a server I set in the allowed IP field. I thought that might stop the counter from working. -
You could stop radiusd process from GUI.
connect with SSH to your pfsense and run radius in debug mode. type:radiusd -X
You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes tranferred.
-
You could stop radiusd process from GUI.
connect with SSH to your pfsense and run radius in debug mode. type:radiusd -X
You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes tranferred.
Ok I see it says Cat/var/log/radacct/daily/max-octets-bunch of numbers No such file or dircetory
same for used octets
-
Could it be some permissions problem? The files seem to be there .
EDIT
From the debug ssh window
the max and used octets-00X23X69XfbX79X33
That file as you can see from the screen shot does not exist.max-octets-00-23-69-fb-79-33
max-octets-00:23:69:fb:79:33
Edit again !!
I went ahead and tried editing the files replacing the - with X's and voila
I see this in the log fileApr 17 10:13:38 admin: FreeRADIUS: Credentials are probably correct but the user 00X23X69XfbX79X33 has reached the daily Amount of Upload and Download Traffic which is 0 MB! The user was rejected!!!
So I put " 1048576000 " into the modified file and was able to log back in just fine .
-
I updated freeradius2 package to replace the " : " with " X ".
Try if this helps. Perhaps try and test with a username and password like "John" and "mypass" if this in general works for you. -
I want to run this with mac auth like I've been testing.
What would cause my system to put : for the file name and freeraduis to look for the X .
Creating the files with an X didn't work , perhaps the new files don't have correct permissions ? -
radiusd -X
Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {…}
cat: /var/log/radacct/datacounter/daily/max-octets-00X23X69XfbX79X33: No such file or directory
cat: /var/log/radacct/datacounter/daily/used-octets-00X23X69XfbX79X33: No such file or directory
Exec-Program output:
Exec-Program: returned: 0
++[exec] returns ok
Sending Access-Accept of id 198 to 192.168.1.1 port 36700
WISPr-Bandwidth-Max-Up := 262144
WISPr-Bandwidth-Max-Down := 8192000
Session-Timeout = 53872310
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 198 with timestamp +19
Ready to process requests.I killed radius removed the files from the daily folder , deleted the user account , then re made a new account. This is what I still have for a problem. It's looking for a ocetets file with X's and it makes an octets file with :'s
-
For me it is working but I have to set the correct MAC format according to the username entry in freeradius -> "Users".
So if I chose "ietf" on CP then my username must look like "ietf": 11-22-33-44-55-66
If i chose "default" on CP then my username must look like "default": 11:22:33:44:55:66But I found another "bug" - if I delete the files in:
/var/log/radacct/datacounter/daily
by hand then the script will not recreate these files withe the according values. To recreate the files I need to go to "users" tab, edit a user (not change anything) and press save so that "users" file will be created new and so there will be new "datacounter limit files if not exist".
I will try to find a solution for that.
-
Well I tried the latest version and it didn't seem to work. So I uninstalled downloaded pf config NO package info and RE uploaded it .
Re installed freeraduis2 and set it up again.Now I can't get a user to log with a mac and shared secret.
This is from the log
Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857
Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 448571.1. is PF lan IP The router is on DHCP at 1.100
So I reinstalled PF from the disk. and get the same problem.
-
Well I tried the latest version and it didn't seem to work. So I uninstalled downloaded pf config NO package info and RE uploaded it .
Re installed freeraduis2 and set it up again.Now I can't get a user to log with a mac and shared secret.
This is from the log
Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857
Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 448571.1. is PF lan IP The router is on DHCP at 1.100
So I reinstalled PF from the disk. and get the same problem.
This means you did not enter the pfsense LAN IP as a "NAS" in freeradius and/or wrong shared secret. That's a communication problem between NAS/CP and freeradius.
-
Thanks I was having a brief stupid moment.
And yes things seem to be working now. I removed the used octets file and saved the user again in radius , that made a new blank used file.
I set 18432MB in radius witch should give me 3 GB.
I read in the guide that cron could be used to reset the daily folder every night.
Is that needed?I want too run this with all users on a monthly basis. Should a cron job be set up to reset the counter monthly?
BTW
Thanks very much for all the help!! -
Thanks I was having a brief stupid moment.
And yes things seem to be working now. I removed the used octets file and saved the user again in radius , that made a new blank used file.
I set 18432MB in radius witch should give me 3 GB.
I read in the guide that cron could be used to reset the daily folder every night.
Is that needed?I want too run this with all users on a monthly basis. Should a cron job be set up to reset the counter monthly?
BTW
Thanks very much for all the help!!Yes, you must setup a cron job. When I wrote the documentation in the past I forgot to mention that after the cron job deletes "used" and "max" octets files it does not automaticalle recreate the files with the new/resetted values. I need to create a script which recreates the users file and recreates the max-octets file after cron job deleted them.
If you chose "daily", "monthly" or whatever in the GUI places the files in the specific ../datacounter/daily or ../datacounter/monthly folder.
To make it a little more clear:
Setting up daily, monthly and so on in the GUI just places the files in different folders.
You have to setup a cron job manually to delete these folders daily, monthly or whatever
After the files were deleted by cron you need to re-run the "squid.xml" file (Users tab). There is a check if a user has set a limit but no files exist in the folder they will be created new ones. If they exist, nothing will be done. (For this behaviour I need to write an additional script or someone provides it for us).PS: To reset a users counter just edit the user, empty the value for limit, save, edit the user again and setup a new limit. This deletes the old files and creates new ones with new limit.
Thanks for testing :-)
-
Ok With CP set too Mac format type default and radius user xx:f4:ff format I still get the octets 00X33X what have you file not found.
With CP set too ietf and user 00-99-ff format it counts .
But
The figure of the counting bug using start stop or interm seems to count much faster than 6 times the real rate.I set the user mac too 18432 MB total daily = 18gb divide by 6 gives 3 GB
The octets file shows this as 19327352832 bytes witch is correct
I test download a 1.4 GB file
I get roughly 732MB about 1/2 of it and I get kicked
Used octets reads 21725770732 bytes witch is roughly 20.2 GB -
I did some more tests and you are right. :(
The traffic counter is not working as it should. At the moment I am unsure if the CP sends the accounting information according to the RFC and my script is not correct or if it is vice versa. :(