Netgate Discussion Forum

    Simultaneous-Use CP??

    38 Posts 2 Posters 11.4k Views
    • A
      Alan87i
      last edited by

      Do you mean the limit set on CP only or do you mean the override freeradius does ?

      The freeradius limiter for the user mac seems to work great.

      This bug is still present on 2.0.1 but as far as I know it is fixed in 2.1. There was a ticket open on redmine which was closed.
      When trying to limit the amount of traffic please read the freeradius2 documentation carefully - about accounting updates and so on - and read the "KNOWN BUGS" to make sure you know what is going on :-)

      I'm testing the daily limit set in freeradius2 right now. I set 1000MB and will download some files from an HFS server through the WAN.

      All users which use the CP as authentication will be affected by the limits - no matter which destination their traffic has. But you can add a "Pass-through IP address" on CP. So you are able to bypass the CP for specific destination IPs.

      Thanks I tried that and it does work SUPER

      1 Reply Last reply Reply Quote 0
      • A
        Alan87i
        last edited by

        Auth log when the user has a set usage limit in radius

        Apr 16 19:44:27 	logportalauth[40065]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
        Apr 16 20:45:17 	logportalauth[27313]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
        Apr 16 20:47:25 	logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
        Apr 16 21:48:07 	logportalauth[49897]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
        Apr 16 21:49:03 	logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
        

        Using interim update in CP because from reading start stop has a bug. Seems as though this one does too.

        1 Reply Last reply Reply Quote 0
        • N
          Nachtfalke
          last edited by

          @Alan87i:

          Auth log when the user has a set usage limit in radius

          Apr 16 19:44:27 	logportalauth[40065]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
          Apr 16 20:45:17 	logportalauth[27313]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
          Apr 16 20:47:25 	logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
          Apr 16 21:48:07 	logportalauth[49897]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
          Apr 16 21:49:03 	logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
          

          Using interim update in CP because from reading start stop has a bug. Seems as though this one does too.

          The "bug" I mentioned above is that it counts traffic wrong but in general it is working. What your log means - I don't know. It is related to CP, or in other words it is a CP log and not a freeradius log.
          Did you read the documentation of freeradius about "acct_unique" ? Probably disable acct_unique
          Did you set any idle/hard timeout on CP which causes this problem ? disable or set the timeouts high enough for testing
          Did you set re-authenticate every minute on CP ? you need this so that freeradius can reject access if the limit is reached

          Can the user get access or does it timeout when accounting and usage limit is enabled ?

          1 Reply Last reply Reply Quote 0
          • A
            Alan87i
            last edited by

            Did you read the documentation of freeradius about "acct_unique" ? Probably disable acct_unique

            Yes it has been disabled the whole time.

            Did you set any idle/hard timeout on CP which causes this problem ? disable or set the timeouts high enough for testing

            Hard timeout was at 60, I took it out and added 120 to idle timeout.

            Did you set re-authenticate every minute on CP ? you need this so that freeradius can reject access if the limit is reached

            Yes this is checked also.

            I set it back to start stop updates.
            Deleted the user and created a new one. With limit in the account set to 500 MB then downloaded a 700 MB file. The user is still connected.

            Found this issue http://redmine.pfsense.org/issues/2164  Not sure how to apply a patch.

            1 Reply Last reply Reply Quote 0
            • N
              Nachtfalke
              last edited by

              Are you running pfsense on embedded or nanobsd ?

              Check if these folders and files exist:

              
              /var/log/radacct/datacounter/
              /var/log/radacct/timecounter/
              /usr/local/etc/raddb/scripts/datacounter_acct.sh
              
              

              If not, reinstall freeradius2 package please.

              The redmine ticket you found is for time-based accounting. I opened that ticket in the past ;)
              Datacounter is working - with the known bug that CP sends 6 times more MB than used in reality.

              1 Reply Last reply Reply Quote 0
              • A
                Alan87i
                last edited by

                Yes, all the files exist.
                I have opened the daily data file and in bytes it had the number that matched the MB limit I set for the user, 505 MB, when in fact I downloaded close to 2.5 GB off my server. And it's not a server I set in the allowed IP field. I thought that might stop the counter from working.

                1 Reply Last reply Reply Quote 0
                • N
                  Nachtfalke
                  last edited by

                  You could stop radiusd process from GUI.
                  connect with SSH to your pfsense and run radius in debug mode. type:

                  radiusd -X
                  

                  You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes transferred.

                  1 Reply Last reply Reply Quote 0
                  • A
                    Alan87i
                    last edited by

                    @Nachtfalke:

                    You could stop radiusd process from GUI.
                    connect with SSH to your pfsense and run radius in debug mode. type:

                    radiusd -X
                    

                    You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes transferred.

                    Ok I see it says Cat/var/log/radacct/daily/max-octets-bunch of numbers  No such file or directory

                    same for used octets

                    1 Reply Last reply Reply Quote 0
                    • A
                      Alan87i
                      last edited by

                      Could it be some permissions problem? The files seem to be there .

                      EDIT
                      From the debug ssh window
                      the max and used octets-00X23X69XfbX79X33
                      That file as you can see from the screen shot does not exist.

                      max-octets-00-23-69-fb-79-33

                      max-octets-00:23:69:fb:79:33

                      Edit again !!
                      I went ahead and tried editing the files replacing the - with X's and voila
                      I see this in the log file

                      Apr 17 10:13:38 	admin: FreeRADIUS: Credentials are probably correct but the user 00X23X69XfbX79X33 has reached the daily Amount of Upload and Download Traffic which is 0 MB! The user was rejected!!!
                      

                      So I put " 1048576000 " into the modified file and was able to log back in just fine .

                      [Screenshot: pf.datacounter.JPG]

                      1 Reply Last reply Reply Quote 0
                      • N
                        Nachtfalke
                        last edited by

                        I updated freeradius2 package to replace the "  :  " with "  X  ".
                        Try if this helps. Perhaps try and test with a username and password like "John" and "mypass" if this in general works for you.

                        1 Reply Last reply Reply Quote 0
                        • A
                          Alan87i
                          last edited by

                          I want to run this with mac auth like I've been testing.

                          What would cause my system to put : for the file name and freeradius to look for the X?
                          Creating the files with an X didn't work, perhaps the new files don't have correct permissions?

                          1 Reply Last reply Reply Quote 0
                          • A
                            Alan87i
                            last edited by

                            radiusd -X
                            

                            Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)

                            Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default

                            +- entering group post-auth {…}
                            cat: /var/log/radacct/datacounter/daily/max-octets-00X23X69XfbX79X33: No such file or directory
                            cat: /var/log/radacct/datacounter/daily/used-octets-00X23X69XfbX79X33: No such file or directory
                            Exec-Program output:
                            Exec-Program: returned: 0
                            ++[exec] returns ok
                            Sending Access-Accept of id 198 to 192.168.1.1 port 36700
                                    WISPr-Bandwidth-Max-Up := 262144
                                    WISPr-Bandwidth-Max-Down := 8192000
                                    Session-Timeout = 53872310
                            Finished request 0.
                            Going to the next request
                            Waking up in 4.9 seconds.
                            Cleaning up request 0 ID 198 with timestamp +19
                            Ready to process requests.

                            I killed radius, removed the files from the daily folder, deleted the user account, then remade a new account. This is what I still have for a problem. It's looking for an octets file with X's and it makes an octets file with :'s

                            1 Reply Last reply Reply Quote 0
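The debug output in the post above shows the post-auth exec returning 0 and an Access-Accept being sent even though both counter files were missing, because the lookup key uses "X" where the files on disk use ":". The following is an added example, not code from the thread or from the freeradius2 package: a POSIX sh quota check that derives the key the same way and reports missing or invalid counters as a failure instead of letting the login through. The function names and return codes are assumptions, and it assumes every user passed to it has a limit configured.

```shell
#!/bin/sh
# Added example, not the freeradius2 package's script. The names
# max-octets-<key> / used-octets-<key> and the ":" -> "X" mapping are taken
# from the thread; function names and return codes are assumptions.

# Map a User-Name to the key used in counter file names (":" becomes "X").
counter_key() {
    printf '%s' "$1" | tr ':' 'X'
}

# Print a counter file's value if it is a plain decimal number. An empty
# file counts as 0 only with "allow-empty" (the thread reports a blank
# used-octets file right after a user is saved).
read_counter() {
    [ -f "$1" ] || return 1
    val=$(tr -d ' \t\r\n' < "$1")
    if [ -z "$val" ]; then
        [ "${2:-}" = "allow-empty" ] || return 1
        val=0
    fi
    case "$val" in
        *[!0-9]*) return 1 ;;
    esac
    [ "${#val}" -le 18 ] || return 1   # keep within 64-bit shell arithmetic
    printf '%s' "$val"
}

# check_quota DIR USERNAME
# Returns 0 = under limit, 1 = limit reached, 2 = counter missing or invalid.
# Callers should reject on anything but 0.
check_quota() {
    dir=$1
    key=$(counter_key "$2")
    case "$key" in
        ''|.*|*/*) return 2 ;;         # user name must not escape DIR
    esac
    max=$(read_counter "$dir/max-octets-$key") || return 2
    used=$(read_counter "$dir/used-octets-$key" allow-empty) || return 2
    [ "$used" -lt "$max" ] || return 1
    return 0
}

# Demo on constructed data: run as "sh quota.sh demo".
demo() {
    d=$(mktemp -d) || return 1
    mac="00:23:69:fb:79:33"
    # Files named with ":" as in the thread: the lookup key uses "X", so
    # the check reports "missing" instead of silently allowing.
    echo 1048576000 > "$d/max-octets-$mac"
    : > "$d/used-octets-$mac"
    check_quota "$d" "$mac"; echo "colon-named files -> $?"
    # Same limit under the "X" key: the limit is enforced.
    key=$(counter_key "$mac")
    echo 1048576000 > "$d/max-octets-$key"
    echo 734003200 > "$d/used-octets-$key"
    check_quota "$d" "$mac"; echo "under limit       -> $?"
    echo 1048576000 > "$d/used-octets-$key"
    check_quota "$d" "$mac"; echo "limit reached     -> $?"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```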
                            • N
                              Nachtfalke
                              last edited by

                              For me it is working but I have to set the correct MAC format according to the username entry in freeradius -> "Users".

                              So if I chose "ietf" on CP then my username must look like "ietf": 11-22-33-44-55-66
                              If I chose "default" on CP then my username must look like "default": 11:22:33:44:55:66

                              But I found another "bug" - if I delete the files in:

                              /var/log/radacct/datacounter/daily
                              

                              by hand then the script will not recreate these files with the according values. To recreate the files I need to go to "users" tab, edit a user (not change anything) and press save so that "users" file will be created new and so there will be new "datacounter limit files if not exist".

                              I will try to find a solution for that.

                              1 Reply Last reply Reply Quote 0
                              • A
                                Alan87i
                                last edited by

                                Well I tried the latest version and it didn't seem to work. So I uninstalled, downloaded pf config NO package info and RE uploaded it.
                                Reinstalled freeradius2 and set it up again.

                                Now I can't get a user to log with a mac and shared secret.
                                This is from the log
                                Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                                Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                                Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                                Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                                Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857
                                Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857

                                1.1. is PF lan IP The router is on DHCP at 1.100

                                So I reinstalled PF from the disk. and get the same problem.

                                1 Reply Last reply Reply Quote 0
                                • N
                                  Nachtfalke
                                  last edited by

                                  @Alan87i:

                                  Well I tried the latest version and it didn't seem to work. So I uninstalled, downloaded pf config NO package info and RE uploaded it.
                                  Reinstalled freeradius2 and set it up again.

                                  Now I can't get a user to log with a mac and shared secret.
                                  This is from the log
                                  Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                                  Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                                  Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                                  Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                                  Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857
                                  Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857

                                  1.1. is PF lan IP The router is on DHCP at 1.100

                                  So I reinstalled PF from the disk. and get the same problem.

                                  This means you did not enter the pfsense LAN IP as a "NAS" in freeradius and/or wrong shared secret. That's a communication problem between NAS/CP and freeradius.

                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    Alan87i
                                    last edited by

                                    Thanks I was having a brief stupid moment.
                                    And yes things seem to be working now. I removed the used octets file and saved the user again in radius, that made a new blank used file.
                                    I set 18432MB in radius which should give me 3 GB.
                                    I read in the guide that cron could be used to reset the daily folder every night.
                                    Is that needed?

                                    I want to run this with all users on a monthly basis. Should a cron job be set up to reset the counter monthly?
                                    BTW
                                    Thanks very much for all the help!!

                                    1 Reply Last reply Reply Quote 0
                                    • N
                                      Nachtfalke
                                      last edited by

                                      @Alan87i:

                                      Thanks I was having a brief stupid moment.
                                      And yes things seem to be working now. I removed the used octets file and saved the user again in radius, that made a new blank used file.
                                      I set 18432MB in radius which should give me 3 GB.
                                      I read in the guide that cron could be used to reset the daily folder every night.
                                      Is that needed?

                                      I want to run this with all users on a monthly basis. Should a cron job be set up to reset the counter monthly?
                                      BTW
                                      Thanks very much for all the help!!

                                      Yes, you must set up a cron job. When I wrote the documentation in the past I forgot to mention that after the cron job deletes "used" and "max" octets files it does not automatically recreate the files with the new/reset values. I need to create a script which recreates the users file and recreates the max-octets file after the cron job deleted them.

                                      If you chose "daily", "monthly" or whatever in the GUI, it places the files in the specific ../datacounter/daily or ../datacounter/monthly folder.

                                      To make it a little more clear:
                                      Setting up daily, monthly and so on in the GUI just places the files in different folders.
                                      You have to set up a cron job manually to delete these folders daily, monthly or whatever.
                                      After the files were deleted by cron you need to re-run the "squid.xml" file (Users tab). There is a check: if a user has set a limit but no files exist in the folder, new ones will be created. If they exist, nothing will be done. (For this behaviour I need to write an additional script or someone provides it for us).

                                      PS: To reset a user's counter just edit the user, empty the value for limit, save, edit the user again and set up a new limit. This deletes the old files and creates new ones with the new limit.

                                      Thanks for testing :-)

                                      1 Reply Last reply Reply Quote 0
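The reset procedure described above deletes the counter files and then depends on a manual save in the GUI to recreate them. As an added example (not part of the thread or the freeradius2 package), this POSIX sh function takes a different route: it zeroes the used-octets counters in place and leaves the max-octets files alone, so no recreate step is needed. It assumes a used-octets file holds a single decimal byte count, and the script path in the cron comment is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the freeradius2 package.
# Assumption: used-octets-<key> holds one decimal byte count, and the
# limit in max-octets-<key> must survive the reset.
#
# Hypothetical cron entry for a monthly reset (script path is made up):
#   0 0 1 * * /root/reset_datacounter.sh /var/log/radacct/datacounter/monthly

# reset_period DIR
# Sets used-octets-<key> to 0 for every max-octets-<key> found in DIR and
# prints "reset=N orphans=M". Orphans are used-octets files that have no
# matching limit file; they are reported on stderr and left untouched.
# Returns 2 if DIR is missing or a counter cannot be written.
reset_period() {
    dir=$1
    [ -d "$dir" ] || return 2
    reset=0
    orphans=0

    for max in "$dir"/max-octets-*; do
        [ -f "$max" ] || continue            # glob matched nothing
        key=${max##*/max-octets-}
        # Write in place so the file keeps its owner and mode.
        echo 0 > "$dir/used-octets-$key" || return 2
        reset=$((reset + 1))
    done

    for used in "$dir"/used-octets-*; do
        [ -f "$used" ] || continue
        key=${used##*/used-octets-}
        if [ ! -f "$dir/max-octets-$key" ]; then
            echo "no limit file for $key" >&2
            orphans=$((orphans + 1))
        fi
    done

    echo "reset=$reset orphans=$orphans"
}

# Run against the directory given on the command line, if any.
if [ "$#" -ge 1 ]; then reset_period "$1"; fi
```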
                                      • A
                                        Alan87i
                                        last edited by

                                        OK, with CP set to MAC format type default and radius user xx:f4:ff format I still get the octets 00X33X what have you file not found.
                                        With CP set to ietf and user 00-99-ff format it counts.
                                        But
                                        The figure of the counting bug using start stop or interim seems to count much faster than 6 times the real rate.

                                        I set the user mac to 18432 MB total daily = 18gb divide by 6 gives 3 GB
                                        The octets file shows this as 19327352832 bytes which is correct
                                        I test download a 1.4 GB file
                                        I get roughly 732MB about 1/2 of it and I get kicked
                                        Used octets reads 21725770732 bytes which is roughly 20.2 GB

                                        1 Reply Last reply Reply Quote 0
                                        • N
                                          Nachtfalke
                                          last edited by

                                          I did some more tests and you are right.  :(

                                          The traffic counter is not working as it should. At the moment I am unsure if the CP sends the accounting information according to the RFC and my script is not correct or if it is vice versa.  :(

                                          1 Reply Last reply Reply Quote 0
                                          • A
                                            Alan87i
                                            last edited by

                                            I deleted the two scripts and reinstalled, changed format to default, ran radiusd -X

                                            Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
                                            # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
                                            +- entering group post-auth {...}
                                            cat: /var/log/radacct/datacounter/daily/max-octets-00X23X69XfbX79X33: No such file or directory
                                            cat: /var/log/radacct/datacounter/daily/used-octets-00X23X69XfbX79X33: No such file or directory
                                            Exec-Program output:
                                            Exec-Program: returned: 0
                                            ++[exec] returns ok
                                            Sending Access-Accept of id 86 to 192.168.1.1 port 1436
                                                    WISPr-Bandwidth-Max-Up := 262144
                                                    WISPr-Bandwidth-Max-Down := 15360000
                                                    Session-Timeout = 53777840
                                            Finished request 3.
                                            Going to the next request
                                            Waking up in 4.9 seconds.
                                            Cleaning up request 3 ID 86 with timestamp +48
                                            Ready to process requests.
                                            
                                            
                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.