Netgate Discussion Forum

    Simultaneous-Use CP??

    Captive Portal
    38 Posts 2 Posters 11.2k Views
    • A
      Alan87i
      last edited by

      @Nachtfalke:

      You could stop radiusd process from GUI.
      connect with SSH to your pfsense and run radius in debug mode. type:

      radiusd -X
      

      You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes transferred.

      Ok I see it says Cat/var/log/radacct/daily/max-octets-bunch of numbers  No such file or directory

      same for used octets

      • A
        Alan87i
        last edited by

        Could it be some permissions problem? The files seem to be there .

        EDIT
        From the debug ssh window
        the max and used octets-00X23X69XfbX79X33
        That file as you can see from the screen shot does not exist.

        max-octets-00-23-69-fb-79-33

        max-octets-00:23:69:fb:79:33

        Edit again !!
        I went ahead and tried editing the files replacing the - with X's and voila
        I see this in the log file

        Apr 17 10:13:38 	admin: FreeRADIUS: Credentials are probably correct but the user 00X23X69XfbX79X33 has reached the daily Amount of Upload and Download Traffic which is 0 MB! The user was rejected!!!
        

        So I put " 1048576000 " into the modified file and was able to log back in just fine .

        pf.datacounter.JPG

        • N
          Nachtfalke
          last edited by

          I updated freeradius2 package to replace the "  :  " with "  X  ".
          Try if this helps. Perhaps try and test with a username and password like "John" and "mypass" if this in general works for you.

          • A
            Alan87i
            last edited by

            I want to run this with mac auth like I've been testing.

            What would cause my system to put : for the file name and freeradius to look for the X?
            Creating the files with an X didn't work , perhaps the new files don't have correct permissions ?

            • A
              Alan87i
              last edited by

              radiusd -X
              

              Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)

              Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default

              +- entering group post-auth {…}
              cat: /var/log/radacct/datacounter/daily/max-octets-00X23X69XfbX79X33: No such file or directory
              cat: /var/log/radacct/datacounter/daily/used-octets-00X23X69XfbX79X33: No such file or directory
              Exec-Program output:
              Exec-Program: returned: 0
              ++[exec] returns ok
              Sending Access-Accept of id 198 to 192.168.1.1 port 36700
                      WISPr-Bandwidth-Max-Up := 262144
                      WISPr-Bandwidth-Max-Down := 8192000
                      Session-Timeout = 53872310
              Finished request 0.
              Going to the next request
              Waking up in 4.9 seconds.
              Cleaning up request 0 ID 198 with timestamp +19
              Ready to process requests.

              I killed radius, removed the files from the daily folder, deleted the user account, then remade a new account. This is what I still have for a problem. It's looking for an octets file with X's and it makes an octets file with :'s

              • N
                Nachtfalke
                last edited by

                For me it is working but I have to set the correct MAC format according to the username entry in freeradius -> "Users".

                So if I choose "ietf" on CP then my username must look like "ietf": 11-22-33-44-55-66
                If I choose "default" on CP then my username must look like "default": 11:22:33:44:55:66

                But I found another "bug" - if I delete the files in:

                /var/log/radacct/datacounter/daily
                

                by hand then the script will not recreate these files with the corresponding values. To recreate the files I need to go to the "users" tab, edit a user (not change anything) and press save so that the "users" file will be created anew and so there will be new "datacounter limit files if not exist".

                I will try to find a solution for that.

                • A
                  Alan87i
                  last edited by

                  Well I tried the latest version and it didn't seem to work. So I uninstalled, downloaded pf config NO package info and RE uploaded it.
                  Re installed freeradius2 and set it up again.

                  Now I can't get a user to log with a mac and shared secret.
                  This is from the log
                  Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                  Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                  Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                  Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                  Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857
                  Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857

                  1.1. is PF lan IP The router is on DHCP at 1.100

                  So I reinstalled PF from the disk. and get the same problem.

                  • N
                    Nachtfalke
                    last edited by

                    @Alan87i:

                    Well I tried the latest version and it didn't seem to work. So I uninstalled, downloaded pf config NO package info and RE uploaded it.
                    Re installed freeradius2 and set it up again.

                    Now I can't get a user to log with a mac and shared secret.
                    This is from the log
                    Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                    Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                    Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                    Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
                    Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857
                    Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857

                    1.1. is PF lan IP The router is on DHCP at 1.100

                    So I reinstalled PF from the disk. and get the same problem.

                    This means you did not enter the pfsense LAN IP as a "NAS" in freeradius and/or wrong shared secret. That's a communication problem between NAS/CP and freeradius.

                    • A
                      Alan87i
                      last edited by

                      Thanks I was having a brief stupid moment.
                      And yes things seem to be working now. I removed the used octets file and saved the user again in radius , that made a new blank used file.
                      I set 18432MB in radius which should give me 3 GB.
                      I read in the guide that cron could be used to reset the daily folder every night.
                      Is that needed?

                      I want to run this with all users on a monthly basis. Should a cron job be set up to reset the counter monthly?
                      BTW
                      Thanks very much for all the help!!

                      • N
                        Nachtfalke
                        last edited by

                        @Alan87i:

                        Thanks I was having a brief stupid moment.
                        And yes things seem to be working now. I removed the used octets file and saved the user again in radius , that made a new blank used file.
                        I set 18432MB in radius which should give me 3 GB.
                        I read in the guide that cron could be used to reset the daily folder every night.
                        Is that needed?

                        I want to run this with all users on a monthly basis. Should a cron job be set up to reset the counter monthly?
                        BTW
                        Thanks very much for all the help!!

                        Yes, you must set up a cron job. When I wrote the documentation in the past I forgot to mention that after the cron job deletes the "used" and "max" octets files it does not automatically recreate the files with the new/reset values. I need to create a script which recreates the users file and recreates the max-octets file after the cron job has deleted them.

                        Choosing "daily", "monthly" or whatever in the GUI places the files in the specific ../datacounter/daily or ../datacounter/monthly folder.

                        To make it a little more clear:
                        Setting up daily, monthly and so on in the GUI just places the files in different folders.
                        You have to set up a cron job manually to delete these folders daily, monthly or whatever.
                        After the files were deleted by cron you need to re-run the "squid.xml" file (Users tab). There is a check: if a user has set a limit but no files exist in the folder, new ones will be created. If they exist, nothing will be done. (For this behaviour I need to write an additional script or someone provides it for us).

                        PS: To reset a users counter just edit the user, empty the value for limit, save, edit the user again and setup a new limit. This deletes the old files and creates new ones with new limit.

                        Thanks for testing :-)

                        • A
                          Alan87i
                          last edited by

                          Ok With CP set to Mac format type default and radius user xx:f4:ff format I still get the octets 00X33X what have you file not found.
                          With CP set to ietf and user 00-99-ff format it counts.
                          But
                          The figure of the counting bug using start stop or interim seems to count much faster than 6 times the real rate.

                          I set the user mac to 18432 MB total daily = 18gb divide by 6 gives 3 GB
                          The octets file shows this as 19327352832 bytes which is correct
                          I test download a 1.4 GB file
                          I get roughly 732MB about 1/2 of it and I get kicked
                          Used octets reads 21725770732 bytes which is roughly 20.2 GB

                          • N
                            Nachtfalke
                            last edited by

                            I did some more tests and you are right.  :(

                            The traffic counter is not working as it should. At the moment I am unsure if the CP sends the accounting information according to the RFC and my script is not correct or if it is vice versa.  :(

                            • A
                              Alan87i
                              last edited by

                              I deleted the two scripts and reinstalled, changed format to default, ran radiusd -X

                              Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
                              # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
                              +- entering group post-auth {...}
                              cat: /var/log/radacct/datacounter/daily/max-octets-00X23X69XfbX79X33: No such file or directory
                              cat: /var/log/radacct/datacounter/daily/used-octets-00X23X69XfbX79X33: No such file or directory
                              Exec-Program output:
                              Exec-Program: returned: 0
                              ++[exec] returns ok
                              Sending Access-Accept of id 86 to 192.168.1.1 port 1436
                                      WISPr-Bandwidth-Max-Up := 262144
                                      WISPr-Bandwidth-Max-Down := 15360000
                                      Session-Timeout = 53777840
                              Finished request 3.
                              Going to the next request
                              Waking up in 4.9 seconds.
                              Cleaning up request 3 ID 86 with timestamp +48
                              Ready to process requests.
                              
                              
                              • A
                                Alan87i
                                last edited by

                                @Nachtfalke:

                                I did some more tests and you are right.  :(

                                The traffic counter is not working as it should. At the moment I am unsure if the CP sends the accounting information according to the RFC and my script is not correct or if it is vice versa.  :(

                                Yea I just did another test and got the same result. set radius user for 20 Gb and could not pass 1 GB before it cut the user off.
                                I'm happy to test any updates or ideas . I would really like to implement this on 2 networks.

                                • N
                                  Nachtfalke
                                  last edited by

                                  Hi again,

                                  I took some time to remember what my scripts are doing and I would like to let you know and understand:

                                  To count the traffic we use octets. One octet is one byte. The CP sends Input and Output Octets.

                                  If you set volume limit for a user this limit will be calculated as octets/bytes and written to the file "max-octets-username".
                                  The script runs every time an interim or stop/start accounting packet arrives. Both packets include information about the input and output octets. The script sums both values and adds the result to the value written in the "used-octets-username" file. After this the script checks whether used-octets is greater than max-octets and rejects the connection or still allows it.

                                  The changes below will not add the values sent from CP to the values in the file but will still write the new values to the file.
                                  But the problem with this is that if a user disconnects and reconnects 2 hours later the CP starts to count the octets from zero.

                                  You can try to edit the script. Go to:

                                  /usr/local/etc/raddb/scripts/datacounter_acct.sh
                                  

                                  Change line 22 from this:

                                  USEDOCTETS=$(($ACCTINPUTOCTETS+$ACCTOUTPUTOCTETS+`cat "/var/log/radacct/datacounter/$TIMERANGE/used-octets-$USERNAME"`))
                                  

                                  to

                                  USEDOCTETS=$(($ACCTINPUTOCTETS+$ACCTOUTPUTOCTETS))
                                  

                                  This could perhaps help when using stop/start accounting.

                                  For the problem with the username and the " : " try to edit line 4 to this in datacounter_acct.sh

                                  USERNAME=`echo -n "$1" | sed 's/[^0-9a-zA-Z.:_-]/X/g' `
                                  

                                  and datacounter_auth.sh on line 4 to this

                                  USERNAME=`echo -n "$1" | sed 's/[^0-9a-zA-Z._:-]/X/g' `
                                  
                                  1 Reply Last reply Reply Quote 0
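The overcounting and the reconnect problem discussed in this post share one cause: RFC 2866 defines Acct-Input-Octets and Acct-Output-Octets as running totals for the current session. As an added example (not part of the original post and not the freeradius2 package's script), this sketch adds only the per-session growth to used-octets and builds every file name from one sanitizer that keeps ':'. The session-* files, the function names and the sample values are assumptions.

```sh
#!/bin/sh
# Added example, not the freeradius2 package's datacounter scripts.
# DATADIR follows the thread; the session-* files and all function
# names are assumptions made for this sketch.
DATADIR="${DATADIR:-/var/log/radacct/datacounter/daily}"

# Turn a User-Name or Acct-Session-Id into a safe file-name component.
# ':' is in the allowed class so a MAC like 00:23:69:fb:79:33 keeps its
# form; '/' and anything else outside the class becomes 'X'.
sanitize() {
    printf '%s' "$1" | sed 's/[^0-9a-zA-Z._:-]/X/g'
}

# account_update USER SESSION_ID STATUS IN_OCTETS OUT_OCTETS
# STATUS is the Acct-Status-Type (Start, Interim-Update or Stop).
# Prints the user's running total across all sessions.
account_update() {
    au_user=$(sanitize "$1")
    au_sess=$(sanitize "$2")
    au_now=$(( $4 + $5 ))
    au_used_file="$DATADIR/used-octets-$au_user"
    au_sess_file="$DATADIR/session-$au_user-$au_sess"

    # A missing or blank file counts as zero.
    au_used=$(cat "$au_used_file" 2>/dev/null || true)
    au_last=$(cat "$au_sess_file" 2>/dev/null || true)

    # The packet carries the session's total so far, so only the growth
    # since the previous packet of the same session is new traffic.
    au_delta=$(( au_now - ${au_last:-0} ))
    if [ "$au_delta" -lt 0 ]; then au_delta=$au_now; fi  # counter restarted

    au_used=$(( ${au_used:-0} + au_delta ))
    printf '%s\n' "$au_used" > "$au_used_file"
    if [ "$3" = "Stop" ]; then
        rm -f "$au_sess_file"          # session over, forget its counter
    else
        printf '%s\n' "$au_now" > "$au_sess_file"
    fi
    printf '%s\n' "$au_used"
}

# over_quota USER: 0 = limit exceeded, 1 = within limit,
# 2 = no max-octets file (the caller decides; not the same as "within limit").
over_quota() {
    oq_user=$(sanitize "$1")
    if [ ! -f "$DATADIR/max-octets-$oq_user" ]; then return 2; fi
    oq_max=$(cat "$DATADIR/max-octets-$oq_user")
    oq_used=$(cat "$DATADIR/used-octets-$oq_user" 2>/dev/null || true)
    [ "${oq_used:-0}" -gt "$oq_max" ]
}

# Constructed sample: one MAC user, session s1, then a reconnect as s2.
# Runs in a subshell so the temporary DATADIR does not leak out.
demo() (
    DATADIR=$(mktemp -d)
    u='00:23:69:fb:79:33'
    account_update "$u" s1 Interim-Update 100 50  >/dev/null
    account_update "$u" s1 Interim-Update 400 100 >/dev/null
    account_update "$u" s1 Stop           900 100 >/dev/null
    total=$(account_update "$u" s2 Interim-Update 200 0)
    rm -rf "$DATADIR"
    printf '%s\n' "$total"
)
demo
```

Adding every packet to the stored total would give 1850 for the same sequence, and storing only the latest packet would give 200.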
                                  • A
                                    Alan87i
                                    last edited by

                                    Ok that seems to fix the : mac address bug for octets file not found.

                                    I noticed one other thing for the back burner,

                                    I'm testing this with a PC WAN to a switch on MY lan 100 Mbps
                                    I have tried several max speeds, but to make things faster I set it for now to 45000 Kbits.
                                    I'm downloading from a PC running an HFS file server. (It will not allow a full 100 MB download ever on the lan)
                                    I cleared the usage total and saved to clean the used octets file and started a download (forgot to reset the usage limit, never changed the speed up/down).
                                    I noticed it was running up over 1M per second where normally with the limit for usage set it runs at 700/706 KB.

                                    Updated the scripts and testing another download  will report back later.
                                    Thanks

                                    • A
                                      Alan87i
                                      last edited by

                                      Ok those updates seem to work !
                                      I have start/stop set in CP
                                      Mac is with :: in radius and default in cp.
                                      I downloaded a 1.1 gb file and the used octets show 1184268463  = 1.1 GB

                                      • A
                                        Alan87i
                                        last edited by

                                        Yes, you must set up a cron job. When I wrote the documentation in the past I forgot to mention that after the cron job deletes the "used" and "max" octets files it does not automatically recreate the files with the new/reset values. I need to create a script which recreates the users file and recreates the max-octets file after the cron job has deleted them.

                                        Choosing "daily", "monthly" or whatever in the GUI places the files in the specific ../datacounter/daily or ../datacounter/monthly folder.

                                        I'm no script writer but could you make a script that would simply delete the used octets file contents every 30 days / 24 hours or 7 days?
                                        That way they would not have to be recreated.
                                        Even better would be the option to back the octet files up to another folder with the date as the folder name. That way someone could manually add them up or use another program to read and chart the usage.
                                        Random thoughts .

                                        • N
                                          Nachtfalke
                                          last edited by

                                          I will think about that but I am no script writer, either.  ;)
                                          But I thought about a script that rotates the files or something like this.

                                          PS: The changes you made to the script have a side effect:
                                          If you set a limit of 1GB and the user disconnects after 950MB and reconnects then the user has again 1GB traffic.

                                          • A
                                            Alan87i
                                            last edited by

                                            @Nachtfalke:

                                            I will think about that but I am no script writer, either.  ;)
                                            But I thought about a script that rotates the files or something like this.

                                            PS: The changes you made to the script have a side effect:
                                            If you set a limit of 1GB and the user disconnects after 950MB and reconnects then the user has again 1GB traffic.

                                            Ya that will become a problem. I haven't tested it for the reconnect yet.
                                            Most of the users will be routers or a CPE wireless radio. 1 or 2 will be a PC.
                                            Except for the PC's shutting off at night the routers/radios should stay connected unless the power goes out.
                                            I have also noticed since changing those 3 lines that the syslog no longer reports the client (user) reconnecting every minute although this is still checked in CP.

                                            Ok I just set the user limit to below what has already been used.

                                            See the syslog below. Seems disconnecting from radius restarting has had no ill effect. I'm not able to connect. Only the 2 sites I enabled pass through are working.

                                            Apr 19 08:44:56 	check_reload_status: Syncing firewall
                                            Apr 19 08:44:59 	radiusd[2890]: Loaded virtual server <default>
                                            Apr 19 08:44:59 	radiusd[2964]: Ready to process requests.
                                            Apr 19 08:45:01 	radiusd[2964]: rlm_radutmp: Logout for NAS admin port 8, but no Login record
                                            Apr 19 08:45:01 	radiusd[2964]: rlm_radutmp: Logout for NAS admin port 8, but no Login record
                                            Apr 19 08:45:02 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
                                            Apr 19 08:45:02 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
                                            Apr 19 08:45:02 	root: FreeRADIUS: Credentials are probably correct but the user 00:23:69:fb:79:33 has reached the daily Amount of Upload and Download Traffic which is 2048 MB! The user was rejected!!!
                                            Apr 19 08:45:56 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
                                            Apr 19 08:45:56 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
                                            Apr 19 08:45:56 	root: FreeRADIUS: Credentials are probably correct but the user 00:23:69:fb:79:33 has reached the daily Amount of Upload and Download Traffic which is 2048 MB! The user was rejected!!!
                                            Apr 19 08:46:01 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 10 cli 00:23:69:fb:79:33)
                                            Apr 19 08:46:01 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 10 cli 00:23:69:fb:79:33)
                                            Apr 19 08:46:02 	root: FreeRADIUS: Credentials are probably correct but the user 00:23:69:fb:79:33 has reached the daily Amount of Upload and Download Traffic which is 2048 MB! The user was rejected!!!
                                            Apr 19 08:46:07 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 12 cli 00:23:69:fb:79:33)
                                            Apr 19 08:46:07 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 12 cli 00:23:69:fb:79:33)
                                            Apr 19 08:46:07 	root: FreeRADIUS: Credentials are probably correct but the user 00:23:69:fb:79:33 has reached the daily Amount of Upload and Download Traffic which is 2048 MB! The user was rejected!!!
                                            