Netgate Discussion Forum
    Testing freeradius2 with MAC Auth and accounting

      Alan87i

      Right now all wired.
      I'm using the PF LAN IP for a NAS.
      My goal is to set this up on a small WISP. AP to CPE or through the CPE to another router. I set it up a few years ago for the folks on the dirt roads all around the area where only parts of the main highway have cable service.

      So clients with Xboxes and more than 1 PC don't have to log in.
      Some of these clients also have IP cameras outside and/or ZoneMinder systems that I can add to the allow list so traffic is not counted.

        louis-m

        Been trying to get this going with my switch for a while now without much success. The minute I turn 802.1x on, PCs can't authenticate.
        Any chance you can put down what you've entered into what field (minus the real IPs of course)?

          Alan87i

          Create users with the MAC address as the name, all with the same shared secret. Use : in the MACs, not -. See the attachment for CP settings.
          The primary RADIUS server is the LAN IP; the shared secret is a different one. Use the same secret when you add the NAS (LAN IP in FreeRADIUS) so CP can access FR2.

          Also in FR2 Interfaces, set up the LAN IP again twice with 2 different ports; it's explained when you click edit or add.

          pf21.JPG
            Nachtfalke

            Hello everybody,

            freeradius2 is not working at all with pfsense 2.1 at the moment. It probably installs and it probably will start, but not all files have the correct path they should have.

            There is code in freeradius.inc which checks if the package is running on pfsense 2.0.x or pfsense 2.1:

            // Check to find out on which system the package is running
            if (exec("uname -r | cut -c 1-3") == '8.3') {
            	if (exec("uname -m") == "i386") {
            		define('RADDB', '/usr/pbi/freeradius-i386/etc/raddb');
            		define('USRLOCAL', '/usr/pbi/freeradius-i386');
            	}
            	else {
            		define('RADDB', '/usr/pbi/freeradius-amd64/etc/raddb');
            		define('USRLOCAL', '/usr/pbi/freeradius-amd64');
            	}
            }
            else {
            	define('RADDB', '/usr/local/etc/raddb');
            	define('USRLOCAL', '/usr/local');
            }
            // End of system check
            

            But for some reason - I am no coding expert - this constant does not get resolved:

            define('USRLOCAL', '/usr/local');
            

            That's why there are some wrong paths in "radiusd.conf" and probably other files and commands.
            If someone can check/fix that we can check why accounting files are empty.

              Alan87i

              The install I did this morning is working, sort of! MAC auth is working fine. But the accounting is not at all.

                jimp Rebel Alliance Developer Netgate

                @Nachtfalke - try it this way:

                
                if (substr(trim(file_get_contents("/etc/version")),0,3) == "2.1") {
                	define('RADDB', '/usr/pbi/freeradius-' . php_uname("m") . '/etc/raddb');
                	define('USRLOCAL', '/usr/pbi/freeradius-' . php_uname("m"));
                } else {
                	define('RADDB', '/usr/local/etc/raddb');
                	define('USRLOCAL', '/usr/local');
                }
                
                

                  Nachtfalke

                  @jimp:

                  @Nachtfalke - try it this way:

                  
                  if (substr(trim(file_get_contents("/etc/version")),0,3) == "2.1") {
                  	define('RADDB', '/usr/pbi/freeradius-' . php_uname("m") . '/etc/raddb');
                  	define('USRLOCAL', '/usr/pbi/freeradius-' . php_uname("m"));
                  } else {
                  	define('RADDB', '/usr/local/etc/raddb');
                  	define('USRLOCAL', '/usr/local');
                  }
                  
                  

                  Hi jimp,

                  I tried this; it is working, but not everywhere.
                  I found out something in the following function:

                  function freeradius_modulesdatacounter_resync() {
                  	global $config;
                  	$conf = '';
                  
                  	$conf .= <<<EOD
                  exec datacounterdaily {
                  		wait = yes
                  		program = "/bin/sh " . RADDB . "/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
                  	}
                  exec datacounterweekly {
                  		wait = yes
                  		program = "/bin/sh " . RADDB . "/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
                  	}
                  exec datacountermonthly {
                  		wait = yes
                  		program = "/bin/sh " . RADDB . "/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
                  	}
                  exec datacounterforever {
                  		wait = yes
                  		program = "/bin/sh " . RADDB . "/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
                  	}
                  EOD;
                  
                  	$filename = RADDB . '/modules/datacounter_acct';
                  	conf_mount_rw();
                  	file_put_contents($filename, $conf);
                  	chmod($filename, 0640);
                  	conf_mount_ro();
                  
                  }
                  

                  In the part between the following code the constant RADDB will not be resolved.

                  
                  $conf .= <<<EOD
                  ....
                  EOD;
                  

                  But in the same function this part is working as it should:

                  	$filename = RADDB . '/modules/datacounter_acct';
                  	conf_mount_rw();
                  	file_put_contents($filename, $conf);
                  	chmod($filename, 0640);
                  	conf_mount_ro();
                  

                  There are some other functions which have the same behaviour:
                  freeradius_settings_resync() in line 199
                  freeradius_modulesmotp_resync() in line 3949
                  freeradius_modulesdatacounter_resync() in lines 3968, 3972, 3976, 3980

                  Not sure if the defined constants can be accessed within every function or if it is another problem.

                  I tried this all on pfsense 2.0.1 i386 and amd64. Will try on pfsense 2.1 later but it will be probably the same.

                    jimp Rebel Alliance Developer Netgate

                    As I mentioned in another thread, you cannot use constants inside of "here doc" strings. That's why in the Quagga package I copied the constant to a normal variable at the start of the function that writes out the config.
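The heredoc behaviour discussed in the posts above, as an added example that is not code from the freeradius2 or Quagga packages. The function names and the `unresolved_constants()` check are hypothetical; the `RADDB` value is the 2.0.x path quoted in the thread.

```php
<?php
// Added example, not package code. RADDB uses the 2.0.x path from the thread.
define('RADDB', '/usr/local/etc/raddb');

// Broken form: a heredoc expands $variables only. The text
// `" . RADDB . "` is not PHP concatenation here; it is copied into the
// generated FreeRADIUS config as literal characters.
function datacounter_conf_broken(string $period): string {
    return <<<EOD
exec datacounter{$period} {
	wait = yes
	program = "/bin/sh " . RADDB . "/scripts/datacounter_acct.sh %{request:User-Name} {$period} %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
}

EOD;
}

// Fixed form: copy the constant into a local variable before the
// heredoc, then let the heredoc expand that variable.
function datacounter_conf_fixed(string $period): string {
    $raddb = RADDB;
    return <<<EOD
exec datacounter{$period} {
	wait = yes
	program = "/bin/sh {$raddb}/scripts/datacounter_acct.sh %{request:User-Name} {$period} %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
}

EOD;
}

// Hypothetical pre-write check: report constant names that survive in
// the generated text as `. NAME .`, which means they were never resolved.
function unresolved_constants(string $conf, array $names): array {
    $found = [];
    foreach ($names as $name) {
        $pattern = '/\.\s*' . preg_quote($name, '/') . '\s*\./';
        if (preg_match($pattern, $conf)) {
            $found[] = $name;
        }
    }
    return $found;
}

foreach (['broken' => 'datacounter_conf_broken', 'fixed' => 'datacounter_conf_fixed'] as $label => $fn) {
    $conf = '';
    foreach (['daily', 'weekly', 'monthly', 'forever'] as $period) {
        $conf .= $fn($period);
    }
    $left = unresolved_constants($conf, ['RADDB', 'USRLOCAL']);
    echo $label . ': ' . ($left ? 'unresolved ' . implode(', ', $left) : 'all paths resolved') . "\n";
}
```

Running the check on the generated text before `file_put_contents()` catches the problem at write time instead of when radiusd tries to run the script.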

                      Alan87i

                      I wish I understood what you two were talking about LOL
                      I would help if I could.
                      All I can do is test any updates.
                      Thanks for the hard work!!

                        Nachtfalke

                        @Alan87i:

                        I wish I understood what you two were talking about LOL

                        I wish I would understand what jimp is talking about, too ;-)) hehe just kidding. I don't know much about php and coding but I now know what he told me :-)

                        @Alan87i:

                        I would help if I could.
                        All I can do is test any updates.
                        Thanks for the hard work!!

                        Give the server some minutes to sync - then try a deinstall and new-install of the package.

                          Alan87i

                          Jun 25 05:38:44 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2 of 1024 MB! The user was accepted!!!
                          Jun 25 05:39:45 	radiusd[5085]: rlm_radutmp: Logout for NAS pfsense port 2, but no Login record
                          Jun 25 05:39:45 	radiusd[5085]: rlm_radutmp: Logout for NAS pfsense port 2, but no Login record
                          Jun 25 05:39:46 	radiusd[5085]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 2 cli 00:1e:ec:ad:45:29)
                          Jun 25 05:39:46 	radiusd[5085]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 2 cli 00:1e:ec:ad:45:29)
                          Jun 25 05:39:46 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 10 of 1024 MB! The user was accepted!!!
                          

                          Looks like it's counting
                          I hit the weather page and a couple links from the same site.

                            Nachtfalke

                            Ok, then counting will work - but if it's counting correctly - that is dependent on what CP is sending. Probably it doesn't do it the right way :-(

                            In

                            /var/log/radacct/datacounter/daily/
                            

                            you will find the "used" and "Max-octets" files for every user.
                            You can do a:

                            tail -F used-octets
                            

                            on this file and see how it is increasing when CP sends acct-input-octets and acct-output-octets to RADIUS.
                            Probably the best way is to open two SSH connections - on one, start radiusd -X to see all RADIUS output, and on the other, watch how the file is increasing.

                            There are some open tickets on redmine about the CP accounting bugs.

                              Alan87i

                              It for sure does not count correctly!!
                              A 200 MB download counted up over 1170MB in the octets used file.

                              This is a serious bug!

                                Nachtfalke

                                @Alan87i:

                                It for sure does not count correctly!!
                                A 200 MB download counted up over 1170MB in the octets used file.

                                This is a serious bug!

                                This is probably because CP does not reset the counter to zero after each update.
                                You will recognize that the counter will increase much faster when the download lasts longer.

                                So counting will probably be like that:
                                1 - 10MB
                                2 - 10MB + ( 10MB + new value1)
                                3 - 10MB + (10MB + new value1) + (10MB + new value1 + new value2)
                                and so on.

                                  Alan87i

                                  Resetting the used octets file to 0 each time I tested
                                  and waiting for the log to show user x has used 0 from xxx allowed.
                                  Downloading from thinkbroadband.com

                                  5MB download counted 23MB
                                  10MB download counted 49MB
                                  20MB download counted 118MB
                                  50MB download counted 286MB
                                  100MB download counted 570MB

                                  So yes, it does seem to count faster the longer traffic is continuously counted. But only to a point.
                                  Since RADIUS needs to have re-auth every minute set, I would think maybe CP needs to send accounting data every minute and reset?

                                  5 x 4.6 = 23
                                  10 x 4.9 =49
                                  20 x 5.9 =118
                                  50 x 5.72 = 286
                                  100 x 5.7 = 570

                                  Testing a 1.1 GB file now off my own server.

                                  This 1.1 GB download ran at about 460 to 461 KB/sec.
                                  
                                  Jun 25 10:30:54 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 0 of 10044 MB! The user was accepted!!!
                                  Jun 25 10:31:56 	radiusd[16481]: rlm_radutmp: Login entry for NAS pfsense port 52 wrong order
                                  Jun 25 10:31:56 	radiusd[16481]: rlm_radutmp: Login entry for NAS pfsense port 52 wrong order
                                  Jun 25 10:31:56 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 10:31:56 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 10:31:56 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 0 of 10044 MB! The user was accepted!!!
                                  Jun 25 10:47:24 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2419 of 10044 MB! The user was accepted!!!
                                  Jun 25 10:48:26 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 10:48:26 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 10:48:26 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2581 of 10044 MB! The user was accepted!!!
                                  Jun 25 10:49:28 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 10:49:28 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 10:49:28 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2743 of 10044 MB! The user was accepted!!!
                                  Jun 25 10:50:30 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 10:50:30 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 10:50:30 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2905 of 10044 MB! The user was accepted!!!
                                    This is roughly the 500MB mark
                                  
                                  Jun 25 11:11:06 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 11:11:06 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 11:11:06 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 6144 of 10044 MB! The user was accepted!!!
                                  Jun 25 11:12:08 	radiusd[16481]: rlm_radutmp: Login entry for NAS pfsense port 52 wrong order
                                  Jun 25 11:12:08 	radiusd[16481]: rlm_radutmp: Login entry for NAS pfsense port 52 wrong order
                                  Jun 25 11:12:08 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 11:12:08 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 11:12:08 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 6306 of 10044 MB! The user was accepted!!!
                                  Jun 25 11:13:10 	radiusd[16481]: rlm_radutmp: Logout for NAS pfsense port 52, but no Login record
                                  Jun 25 11:13:10 	radiusd[16481]: rlm_radutmp: Logout for NAS pfsense port 52, but no Login record
                                  Jun 25 11:13:10 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 11:13:10 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 11:13:10 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 6468 of 10044 MB! The user was accepted!!!
                                  Jun 25 11:14:11 	radiusd[16481]: rlm_radutmp: Login entry for NAS pfsense port 52 wrong order
                                  Jun 25 11:14:11 	radiusd[16481]: rlm_radutmp: Login entry for NAS pfsense port 52 wrong order
                                  Jun 25 11:14:11 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 11:14:11 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
                                  Jun 25 11:14:11 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 6474 of 10044 MB! The user was accepted!!!
                                  
                                  I trimmed a lot of lines out of the middle.
                                  
                                    Nachtfalke

                                    @Alan87i:

                                    Resetting the used octets file to 0 each time I tested
                                    and waiting for the log to show user x has used 0 from xxx allowed.
                                    Downloading from thinkbroadband.com

                                    5MB download counted 23MB
                                    10MB download counted 49MB
                                    20MB download counted 118MB
                                    50MB download counted 286MB
                                    100MB download counted 570MB

                                    So yes, it does seem to count faster the longer traffic is continuously counted. But only to a point.
                                    Since RADIUS needs to have re-auth every minute set, I would think maybe CP needs to send accounting data every minute and reset?

                                    5 x 4.6 = 23
                                    10 x 4.9 =49
                                    20 x 5.9 =118
                                    50 x 5.72 = 286
                                    100 x 5.7 = 570

                                    Testing a 1.1 GB file now off my own server.

                                    Re-authenticating every minute is - in the opinion of the freeradius developer on the mailing list - too fast. Re-connection should be at least 10 minutes or more, but the reconnection is not the problem. Reconnection is only for checking if the user can access again or not.

                                    But you are absolutely right:
                                    Default behaviour of a "correct" working NAS is that there is only an accounting stop packet when a user disconnects (shutdown PC or something else). If the user reconnects (turning PC on) the accounting starts again and of course at zero.

                                    But CP offers stop/start accounting which sends accounting stop packets every minute (could be every 5 minutes or any other value) but it does not reset the value.
                                    So as you said: Resetting the value to zero would "fix" the problem.
                                    http://redmine.pfsense.org/issues/2164

                                    Ermals posted a fix here - perhaps you can try this if it is working.
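The counting model proposed in the two posts above (each periodic report carries the running session total and is added in full), next to a delta-based counter, as an added example that is not code from pfSense, Captive Portal or the freeradius2 package. The session ids, the 10 MB per minute rate and all function names are constructed for illustration.

```php
<?php
// Added example; all values are constructed, not taken from the thread's logs.
const MB = 1048576;

// Constructed sample: one session reporting its cumulative output
// octets once per minute while downloading at a steady rate.
function sample_updates(int $minutes, int $mbPerMinute): array {
    $updates = [];
    for ($i = 1; $i <= $minutes; $i++) {
        $updates[] = ['session' => 'sess-1', 'octets' => $i * $mbPerMinute * MB];
    }
    return $updates;
}

// Counter as described in the post: every report is added in full,
// so earlier traffic is counted again on each update.
function count_naive(array $updates): int {
    $used = 0;
    foreach ($updates as $u) {
        $used += $u['octets'];
    }
    return $used;
}

// Delta counter: remember the last value seen per session and add only
// the growth. A new session id, or a value lower than the last one
// (the NAS reset its counter), is counted from zero.
function count_delta(array $updates): int {
    $used = 0;
    $last = [];
    foreach ($updates as $u) {
        $prev = $last[$u['session']] ?? 0;
        $delta = $u['octets'] >= $prev ? $u['octets'] - $prev : $u['octets'];
        $used += $delta;
        $last[$u['session']] = $u['octets'];
    }
    return $used;
}

// Five minutes of one session, then a fresh session that starts at zero.
$updates = sample_updates(5, 10);
$updates[] = ['session' => 'sess-2', 'octets' => 10 * MB];

printf("transferred: %d MB\n", 5 * 10 + 10);
printf("naive count: %d MB\n", intdiv(count_naive($updates), MB));
printf("delta count: %d MB\n", intdiv(count_delta($updates), MB));
```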

                                      Alan87i

                                      I'll need someone to hold my hand while applying that patch. I have not a clue where to begin.
                                      Maybe it could be added in the next update??

                                        Nachtfalke

                                        I am not sure - but jimp built a package "system patches" or something like that.
                                        Perhaps you can download the .diff file and import it into this "package". I had problems doing that by hand because of some "warnings" - I posted on this redmine ticket.

                                          Alan87i

                                          Ok, I applied the patch and it seemed to count even faster?
                                          Very strange, so I took it off again.

                                            Nachtfalke

                                            Did you use "Interim-update" or "stop/start"?
                                            The patch is - as far as I know - for stop/start.
