    Testing freeradius2 with MAC Auth and accounting

    2.1 Snapshot Feedback and Problems - RETIRED

      Alan87i

      Jun 25 05:38:44 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2 of 1024 MB! The user was accepted!!!
      Jun 25 05:39:45 	radiusd[5085]: rlm_radutmp: Logout for NAS pfsense port 2, but no Login record
      Jun 25 05:39:45 	radiusd[5085]: rlm_radutmp: Logout for NAS pfsense port 2, but no Login record
      Jun 25 05:39:46 	radiusd[5085]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 2 cli 00:1e:ec:ad:45:29)
      Jun 25 05:39:46 	radiusd[5085]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 2 cli 00:1e:ec:ad:45:29)
      Jun 25 05:39:46 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 10 of 1024 MB! The user was accepted!!!
      

      Looks like it's counting
      I hit the weather page and a couple links from the same site.

        Nachtfalke

        Ok, then counting will work - but if it's counting correctly - that is dependent on what CP is sending. Probably it doesn't do it the right way :-(

        In

        /var/log/radacct/datacounter/daily/

        you will find the "used" and "Max-octets" files for every user.
        You can do a:

        tail -F used-octets

        on this file and see how it is increasing when CP sends acct-input-octets and acct-output-octets to RADIUS.
        Probably the best way is to open two SSH connections - on one start radiusd -X to see all radius output and on the other see how the file is increasing.

        There are some open tickets on redmine about the CP accounting bugs.

          Alan87i

          It for sure does not count correctly!!
          A 200 MB download counted up over 1170MB in the octets used file.

          This is a serious bug!

            Nachtfalke

            @Alan87i:

            > It for sure does not count correctly!!
            > A 200 MB download counted up over 1170MB in the octets used file.
            >
            > This is a serious bug!

            This is probably because CP does not reset the counter to zero after each update.
            You will recognize that the counter will increase much faster when the download lasts longer.

            So counting will probably be like that:
            1 - 10MB
            2 - 10MB + (10MB + new value1)
            3 - 10MB + (10MB + new value1) + (10MB + new value1 + new value2)
            and so on.

              Alan87i

              Resetting the used octets file to 0 each time I tested
              and waiting for the log to show user x has used 0 from xxx allowed.
              Downloading from thinkbroadband.com

              5MB download counted 23MB
              10MB download counted 49MB
              20MB download counted 118MB
              50MB download counted 286MB
              100MB download counted 570MB

              So yes it does seem to count faster the longer traffic is continuously counted. But only to a point.
              Since radius needs to have re auth every minute set I would think maybe CP needs to send accounting data every minute and reset?

              5 x 4.6 = 23
              10 x 4.9 = 49
              20 x 5.9 = 118
              50 x 5.72 = 286
              100 x 5.7 = 570

              Testing a 1.1 Gb file now off my own server.

              This 1.1 gb DL ran at about 460 to 461 KB/sec
              
              Jun 25 10:30:54 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 0 of 10044 MB! The user was accepted!!!
              Jun 25 10:31:56 	radiusd[16481]: rlm_radutmp: Login entry for NAS pfsense port 52 wrong order
              Jun 25 10:31:56 	radiusd[16481]: rlm_radutmp: Login entry for NAS pfsense port 52 wrong order
              Jun 25 10:31:56 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 10:31:56 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 10:31:56 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 0 of 10044 MB! The user was accepted!!!
              Jun 25 10:47:24 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2419 of 10044 MB! The user was accepted!!!
              Jun 25 10:48:26 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 10:48:26 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 10:48:26 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2581 of 10044 MB! The user was accepted!!!
              Jun 25 10:49:28 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 10:49:28 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 10:49:28 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2743 of 10044 MB! The user was accepted!!!
              Jun 25 10:50:30 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 10:50:30 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 10:50:30 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2905 of 10044 MB! The user was accepted!!!
                This is roughly the 500MB mark
              
              Jun 25 11:11:06 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 11:11:06 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 11:11:06 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 6144 of 10044 MB! The user was accepted!!!
              Jun 25 11:12:08 	radiusd[16481]: rlm_radutmp: Login entry for NAS pfsense port 52 wrong order
              Jun 25 11:12:08 	radiusd[16481]: rlm_radutmp: Login entry for NAS pfsense port 52 wrong order
              Jun 25 11:12:08 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 11:12:08 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 11:12:08 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 6306 of 10044 MB! The user was accepted!!!
              Jun 25 11:13:10 	radiusd[16481]: rlm_radutmp: Logout for NAS pfsense port 52, but no Login record
              Jun 25 11:13:10 	radiusd[16481]: rlm_radutmp: Logout for NAS pfsense port 52, but no Login record
              Jun 25 11:13:10 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 11:13:10 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 11:13:10 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 6468 of 10044 MB! The user was accepted!!!
              Jun 25 11:14:11 	radiusd[16481]: rlm_radutmp: Login entry for NAS pfsense port 52 wrong order
              Jun 25 11:14:11 	radiusd[16481]: rlm_radutmp: Login entry for NAS pfsense port 52 wrong order
              Jun 25 11:14:11 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 11:14:11 	radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
              Jun 25 11:14:11 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 6474 of 10044 MB! The user was accepted!!!
              
              I trimmed a lot of lines out of the middle.
              
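The usage lines in the log above can be turned into a counted data rate per interval and compared with the measured download speed. This is an added example, not part of the original posts or of the freeradius2 package; the function names, `ASSUMED_YEAR` and the sample (a subset of the lines posted above, whitespace normalised) are assumptions.

```python
import re
from datetime import datetime

# Subset of the log lines posted above; one non-usage line kept to show filtering.
SAMPLE_LOG = """\
Jun 25 10:47:24 root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2419 of 10044 MB! The user was accepted!!!
Jun 25 10:48:26 radiusd[16481]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 52 cli 00:1e:ec:ad:45:29)
Jun 25 10:48:26 root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2581 of 10044 MB! The user was accepted!!!
Jun 25 10:49:28 root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2743 of 10044 MB! The user was accepted!!!
Jun 25 10:50:30 root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 2905 of 10044 MB! The user was accepted!!!
"""

USAGE_RE = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]{8})\s+root: FreeRADIUS: Used amount of daily "
    r"traffic by (\S+) is (\d+) of (\d+) MB")

ASSUMED_YEAR = 2012  # assumption: syslog lines carry no year; any year works for deltas


def usage_samples(text):
    """Yield (time, user, used_mb) for each usage line; other lines are skipped."""
    for line in text.splitlines():
        m = USAGE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}",
                                   "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3))


def counted_rates(text, measured_kb_per_s):
    """Per interval and user: seconds elapsed, MB added to the counter,
    the counted rate in KB/s and its ratio to the measured rate."""
    last, out = {}, []
    for ts, user, used in usage_samples(text):
        if user in last:
            prev_ts, prev_used = last[user]
            secs = (ts - prev_ts).total_seconds()
            if secs > 0 and used >= prev_used:  # skip duplicates and resets
                kb_s = (used - prev_used) * 1024 / secs
                out.append({"user": user, "seconds": secs,
                            "added_mb": used - prev_used, "counted_kb_s": kb_s,
                            "factor": kb_s / measured_kb_per_s})
        last[user] = (ts, used)
    return out


if __name__ == "__main__":
    for row in counted_rates(SAMPLE_LOG, measured_kb_per_s=460):
        print(row)
```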
                Nachtfalke

                @Alan87i:

                > Resetting the used octets file to 0 each time I tested
                > and waiting for the log to show user x has used 0 from xxx allowed.
                > Downloading from thinkbroadband.com
                >
                > 5MB download counted 23MB
                > 10MB download counted 49MB
                > 20MB download counted 118MB
                > 50MB download counted 286MB
                > 100MB download counted 570MB
                >
                > So yes it does seem to count faster the longer traffic is continuously counted. But only to a point.
                > Since radius needs to have re auth every minute set I would think maybe CP needs to send accounting data every minute and reset?
                >
                > 5 x 4.6 = 23
                > 10 x 4.9 = 49
                > 20 x 5.9 = 118
                > 50 x 5.72 = 286
                > 100 x 5.7 = 570
                >
                > Testing a 1.1 Gb file now off my own server.

                Re-authenticate every minute is - in the opinion of the freeradius developer on the mailing list - too fast. Re-connection should be at least 10 mins or more but the reconnection is not the problem. Reconnection is only for checking if the user can access again or not.

                But you are absolutely right:
                Default behaviour of a "correct" working NAS is that there is only an accounting stop packet when a user disconnects (shutdown PC or something else). If the user reconnects (turning PC on) the accounting starts again and of course by zero.

                But CP offers stop/start accounting which sends accounting stop packets every minute (could be every 5 minutes or any other value) but it does not reset the value.
                So as you said: Reset the value to zero would "fix" the problem.
                http://redmine.pfsense.org/issues/2164

                Ermals posted a fix here - perhaps you can try this if it is working.

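The effect discussed in the posts above, a NAS repeating a running total that then gets added up again, next to a delta-based counter, as an added example that is not pfSense or FreeRADIUS code. `UsageCounter`, `replay` and the sample reports are hypothetical; the 32-bit octet counters and their Gigawords companions are the standard RADIUS accounting attributes (RFC 2869).

```python
GIGAWORD = 2 ** 32  # Acct-*-Octets wrap at 2^32; Acct-*-Gigawords counts the wraps
MB = 1024 * 1024


def session_total(octets, gigawords=0):
    """Full running total of one direction of one session."""
    return gigawords * GIGAWORD + octets


class UsageCounter:
    """Hypothetical per-user counter that adds only what is new since the
    previous report for the same session (keyed by Acct-Session-Id)."""

    def __init__(self):
        self.used = {}    # user -> octets charged so far
        self._last = {}   # (user, session_id) -> last running total seen

    def report(self, user, session_id, in_octets, out_octets,
               in_giga=0, out_giga=0):
        total = (session_total(in_octets, in_giga)
                 + session_total(out_octets, out_giga))
        prev = self._last.get((user, session_id), 0)
        # A total below the previous one means the NAS restarted its count,
        # so the whole value is new traffic.
        delta = total - prev if total >= prev else total
        self._last[(user, session_id)] = total
        self.used[user] = self.used.get(user, 0) + delta
        return delta


def replay(reports, user="00:1e:ec:ad:45:29", session_id="s1"):
    """Return (naive_mb, delta_mb) for a list of (in_octets, out_octets)
    running totals: naive adds every report, delta uses UsageCounter."""
    counter = UsageCounter()
    naive = 0
    for in_o, out_o in reports:
        naive += in_o + out_o
        counter.report(user, session_id, in_o, out_o)
    return naive // MB, counter.used.get(user, 0) // MB


# Constructed input: a steady download reported once a minute for four
# minutes, each report carrying the running total (27, 54, 81, 108 MB).
SAMPLE_REPORTS = [(0, n * 27 * MB) for n in range(1, 5)]

if __name__ == "__main__":
    print(replay(SAMPLE_REPORTS))
```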
                  Alan87i

                  I'll need someone to hold my hand while applying that patch. I have not a clue where to begin.
                  Maybe it could be added in the next update??

                    Nachtfalke

                    I am not sure - but jimp built a package "system patches" or something like that.
                    Perhaps you can download the .diff file and import it into this "package". I had problems doing that by hand because of some "warnings" - I posted on this redmine ticket.

                      Alan87i

                      Ok I applied the patch and it seemed to count even faster?
                      Very strange so I took it off again.

                        Nachtfalke

                        Did you use "Interim-update" or "stop/start"?
                        The patch is - as far as I know - for stop/start.

                          Alan87i

                          stop/start
                          I don't think removing it worked correctly as it still seems to count even faster.

                            Alan87i

                            @Nachtfalke:

                            > Re-authenticate every minute is - in the opinion of the freeradius developer on the mailing list - too fast. Re-connection should be at least 10 mins or more but the reconnection is not the problem. Reconnection is only for checking if the user can access again or not.
                            >
                            > But you are absolutely right:
                            > Default behaviour of a "correct" working NAS is that there is only an accounting stop packet when a user disconnects (shutdown PC or something else). If the user reconnects (turning PC on) the accounting starts again and of course by zero.
                            >
                            > But CP offers stop/start accounting which sends accounting stop packets every minute (could be every 5 minutes or any other value) but it does not reset the value.
                            > So as you said: Reset the value to zero would "fix" the problem.
                            > http://redmine.pfsense.org/issues/2164
                            >
                            > Ermals posted a fix here - perhaps you can try this if it is working.

                            I would like to see re auth changed to 5 or 10 minutes or have the option for either or!!

                            Also there seem to be a lot of extra log entries

                            Jun 26 09:58:01 	radiusd[31540]: Login OK: [00:1b:38:b0:e1:51] (from client pfsense port 2 cli 00:1b:38:b0:e1:51)
                            Jun 26 09:58:01 	radiusd[31540]: Login OK: [00:1b:38:b0:e1:51] (from client pfsense port 2 cli 00:1b:38:b0:e1:51)
                            Jun 26 09:58:01 	root: FreeRADIUS: Used amount of daily traffic by 00:1b:38:b0:e1:51 is 114 of 2048 MB! The user was accepted!!!
                            Jun 26 09:58:02 	radiusd[31540]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 6 cli 00:1e:ec:ad:45:29)
                            Jun 26 09:58:02 	radiusd[31540]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 6 cli 00:1e:ec:ad:45:29)
                            Jun 26 09:58:02 	root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 118 of 10044 MB! The user was accepted!!!
                            

                            Another option: would it be possible to add a [NO login required] status page that lists the used octets files, displayed in MB per user ID? So users can check their consumption.

                            If I could write code here is how I would do it.

                            A script that is run when a browser connects through the portal looking for the address (routerIP/usage.php)
                            The script would grab the user ID (in my case it's the mac address) then tail the syslog for that ID from the log line

                            ```
                            root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 118 of 10044 MB! The user was accepted!!!
                            ```

                            I thought about a random pop up but when using mac auth a router is usually the head with cell phones / xboxes / playstations and so on behind it.

                            I'll post a bounty or donate towards this. But first the accounting bug that has carried on since pf2.0 needs to be fixed.
                              Nachtfalke

                              If you can - the best way would be to do accounting on a SQL database. Then just do a query on a user for his amount of traffic. This query will be secured by the user's username/password.
                              Or you copy the accounting logfiles to another server every hour and then you read this from the files. The number in the files is "Bytes" - if you divide it two times by 1024 you will get the MB.

                              This would avoid that you need to give someone access to your pfsense in any way.
