Netgate Discussion Forum

    PfSense 2.0-RC3 - CP, Radius MAC Auth with WISPr-Bandwidth-Max problem

      tomj

      pfSense 2.0-RC3 - CP, Radius MAC Auth with WISPr-Bandwidth-Max problem

      The problem: pfSense does not re-learn new radius settings "WISPr-Bandwidth-Max-Up" and "WISPr-Bandwidth-Max-Down" for already connected MAC addresses on the LAN network. Changes made in radius "WISPr-Bandwidth-Max" have no effect on MAC clients on the LAN, and those MAC clients continue to run at the original radius "WISPr-Bandwidth-Max" from when the MAC client on the LAN connected.

      My network is the following:

      • several i386 pfSense 2.0-RC3 (July through current August releases)
      • 30 to 150 MAC clients
      • Captive Portal, No NAT (Live IPs on WAN and LAN), Per-user bandwidth restriction
      • Radius MAC authentication, Re-Auth connected users every minute

      A sample of my "freeradius" Radius users file:

      00-13-10-e3-ff-a1 Cleartext-Password:= "pfsenseietf"
              WISPr-Bandwidth-Max-Up = 717999,
              WISPr-Bandwidth-Max-Down = 666000

      To duplicate the issue:
      Let a MAC client connect on the LAN and auth through radius.  The client will correctly upload and download at the "WISPr-Bandwidth-Max" in radius.
      Now change the "WISPr-Bandwidth-Max" in radius for the MAC client.  The client will continue to upload and download at the original radius "WISPr-Bandwidth-Max" settings - even though they have changed.
      NOTE: If you turn off captive portal then turn it back on the MAC client gets the new bandwidth settings - but I end up disconnecting established connections for hundreds of other MAC clients (VPN, FTP …).  All MAC clients must re-establish their connections to the remote server they were connected to.
      NOTE: If I use CP Hard-Timeout, the MAC client does get the new bandwidth settings but I end up disconnecting  established MAC LAN clients every 5 minutes -and- every 5 minutes all MAC clients must re-establish their connections to the remote server they were connected to.

      The CP setting for "Reauthenticate connected users every minute" appears to only check if the MAC address is still in radius and does not re-check (re-learn) any changes in "WISPr-Bandwidth-Max-Up".

      Is this a bug or a needed feature?

      Is there a work-around to hup and learn & use the new "WISPr-Bandwidth-Max" in radius?
      In a production environment with hundreds of CP MAC clients, it is not practical to manually bounce off/on the CP to get a radius change to a MAC client because I will end up disconnecting hundreds of established VPNs, FTP sessions and who knows what else a customer may be using to talk to remotely located servers.

      The only option I can think of is to auto-reboot or auto turn off then back on the CP every night.

      Any ideas?

      Tom Jones
      A wireless ISP (WISP) up in North Idaho

        eri--

        No, it is not considered today in code for this.
        You can do this during the pruning of the users, where the re-authentication takes place, and check if there is any change and modify values.
        Should not be hard.

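The approach suggested in the reply (compare the bandwidth attributes at each re-authentication and adjust the limits in place), as an added Python sketch that is not pfSense code and not part of either post. The `Session` fields, pipe ids and action tuples are hypothetical, and the attribute values are assumed to be integers in bits per second.

```python
from dataclasses import dataclass

@dataclass
class Session:
    """Hypothetical captive-portal session entry (not pfSense's own schema)."""
    mac: str
    pipe_up: int    # assumed limiter id for upload
    pipe_down: int  # assumed limiter id for download
    bw_up: int      # bits/s applied when the client logged in
    bw_down: int

def reauth_actions(session, reply):
    """Decide what to do after one periodic re-authentication.

    reply is None for an Access-Reject, otherwise a dict of Access-Accept
    attributes. Returns a list of action tuples and updates the session in
    place, so an unchanged reply yields no action and no disconnect.
    """
    if reply is None:
        return [("disconnect", session.mac)]
    actions = []
    for attr, field, pipe in (
        ("WISPr-Bandwidth-Max-Up", "bw_up", session.pipe_up),
        ("WISPr-Bandwidth-Max-Down", "bw_down", session.pipe_down),
    ):
        raw = reply.get(attr)
        if raw is None:
            continue  # attribute absent: keep the current limit (assumed policy)
        try:
            new = int(raw)
        except (TypeError, ValueError):
            continue  # malformed value: never change a limit on bad input
        if new <= 0:
            continue  # zero or negative would stall or unbound the client
        if new != getattr(session, field):
            setattr(session, field, new)
            actions.append(("set_bandwidth", pipe, new))
    return actions

if __name__ == "__main__":
    # Constructed sample using the MAC and limits from the users file above.
    s = Session("00-13-10-e3-ff-a1", 2000, 2001, 717999, 666000)
    changed = {"WISPr-Bandwidth-Max-Up": "1500000",
               "WISPr-Bandwidth-Max-Down": "666000"}
    print(reauth_actions(s, changed))  # only the upload limiter is reconfigured
    print(reauth_actions(s, changed))  # second pass: nothing left to change
```

The caller would translate each `set_bandwidth` action into a reconfiguration of the existing limiter, leaving the firewall rule and the client's established connections untouched.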