Simultaneous-Use CP??
-
I'm trying to follow the tips on this page http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Plain_MAC_Auth_besides_802.1X
First off I'm searching for "Simultaneous-Use must be set to a value from at least 2" leave empty in free radius.
I can't find it in CP. Using PF2.0.1
I have tried this Mac auth both ways and neither work.
If I set the value "Pass-through credits allowed per MAC addres" too 2 I can get through a router with 2 laptops connected to a router wan too pf lan. but the Cp status showsIP address MAC address Username Session start 192.168.1.100 00:23:69:fb:79:33 unauthenticated 04/16/2012 12:10:24
With the above blank I do not get authenticated
And I have too set a speed in CP "Per-user bandwidth restriction"
When the page above says to leave it blank or a 0. -
Hi,
I think you mixed up different things. I hope I could make it clear :-)
1.) Simultaneous-Use
To check for simultaneous connections there are two possibilities when using freeradius and CP. You can enable "Disable concurrent logings" on CP page. Then the CP itself checks for simultaneous connections.The other possibility is to use "Simultaneous-Use" on freeradius. This ONLY works if you have accounting enabled. If you set it to "1" then only one connection per time is allowed. If you leave it empty, unlimited connections are allowed.
BUT if you use the "re-autheticate every minute" on CP then you have to leave the "Simultaneous-use" check empty or set it to 2 or higher. This is because of the way CP sends the re-authentication oackets/attributes.
2.) MAC based authentication and CP:
Captive Portal isn't using a real "Plain Mac-Auth". CP is doing 802.1X auth BUT is uses the MAC address as username and the "shared-secret" you entered on CP. So every authentication has the same shared secret but the username changes because it is the MAC address.
So in freeradius you have to enter the MAC address in "Users" as username and the shared secret as password.In freeradius -> settings there is a setting "Enable Plain MAC-Auth". You do NOT need this when using with CP and it will NOT work with CP.
3.) Bandwidth restrictions:
If you set a value on CP then all users which authenticate through the CP will have this bandwidth limit. If you like to set individual bandwidth limits then set any value or "0" on CP because this value will be opverwritten by freeradius. So you have to set the limit on freeradius under "Users" tab.PS: Bandwidth limit is not 100% sure to work - test it. If it doesn't work it is a problem of CP.
-
Hey Thanks for taking time to explain that.
After getting confirmation on all of the above I pulled a Sherlock Holmes and found that using 127.0.0.1 as the ip of the radius server does not work. I had to all the LAN adapter IP there instead.
Now she's ticking away and working.
The user speed limit seems to work. Set it to 256K up down and a speed test verified that.
Now I'll test the usage daily and hope monthly works. I read about a 6 meg counter bug does that still apply with the 2.0.1 version?I also need to know how it regulates speed as compared to the traffic shaper.
I tested the shaper once regulating speed . All it does is drop packets , making the end user take longer to download . In the end wan usage from the ISP almost doubled in the 2 months I tested this.
Does CP do the same?
Also If I have a static route 3rd nic going off too different servers will CP limit speed to this lan as well?
Thanks
Allan -
Hey Thanks for taking time to explain that.
After getting confirmation on all of the above I pulled a Sherlock Holmes and found that using 127.0.0.1 as the ip of the radius server does not work. I had to all the LAN adapter IP there instead.
Now she's ticking away and working.If you use * as interface IP then radius is listening on all interfaces. Probably the easiest one for testing.
The user speed limit seems to work. Set it to 256K up down and a speed test verified that.
Do you mean the limit set on CP only or do you mean the override freeradius does ?
Now I'll test the usage daily and hope monthly works. I read about a 6 meg counter bug does that still apply with the 2.0.1 version?
This bug is still present on 2.0.1 but as far as I know it is fixed in 2.1. There was a ticket open on redmine which was closed.
When trying to limit the amount of traffic please read the freeradius2 documentation carefully - about accounting updates and so and and read the "KNOWN BUGS" to make sure you know what is going on :-)I also need to know how it regulates speed as compared to the traffic shaper.
I tested the shaper once regulating speed . All it does is drop packets , making the end user take longer to download . In the end wan usage from the ISP almost doubled in the 2 months I tested this.
Does CP do the same?
Don't know anything about that.
Also If I have a static route 3rd nic going off too different servers will CP limit speed to this lan as well?
Thanks
AllanAll users which use the CP as authentication will be affected by the limits - no matter which destination their traffic has. But you can add a "Pass-through IP address" on CP. So you are able to bypass the CP for specific destination IPs.
-
Do you mean the limit set on CP only or do you mean the override freeradius does ?
The freeradius limiter for the user mac seems to work great.
This bug is still present on 2.0.1 but as far as I know it is fixed in 2.1. There was a ticket open on redmine which was closed.
When trying to limit the amount of traffic please read the freeradius2 documentation carefully - about accounting updates and so and and read the "KNOWN BUGS" to make sure you know what is going on :-)I'm testing the daily limit set in freeradius2 right now I set 1000MB and will download some files from an HFS server through the WAN.
All users which use the CP as authentication will be affected by the limits - no matter which destination their traffic has. But you can add a "Pass-through IP address" on CP. So you are able to bypass the CP for specific destination IPs.
Thanks I tried that and it does work SUPER
-
Auth log when the user has a set usage limit in radius
Apr 16 19:44:27 logportalauth[40065]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 20:45:17 logportalauth[27313]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 20:47:25 logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 21:48:07 logportalauth[49897]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 21:49:03 logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
Using interim update in CP because from reading start stop has a bug. Seems as though this one does too.
-
Auth log when the user has a set usage limit in radius
Apr 16 19:44:27 logportalauth[40065]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 20:45:17 logportalauth[27313]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 20:47:25 logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 21:48:07 logportalauth[49897]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100 Apr 16 21:49:03 logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
Using interim update in CP because from reading start stop has a bug. Seems as though this one does too.
The "bug" I mentioned above is that it counts traffic wrong but in general it is working. What your log means - I don't know. It is related to CP or in other word it is a CP log and not a freeradius log.
Did you read the documentation of freeradius about "acct_unique" ? Probably disable acct_unique
Did you set any idle/hard timeout on CP which causes this problem ? disable or set the timeouts high enough for testing
Did you set re-authenticate every minute on CP ? you need this so that freeradius can reject access if the limit is reachedCan the user get access or does it timeout when accounting and usage limit is enabled ?
-
Did you read the documentation of freeradius about "acct_unique" ? Probably disable acct_unique
Yes it has been disabled the whole time.
Did you set any idle/hard timeout on CP which causes this problem ? disable or set the timeouts high enough for testing
Hard time out was at 60 , I took it out and added 120 too idle timeout.
Did you set re-authenticate every minute on CP ? you need this so that freeradius can reject access if the limit is reached
Yes this is checked also.
I set it back too start stop updates.
Deleted the user and created a new one. With limit in the account set too 500 MB then downloaded a 700 mb file. The user is still connected.Found this issue http://redmine.pfsense.org/issues/2164 Not sure how too apply a patch.
-
Are you running pfsense on embedded or nanobsd ?
Check if these folders and files exist:
/var/log/radacct/datacounter/ /var/log/radacct/timecounter/ /usr/local/etc/raddb/scripts/datacounter_acct.sh
If not, reinstall freeradius2 package please.
The redmine ticket you found is for time-based accounting. I opened that ticket in the past ;)
Datacounter is working - with the known bug that CP sends 6 times more MB as used in reality. -
Yes all the files exist .
I have opened the daily data file and in bytes it had the number that matched the MB limit I set for the user 505 MB When in fact I downloaded close too 2.5 GB off my server. And it's not a server I set in the allowed IP field. I thought that might stop the counter from working. -
You could stop radiusd process from GUI.
connect with SSH to your pfsense and run radius in debug mode. type:radiusd -X
You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes tranferred.
-
You could stop radiusd process from GUI.
connect with SSH to your pfsense and run radius in debug mode. type:radiusd -X
You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes tranferred.
Ok I see it says Cat/var/log/radacct/daily/max-octets-bunch of numbers No such file or dircetory
same for used octets
-
Could it be some permissions problem? The files seem to be there .
EDIT
From the debug ssh window
the max and used octets-00X23X69XfbX79X33
That file as you can see from the screen shot does not exist.max-octets-00-23-69-fb-79-33
max-octets-00:23:69:fb:79:33
Edit again !!
I went ahead and tried editing the files replacing the - with X's and voila
I see this in the log fileApr 17 10:13:38 admin: FreeRADIUS: Credentials are probably correct but the user 00X23X69XfbX79X33 has reached the daily Amount of Upload and Download Traffic which is 0 MB! The user was rejected!!!
So I put " 1048576000 " into the modified file and was able to log back in just fine .
-
I updated freeradius2 package to replace the " : " with " X ".
Try if this helps. Perhaps try and test with a username and password like "John" and "mypass" if this in general works for you. -
I want to run this with mac auth like I've been testing.
What would cause my system to put : for the file name and freeraduis to look for the X .
Creating the files with an X didn't work , perhaps the new files don't have correct permissions ? -
radiusd -X
Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {…}
cat: /var/log/radacct/datacounter/daily/max-octets-00X23X69XfbX79X33: No such file or directory
cat: /var/log/radacct/datacounter/daily/used-octets-00X23X69XfbX79X33: No such file or directory
Exec-Program output:
Exec-Program: returned: 0
++[exec] returns ok
Sending Access-Accept of id 198 to 192.168.1.1 port 36700
WISPr-Bandwidth-Max-Up := 262144
WISPr-Bandwidth-Max-Down := 8192000
Session-Timeout = 53872310
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 198 with timestamp +19
Ready to process requests.I killed radius removed the files from the daily folder , deleted the user account , then re made a new account. This is what I still have for a problem. It's looking for a ocetets file with X's and it makes an octets file with :'s
-
For me it is working but I have to set the correct MAC format according to the username entry in freeradius -> "Users".
So if I chose "ietf" on CP then my username must look like "ietf": 11-22-33-44-55-66
If i chose "default" on CP then my username must look like "default": 11:22:33:44:55:66But I found another "bug" - if I delete the files in:
/var/log/radacct/datacounter/daily
by hand then the script will not recreate these files withe the according values. To recreate the files I need to go to "users" tab, edit a user (not change anything) and press save so that "users" file will be created new and so there will be new "datacounter limit files if not exist".
I will try to find a solution for that.
-
Well I tried the latest version and it didn't seem to work. So I uninstalled downloaded pf config NO package info and RE uploaded it .
Re installed freeraduis2 and set it up again.Now I can't get a user to log with a mac and shared secret.
This is from the log
Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857
Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 448571.1. is PF lan IP The router is on DHCP at 1.100
So I reinstalled PF from the disk. and get the same problem.
-
Well I tried the latest version and it didn't seem to work. So I uninstalled downloaded pf config NO package info and RE uploaded it .
Re installed freeraduis2 and set it up again.Now I can't get a user to log with a mac and shared secret.
This is from the log
Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857
Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 448571.1. is PF lan IP The router is on DHCP at 1.100
So I reinstalled PF from the disk. and get the same problem.
This means you did not enter the pfsense LAN IP as a "NAS" in freeradius and/or wrong shared secret. That's a communication problem between NAS/CP and freeradius.
-
Thanks I was having a brief stupid moment.
And yes things seem to be working now. I removed the used octets file and saved the user again in radius , that made a new blank used file.
I set 18432MB in radius witch should give me 3 GB.
I read in the guide that cron could be used to reset the daily folder every night.
Is that needed?I want too run this with all users on a monthly basis. Should a cron job be set up to reset the counter monthly?
BTW
Thanks very much for all the help!!