CP with Freeradius and MySQL - fixed number of concurrent logins per user
-
I have a pfSense 2.03 setup using captive portal and freeradius for user authentication.
Freeradius is using a MySQL database on an external server (Hostgator).
This is working fine for a basic setup - user values are stored in the table 'radcheck'.
However, I would like to limit the number of concurrent logins per user to 2; presently it appears they are unlimited. I have spent a lot of time searching the forums and documentation, but can't find anything quite specific enough to figure it out.
I have tried checking/unchecking 'disable concurrent logins' in CP and instead defining the number allowed in the database.
So in table 'radgroupcheck' I have defined groupname='user' attribute='Simultaneous-Use' op=':=' value='2'.
Then in table 'radusergroup' I have defined username='joe' groupname='user' priority='1'
And in table 'radcheck' I have username='joe' along with the other required attributes.
But it appears I am missing something. If 'disable concurrent logins' in CP is checked, only one login is allowed, as you would expect. If it is unchecked, at least 3 concurrent logins are allowed, so my database entries are either being ignored or are misconfigured.
Hope somebody can point me in the right direction here…
-
A bit more investigation found some info at http://wiki.freeradius.org/guide/faq which has a checklist for non-functioning simultaneous use. Notably:
"run radwho. If it says no one is logged in, Simultaneous-Use won't work."
When I run radwho it appears nobody is logged in which is odd, because I am logged in.
The next item on the checklist says:
"Verify that the NAS is sending accounting packets. Without accounting packets, Simultaneous-Use will NOT work."
In Services --> Captive Portal --> Authentication --> Accounting, I have 'send RADIUS accounting packets' checked. In addition to the lack of radwho response, my MySQL table radacct is empty.
What else might I do to switch on this accounting function?
-
Anyone got a solution for this problem? I can't figure it out.
I need a solution where a username can use 2 MACs maximum. So one user can register his phone and laptop on the same account.
-
Anyone got a solution for this problem? I can't figure it out.
I need a solution where a username can use 2 MACs maximum. So one user can register his phone and laptop on the same account.
The Solution is easy:
Open /usr/pbi/freeradius-amd64/etc/raddb/sql/mysql/dialup.conf (or i386 if you run this) and search for the following:
#simul_count_query = "SELECT COUNT(*) \
#FROM ${acct_table1} \
#WHERE username = '%{SQL-User-Name}' \
#AND acctstoptime IS NULL"
Change it to:
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
As you can see it works fine:
[2.1.5-RELEASE][root@hotspot.test.lan]/root(24): radtest USER PASS 172.16.1.1:1812 0 Start1234
Sending Access-Request of id 199 to 172.16.1.1 port 1812
        User-Name = "USER"
        User-Password = "PASS"
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 172.16.1.1 port 1812, id=199, length=68
        Reply-Message = "\r\nYou are already logged in - access denied\r\n\n"
[2.1.5-RELEASE][root@hotspot.test.lan]/root(25):
Please note: You must configure the Accounting Table in Service/FreeRADIUS: SQL
If you do not use your SQL Server for, the feature will not work.
P.S.: I configured it on a group base, but it works also per user.
-
Well that was easy. Thanks!
-
@jhochwald said in CP with Freeradius and MySQL - fixed number of concurrent logins per user:
Anyone got a solution for this problem? I can't figure it out.
I need a solution where a username can use 2 MACs maximum. So one user can register his phone and laptop on the same account.
The Solution is easy:
Open /usr/pbi/freeradius-amd64/etc/raddb/sql/mysql/dialup.conf (or i386 if you run this) and search for the following:
#simul_count_query = "SELECT COUNT(*) \
#FROM ${acct_table1} \
#WHERE username = '%{SQL-User-Name}' \
#AND acctstoptime IS NULL"
Change it to:
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
As you can see it works fine:
[2.1.5-RELEASE][root@hotspot.test.lan]/root(24): radtest USER PASS 172.16.1.1:1812 0 Start1234
Sending Access-Request of id 199 to 172.16.1.1 port 1812
        User-Name = "USER"
        User-Password = "PASS"
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 172.16.1.1 port 1812, id=199, length=68
        Reply-Message = "\r\nYou are already logged in - access denied\r\n\n"
[2.1.5-RELEASE][root@hotspot.test.lan]/root(25):
Please note: You must configure the Accounting Table in Service/FreeRADIUS: SQL
If you do not use your SQL Server for, the feature will not work.
P.S.: I configured it on a group base, but it works also per user.
Hi, I can't find this path /usr/pbi/freeradius-amd64/etc/raddb/sql/mysql/dialup.conf (or i386 if you run this).
I am running pfSense 2.4.4-RELEASE-p3 (amd64).
I am looking to limit the logins per user to 2, without a third login kicking out the first one.
Kindly guide me through, please.