CP shared-user accounts
-
Hello,
I've got pfSense up and running, using captive portal. All seems to work fine (running 5 days, 50 users).
Currently I've enabled 'Disable concurrent logins', but I really would like to allow (certain) users to share their account with a limit.
And that without Radius; I think Radius is too much for this little additional feature.
Mikrotik calls it shared-users on their User Profile: easy setting, need this in pfSense.
freeRadius calls it Simultaneous-Use: hard, requires freeRadius, MySQL etc. to be set up (also adds risks).
Let me know if it's possible and if not, please tell me if there is a manual on configuring radius, mysql and the Simultaneous-Use setting correctly (radius and mysql are running already, but I can't get Simultaneous-Use to work).
Thank you for any help!
Remon
-
You'll need RADIUS to do that. No need for MySQL though. Not sure offhand of a guide, but if you Google "freeradius site:pfsense.org" you'll find a good deal of things.
-
The first line of my /etc/raddb/users file on my RADIUS server has the setting you need:
DEFAULT Simultaneous-use := 4
The above setting sets the limit of concurrent logins per account to 4. Just point your pfSense box to the radius server and you should be good. Not sure what your config is, so I'm assuming you may have put the required line in the clients file (possibly) or some such.
-
Hi muswellhillbilly,
And this works without Accounting or MySQL enabled? I thought I'd read that I really needed MySQL for Accounting, and that this feature would only work with Accounting enabled.
I can simply remove MySQL and only use the freeRadius2 package; I would be glad to have it this way! (only a package, no 'hacking' on the shell to install mysql).
Minor other question:
- is there a quick way to test this feature (concurrent use)? Currently I have to get all my devices (laptops/ipads) to check if this works or not.
Thank you!
Remon
-
You can enable accounting in FreeRadius without requiring MySQL. It just depends how you want to manage your accounts. In my own case, I simply use a flat-file list of names/passwords in the /etc/raddb/users file.
Test the concurrent limit by simply logging in on more than one device (laptop, phone, tablet, etc). If you haven't got that many devices, set the concurrent limit to just 1 temporarily and see if the system rejects any other logins for that account after the initial successful session is active.
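The quick test above depends on accounting: FreeRADIUS enforces Simultaneous-Use by counting the sessions it has learned about from the Accounting-Request Start/Stop packets the NAS sends (kept in radutmp, or in SQL when that is in use), so the portal must send accounting for the limit to trigger at all. The following Python model is an added example, not code from this thread or from FreeRADIUS; it replays a constructed packet sequence through an in-memory session table to show the accept/reject pattern the test should produce, and what a session whose Stop never arrived does to the count. The users, session ids and the NAS address 192.0.2.1 are made up for the example.

```python
# Added example for this thread, not FreeRADIUS code.  FreeRADIUS decides
# Simultaneous-Use in its 'session' section by counting the user's live
# sessions, which it only knows about from Accounting-Request packets
# (Start/Stop, optionally Interim-Update, Accounting-On/Off on NAS reboot).
# This in-memory table stands in for radutmp; all packets are constructed.


class SessionTable:
    """Live sessions keyed by (user, session id) -> NAS address, like radutmp."""

    def __init__(self):
        self.sessions = {}

    def accounting(self, pkt):
        status = pkt['Acct-Status-Type']
        nas = pkt['NAS-IP-Address']
        key = (pkt['User-Name'], pkt['Acct-Session-Id'])
        if status == 'Start':
            self.sessions[key] = nas
        elif status == 'Stop':
            self.sessions.pop(key, None)
        elif status in ('Accounting-On', 'Accounting-Off'):
            # The NAS (re)booted: every session it had reported is gone.
            self.sessions = {k: v for k, v in self.sessions.items() if v != nas}
        # Interim-Update changes nothing for counting purposes.

    def count(self, user):
        return sum(1 for (u, _sid) in self.sessions if u == user)


def authorize(table, limits, pkt):
    """Decide an Access-Request: reject once live sessions reach the limit."""
    user = pkt['User-Name']
    limit = limits.get(user)
    if limit is not None and table.count(user) >= limit:
        return 'Access-Reject'
    return 'Access-Accept'


def replay(limits, packets):
    """Feed packets in order; return the decision for every Access-Request."""
    table = SessionTable()
    decisions = []
    for pkt in packets:
        if pkt['Packet-Type'] == 'Access-Request':
            decisions.append(authorize(table, limits, pkt))
        else:
            table.accounting(pkt)
    return decisions


def acct(user, status, sid, nas='192.0.2.1'):
    return {'Packet-Type': 'Accounting-Request', 'User-Name': user,
            'Acct-Status-Type': status, 'Acct-Session-Id': sid,
            'NAS-IP-Address': nas}


def auth(user, nas='192.0.2.1'):
    return {'Packet-Type': 'Access-Request', 'User-Name': user,
            'NAS-IP-Address': nas}


# Constructed sequence for the quick test: limit 1, log in on one device,
# try a second, log the first out, try the second again.
LIMITS = {'testuser': 1}
QUICK_TEST = [
    auth('testuser'),                       # first device: accepted
    acct('testuser', 'Start', 's1'),        # portal reports the session
    auth('testuser'),                       # second device: rejected
    acct('testuser', 'Stop', 's1'),         # first device logs out
    auth('testuser'),                       # second device: accepted
]

# Constructed: a session whose Stop was never sent keeps its slot until the
# NAS announces a reboot with Accounting-On.
STALE = [
    acct('testuser', 'Start', 's2'),
    auth('testuser'),                       # rejected: stale slot still counted
    acct('testuser', 'Accounting-On', ''),  # NAS came back up
    auth('testuser'),                       # accepted again
]

if __name__ == '__main__':
    print(replay(LIMITS, QUICK_TEST))
    print(replay(LIMITS, STALE))
    print(replay(LIMITS, [auth('testuser')] * 3))  # no accounting: never rejected
```

The last replay in the usage block is the case to keep in mind: with accounting switched off the table stays empty, so every request is accepted no matter what Simultaneous-Use says.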
-
Hi muswellhillbilly,
I can confirm it works as you say, I only got one minor strange thing.
If I set it to 3, I can log on 2 times. When I change it to 4 I can log on 3 times. Always X minus 1.
Any idea why this might happen?
Thank you for your assistance so far!
Regards,
Remon
-
Without seeing your config I can't say why exactly. So if you set the simultaneous-use setting to 1, does it not allow access at all?
Below is the top part of my own setup's users file. You might want to check this against your own config to see if anything might be missing or wrongly entered:
DEFAULT Simultaneous-use := 4
        Fall-Through = 1

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
-
Hi again,
This is my users file:
/usr/local/etc/raddb/users
"testuser" Cleartext-Password := "testpassword", Simultaneous-Use := "1"
        WISPr-Bandwidth-Max-Up := 204800,
        WISPr-Bandwidth-Max-Down := 2048000
"testuser2" Cleartext-Password := "testpassword2", Simultaneous-Use := "1"
        WISPr-Bandwidth-Max-Up := 512000,
        WISPr-Bandwidth-Max-Down := 3072000

And yes, with the above config I can't log in.
My radiusd.conf:
/usr/local/etc/raddb/radiusd.conf
prefix = /usr/pbi/freeradius-amd64
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
libdir =
pidfile = ${run_dir}/radiusd.pid
db_dir = ${raddbdir}
name = radiusd
#chroot = /path/to/chroot/directory
#user = freeradius
#group = freeradius

###############################################################################
# Is not present in freeradius 2.x radiusd.conf anymore but it was in 1.x
delete_blocked_requests = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
###############################################################################

max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

listen {
        type = auth
        ipaddr = *
        port = 1812
}
listen {
        type = acct
        ipaddr = *
        port = 1813
}

log {
        destination = syslog
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
        msg_goodpass = ""
        msg_badpass = ""
}

checkrad = ${sbindir}/checkrad

security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}

# Disable proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server
#proxy_requests = yes
#$INCLUDE proxy.conf

$INCLUDE clients.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_queue_size = 65536
        max_requests_per_server = 0
}

modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
        # Dis-/Enable sql.conf INCLUDE
        #$INCLUDE sql.conf
        # Dis-/Enable sql/mysql/counter.conf INCLUDE
        #$INCLUDE sql/mysql/counter.conf
        #$INCLUDE sqlippool.conf
}

instantiate {
        exec
        expr
        daily
        weekly
        monthly
        forever
        expiration
        logintime
        # Dis-/Enable sql instantiate
        #sql
}

$INCLUDE policy.conf
$INCLUDE sites-enabled/

Captive Portal:
- Radius authentication (pap, accounting enabled, start/stop accounting)
- Bandwidth restriction check (so radius can override them).
To be honest I don't know which accounting setting to use: no accounting, start/stop or interim.
Thanks!
Remon
-
Ok, backup your existing /etc/raddb/users file and create a new one. Try this as the config:
DEFAULT Simultaneous-use := 4
        Fall-Through = 1

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

testuser Cleartext-Password := "testpassword"
        WISPr-Bandwidth-Max-Up := 204800,
        WISPr-Bandwidth-Max-Down := 204800

testuser2 Cleartext-Password := "testpassword2"
        WISPr-Bandwidth-Max-Up := 512000,
        WISPr-Bandwidth-Max-Down := 3072000

I think you may have extra double-quotes in your config which might be creating a problem. This ought to preserve your bandwidth restrictions per user while limiting concurrent logins to 4 per account.
-
Hi,
Still need to test this "DEFAULT"; in the meantime I (somehow!?) fixed the issue with Simultaneous-Use. So that issue is fixed, I'm happy with that.
Will the following work for setting some defaults?
DEFAULT Simultaneous-use := 1, WISPr-Bandwidth-Max-Up := 204800, WISPr-Bandwidth-Max-Down := 2048000, Fall-Through = 1
testuser Cleartext-Password := "testpassword"
testuser2 Cleartext-Password := "testpassword2"
etc…

Thank you!
Remon
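As an added example for the one-line DEFAULT entry asked about above and for the indented form posted earlier (this is not the thread's own config and not FreeRADIUS code), here is a small Python model of the layout rules rlm_files applies to the users file: the first line of an entry is the name followed by check items, every indented line after it holds reply items, DEFAULT matches any user, and Fall-Through is honoured only as a reply item. The model treats `==` as a comparison against the request and every other operator as a set, and leaves password checking to rlm_pap; it does not reproduce every rlm_files rule (for instance its rewriting of `=` to `==` for protocol attributes). Both sample files below are constructed for the example.

```python
import re

# Added example for this thread, not FreeRADIUS code: a resolver that follows
# the users-file layout rules rlm_files applies.
#   * an entry starts in column 0 as "<name> <check items>",
#   * every indented line that follows holds reply items,
#   * in a check item '==' compares against the request (the entry matches
#     only if the attribute is present and equal); any other operator sets,
#   * DEFAULT matches any user; the reply item 'Fall-Through = Yes' keeps going.
# Password verification is left to rlm_pap and not modelled here.

ENTRY_RE = re.compile(r'^("[^"]*"|\S+)\s*(.*)$')
ITEM_RE = re.compile(r'^([\w-]+)\s*(:=|==|!=|\+=|=)\s*(.*)$')


def _items(text):
    """Turn 'A := 1, B = "x",' into [('A', ':=', '1'), ('B', '=', 'x')]."""
    out = []
    for part in text.split(','):
        part = part.strip()
        if not part:
            continue  # a trailing comma means "more reply lines follow"
        m = ITEM_RE.match(part)
        if not m:
            raise ValueError('cannot parse item: %r' % part)
        attr, op, value = m.groups()
        out.append((attr, op, value.strip().strip('"')))
    return out


def parse_users(text):
    """Parse users-file text into [{'name', 'check', 'reply'}, ...]."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':
            if not entries:
                raise ValueError('reply line before any entry')
            entries[-1]['reply'].extend(_items(raw))
        else:
            name, rest = ENTRY_RE.match(raw).groups()
            entries.append({'name': name.strip('"'),
                            'check': _items(rest), 'reply': []})
    return entries


def resolve(entries, request):
    """Return (check, reply) dicts for an Access-Request, or None if nothing matched."""
    check, reply, matched = {}, {}, False
    for e in entries:
        if e['name'] not in ('DEFAULT', request['User-Name']):
            continue
        if any(op == '==' and request.get(attr) != value
               for attr, op, value in e['check']):
            continue  # a comparison failed: this entry does not match
        matched = True
        check.update((attr, value) for attr, op, value in e['check'] if op != '==')
        fall_through = False
        for attr, op, value in e['reply']:
            if attr == 'Fall-Through':
                fall_through = value.lower() in ('1', 'yes')
            else:
                reply[attr] = value
        if not fall_through:
            break
    return (check, reply) if matched else None


# Constructed: everything on the DEFAULT line.  All of it is parsed as check
# items, so the WISPr attributes never become reply items and Fall-Through
# (a reply item) never fires, which means the testuser entry is never reached.
ONE_LINE_FORM = '''
DEFAULT Simultaneous-Use := 1, WISPr-Bandwidth-Max-Up := 204800, WISPr-Bandwidth-Max-Down := 2048000, Fall-Through = 1
testuser Cleartext-Password := "testpassword"
'''

# Constructed: the same intent with the reply items on indented lines.
SPLIT_FORM = '''
DEFAULT Simultaneous-Use := 1
        WISPr-Bandwidth-Max-Up := 204800,
        WISPr-Bandwidth-Max-Down := 2048000,
        Fall-Through = Yes

testuser Cleartext-Password := "testpassword"
'''

if __name__ == '__main__':
    req = {'User-Name': 'testuser', 'User-Password': 'testpassword'}
    print(resolve(parse_users(ONE_LINE_FORM), req))
    print(resolve(parse_users(SPLIT_FORM), req))
```

Running it shows the difference directly: the one-line form yields an empty reply and never picks up the user's Cleartext-Password, while the split form yields Simultaneous-Use and the password as check items and both WISPr limits as reply items.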
-
To be honest I've never set those parameters up in that way. Try it and see if it works. For that matter there are plenty of examples by way of Google.
-
Will do that, thank you!