Netgate Discussion Forum

    CP shared-user accounts

    • M
      muswellhillbilly
      last edited by

      The first line of my /etc/raddb/users file on my RADIUS server has the setting you need:

      DEFAULT Simultaneous-use := 4

      The above setting sets the limit of concurrent logins per account to 4. Just point your pfSense box to the radius server and you should be good. Not sure what your config is, so I'm assuming you may have put the required line in the clients file (possibly) or somesuch.

      • R
        remonboonstra
        last edited by

        Hi muswellhillbilly,

        And this works without Accounting or MySQL enabled? Thought I've read I really needed MySQL for Accounting and only with Accounting enabled this feature would work.
        I can simply remove MySQL and only use freeRadius2 Package, I would be glad to have it this way! (only a package, no 'hacking' on the shell to install mysql).

        minor other question:

        • is there a quick way to test this feature (concurrent use)? Currently I have to get all my devices (laptops/ipads) to check if this works or not.

        Thank you!

        Remon

        • M
          muswellhillbilly
          last edited by

          You can enable accounting in FreeRadius without requiring MySQL. It just depends how you want to manage your accounts. In my own case, I simply use a flat-file list of names/passwords in the /etc/raddb/users file.

          Test the concurrent limit by simply logging in on more than one device (laptop, phone, tablet, etc). If you haven't got that many devices, set the concurrent limit to just 1 temporarily and see if the system rejects any other logins for that account after the initial successful session is active.

          • R
            remonboonstra
            last edited by

            Hi muswellhillbilly,

            I can confirm it works as you say, I only got one minor strange thing.

            If I set it to 3, I can logon 2 times. When I change it to 4 I can logon 3 times. Always X minus 1.

            Any idea why this might happen?

            Thank you for your assistance so far!

            Regards,

            Remon

            • M
              muswellhillbilly
              last edited by

              Without seeing your config I can't say why exactly. So if you set the simultaneous-use setting to 1, does it not allow access at all?

              Below is the top part of my own setup's users file. You might want to check this against your own config to see if anything might be missing or wrongly entered:

              DEFAULT Simultaneous-use := 4
                      Fall-Through = 1

              DEFAULT Framed-Protocol == PPP
                      Framed-Protocol = PPP,
                      Framed-Compression = Van-Jacobson-TCP-IP

              DEFAULT Hint == "CSLIP"
                      Framed-Protocol = SLIP,
                      Framed-Compression = Van-Jacobson-TCP-IP

              DEFAULT Hint == "SLIP"
                      Framed-Protocol = SLIP

              • R
                remonboonstra
                last edited by

                Hi again,

                This is my users file;
                /usr/local/etc/raddb/users

                "testuser" Cleartext-Password := "testpassword", Simultaneous-Use := "1"

                        WISPr-Bandwidth-Max-Up := 204800,
                        WISPr-Bandwidth-Max-Down := 2048000

                "testuser2" Cleartext-Password := "testpassword2", Simultaneous-Use := "1"

                        WISPr-Bandwidth-Max-Up := 512000,
                        WISPr-Bandwidth-Max-Down := 3072000

                And yes, with above config I can't login?

                My radiusd.config:

                /usr/local/etc/raddb/radiusd.conf

                prefix = /usr/pbi/freeradius-amd64
                exec_prefix = ${prefix}
                sysconfdir = ${prefix}/etc
                localstatedir = /var
                sbindir = ${exec_prefix}/sbin
                logdir = ${localstatedir}/log
                raddbdir = ${sysconfdir}/raddb
                radacctdir = ${logdir}/radacct
                confdir = ${raddbdir}
                run_dir = ${localstatedir}/run
                libdir =
                pidfile = ${run_dir}/radiusd.pid
                db_dir = ${raddbdir}
                name = radiusd
                #chroot = /path/to/chroot/directory
                #user = freeradius
                #group = freeradius

                ###############################################################################
                # Is not present in freeradius 2.x radiusd.conf anymore but it was in 1.x
                # delete_blocked_requests = no
                # usercollide = no
                # lower_user = no
                # lower_pass = no
                # nospace_user = no
                # nospace_pass = no
                ###############################################################################

                max_request_time = 30
                cleanup_delay = 5
                max_requests = 1024
                hostname_lookups = no
                allow_core_dumps = no
                regular_expressions = yes
                extended_expressions = yes
                listen {
                        type = auth
                        ipaddr = *
                        port = 1812
                }
                listen {
                        type = acct
                        ipaddr = *
                        port = 1813
                }

                log {
                        destination = syslog
                        file = ${logdir}/radius.log
                        syslog_facility = daemon
                        stripped_names = no
                        auth = yes
                        auth_badpass = no
                        auth_goodpass = no
                        msg_goodpass = ""
                        msg_badpass = ""
                }

                checkrad = ${sbindir}/checkrad
                security {
                        max_attributes = 200
                        reject_delay = 1
                        status_server = no
                }

                # Disable proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server
                #proxy_requests = yes
                #$INCLUDE  proxy.conf
                $INCLUDE  clients.conf
                thread pool {
                        start_servers = 5
                        max_servers = 32
                        min_spare_servers = 3
                        max_spare_servers = 10
                        max_queue_size = 65536
                        max_requests_per_server = 0
                }

                modules {
                        $INCLUDE ${confdir}/modules/
                        $INCLUDE eap.conf

                        # Dis-/Enable sql.conf INCLUDE
                        #$INCLUDE sql.conf

                        # Dis-/Enable sql/mysql/counter.conf INCLUDE
                        #$INCLUDE sql/mysql/counter.conf

                        #$INCLUDE sqlippool.conf
                }

                instantiate {
                        exec
                        expr
                        daily
                        weekly
                        monthly
                        forever
                        expiration
                        logintime

                        # Dis-/Enable sql instantiate
                        #sql
                }
                $INCLUDE policy.conf
                $INCLUDE sites-enabled/

                Captive Portal:

                • Radius authentication (pap, accounting enabled, start/stop accounting)
                • Bandwidth restriction check (so radius can override them).

                To be honest I don't know what to use on the accounting setting: no accounting, start/stop or interim

                Thanks!

                Remon

                • M
                  muswellhillbilly
                  last edited by

                  Ok, back up your existing /etc/raddb/users file and create a new one. Try this as the config:

                  DEFAULT Simultaneous-use := 4
                          Fall-Through = 1

                  DEFAULT Framed-Protocol == PPP
                          Framed-Protocol = PPP,
                          Framed-Compression = Van-Jacobson-TCP-IP

                  DEFAULT Hint == "CSLIP"
                          Framed-Protocol = SLIP,
                          Framed-Compression = Van-Jacobson-TCP-IP

                  DEFAULT Hint == "SLIP"
                          Framed-Protocol = SLIP

                  testuser  Cleartext-Password := "testpassword"
                          WISPr-Bandwidth-Max-Up := 204800,
                          WISPr-Bandwidth-Max-Down := 204800

                  testuser2 Cleartext-Password := "testpassword2"
                          WISPr-Bandwidth-Max-Up := 512000,
                          WISPr-Bandwidth-Max-Down := 3072000

                  I think you may have extra double-quotes in your config which might be creating a problem. This ought to preserve your bandwidth restrictions per user while limiting concurrent logins to 4 per account.

                  • R
                    remonboonstra
                    last edited by

                    Hi,

                    still need to test this "DEFAULT", in the meantime I (somehow!?) fixed the issue with Simultaneous-Use. So that issue is fixed, I'm happy with that.

                    Will the following work for setting some defaults?

                    DEFAULT Simultaneous-use := 1, WISPr-Bandwidth-Max-Up := 204800, WISPr-Bandwidth-Max-Down := 2048000, Fall-Through = 1

                    testuser  Cleartext-Password := "testpassword"
                    testuser2 Cleartext-Password := "testpassword2"
                    etc…

                    Thank you!

                    Remon

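An added example, not part of the original posts: a small Python linter for the one-line DEFAULT entry asked about above. It assumes the usual users-file layout (check items on an entry's first line, reply items on the indented lines that follow), skips blank lines as a simplification, and classifies only the attributes seen in this thread; the function names and both sample inputs are constructed for illustration.

```python
import re

# Assumed classification, limited to the attributes that appear in this thread.
REPLY_ONLY = {"fall-through", "wispr-bandwidth-max-up", "wispr-bandwidth-max-down"}
CHECK_ONLY = {"simultaneous-use", "cleartext-password"}
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)\s*')

# Constructed samples: the one-line form from the question, and a split form.
ONE_LINE = ('DEFAULT Simultaneous-use := 1, WISPr-Bandwidth-Max-Up := 204800, '
            'WISPr-Bandwidth-Max-Down := 2048000, Fall-Through = 1\n\n'
            'testuser  Cleartext-Password := "testpassword"\n')
SPLIT = ('DEFAULT Simultaneous-use := 1\n'
         '        WISPr-Bandwidth-Max-Up := 204800,\n'
         '        WISPr-Bandwidth-Max-Down := 2048000,\n'
         '        Fall-Through = 1\n\n'
         'testuser  Cleartext-Password := "testpassword"\n')

def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [m.groups() for m in ITEM.finditer(text)]

def parse_users(text):
    """Return one dict per entry with its check items and reply items."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # simplification: blank lines and comments are skipped
        if raw[0] in " \t":  # indented line: reply items of the current entry
            if entries:
                entries[-1]["reply"] += parse_items(raw)
            continue
        head = raw.split(None, 1)  # entry name, then its check items
        entries.append({"name": head[0].strip('"'), "line": n, "reply": [],
                        "check": parse_items(head[1]) if len(head) > 1 else []})
    return entries

def lint(text):
    """Report attributes that sit in the wrong list of an entry."""
    findings = []
    for e in parse_users(text):
        for attr, _, _ in e["check"]:
            if attr.lower() in REPLY_ONLY:
                findings.append((e["line"], e["name"], attr, "reply item on check line"))
        for attr, _, _ in e["reply"]:
            if attr.lower() in CHECK_ONLY:
                findings.append((e["line"], e["name"], attr, "check item in reply list"))
    return findings

if __name__ == "__main__":
    for finding in lint(ONE_LINE):
        print(finding)
```

In the one-line form the two WISPr attributes and Fall-Through are parsed as check items, so they are not placed in the reply list; the split form produces no findings.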
                    • M
                      muswellhillbilly
                      last edited by

                      To be honest I've never set those parameters up in that way. Try it and see if it works. For that matter there are plenty of examples by way of Google.

                      • R
                        remonboonstra
                        last edited by

                        Will do that, thank you!
