Netgate Discussion Forum

    Users remain active after voucher expiration

    Captive Portal
    11 Posts 5 Posters 4.0k Views
    • DerelictD
      Derelict LAYER 8 Netgate
      last edited by

      I wonder if the pruning process doesn't run if no timeouts are set.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        The pruning process may have also been killed off. This has been fixed on 2.2, but for 2.1.x, try this patch with the System Patches package:

        http://files.pfsense.org/jimp/patches/cron_hup.patch

        Apply the patch then re-save the portal and see if it works after that.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • C
          Covax
          last edited by

          Sorry for the late reply, just giving a quick update. So basically we updated our pfSense to 2.2-RELEASE (amd64) and gave it a reboot.
          It appears the problem has solved itself. The active users and vouchers now disappear after expiring and the user is unable to log on.
          Cheers for the quick replies guys!

          So if anyone is experiencing the same problem this might be the solution. :)

          • P
            psangelotti
            last edited by

            Hello.

            I'm having the same problem … the user remains active even though I inactivate the voucher manually in the "Expire Vouchers" functionality

            • pfSense 2.2.4-RELEASE (amd64)
            • "Idle timeout" is blank (disabled)
            • "Hard timeout" is blank (disabled)

            Can someone help me?
            Thank you so much!

            • GertjanG
              Gertjan
              last edited by

              @psangelotti:

              Hello.

              I'm having the same problem … the user remains active even though I inactivate the voucher manually in the "Expire Vouchers" functionality

              • pfSense 2.2.4-RELEASE (amd64)
              • "Idle timeout" is blank (disabled)
              • "Hard timeout" is blank (disabled)

              Can someone help me?
              Thank you so much!

              This was solved way back.

              IF (a user is logged in - has an active session)
              THEN disconnect user.

              Redmine: "Expiring a voucher doesn't disconnect a user who is using that voucher"

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • P
                psangelotti
                last edited by

                Hello!

                Thanks for the reply. :D
                The problem is that this disconnect is not happening automatically … The MAC address is recorded in Services / Captive Portal / MAC, and even after the time expires the disconnection never happens.

                What could I be doing wrong?

                Thank you in advance.

                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  Is the MAC address record tagged with the voucher as the username?

                  There's a checkbox for that in the portal config.

                  • GertjanG
                    Gertjan
                    last edited by

                    This is normal:
                    @psangelotti:

                    … the user remains active even though I inactivate the voucher manually in the "Expire Vouchers" functionality

                    • pfSense 2.2.4-RELEASE (amd64)

                    because you instructed the Captive Portal to behave like that:
                    @psangelotti:

                    The problem is that this disconnect is not happening automatically … The MAC address is recorded in Services / Captive Portal / MAC, and even after the time expires the disconnection never happens.

                    So: even when the voucher session gets destroyed by you (the related firewall rules are thus removed), the "MAC-whitelist" entry stays up and the client is still connected.

                    Check for yourself: read this https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting - check your own captive portal firewall rules, and see for yourself. MAC 'pass' rules are at the beginning of the rules, so as soon as one is added, destroying the "voucher session" (and also the "voucher time-out") won't break the connection.

                    When you check the option (on the settings page of the captive portal) that MACs should be added to the list when the user connects (initially using a voucher), destroying the voucher - or even letting it time out - will NOT break the connection.

                    This:
                    @psangelotti:

                    • "Idle timeout" is blank (disabled)
                    • "Hard timeout" is blank (disabled)

                    of course, as the pfSense doc states - and as quoted above, should never be set like that (both shouldn't be zero).

                    • DerelictD
                      Derelict LAYER 8 Netgate
                      last edited by

                      I use it all the time. It works great. 2.1.5.

                      I have:

                      Enable Pass-through MAC automatic additions

                      and

                      Enable Pass-through MAC automatic addition with username

                      Checked.

                      Pretty sure the key is the "with username" checkbox. The voucher code is stored as the username so there is something for the pruner to key on when it expires. All the MAC passthrough entries are automatically removed.

                      I have idle timeout and hard timeout both set at 2000 minutes for some reason. This has no effect on vouchers that are good for longer than 2000 minutes. If I give someone a 7-day voucher, they are not molested again for the full 7 days.

                      Oct 24 19:08:23 gw logportalauth[67485]: EXPIRED 3kdxuhm6 LOGIN - TERMINATING SESSION: 3kdxuhm6, 60:f8:1d:c2:ff:6e, 172.21.229.163
                      Oct 24 19:08:24 gw logportalauth[67485]: EXPIRED 3kdxuhm6 LOGIN - TERMINATING SESSION: 3kdxuhm6, a4:5e:60:ef:ff:03, 172.21.226.112

                      • GertjanG
                        Gertjan
                        last edited by

                        @Derelict:

                        …. It works great. 2.1.5.

                        Same thing for 2.2.4.
                        I just generated some vouchers, activated auto-add-MAC support etc. and started authenticating using vouchers.
                        Everything works as advertised.

                        I saw lines like:
                        Oct 28 08:39:43 logportalauth[38194]: Zone: cpzone1 - Voucher login good for 120 min.: SNWfCebPBQS, 0c:77:1a:xx:13:35, 192.168.2.40
                        ….
                        Oct 28 10:39:44 logportalauth[33421]: Zone: cpzone1 - EXPIRED SNWfCebPBQS LOGIN - TERMINATING SESSION: SNWfCebPBQS, 0c:77:1a:xx:13:35, 192.168.2.40

                        The device "0c:77:1a:xx:13:35" was disconnected and removed from the MAC white list.


                        1 Reply Last reply Reply Quote 0
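A check for the failure mode discussed in this thread, as an added example that is not part of any post and not pfSense code: it pairs the "Voucher login good for N min." and "EXPIRED … TERMINATING SESSION" log lines quoted above and lists voucher sessions that are past due with no termination logged. The sample lines, voucher codes, the `overdue_sessions` name and the five-minute grace period are constructed; it assumes the logged minutes count from the line's timestamp and that the log is from the same year as `now`.

```python
import re
from datetime import datetime, timedelta

# Syslog prefix: timestamp, optional hostname, logportalauth[pid], optional "Zone: name - "
PREFIX = r"^(\w{3} +\d+ [\d:]{8}) (?:\S+ )?logportalauth\[\d+\]: (?:Zone: \S+ - )?"
LOGIN = re.compile(
    PREFIX + r"Voucher login good for (\d+) min\.: ([^,\s]+), ([^,\s]+), (\S+)$")
EXPIRED = re.compile(
    PREFIX + r"EXPIRED \S+ LOGIN - TERMINATING SESSION: ([^,\s]+), ([^,\s]+), (\S+)$")

# Constructed sample lines in the two formats quoted in the thread (not real log data).
SAMPLE = """\
Oct 28 08:39:43 logportalauth[38194]: Zone: cpzone1 - Voucher login good for 120 min.: VOUCHERAAA1, 02:00:00:00:00:01, 192.0.2.40
Oct 28 08:45:10 logportalauth[38194]: Zone: cpzone1 - Voucher login good for 60 min.: VOUCHERBBB2, 02:00:00:00:00:02, 192.0.2.41
Oct 28 10:30:00 gw logportalauth[38194]: Voucher login good for 120 min.: VOUCHERCCC3, 02:00:00:00:00:03, 192.0.2.42
Oct 28 10:39:44 logportalauth[33421]: Zone: cpzone1 - EXPIRED VOUCHERAAA1 LOGIN - TERMINATING SESSION: VOUCHERAAA1, 02:00:00:00:00:01, 192.0.2.40
"""


def overdue_sessions(lines, now, grace=timedelta(minutes=5)):
    """Return sorted (voucher, mac, ip, due) for sessions past due with no termination logged."""
    open_sessions = {}
    for line in lines:
        line = line.strip()
        m = LOGIN.match(line)
        if m:
            ts, minutes, voucher, mac, ip = m.groups()
            # Syslog timestamps carry no year; assume the year of `now`.
            start = datetime.strptime(f"{now.year} {ts}", "%Y %b %d %H:%M:%S")
            open_sessions[(voucher, mac)] = (ip, start + timedelta(minutes=int(minutes)))
            continue
        m = EXPIRED.match(line)
        if m:
            _when, voucher, mac, _ip = m.groups()
            # The pruner logged the disconnect, so this session is closed.
            open_sessions.pop((voucher, mac), None)
    return sorted((v, mac, ip, due)
                  for (v, mac), (ip, due) in open_sessions.items()
                  if now > due + grace)


if __name__ == "__main__":
    for voucher, mac, ip, due in overdue_sessions(SAMPLE.splitlines(),
                                                  datetime(2015, 10, 28, 11, 0)):
        print(f"{voucher} {mac} {ip} was due {due} and has no TERMINATING SESSION line")
```

A non-empty result points at the conditions raised in the thread: the pruning process not running, or pass-through MAC entries that were added without the voucher as username.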