Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Need help on Max Daily Session Attribute

    Scheduled Pinned Locked Moved Captive Portal
    7 Posts 4 Posters 3.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      AYSMAN
      last edited by

      Hi Guys,

      I have a freeradius service running on my pfsense box with MySQL as a Database back end. Username and Password as an authentication method. I've been trying to limit users on a daily basis using Max-Daily-Session attribute.
      on my;

      radcheck table i have the ff
      username attribute op value
      user1 Cleartext-Password := password1
      user1 Max-Daily-Session := 600

      radreply table
      user1 Session-Timeout := 600

      On pfsense Captive portal settings I have enabled accounting, also enabled "Use RADIUS Session-Timeout attributes" and enable accounting updates "interim".

      User1 gets to successfully authenticate and use the internet, gets disconnected after 10mins due to session timeout attribute BUT still gets to re-authenticate immediately. If seems that radius is disregarding the Max-Daily-Session attribute.

      Any Ideas what am I missing here?

      Thanks in advanced!

      1 Reply Last reply Reply Quote 0
      • F
        free4 Rebel Alliance
        last edited by free4

        Yup, pfSense does not support Max-Daily-Session yet.

        As far as i know, implementing it would be also quite difficult (because pfSense currently does not keep a list/database of expired users, so checking how many time an expired user spent could be quite difficult)

        Maybe you could look for denying the login on FreeRadius side?

        A GertjanG 2 Replies Last reply Reply Quote 0
        • A
          AYSMAN @free4
          last edited by

          @free4

          Hi, Thanks for your reply. Regarding on your comment "Maybe you could look for denying the login on FreeRadius side?" any hint on how to accomplish this?

          Thanks

          1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan @free4
            last edited by Gertjan

            @free4 said in Need help on Max Daily Session Attribute:

            Yup, pfSense does not support Max-Daily-Session yet.

            As far as i know, implementing it would be also quite difficult (because pfSense currently does not keep a list/databass of expired users, so checking time how many time an expired user spent could be quite difficult)

            Check https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/sqlcounter
            This "sqlcounter" module is present in /mods-enabled/ but not instantiate(d) (?)

            See also https://wiki.freeradius.org/modules/Rlm_sqlcounter

            I really presume everything is already there.

            See also the files in /usr/local/share/examples/freeradius/raddb/mods-config/sql/counter/mysql

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • GertjanG
              Gertjan
              last edited by Gertjan

              I guess I have it working.

              Any of these :https://wiki.freeradius.org/modules/Rlm_sqlcounter#scenarios_daily-limit
              Use the GUI, like

              0_1546238943490_f464b2a8-f22b-4e9f-82a1-21fa8093825a-image.png

              This will work also : add the Max-Daily-Session 20 minutes or 2400 seconds to my user using the SQL method :

              INSERT into radcheck VALUES (NULL,'x','Max-Daily-Session',':=','2400');
              

              The real issue, the support (module) to make it work isn't included by default.
              To test, stop Freeradius in the GUI using Status => Services
              Edited /usr/local/etc/raddb/sites-enabled/default, and added "dailycounter" in the authorize section, as the manual indicated.
              I started Freeradius manually with

              radiusd -X
              

              Now, I can login.
              The output produced by "radiusd -X" is massive, so I filtered :

              radiusd -X | grep 'counter'
              

              After 20 minutes I was thrown out, and wasn't able to login. The pfSense portal log indicated that I was disconnected.
              The message on my device was :

              Your maximum daily usage time has been reached.
              

              The radius logs :

              153) dailycounter: ERROR: Rejecting user, &control:Max-Daily-Session value (2400) is less than counter value (2446)
              

              I haven't tested any other time limits.

              To make the solution sticky (persists after restart or reboot, not upgrade), you should edit the file that generate the freeradius config files.

              edit : Here https://github.com/pfsense/FreeBSD-ports/blob/c7573f5cc64254c17250adaf555d3e7cf64010e8/net/pfSense-pkg-freeradius3/files/usr/local/pkg/freeradius.inc#L1989 add

              	dailycounter
              

              so it looks like :

              	{$varsqlconf2failover} sql {
              		sql1
              		{$varsqlconf2authorize}
              	}
              	dailycounter
              
              EOD;
              

              redit :
              Be carefull.
              Found indications like

              /* counter and sqlcounter are incompatible */
              

              in the manual.

              What I make of it : you should be "SQL" based, and not 'file' based to use the sqlcounter module (humm, seems rather logic ;)) .
              Dailycounter is a function of tme module sqlcounter, as is monthlycounter, noresetcounter, expire_on_login

              edit again :
              I reached a point where I can limit an individual user on :
              Bandwidth,
              Quantity (daily or monthly or total),
              Time (daily, monthly, total).
              pfSense has come very far !

              edit again :

              Let's make them all work :

              {$varsqlconf2failover} sql {
              		sql1
              		{$varsqlconf2authorize}
              	}
              	
              	dailycounter
              	monthlycounter
              	noresetcounter
              	expire_on_login
              
                EOD;
              	} else {
              

              (18) monthlycounter: WARNING: Couldn't find check attribute, control:Max-Monthly-Session, doing nothing...
              (18) [monthlycounter] = noop
              (18) noresetcounter: WARNING: Couldn't find check attribute, control:Max-All-Session, doing nothing...
              (18) [noresetcounter] = noop
              (18) expire_on_login: WARNING: Couldn't find check attribute, control:Expire-After, doing nothing...

              If haven't tested these Max-Monthly-Session / Max-All-Session / Expire-After

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              1 Reply Last reply Reply Quote 1
              • A
                AYSMAN
                last edited by

                @Gertjan

                You are awesome. Tried your guide and it work flawlessly.

                Cheers!!

                1 Reply Last reply Reply Quote 0
                • viktor_gV
                  viktor_g Netgate
                  last edited by

                  FreeRADIUS SQL backend counter feature: https://redmine.pfsense.org/issues/10871

                  1 Reply Last reply Reply Quote 1
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.