FreeRadius



  • Hello,

    I just wanted to confirm whether the FreeRadius on pfsense only works in conjunction with the captive portal. I came to this conclusion after having done some reference on the https://doc.pfsense.org/index.php/Using_Captive_Portal_with_FreeRADIUS where it makes reference to "Amount of time". As I tested the radius server alone with a TPLINK wifi that was doing the connection, the authentication of the user was perfect, however the Amount of time the user stayed logged in was not correct. I put in 60seconds for reloggin. but after that the user still stayed logged in to the internet. There was no logout log back in page.

    Will Freeradius authenticate servers and also kick them out of their internet usage without using captive portal?



  • Hi,

    this is the module that counts the time:

    
    function freeradius_modulescounter_resync() {
    	global $config;
    	$conf = '';
    	$conf .= <<<eod<br># -*- text -*-
    #
    #  $Id$
    #  counter module:
    #  This module takes an attribute (count-attribute).
    #  It also takes a key, and creates a counter for each unique
    #  key.  The count is incremented when accounting packets are
    #  received by the server.  The value of the increment depends
    #  on the attribute type.
    #  If the attribute is Acct-Session-Time or of an integer type we add
    #  the value of the attribute. If it is anything else we increase the
    #  counter by one.
    #
    #  The 'reset' parameter defines when the counters are all reset to
    #  zero.  It can be hourly, daily, weekly, monthly or never.
    #
    #  hourly: Reset on 00:00 of every hour
    #  daily: Reset on 00:00:00 every day
    #  weekly: Reset on 00:00:00 on sunday
    #  monthly: Reset on 00:00:00 of the first day of each month
    #
    #  It can also be user defined. It should be of the form:
    #  num[hdwm] where:
    #  h: hours, d: days, w: weeks, m: months
    #  If the letter is ommited days will be assumed. In example:
    #  reset = 10h (reset every 10 hours)
    #  reset = 12  (reset every 12 days)
    #
    #
    #  The check-name attribute defines an attribute which will be
    #  registered by the counter module and can be used to set the
    #  maximum allowed value for the counter after which the user
    #  is rejected.
    #  Something like:
    #
    #  DEFAULT Max-Daily-Session := 36000
    #          Fall-Through = 1
    #
    #  You should add the counter module in the instantiate
    #  section so that it registers check-name before the files
    #  module reads the users file.
    #
    #  If check-name is set and the user is to be rejected then we
    #  send back a Reply-Message and we log a Failure-Message in
    #  the radius.log
    #
    #  If the count attribute is Acct-Session-Time then on each
    #  login we send back the remaining online time as a
    #  Session-Timeout attribute ELSE and if the reply-name is
    #  set, we send back that attribute.  The reply-name attribute
    #  MUST be of an integer type.
    #
    #  The counter-name can also be used instead of using the check-name
    #  like below:
    #
    #  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
    #      Reply-Message = "You've used up more than one hour today"
    #
    #  The allowed-servicetype attribute can be used to only take
    #  into account specific sessions. For example if a user first
    #  logs in through a login menu and then selects ppp there will
    #  be two sessions. One for Login-User and one for Framed-User
    #  service type. We only need to take into account the second one.
    #
    #  The module should be added in the instantiate, authorize and
    #  accounting sections.  Make sure that in the authorize
    #  section it comes after any module which sets the
    #  'check-name' attribute.
    #
    counter daily {
    	filename = /var/log/radacct/timecounter/db.daily
    	key = User-Name
    	count-attribute = Acct-Session-Time
    	reset = daily
    	counter-name = Daily-Session-Time
    	check-name = Max-Daily-Session
    	reply-name = Session-Timeout
    	cache-size = 5000
    }
    counter weekly {
    	filename = /var/log/radacct/timecounter/db.weekly
    	key = User-Name
    	count-attribute = Acct-Session-Time
    	reset = weekly
    	counter-name = Weekly-Session-Time
    	check-name = Max-Weekly-Session
    	reply-name = Session-Timeout
    	cache-size = 5000
    }
    counter monthly {
    	filename = /var/log/radacct/timecounter/db.monthly
    	key = User-Name
    	count-attribute = Acct-Session-Time
    	reset = monthly
    	counter-name = Monthly-Session-Time
    	check-name = Max-Monthly-Session
    	reply-name = Session-Timeout
    	cache-size = 5000
    }
    counter forever {
    	filename = /var/log/radacct/timecounter/db.forever
    	key = User-Name
    	count-attribute = Acct-Session-Time
    	reset = never
    	counter-name = Forever-Session-Time
    	check-name = Max-Forever-Session
    	reply-name = Session-Timeout
    	cache-size = 5000
    }
    EOD;
    	$filename = FREERADIUS_ETC . '/raddb/modules/counter';
    	conf_mount_rw();
    	file_put_contents($filename, $conf);
    	chmod($filename, 0640);
    	conf_mount_ro();
    }</eod<br> 
    

    If it should count the first thing is that you must have "Accounting" anabled o freeRADIUS and that you must have an access-point which can do accounting.
    Then it is important that the access-point sends the time a client is connected to the access-point with the correct VSA (Vendor specific attribute). In this case th attribute is "Acct-Session-Time". If the access-point sends something else it is not working.

    If we assume that the access-point is sending "Acct-Session-Time" then freeradius can count these values until it reaches the limit you set. If the limit is reached freeradius sends back a Reply-Attribute called "Session-Timeout". The access-point must be capable of interpreting things attribute which will tell the AP to disconnect the client.

    Often vendors offer some "dictionary" of their products which can be imported into (free)radius to make it work.

    So to answer your question short:
    freeradius was tested with captive portal and it is some kind of working with captive portal. I say explicitly "some kind of working" because it is counting and kicking the user but the counting does not seem to be accurate in every situation and every installation. There are several discussions here in the forum but it does not seem to be clear if the freeradius counter implementation is "wrong" or the way captive portal sends the values.

    Good luck!



  • @Nachtfalke:

    Hi,

    this is the module that counts the time:

    
    function freeradius_modulescounter_resync() {
    	global $config;
    	$conf = '';
    	$conf .= <<<eod<br># -*- text -*-
    #
    #  $Id$
    #  counter module:
    #  This module takes an attribute (count-attribute).
    #  It also takes a key, and creates a counter for each unique
    #  key.  The count is incremented when accounting packets are
    #  received by the server.  The value of the increment depends
    #  on the attribute type.
    #  If the attribute is Acct-Session-Time or of an integer type we add
    #  the value of the attribute. If it is anything else we increase the
    #  counter by one.
    #
    #  The 'reset' parameter defines when the counters are all reset to
    #  zero.  It can be hourly, daily, weekly, monthly or never.
    #
    #  hourly: Reset on 00:00 of every hour
    #  daily: Reset on 00:00:00 every day
    #  weekly: Reset on 00:00:00 on sunday
    #  monthly: Reset on 00:00:00 of the first day of each month
    #
    #  It can also be user defined. It should be of the form:
    #  num[hdwm] where:
    #  h: hours, d: days, w: weeks, m: months
    #  If the letter is ommited days will be assumed. In example:
    #  reset = 10h (reset every 10 hours)
    #  reset = 12  (reset every 12 days)
    #
    #
    #  The check-name attribute defines an attribute which will be
    #  registered by the counter module and can be used to set the
    #  maximum allowed value for the counter after which the user
    #  is rejected.
    #  Something like:
    #
    #  DEFAULT Max-Daily-Session := 36000
    #          Fall-Through = 1
    #
    #  You should add the counter module in the instantiate
    #  section so that it registers check-name before the files
    #  module reads the users file.
    #
    #  If check-name is set and the user is to be rejected then we
    #  send back a Reply-Message and we log a Failure-Message in
    #  the radius.log
    #
    #  If the count attribute is Acct-Session-Time then on each
    #  login we send back the remaining online time as a
    #  Session-Timeout attribute ELSE and if the reply-name is
    #  set, we send back that attribute.  The reply-name attribute
    #  MUST be of an integer type.
    #
    #  The counter-name can also be used instead of using the check-name
    #  like below:
    #
    #  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
    #      Reply-Message = "You've used up more than one hour today"
    #
    #  The allowed-servicetype attribute can be used to only take
    #  into account specific sessions. For example if a user first
    #  logs in through a login menu and then selects ppp there will
    #  be two sessions. One for Login-User and one for Framed-User
    #  service type. We only need to take into account the second one.
    #
    #  The module should be added in the instantiate, authorize and
    #  accounting sections.  Make sure that in the authorize
    #  section it comes after any module which sets the
    #  'check-name' attribute.
    #
    counter daily {
    	filename = /var/log/radacct/timecounter/db.daily
    	key = User-Name
    	count-attribute = Acct-Session-Time
    	reset = daily
    	counter-name = Daily-Session-Time
    	check-name = Max-Daily-Session
    	reply-name = Session-Timeout
    	cache-size = 5000
    }
    counter weekly {
    	filename = /var/log/radacct/timecounter/db.weekly
    	key = User-Name
    	count-attribute = Acct-Session-Time
    	reset = weekly
    	counter-name = Weekly-Session-Time
    	check-name = Max-Weekly-Session
    	reply-name = Session-Timeout
    	cache-size = 5000
    }
    counter monthly {
    	filename = /var/log/radacct/timecounter/db.monthly
    	key = User-Name
    	count-attribute = Acct-Session-Time
    	reset = monthly
    	counter-name = Monthly-Session-Time
    	check-name = Max-Monthly-Session
    	reply-name = Session-Timeout
    	cache-size = 5000
    }
    counter forever {
    	filename = /var/log/radacct/timecounter/db.forever
    	key = User-Name
    	count-attribute = Acct-Session-Time
    	reset = never
    	counter-name = Forever-Session-Time
    	check-name = Max-Forever-Session
    	reply-name = Session-Timeout
    	cache-size = 5000
    }
    EOD;
    	$filename = FREERADIUS_ETC . '/raddb/modules/counter';
    	conf_mount_rw();
    	file_put_contents($filename, $conf);
    	chmod($filename, 0640);
    	conf_mount_ro();
    }</eod<br> 
    

    If it should count the first thing is that you must have "Accounting" anabled o freeRADIUS and that you must have an access-point which can do accounting.
    Then it is important that the access-point sends the time a client is connected to the access-point with the correct VSA (Vendor specific attribute). In this case th attribute is "Acct-Session-Time". If the access-point sends something else it is not working.

    If we assume that the access-point is sending "Acct-Session-Time" then freeradius can count these values until it reaches the limit you set. If the limit is reached freeradius sends back a Reply-Attribute called "Session-Timeout". The access-point must be capable of interpreting things attribute which will tell the AP to disconnect the client.

    Often vendors offer some "dictionary" of their products which can be imported into (free)radius to make it work.

    So to answer your question short:
    freeradius was tested with captive portal and it is some kind of working with captive portal. I say explicitly "some kind of working" because it is counting and kicking the user but the counting does not seem to be accurate in every situation and every installation. There are several discussions here in the forum but it does not seem to be clear if the freeradius counter implementation is "wrong" or the way captive portal sends the values.

    Good luck!

    Hello, Thanks for your reply. Can I use the FreeRadius on Pfsense independently of the captive portal? Like for example to authenticate users or servers (with captive portal disabled)?



  • Yes of course. Captive Portal is not mandatory. Freeradius2 is running independently.
    You can use it with whatever you want - or not.

    But the couting of time and amount of data was only tested with Captive Portal but this is the "Accounting" part and has nothing to do with "Authentication".



  • When I Do this config :

    Add an interface with the IP address of 127.0.0.1.
        Set the interface type to 'Auth' , use the default port (1812).
        Add a client/NAS with the IP of 127.0.0.1 and the shared secret 'test'.
        Create a test user account on the users tab.
        Log into pfSense via SSH or use the command prompt feature in the diagnostics menu.
        Run the command below, replacing <username>, and <password>with the credentials you assigned.

    radtest <username><password>127.0.0.1:1812 0 test

    I get this error message :

    radclient: no response from server for ID 120 socket 3
    Sending Access-Request of id 120 to 127.0.0.1 port 1812
    User-Name = "User"
    User-Password = "abc"
    NAS-IP-Address = 10.11.11.48
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
    Sending Access-Request of id 120 to 127.0.0.1 port 1812
    User-Name = "User"
    User-Password = "abc"
    NAS-IP-Address = 10.11.11.48
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
    Sending Access-Request of id 120 to 127.0.0.1 port 1812
    User-Name = "User"
    User-Password = "abc"
    NAS-IP-Address = 10.11.11.48
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000

    I do not think this is good.</password></username></password></username>



  • Don't know what this IP addres is: 10.11.11.48

    But add this IP 10.11.11.48 to NAS/Client and try again.



  • @Nachtfalke:

    Don't know what this IP addres is: 10.11.11.48

    But add this IP 10.11.11.48 to NAS/Client and try again.

    That IP is my LAN Interface.



  • Hi Guys i Managed to make it work and wrote a guide for this : https://forum.pfsense.org/index.php?topic=113228.msg629777#msg629777


Log in to reply