Radius seems to disconnect CP users randomly



  • Hi, I have been running pfsense for some years now using an older version for about 300 captive portal users using radius (radiusmanager by DMA softlabs - which I think uses freeradius). I added a new pfsense box bought from pfsense direct and copied (manually went through settings) the captive portal settings to the new box and have the new CP running with a handful of test users. However every few days to a week or more they get disconnected and have to re-log in to the CP. I see in the pfsense CP auth logs the following lines before they log in again:

    Nov 11 23:50:40 logportalauth 84114 Zone: dvlan_22 - RADIUS_DISCONNECT: user_name, 90:Ka:a8:W0:4b:24, 10.2.3.4

    These users are the same as on the other system and don't have this issue, I thought they were having DHCP assigning new IP's or something, so I changed the DHCP to give out addresses for 1 year :P that didn't change anything and their IP wasn't changing anyways.

    On the other CP system there is only RADIUS_DISCONNECT logs for actual reasons like, total_traffic_limit_reached etc. I don't like how there is no reason after the radius disconnect log to indicate why the user was disconnected. I am using 'Interim' radius options on each Captive portal.

    I am using PFsense 2.3.2 on the new (broken) system and some version 3 years old on the other.

    any help would be much appreciated.



  • How have you configured your radius client service? Is there a timeout set on the radius box at all, or does the service get restarted at any time?


  • Netgate

    RADIUS can't disconnect a client. RADIUS servers do not "push" commands, they reply to requests. That is probably either a periodic authentication failure or a previously-received timeout.



  • Hey, thanks for your comments!

    Derelict – thanks, that makes sense about only 'replying to requests'. However if it's a periodic authentication failure, why or how would it fail authentication? these users have been logged in for months - they will be for many more months too. There are no timeouts set on anything in Radius that I can find.

    muswellhillbilly -- The Radius service could get restarted perhaps by another process for some reason, if the service dies I get alerts - it does die every few months which I just restart the Radius service, stopping and starting the service doesn't cause the disconnects to happen either when I do it manually.

    I don't know what you mean by radius client service?

    Nothing like this happens on the other pfsense box which uses the same radius server ..


  • Rebel Alliance Developer Netgate

    One example of how it can fail is when you set concurrent login limits on the accounts in RADIUS. If you do that, and anything tries to reauthenticate the user, it can fail if the RADIUS server thinks they're still online.



  • Thanks, I have this value set at 10 concurrent logins.

    Please note: The other pfsense doesn't get these disconnect's in the logs and doesn't get users being disconnected randomly, the same customers on the same physical network (different VLAN) using the same radius server. These disconnects dont' have a reason, all the other disconnect have a reason in the logs. This must be a clue?

    It seems that users don't get to stay on for more than a week, right now the longest online user is 3 days - there are about 14 test users.

    Cheers,

    Tim