    Limit Simultaneous Connections using freeRADIUS3 and captive portal

      gadgetguy

      Hello,

      I'm quite new to pfSense so please be easy on me….

      What I want to do is use freeRADIUS to limit the number of simultaneous connections per user.

      I was able to achieve this while using a test machine before but now on my actual pfSense box I can't get it to work.

      Even though I have simultaneous connection set to 2 or 3, the client is still able to add as many devices as they want.

      I'm running:

      2.3.4-RELEASE (amd64)
      built on Wed May 03 15:13:29 CDT 2017
      FreeBSD 10.3-RELEASE-p19

      NanoBSD

      Can someone tell me what I'm doing wrong?

      Thank you,

      Gadjetguy

      PS: what is the difference between freeRADIUS2 and freeRADIUS3 package?

        jimp Rebel Alliance Developer Netgate

        If you are using certain Captive Portal RADIUS modes, such as "Reauthenticate", then you can't effectively use simultaneous user limits.

        Also, you do have to have accounting enabled for Simultaneous use to kick in.

        So you'll have to provide more detail about the exact Captive Portal and RADIUS config to get any meaningful feedback.

        @gadgetguy:

        PS: what is the difference between freeRADIUS2 and freeRADIUS3 package?

        FreeRADIUS 2.x is dead and will be removed in the near future. It's EOL upstream and has security problems, use FreeRADIUS 3.x which is current and supported.
        The 2.x package is still there for the moment until we can effectively find a way to force the transition in an automated manner. The configurations are compatible, if you have 2.x installed, uninstall it and install 3.x and you'll be fine.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          gadgetguy

          Thank you for replying jimp,

          I'll start by explaining my goal for the Captive portal.

          1. I want to allow certain users onto my LAN network automatically by registering their MAC addresses in Captive portal. This works without a problem so far.

          2. For some users, I want to give them a user ID and password and limit their number of concurrent connections, let's say some clients 2 devices and some 3.

          For now, I don't want to limit bandwidth or daily usage, just concurrent connections.

          I downloaded and installed freeRADIUS3 and set it up.

          Here's my settings configuration:

          Services>FreeRADIUS> interfaces

          192.168.20.254 as LAN interface/Port 1812/authentication
          192.168.20.254 as LAN interface/Port 1813/accounting
          192.168.20.254 as LAN interface/Port 1816/status

          For NAS/Clients, I entered my LAN IP for the client IP and a shared secret.

          I then created a new entry in captive portal and enabled it.

          Interfaces: LAN

          Authentication method: RADIUS Authentication
          RADIUS protocol: PAP
          Primary RADIUS server: 192.168.20.254 / Port 1812 / shared secret

          I enabled "Send RADIUS accounting packets to the primary RADIUS server"
          Accounting port: 1813
          Accounting updates: no updates

          RADIUS NAS IP attribute: LAN-192.168.20.254

          Should I attach my radius.conf file?

          Thank you very much… I really appreciate your time and I hope you'll be able to help me figure out what I'm doing wrong....

            jimp Rebel Alliance Developer Netgate

            In the captive portal settings, change Accounting Updates to "Start/Stop (FreeRADIUS)"

              gadgetguy

              Ok, I'll try that. Thank you!

                gadgetguy

                @jimp:

                In the captive portal settings, change Accounting Updates to "Start/Stop (FreeRADIUS)"

                I tried this and I still can connect unlimited devices per user name. Any more suggestions?

                Thank you for helping with my problem….

                  gadgetguy

                  I have squid running on my pfSense box but is there any chance that it is interfering?

                    gadgetguy

                    One more thing, when installing FreeRADIUS3 it says an EAP certificate is needed. I haven't configured any certificates. Is that necessary?

                    Thanks again…

                      jimp Rebel Alliance Developer Netgate

                      @gadgetguy:

                      I have squid running on my pfSense box but is there any chance that it is interfering?

                      If they still get prompted for a portal login, then maybe not, but it's squid so it usually does find ways of interfering.

                      @gadgetguy:

                      One more thing, when installing FreeRADIUS3 it says an EAP certificate is needed. I haven't configured any certificates. Is that necessary?

                      Where is it saying that? The FreeRADIUS 3.x package automatically makes EAP certs if you don't configure any, it doesn't print an error like that. The old 2.x package will print an error like that, though. If you aren't using EAP it's not much to worry about but you could make a CA and Server cert, set them on the EAP tab, and that would stop any errors.

                        gadgetguy

                        @jimp:

                        Where is it saying that? The FreeRADIUS 3.x package automatically makes EAP certs if you don't configure any, it doesn't print an error like that. The old 2.x package will print an error like that, though. If you aren't using EAP it's not much to worry about but you could make a CA and Server cert, set them on the EAP tab, and that would stop any errors

                        When installing the FreeRADIUS package, at the end when it says 'Success' when the package finishes installing is where I saw that message. It wasn't an error message.

                        I got my test machine running again and did a clean install of pfSense and tried Captive Portal with FreeRADIUS and didn't install or setup anything else but it still doesn't limit simultaneous connections so I'm guessing that it isn't Squid causing the problems.

                        I know I'm asking a lot, but would it be possible for you to post the instructions for configuring FreeRADIUS and Captive Portal to limit a user to 3 concurrent connections? I've been trying for a week now spending every afternoon trying to find what the problem is and doing a lot of researching and reading on the internet but haven't been successful.

                        I appreciate your advice and want to thank you for helping me out this far.

                          gadgetguy

                          Is there anybody out there that is successfully using Captive Portal with FreeRADIUS3 and able to successfully allow a user to use a limited amount of devices concurrently?

                          Thank you in advance!

                            jmguerrero

                            Try to edit the Number of Simultaneous Connections of the acct in freeRadius.

                              gadgetguy

                              @jmguerrero:

                              Try to edit the Number of Simultaneous Connections of the acct in freeRadius.

                              I have this set to 2 or 3 depending on each user. Any other suggestions?

                                Edo-IT

                                Hello I'm new on this forum.
                                I have been reading some captive portal threads and I have the same issue with limiting the users by freeRadius 3.
                                Any suggestion?

                                Thx

                                  AYSMAN

                                  Hi Guys,

                                  has anyone found a solution to this problem yet?

                                    mke

                                    I can't make it and would love to find out how to do user limitation. It was working great in ver 2.

                                      Dmc @AYSMAN

                                      Hi @AYSMAN

                                      Did you happen to find the solution to this by any chance??

                                      I am stumped as well after spending weeks on this... I know my accounting is working fine since it's all logged but FreeRadius will not stop the connection after the limit is reached.

                                      I've set up identical to the OP except my IP is on 127.0.0.1 and listening ports *

                                      Also added the Simultaneous-Connection := 1 to the user profile which didn't appear to do anything.

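A way to check the point raised in this thread, that the limit depends on accounting records reaching the server: the added example below (not part of any post here, and not pfSense or FreeRADIUS code) replays an accounting log in FreeRADIUS "detail" format and reports each user's peak number of concurrent sessions against a limit. The sample log, the user names and the `LIMITS` table are constructed assumptions.

```python
import re
from collections import defaultdict

def _rec(user, status, sid):
    # One record: a timestamp line, then tab-indented "Attribute = value" lines.
    return ("Tue Jun 13 10:00:00 2017\n"
            f'\tUser-Name = "{user}"\n\tAcct-Status-Type = {status}\n'
            f'\tAcct-Session-Id = "{sid}"\n')

# Constructed sample log (not from the thread); records are blank-line separated.
SAMPLE_DETAIL = "\n".join(_rec(*e) for e in [
    ("alice", "Start", "s1"), ("alice", "Start", "s2"), ("bob", "Start", "s3"),
    ("alice", "Start", "s4"), ("alice", "Stop", "s1"), ("bob", "Stop", "s3"),
])
# Hypothetical per-user limits, mirroring the simultaneous-connections setting.
LIMITS = {"alice": 2, "bob": 3}

ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+) = "?(.*?)"?$')

def parse_detail(text):
    """Yield one attribute dict per accounting record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines()[1:]:  # skip the timestamp line
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
        if attrs:
            yield attrs

def peak_sessions(records):
    """Replay Start/Stop records; return (peak per user, sessions still open)."""
    open_ids, peak = defaultdict(set), defaultdict(int)
    for r in records:
        user, sid = r.get("User-Name"), r.get("Acct-Session-Id")
        if not user or not sid:
            continue  # a record without these cannot be tied to a session
        if r.get("Acct-Status-Type") == "Start":
            open_ids[user].add(sid)
        elif r.get("Acct-Status-Type") == "Stop":
            open_ids[user].discard(sid)
        peak[user] = max(peak[user], len(open_ids[user]))
    return dict(peak), {u: s for u, s in open_ids.items() if s}

def over_limit(peak, limits):
    """Map each user whose peak exceeded their limit to (peak, limit)."""
    return {u: (n, limits[u]) for u, n in peak.items()
            if u in limits and n > limits[u]}

if __name__ == "__main__":
    peak, still_open = peak_sessions(parse_detail(SAMPLE_DETAIL))
    print("peak:", peak, "| still open:", still_open)
    print("over limit:", over_limit(peak, LIMITS))
```

A log with no Start records for a user yields a peak of zero for that user, which means there is no session count for any limit to act on.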
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.