Concurrent 2 device login with same username

zcloud · Sep 22, 2017, 5:17 AM

I am newbie in pfsense. I just want to know does pfsense able to makes 1 username can login into 2 different devices in the same time?
our authentication using AD radius server.

I have searched but i cannot find the way. I know that Maximum concurrent connections setting is available in pfsense. but when I try to set 2 in there, while i test in 3 devices, it still acceptable. I don't think Maximum concurrent connections is the way I use to solve this issue.

Please help.

Gertjan · Sep 22, 2017, 8:53 AM

Exact.

"Maximum concurrent connections" is a setting used by the web server that serves the login page. It could be used to protect it against some "stupid" devices that keep hammering the captive portal web server - like a "Facbook app" that want to visit facebook to sync the account without having any knowledge that a "portal login page" is show as a result. So it keeps trying.

What you are looking for is (more something like) : Concurrent user logins

If enabled only the most recent login per username will be active. Subsequent logins will cause machines previously logged in with the same username to be disconnected.

If the same login is used on another device (== other IP, other MAC, same login) then the first login is discarded.

edit : this limits the usage of a login to ONE device. Limiting to two devices is more a "feature request". I guess with FreeRadius3 etc it could be done. BUT : I never did so myself, and you need to know your way around with MySQL, FreeRadius, etc etc.

gadgetguy · Sep 25, 2017, 7:48 AM

Hi, I'm trying to do the same thing as zcloud.

edit : this limits the usage of a login to ONE device. Limiting to two devices is more a "feature request". I guess with FreeRadius3 etc it could be done. BUT : I never did so myself, and you need to know your way around with MySQL, FreeRadius, etc etc.

Is mySQL necessary to use this "feature request"? Does anybody know how to do this?

Thanks

Gertjan · Sep 25, 2017, 1:37 PM

@gadgetguy:

Is mySQL necessary to use this "feature request"? Does anybody know how to do this?

What you probably need is some piece of software called "FreeRadius". It exists as a package for pfSense. DO NOT use the version 2 (it will be declared dead soon) , use the version 3.
PfSense Portal authentication can use this server package to handle the authentication, and much more.
The funny part : "FreeRadius" needs a place to keep its data. A database engin is needed. "MySQL" is just a choice, many more exists.

The good new : nearly every ISP on earth uses some kind of "FreeRadius" program to handle the login for your internet connection - and some database back end. The concept is not new.
But : If you don't know what "FreeRadius" is - why it is used - how to set it up, how to debug the comm between pfSense and "FreeRadius" - how to debug the comm between "FreeRadius" and the database, please stay away from it. THIS IS NOT a "click and it works" solution.
Keep in mind that it IS possible to run "FreeRadius" and even the database (like MySQL, a HUGE package) on the same device as pfSense. Some threads in this forum discuss that solution.
I advise you to make a setup "@home" and play with it.
Some very good news : just by reading and "trail and error" you will mange to set something up that works. Keep in mind that this will take time (it depends if you can read and understand fast :)).

Note : "FreeRadius 3" is a package - some kind of extension build by and maintained by (often) free lance people. THEY can give support - not the pfSense team. So, if they are not there (here, on the forum) then support "halts" and you are on your own to Google stuff up. Well detailed questions are always welcome, but something like "Does anybody know how to do this" will go unanswered because the reply will be huge … (read https://forum.pfsense.org/index.php?topic=108493.0 to see the tip of the iceberg )

I'm using the Captive portals for years now (nearly 10 years) but never used "FreeRadius 2 or 3" because I just have to grant access, I'm not looking to limit my clients. I never needed to do so. Maybe ones, if I have some spare time, I'll take my clients as "testers" and use FreeRadius to fine grain client access, like "no more then x devices" and no more then "500 Kbit/sec per client)

gadgetguy · Sep 25, 2017, 11:10 PM

Thanks for your quick reply @Gertjan

I have been using FreeRadius to authenticate users for some time now and it's worked great.
I do understand what FreeRadius is and the concept for how it works. I don't understand how to debug the comm between pfSense and FreeRadius. I would like to learn though, do you have any suggestions on what I might read to learn?

I do have a setup "@home" to play on but could use a few pointers to get me going in the right direction… Any help is appreciated.

Gertjan · Sep 26, 2017, 5:46 AM

This :
@gadgetguy:

… I don't understand how to debug the comm between pfSense and FreeRadius....

is a method I use so I understand what two processes exchange. Like a database server MySQL can be put in some sort of debug mode, and log all the communication it receives, I'm pretty sure FreeRadius has the same mode.
If everything works, that all this is not needed. You condemned to checkout your needs and curiosity, and look in the "manual" how to implement it.