Need help on Max Daily Session Attribute



  • Hi Guys,

    I have a freeradius service running on my pfsense box with MySQL as a database back end, with username and password as the authentication method. I've been trying to limit users on a daily basis using the Max-Daily-Session attribute.

    In my radcheck table I have the following:
    username attribute op value
    user1 Cleartext-Password := password1
    user1 Max-Daily-Session := 600

    radreply table
    user1 Session-Timeout := 600

    On pfsense Captive portal settings I have enabled accounting, also enabled "Use RADIUS Session-Timeout attributes" and enabled accounting updates "interim".

    User1 gets to successfully authenticate and use the internet, gets disconnected after 10 mins due to the Session-Timeout attribute BUT still gets to re-authenticate immediately. It seems that radius is disregarding the Max-Daily-Session attribute.

    Any ideas what I am missing here?

    Thanks in advance!


  • Rebel Alliance

    Yup, pfSense does not support Max-Daily-Session yet.

    As far as I know, implementing it would also be quite difficult (because pfSense currently does not keep a list/database of expired users, so checking how much time an expired user spent could be quite difficult).

    Maybe you could look for denying the login on FreeRadius side?



  • @free4

    Hi, thanks for your reply. Regarding your comment "Maybe you could look for denying the login on FreeRadius side?", any hint on how to accomplish this?

    Thanks



  • @free4 said in Need help on Max Daily Session Attribute:

    Yup, pfSense does not support Max-Daily-Session yet.

    As far as I know, implementing it would also be quite difficult (because pfSense currently does not keep a list/database of expired users, so checking how much time an expired user spent could be quite difficult).

    Check https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/sqlcounter
    This "sqlcounter" module is present in /mods-enabled/ but not instantiate(d) (?)

    See also https://wiki.freeradius.org/modules/Rlm_sqlcounter

    I really presume everything is already there.

    See also the files in /usr/local/share/examples/freeradius/raddb/mods-config/sql/counter/mysql



  • I guess I have it working.

    Any of these: https://wiki.freeradius.org/modules/Rlm_sqlcounter#scenarios_daily-limit
    Use the GUI, like

    0_1546238943490_f464b2a8-f22b-4e9f-82a1-21fa8093825a-image.png

    This will work also : add the Max-Daily-Session 20 minutes or 2400 seconds to my user using the SQL method :

    INSERT into radcheck VALUES (NULL,'x','Max-Daily-Session',':=','2400');
    

    The real issue, the support (module) to make it work isn't included by default.
    To test, stop Freeradius in the GUI using Status => Services
    Edited /usr/local/etc/raddb/sites-enabled/default, and added "dailycounter" in the authorize section, as the manual indicated.
    I started Freeradius manually with

    radiusd -X
    

    Now, I can login.
    The output produced by "radiusd -X" is massive, so I filtered :

    radiusd -X | grep 'counter'
    

    After 20 minutes I was thrown out, and wasn't able to login. The pfSense portal log indicated that I was disconnected.
    The message on my device was :

    Your maximum daily usage time has been reached.
    

    The radius logs :

    153) dailycounter: ERROR: Rejecting user, &control:Max-Daily-Session value (2400) is less than counter value (2446)
    

    I haven't tested any other time limits.

    To make the solution sticky (persists after restart or reboot, not upgrade), you should edit the file that generates the freeradius config files.

    edit : Here https://github.com/pfsense/FreeBSD-ports/blob/c7573f5cc64254c17250adaf555d3e7cf64010e8/net/pfSense-pkg-freeradius3/files/usr/local/pkg/freeradius.inc#L1989 add

    	dailycounter
    

    so it looks like :

    	{$varsqlconf2failover} sql {
    		sql1
    		{$varsqlconf2authorize}
    	}
    	dailycounter
    
    EOD;
    

    redit :
    Be careful.
    Found indications like

    /* counter and sqlcounter are incompatible */
    

    in the manual.

    What I make of it: you should be "SQL" based, and not 'file' based, to use the sqlcounter module (humm, seems rather logical ;)).
    Dailycounter is a function of the module sqlcounter, as are monthlycounter, noresetcounter and expire_on_login.

    edit again :
    I reached a point where I can limit an individual user on :
    Bandwidth,
    Quantity (daily or monthly or total),
    Time (daily, monthly, total).
    pfSense has come very far !

    edit again :

    Let's make them all work :

    {$varsqlconf2failover} sql {
    		sql1
    		{$varsqlconf2authorize}
    	}
    	
    	dailycounter
    	monthlycounter
    	noresetcounter
    	expire_on_login
    
      EOD;
    	} else {
    

    (18) monthlycounter: WARNING: Couldn't find check attribute, control:Max-Monthly-Session, doing nothing...
    (18) [monthlycounter] = noop
    (18) noresetcounter: WARNING: Couldn't find check attribute, control:Max-All-Session, doing nothing...
    (18) [noresetcounter] = noop
    (18) expire_on_login: WARNING: Couldn't find check attribute, control:Expire-After, doing nothing...

    I haven't tested these Max-Monthly-Session / Max-All-Session / Expire-After.
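
A simplified model of the check that "dailycounter" performs at login, as an added example that is not part of the original posts and not FreeRADIUS code. It assumes an in-memory SQLite table standing in for the MySQL radacct table, constructed accounting rows, and that the module caps Session-Timeout to the remaining allowance; the adjustment the real module makes near the reset boundary is left out.

```python
import sqlite3

DAY_START = 1_546_214_400  # constructed "last daily reset" boundary (Unix time)

# Seconds used since the reset: a session that began before the reset only
# contributes the part that falls after it.
QUERY = """
SELECT COALESCE(SUM(acctsessiontime - MAX(? - acctstarttime, 0)), 0)
FROM radacct
WHERE username = ? AND acctstarttime + acctsessiontime > ?
"""

def make_db():
    """Build a constructed radacct stand-in (username, start time, duration)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime INTEGER,"
               " acctsessiontime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", [
        ("x", DAY_START - 3600, 4000),  # spans the reset: 400 s count for today
        ("x", DAY_START + 1000, 1200),
        ("x", DAY_START + 5000, 846),
        ("y", DAY_START + 100, 300),
    ])
    return db

def daily_check(db, user, limit, reset_ts, session_timeout=None):
    """Return (decision, seconds_used, session_timeout_to_send)."""
    used = db.execute(QUERY, (reset_ts, user, reset_ts)).fetchone()[0]
    if limit <= used:
        # Same condition as the "Rejecting user" log line quoted above.
        return ("reject", used, None)
    remaining = limit - used
    # Keep an existing, smaller Session-Timeout (e.g. from radreply); otherwise
    # hand out only what is left of the daily allowance.
    if session_timeout is None or remaining < session_timeout:
        session_timeout = remaining
    return ("accept", used, session_timeout)

if __name__ == "__main__":
    db = make_db()
    print(daily_check(db, "x", 2400, DAY_START))       # over the limit
    print(daily_check(db, "y", 600, DAY_START, 600))   # 300 s left today
```

The counter is derived entirely from accounting rows, so the limit is only as accurate as the accounting data the portal sends, and it is evaluated at login rather than during a session.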



  • @Gertjan

    You are awesome. Tried your guide and it worked flawlessly.

    Cheers!!

