Need help on Max Daily Session Attribute
-
Hi Guys,
I have a freeradius service running on my pfsense box with MySQL as a Database back end. Username and Password as an authentication method. I've been trying to limit users on a daily basis using Max-Daily-Session attribute.
On my radcheck table I have the following:
username attribute op value
user1 Cleartext-Password := password1
user1 Max-Daily-Session := 600
radreply table
user1 Session-Timeout := 600
On pfSense Captive portal settings I have enabled accounting, also enabled "Use RADIUS Session-Timeout attributes" and enabled accounting updates "interim".
User1 gets to successfully authenticate and use the internet, gets disconnected after 10 mins due to the Session-Timeout attribute BUT still gets to re-authenticate immediately. It seems that radius is disregarding the Max-Daily-Session attribute.
Any ideas what I am missing here?
Thanks in advance!
-
Yup, pfSense does not support Max-Daily-Session yet.
As far as I know, implementing it would also be quite difficult (because pfSense currently does not keep a list/database of expired users, so checking how much time an expired user spent could be quite difficult)
Maybe you could look for denying the login on FreeRadius side?
-
Hi, thanks for your reply. Regarding your comment "Maybe you could look for denying the login on FreeRadius side?", any hint on how to accomplish this?
Thanks
-
@free4 said in Need help on Max Daily Session Attribute:
Yup, pfSense does not support Max-Daily-Session yet.
As far as I know, implementing it would also be quite difficult (because pfSense currently does not keep a list/database of expired users, so checking how much time an expired user spent could be quite difficult)
Check https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/sqlcounter
This "sqlcounter" module is present in /mods-enabled/ but not instantiate(d) (?)
See also https://wiki.freeradius.org/modules/Rlm_sqlcounter
I really presume everything is already there.
See also the files in /usr/local/share/examples/freeradius/raddb/mods-config/sql/counter/mysql
-
I guess I have it working.
Any of these : https://wiki.freeradius.org/modules/Rlm_sqlcounter#scenarios_daily-limit
Use the GUI, like
This will work also : add the Max-Daily-Session 20 minutes or 2400 seconds to my user using the SQL method :
INSERT into radcheck VALUES (NULL,'x','Max-Daily-Session',':=','2400');
The real issue, the support (module) to make it work isn't included by default.
To test, stop Freeradius in the GUI using Status => Services
Edited /usr/local/etc/raddb/sites-enabled/default, and added "dailycounter" in the authorize section, as the manual indicated.
I started Freeradius manually with
radiusd -X
Now, I can login.
The output produced by "radiusd -X" is massive, so I filtered :
radiusd -X | grep 'counter'
After 20 minutes I was thrown out, and wasn't able to login. The pfSense portal log indicated that I was disconnected.
The message on my device was :
Your maximum daily usage time has been reached.
The radius logs :
(153) dailycounter: ERROR: Rejecting user, &control:Max-Daily-Session value (2400) is less than counter value (2446)
I haven't tested any other time limits.
To make the solution sticky (persists after restart or reboot, not upgrade), you should edit the file that generates the freeradius config files.
dailycounter
so it looks like :
{$varsqlconf2failover} sql {
    sql1
    {$varsqlconf2authorize}
}
dailycounter
EOD;
edit :
Be careful.
Found indications like
/* counter and sqlcounter are incompatible */
in the manual.
What I make of it : you should be "SQL" based, and not 'file' based to use the sqlcounter module (hmm, seems rather logical ;)) .
Dailycounter is a function of the module sqlcounter, as is monthlycounter, noresetcounter, expire_on_login
edit again :
I reached a point where I can limit an individual user on :
Bandwidth,
Quantity (daily or monthly or total),
Time (daily, monthly, total).
pfSense has come very far !
edit again :
Let's make them all work :
{$varsqlconf2failover} sql {
    sql1
    {$varsqlconf2authorize}
}
dailycounter
monthlycounter
noresetcounter
expire_on_login
EOD;
} else {
(18) monthlycounter: WARNING: Couldn't find check attribute, control:Max-Monthly-Session, doing nothing...
(18) [monthlycounter] = noop
(18) noresetcounter: WARNING: Couldn't find check attribute, control:Max-All-Session, doing nothing...
(18) [noresetcounter] = noop
(18) expire_on_login: WARNING: Couldn't find check attribute, control:Expire-After, doing nothing...
I haven't tested these Max-Monthly-Session / Max-All-Session / Expire-After
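A simplified model of the dailycounter check described in the post above, added here as an illustration (not code from the thread or from FreeRADIUS). It runs against a constructed in-memory SQLite stand-in for radcheck and radacct; acctstarttime stored as epoch seconds, the reject-at-limit boundary, and the names `build_db`, `daily_decision` and `DAY_START` are assumptions of this example.

```python
import sqlite3

DAY_START = 1_700_000_000  # constructed epoch standing in for "midnight today"

def build_db():
    """Constructed sample data; the real tables live in the FreeRADIUS MySQL DB."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radacct (username TEXT, acctstarttime INTEGER, acctsessiontime INTEGER);
    """)
    db.executemany("INSERT INTO radcheck VALUES (?,?,?,?)", [
        ("user1", "Max-Daily-Session", ":=", "600"),
        ("x", "Max-Daily-Session", ":=", "2400"),
    ])
    db.executemany("INSERT INTO radacct VALUES (?,?,?)", [
        ("user1", DAY_START + 3600, 200),  # 200 s, all of it today
        ("user1", DAY_START - 100, 250),   # began before midnight: 150 s count
        ("x", DAY_START + 60, 2446),       # over-limit case, as in the log above
    ])
    return db

def daily_decision(db, user, day_start=DAY_START, session_timeout=None):
    """Return (verdict, seconds); seconds is the Session-Timeout to send back."""
    row = db.execute(
        "SELECT value FROM radcheck WHERE username=? AND attribute='Max-Daily-Session'",
        (user,)).fetchone()
    if row is None:
        return ("noop", session_timeout)  # no check attribute: counter does nothing
    limit = int(row[0])
    # Count only the part of each session that falls after day_start.
    used = db.execute(
        """SELECT COALESCE(SUM(acctsessiontime - MAX(? - acctstarttime, 0)), 0)
           FROM radacct
           WHERE username=? AND acctstarttime + acctsessiontime > ?""",
        (day_start, user, day_start)).fetchone()[0]
    if used >= limit:  # assumption of this model: reject once the limit is reached
        return ("reject", 0)
    remaining = limit - used
    if session_timeout is not None:
        remaining = min(remaining, session_timeout)  # never extend an existing timeout
    return ("accept", remaining)
```

If accounting records never reach radacct, `used` stays at 0 and the limit is never enforced, which is why accounting has to be enabled on the captive portal for the counter to work.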
-
-
FreeRADIUS SQL backend counter feature: https://redmine.pfsense.org/issues/10871