Need help on Max Daily Session Attribute

AYSMAN

Hi Guys,

I have a freeradius service running on my pfsense box with MySQL as a Database back end. Username and Password as an authentication method. I've been trying to limit users on a daily basis using Max-Daily-Session attribute.
on my;

radcheck table i have the ff
username attribute op value
user1 Cleartext-Password := password1
user1 Max-Daily-Session := 600

radreply table
user1 Session-Timeout := 600

On pfsense Captive portal settings I have enabled accounting, also enabled "Use RADIUS Session-Timeout attributes" and enable accounting updates "interim".

User1 gets to successfully authenticate and use the internet, gets disconnected after 10mins due to session timeout attribute BUT still gets to re-authenticate immediately. If seems that radius is disregarding the Max-Daily-Session attribute.

Any Ideas what am I missing here?

Thanks in advanced!

free4

Yup, pfSense does not support Max-Daily-Session yet.

As far as i know, implementing it would be also quite difficult (because pfSense currently does not keep a list/database of expired users, so checking how many time an expired user spent could be quite difficult)

Maybe you could look for denying the login on FreeRadius side?

AYSMAN

@free4

Hi, Thanks for your reply. Regarding on your comment "Maybe you could look for denying the login on FreeRadius side?" any hint on how to accomplish this?

Thanks

Gertjan

@free4 said in Need help on Max Daily Session Attribute:

Yup, pfSense does not support Max-Daily-Session yet.

As far as i know, implementing it would be also quite difficult (because pfSense currently does not keep a list/databass of expired users, so checking time how many time an expired user spent could be quite difficult)

Check https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/sqlcounter
This "sqlcounter" module is present in /mods-enabled/ but not instantiate(d) (?)

See also https://wiki.freeradius.org/modules/Rlm_sqlcounter

I really presume everything is already there.

See also the files in /usr/local/share/examples/freeradius/raddb/mods-config/sql/counter/mysql

Gertjan

I guess I have it working.

Any of these :https://wiki.freeradius.org/modules/Rlm_sqlcounter#scenarios_daily-limit
Use the GUI, like

0_1546238943490_f464b2a8-f22b-4e9f-82a1-21fa8093825a-image.png

This will work also : add the Max-Daily-Session 20 minutes or 2400 seconds to my user using the SQL method :

INSERT into radcheck VALUES (NULL,'x','Max-Daily-Session',':=','2400');

The real issue, the support (module) to make it work isn't included by default.
To test, stop Freeradius in the GUI using Status => Services
Edited /usr/local/etc/raddb/sites-enabled/default, and added "dailycounter" in the authorize section, as the manual indicated.
I started Freeradius manually with

radiusd -X

Now, I can login.
The output produced by "radiusd -X" is massive, so I filtered :

radiusd -X | grep 'counter'

After 20 minutes I was thrown out, and wasn't able to login. The pfSense portal log indicated that I was disconnected.
The message on my device was :

Your maximum daily usage time has been reached.

The radius logs :

153) dailycounter: ERROR: Rejecting user, &control:Max-Daily-Session value (2400) is less than counter value (2446)

I haven't tested any other time limits.

To make the solution sticky (persists after restart or reboot, not upgrade), you should edit the file that generate the freeradius config files.

edit : Here https://github.com/pfsense/FreeBSD-ports/blob/c7573f5cc64254c17250adaf555d3e7cf64010e8/net/pfSense-pkg-freeradius3/files/usr/local/pkg/freeradius.inc#L1989 add

	dailycounter

so it looks like :

	{$varsqlconf2failover} sql {
		sql1
		{$varsqlconf2authorize}
	}
	dailycounter

EOD;

redit :
Be carefull.
Found indications like

/* counter and sqlcounter are incompatible */

in the manual.

What I make of it : you should be "SQL" based, and not 'file' based to use the sqlcounter module (humm, seems rather logic ;)) .
Dailycounter is a function of tme module sqlcounter, as is monthlycounter, noresetcounter, expire_on_login

edit again :
I reached a point where I can limit an individual user on :
Bandwidth,
Quantity (daily or monthly or total),
Time (daily, monthly, total).
pfSense has come very far !

edit again :

Let's make them all work :

{$varsqlconf2failover} sql {
		sql1
		{$varsqlconf2authorize}
	}
	
	dailycounter
	monthlycounter
	noresetcounter
	expire_on_login

  EOD;
	} else {

(18) monthlycounter: WARNING: Couldn't find check attribute, control:Max-Monthly-Session, doing nothing...
(18) [monthlycounter] = noop
(18) noresetcounter: WARNING: Couldn't find check attribute, control:Max-All-Session, doing nothing...
(18) [noresetcounter] = noop
(18) expire_on_login: WARNING: Couldn't find check attribute, control:Expire-After, doing nothing...

If haven't tested these Max-Monthly-Session / Max-All-Session / Expire-After

AYSMAN

@Gertjan

You are awesome. Tried your guide and it work flawlessly.

Cheers!!

viktor_g

FreeRADIUS SQL backend counter feature: https://redmine.pfsense.org/issues/10871