    Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.

      anand_phulwani last edited by

      Hi,
      I want to configure captive portal and freeradius in such a way that a user can use his freeradius credentials simultaneously on 2 or 3 devices as configured for the particular user.

      I have configured Captive Portal using these settings:

      1. Disable Concurrent user logins = Unchecked
      2. Authentication method = RADIUS Authentication
      3. RADIUS protocol= PAP
      4. Primary RADIUS server = 192.168.200.1 ( LAN IP of pfSense )
      5. Password = password123
      6. Send RADIUS accounting packets to the primary RADIUS server = Checked
      7. Accounting updates = Stop/Start (FreeRADIUS)
      8. Reauthenticate connected users every minute = Unchecked
      9. RADIUS NAS IP Attribute = LAN - 192.168.200.1

      And have configured FreeRadius with these

      1. Interfaces
        * 1812 auth ipaddr
        * 1813 acct ipaddr
      2. NAS / Clients
        2a. Client IP Address = 192.168.200.1
        2b. Client Shortname = captive_portal
        2c. Client Shared Secret = password123
      3. When creating a user
        3a. Username = user
        3b. Password = password
        3c. Number of Simultaneous Connections = 2

      I have tried
      DEFAULT Simultaneous-Use := 2 | Fall-Through = Yes
      as well, but it does not work.

      Any suggestions are welcome.

        Gertjan @anand_phulwani last edited by Gertjan

        @anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.:

        I have tried
        DEFAULT Simultaneous-Use := 2 | Fall-Through = Yes
        as well, but it does not work.

        This :

        8058b0f7-6d15-45a3-af4d-dc023b10a280-image.png

        is what I'm using for a FreeRadius User setup, and it works.
        I didn't test it recently, I'll put that on a to-do-list and report back here.

        edit :

        I set "Simultaneous-Use := 3" to "Simultaneous-Use := 2".

        It worked.

        I was able to login with the same access codes a second time.

        I saw here two logins with identical user names for a short time :

        e4bf5bc1-758c-4924-a3dd-8192aaa505f8-image.png

        But this :

        e51dbc11-7090-4b56-8325-b428357afb5f-image.png

        or this :

        668a22e8-825c-4ec1-8dcb-d1a542e7a91c-image.png

        will check "Simultaneous-Use := 2" after a less than 1 minute delay and throw out the first logged in user. The last login stays.

        Btw : "Simultaneous-Use := 2" means : only 1 allowed.

          anand_phulwani @Gertjan last edited by anand_phulwani

          @Gertjan First of all I would like to thank you a lot. I have been reading your posts often and your posts have helped me a lot in solving problems when it comes to configuring pfSense, and I thank you for replying as well.

          To begin, I had already tried and I don't know why it's not working. So I think I have two ways to sort it out:

          • Uploading images of my configuration for you to just go through, in case there is a problem.
          • If you could just give me a dump of all FreeRADIUS3 configuration files, the captive portal configuration file, and config.xml dumps, so that I can cross-verify with my configuration.

          Uploads of the configurations are as under:

          • 01 - Authentication Servers
            01_Authentication Servers.png
          • 02 - Captive Portal
            02_Captive Portal- office_zone- Configuration.png
          • 03 - FreeRadius - NAS / Clients
            03_FreeRADIUS-NAS-Clients.png
          • 04 - FreeRADIUS - Interfaces
            04_FreeRADIUS- Interfaces.png
          • 05 - FreeRADIUS - Users
            05_FreeRADIUS- Users.png
          • 06 - Status Dashboard
            06_Status- Dashboard.png

          As you can see in the dashboard, I waited for 5 mins but the connection didn't get disconnected.
          Any suggestion is welcome.

            Gertjan last edited by

            85be65c6-6651-406d-9b72-452147f0fac9-image.png

            This should be "Interim".

            If you want to see what's happening in a somewhat readable way, stop the radiusd process here :

            3a1f12b3-cea5-41d8-bbad-18c023b9aea9-image.png

            Go to console or SSH, option 8 and type

            radiusd -X
            
              anand_phulwani @Gertjan last edited by

              @Gertjan Thanks for your reply.

              I had tried Interim earlier as well. I formatted my virtual machine and did all the configurations once more, and used Interim this time again, but alas the result was still the same: I could still log in on 3 devices, using the config as below

              DEFAULT Simultaneous-Use := 2 | Fall-Through = Yes
              

              Thereafter I tried using

              radiusd -X >> test.log
              

              and recorded everything into this file. I have uploaded a copy of it at https://pastebin.com/ntTaS6Ah

              I have a feeling that my line in the configuration is not being interpreted by the executable in some way.
              I had read in the docs at this page that when terminating the connection, I would receive a line in the logs like

              radiusd[3206]: Multiple logins (max 1) : [testuser/testpw] (from client testing port 10)
              

              but it isn't present.

                Gertjan @anand_phulwani last edited by

                @anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.:

                i have uploaded a copy of it at https://pastebin.com/ntTaS6Ah

                Oops.
                I think I know how FreeRadius works when it applies "Simultaneous-Use".
                I can see it loading : two sql (!) queries when it starts up.
                I'm using the mysql module. And a MySQL (MariaDB) server on my LAN.

                I don't know if and how FreeRadius has implemented "Simultaneous-Use" when it uses its own file-based "bookkeeping" system.

                @anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.:

                radiusd[3206]: Multiple logins (max 1) : [testuser/testpw] (from client testing port 10)

                but it isn't present

                That's normal.
                FreeRadius2 is ancient, and was used a long, long time ago. The doc on that page can be scrapped entirely.
                pfSense uses Freeradius3.

                  anand_phulwani @Gertjan last edited by

                  @Gertjan

                  Installed mysql server on the firewall itself, and followed the same settings, still it doesn't work. I have however created a patch for captiveportal.inc to do the job in a file-based system. But I would still want to learn if there is an in-built, actual proper way to do it with mysql as well.

                    Gertjan last edited by

                    When "sql" is used, the test.log should confirm this :

                    @anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.:

                    radiusd -X >> test.log

                    You'll be seeing lines being loaded at startup like :

                    
                    including configuration file /usr/local/etc/raddb/mods-enabled/sql
                    including configuration file /usr/local/etc/raddb/mods-config/sql/main/mysql/queries.conf
                    including configuration file /usr/local/etc/raddb/mods-enabled/sqlcounter
                    including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
                    including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
                    including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
                    including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
                    ..........
                    ..........
                    simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
                     	simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
                    

                    which are used for connection counting.

                    These

                    (0) files: users: Matched entry DEFAULT at line 1
                    (0) files: users: Matched entry DEFAULT at line 387
                    (0) files: users: Matched entry x at line 390
                    

                    Line 1 :

                    DEFAULT WISPr-Redirection-URL := "https://www.google.com/" 
                     Fall-Through = Yes
                    

                    and line 387 :

                    DEFAULT Simultaneous-Use := 2 
                     Fall-Through = Yes
                    

                    Line 390 : my user :

                    "x" Cleartext-Password := "x"
                    

                    When the user logs in, using this option in the portal settings :

                    5a1fc198-7d94-487d-85e5-883f4442403f-image.png

                    the number of connected users is counted :

                    (10) sql1: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'x' AND acctstoptime IS NULL
                    

                    and it's the result of this query that is used against "Simultaneous-Use".

                    ( I guess )
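
Added example, not part of the thread: a small Python check over `radiusd -X` output that looks for the evidence the post above describes, namely that the `sql` module and `simul_count_query` were loaded at startup and that the count query actually ran for a login. The function names and both sample logs are constructed for illustration from the lines quoted in the thread.

```python
import re

# Patterns copied from the debug lines quoted in the thread.
SQL_LOADED = re.compile(r"including configuration file \S+/mods-enabled/sql$")
COUNT_DEFINED = re.compile(r"^\s*simul_count_query\s*=")
COUNT_RUN = re.compile(
    r"^\((\d+)\) \S+: Executing select query: SELECT COUNT\(\*\) FROM radacct "
    r"WHERE username = '([^']*)' AND acctstoptime IS NULL")
USERS_MATCH = re.compile(r"^\((\d+)\) files: users: Matched entry (\S+) at line (\d+)")

def triage(log_text):
    """Collect the evidence that session counting is loaded and executed."""
    report = {"sql_loaded": False, "count_defined": False,
              "counted_users": [], "users_entries": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if SQL_LOADED.search(line):          # '$' keeps sqlcounter from matching
            report["sql_loaded"] = True
        elif COUNT_DEFINED.match(line):
            report["count_defined"] = True
        elif (m := COUNT_RUN.match(line)):
            report["counted_users"].append(m.group(2))
        elif (m := USERS_MATCH.match(line)):
            report["users_entries"].append((m.group(2), int(m.group(3))))
    return report

def verdict(report):
    """Summarise how far session counting got in this debug run."""
    if not (report["sql_loaded"] and report["count_defined"]):
        return "sql module or simul_count_query not loaded"
    if not report["counted_users"]:
        return "simul_count_query loaded but never executed"
    return "session count executed for: " + ", ".join(sorted(set(report["counted_users"])))

# Constructed samples, assembled from the lines quoted in the thread.
LOG_WITH_SQL = """\
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-enabled/sqlcounter
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
(0) files: users: Matched entry DEFAULT at line 387
(0) files: users: Matched entry x at line 390
(10) sql1: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'x' AND acctstoptime IS NULL
"""
LOG_FILES_ONLY = """\
(0) files: users: Matched entry DEFAULT at line 1
(0) files: users: Matched entry user at line 3
"""

if __name__ == "__main__":
    for name, text in (("with sql", LOG_WITH_SQL), ("files only", LOG_FILES_ONLY)):
        print(name, "->", verdict(triage(text)))
```

To use it on a real capture, pass the contents of the `test.log` produced by `radiusd -X >> test.log` to `triage()`.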
