Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.
-
Hi,
I want to configure captive portal and freeradius in such a way that a user can use his freeradius credentials simultaneously on 2 or 3 devices as configured for the particular user.I have configured Captive Portal using these settings:
- Disable Concurrent user logins = Unchecked
- Authentication method = RADIUS Authentication
- RADIUS protocol= PAP
- Primary RADIUS server = 192.168.200.1 ( LAN IP of pfSense )
- Password = password123
- Send RADIUS accounting packets to the primary RADIUS server = Checked
- Accounting updates = Stop/Start (FreeRADIUS)
- Reauthenticate connected users every minute = Unchecked
- RADIUS NAS IP Attribute = LAN - 192.168.200.1
And have configured FreeRadius with these
- Interfaces
* 1812 auth ipaddr
* 1813 acct ipaddr - NAS / Clients
2a. Client IP Address = 192.168.200.1
2b. Client Shortname = captive_portal
2c. Client Shared Secret = password123 - When creating a user
3a. Username = user
3b. Password = password
3c. Number of Simultaneous Connections = 2
I have tried
DEFAULT Simultaneous-Use := 2 | Fall-Through = Yes
as well, but it does not work.Any suggestions are welcome.
-
@anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.:
I have tried
DEFAULT Simultaneous-Use := 2 | Fall-Through = Yes
as well, but it does not work.This :
is what I'm using for a FreeRadius User setup, and it works.
I didn't test it recently, I'll put that on a to-do-list and report back here.edit :
I set "Simultaneous-Use := 3" to "Simultaneous-Use := 2".
It worked.
I was able to login with the same access codes a second time.
I saw here two logins with identical user names for a short time :
But this :
or this :
will check "Simultaneous-Use := 2" after a less then 1 minute delay and throw out the first logged in user. The last login stays.
Btw : "Simultaneous-Use := 2" means : only 1 allowed.
-
@Gertjan First of all i would like to thank you a lot, i have been reading your posts often and your posts have helped me a lot solving problems when it comes to configuring pfSense, and i thank you for replying as well.
To begin i had already tried and i don't know why it's not working. So i think i have two ways to sort it out
- Uploading images for my configuration for you to just go-through if there is a problem.
- If you could just give me dump of all FreeRADIUS3 Configuration Files , captive portal configuration file, config.xml dumps, so that i can cross verify with my configuration.
Upload of the configurations are as under:
- 01 - Authentication Servers
- 02 - Captive Portal
- 03 - FreeRadius - NAS / Clients
- 04 - FreeRADIUS - Interfaces
- 05 - FreeRADIUS - Users
- 06 - Status Dashboard
As you can see in the dashboard i waited for 5 mins but the connection didn't got disconnected.
Any suggestion is welcome. -
This should be "Interim".
If you want to see what's happing in a somewhat readble way, stop the radiusd process here :
Go to console or SSH, option 8 and type
radiusd -X -
@Gertjan Thanks for your reply.
I had tried Interim earlier as well, i formatted my virtual machine and did all the configurations once more, and use interim this time again, but alas the result was still same, i could still login 3 devices, using the config as below
DEFAULT Simultaneous-Use := 2 | Fall-Through = YesThereafter i tried using
radiusd -X >> test.logand recorded everything into this file, i have uploaded a copy of it at https://pastebin.com/ntTaS6Ah
I have a feeling that my line in the configuration is not being interpreted by the executable in some way.
I had read in the docs at this page that when terminating the connection, i would receive a line in the logs likeradiusd[3206]: Multiple logins (max 1) : [testuser/testpw] (from client testing port 10)but it isn't present.
-
@anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.:
i have uploaded a copy of it at https://pastebin.com/ntTaS6Ah
Oops.
I think I know how FreeRadius works when it applies "Simultaneous-Use".
I can see it loading : two sql (!) queries when it start ups.
I'm using the mysql module. And a MySQL (MariaDB) server on my LAN.I don't know if and how FreeRadius has implemented "Simultaneous-Use" when it uses it's own file based "booking-keeping" system.
@anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.:
radiusd[3206]: Multiple logins (max 1) : [testuser/testpw] (from client testing port 10)
but it isn't presen
That normal.
FreeRadius2 is ancient. and was used long, long time ago. The doc on that page can be scrapped entirely.
pfSense uses Freeradius3. -
Installed mysql server on the firewall itself, and followed the same settings, still it doesn't work. I have however created a patch for captiveportal.inc to do the job in file based system. But i would still want to learn if there is a in-built actual proper way to do it with mysql as well.
-
When "sql" is used, the test.log should confirm this :
@anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.:
radiusd -X >> test.log
You'll be seeing lines being loaded at startup like :
including configuration file /usr/local/etc/raddb/mods-enabled/sql including configuration file /usr/local/etc/raddb/mods-config/sql/main/mysql/queries.conf including configuration file /usr/local/etc/raddb/mods-enabled/sqlcounter including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf .......... .......... simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"which are used for connection counting.
These
(0) files: users: Matched entry DEFAULT at line 1 (0) files: users: Matched entry DEFAULT at line 387 (0) files: users: Matched entry x at line 390Line 1 :
DEFAULT WISPr-Redirection-URL := "https://www.google.com/" Fall-Through = Yesand line 387 :
DEFAULT Simultaneous-Use := 2 Fall-Through = YesLine 390 : my user :
"x" Cleartext-Password := "x"When the user logins in, using this option in the portal settings :
the number of connected users is counted :
(10) sql1: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'x' AND acctstoptime IS NULLand it's the result of this query that is used against "Simultaneous-Use".
( I guess )
