Netgate Discussion Forum
    Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.

    • A
      anand_phulwani
      last edited by

      Hi,
      I want to configure captive portal and freeradius in such a way that a user can use his freeradius credentials simultaneously on 2 or 3 devices as configured for the particular user.

      I have configured Captive Portal using these settings:

      1. Disable Concurrent user logins = Unchecked
      2. Authentication method = RADIUS Authentication
      3. RADIUS protocol= PAP
      4. Primary RADIUS server = 192.168.200.1 ( LAN IP of pfSense )
      5. Password = password123
      6. Send RADIUS accounting packets to the primary RADIUS server = Checked
      7. Accounting updates = Stop/Start (FreeRADIUS)
      8. Reauthenticate connected users every minute = Unchecked
      9. RADIUS NAS IP Attribute = LAN - 192.168.200.1

      And have configured FreeRadius with these

      1. Interfaces
        * 1812 auth ipaddr
        * 1813 acct ipaddr
      2. NAS / Clients
        2a. Client IP Address = 192.168.200.1
        2b. Client Shortname = captive_portal
        2c. Client Shared Secret = password123
      3. When creating a user
        3a. Username = user
        3b. Password = password
        3c. Number of Simultaneous Connections = 2

      I have tried
      DEFAULT Simultaneous-Use := 2 | Fall-Through = Yes
      as well, but it does not work.

      Any suggestions are welcome.

      • GertjanG
        Gertjan @anand_phulwani
        last edited by Gertjan

        @anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.:

        I have tried
        DEFAULT Simultaneous-Use := 2 | Fall-Through = Yes
        as well, but it does not work.

        This :

        8058b0f7-6d15-45a3-af4d-dc023b10a280-image.png

        is what I'm using for a FreeRadius User setup, and it works.
        I didn't test it recently, I'll put that on a to-do-list and report back here.

        edit :

        I set "Simultaneous-Use := 3" to "Simultaneous-Use := 2".

        It worked.

        I was able to login with the same access codes a second time.

        I saw here two logins with identical user names for a short time :

        e4bf5bc1-758c-4924-a3dd-8192aaa505f8-image.png

        But this :

        e51dbc11-7090-4b56-8325-b428357afb5f-image.png

        or this :

        668a22e8-825c-4ec1-8dcb-d1a542e7a91c-image.png

        will check "Simultaneous-Use := 2" after a less than 1 minute delay and throw out the first logged in user. The last login stays.

        Btw : "Simultaneous-Use := 2" means : only 1 allowed.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • A
          anand_phulwani @Gertjan
          last edited by anand_phulwani

          @Gertjan First of all I would like to thank you a lot. I have been reading your posts often and your posts have helped me a lot solving problems when it comes to configuring pfSense, and I thank you for replying as well.

          To begin, I had already tried and I don't know why it's not working. So I think I have two ways to sort it out:

          • Uploading images of my configuration for you to just go through, in case there is a problem.
          • If you could just give me a dump of all FreeRADIUS3 configuration files, the captive portal configuration file and config.xml dumps, so that I can cross-verify with my configuration.



          Upload of the configurations are as under:

          • 01 - Authentication Servers
            01_Authentication Servers.png
          • 02 - Captive Portal
            02_Captive Portal- office_zone- Configuration.png
          • 03 - FreeRadius - NAS / Clients
            03_FreeRADIUS-NAS-Clients.png
          • 04 - FreeRADIUS - Interfaces
            04_FreeRADIUS- Interfaces.png
          • 05 - FreeRADIUS - Users
            05_FreeRADIUS- Users.png
          • 06 - Status Dashboard
            06_Status- Dashboard.png

          As you can see in the dashboard, I waited for 5 mins but the connection didn't get disconnected.
          Any suggestion is welcome.

          • GertjanG
            Gertjan
            last edited by

            85be65c6-6651-406d-9b72-452147f0fac9-image.png

            This should be "Interim".

            If you want to see what's happening in a somewhat readable way, stop the radiusd process here :

            3a1f12b3-cea5-41d8-bbad-18c023b9aea9-image.png

            Go to console or SSH, option 8 and type

            radiusd -X
            

            • A
              anand_phulwani @Gertjan
              last edited by

              @Gertjan Thanks for your reply.

              I had tried Interim earlier as well. I formatted my virtual machine and did all the configurations once more, and used Interim this time again, but alas the result was still the same: I could still log in 3 devices, using the config as below

              DEFAULT Simultaneous-Use := 2 | Fall-Through = Yes
              

              Thereafter I tried using

              radiusd -X >> test.log
              

              and recorded everything into this file. I have uploaded a copy of it at https://pastebin.com/ntTaS6Ah

              I have a feeling that my line in the configuration is not being interpreted by the executable in some way.
              I had read in the docs at this page that when terminating the connection, I would receive a line in the logs like

              radiusd[3206]: Multiple logins (max 1) : [testuser/testpw] (from client testing port 10)
              

              but it isn't present.

              • GertjanG
                Gertjan @anand_phulwani
                last edited by

                @anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.:

                i have uploaded a copy of it at https://pastebin.com/ntTaS6Ah

                Oops.
                I think I know how FreeRadius works when it applies "Simultaneous-Use".
                I can see it loading : two sql (!) queries when it starts up.
                I'm using the mysql module. And a MySQL (MariaDB) server on my LAN.

                I don't know if and how FreeRadius has implemented "Simultaneous-Use" when it uses its own file based "book-keeping" system.

                @anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.:

                radiusd[3206]: Multiple logins (max 1) : [testuser/testpw] (from client testing port 10)

                but it isn't presen

                That's normal.
                FreeRadius2 is ancient, and was used a long, long time ago. The doc on that page can be scrapped entirely.
                pfSense uses Freeradius3.

                • A
                  anand_phulwani @Gertjan
                  last edited by

                  @Gertjan

                  Installed mysql server on the firewall itself, and followed the same settings, still it doesn't work. I have however created a patch for captiveportal.inc to do the job in the file based system. But I would still want to learn if there is an in-built actual proper way to do it with mysql as well.

                  • GertjanG
                    Gertjan
                    last edited by

                    When "sql" is used, the test.log should confirm this :

                    @anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.:

                    radiusd -X >> test.log

                    You'll be seeing lines being loaded at startup like :

                    
                    including configuration file /usr/local/etc/raddb/mods-enabled/sql
                    including configuration file /usr/local/etc/raddb/mods-config/sql/main/mysql/queries.conf
                    including configuration file /usr/local/etc/raddb/mods-enabled/sqlcounter
                    including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
                    including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
                    including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
                    including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
                    ..........
                    ..........
                    simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
                    simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
                    

                    which are used for connection counting.

                    These

                    (0) files: users: Matched entry DEFAULT at line 1
                    (0) files: users: Matched entry DEFAULT at line 387
                    (0) files: users: Matched entry x at line 390
                    

                    Line 1 :

                    DEFAULT WISPr-Redirection-URL := "https://www.google.com/" 
                     Fall-Through = Yes
                    

                    and line 387 :

                    DEFAULT Simultaneous-Use := 2 
                     Fall-Through = Yes
                    

                    Line 390 : my user :

                    "x" Cleartext-Password := "x"
                    

                    When the user logs in, using this option in the portal settings :

                    5a1fc198-7d94-487d-85e5-883f4442403f-image.png

                    the number of connected users is counted :

                    (10) sql1: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'x' AND acctstoptime IS NULL
                    

                    and it's the result of this query that is used against "Simultaneous-Use".

                    ( I guess )

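An added illustration (not part of the thread, and not FreeRADIUS or pfSense code) of the count check the last post describes: the `simul_count_query` shown above is run against a constructed in-memory `radacct` table, once with no accounting rows arriving and once with a row per accepted login. The reduced table layout, the helper names, the sample sessions and the accept-while-below-the-limit comparison are assumptions made for the example.

```python
import sqlite3

# simul_count_query from the page, with %{SQL-User-Name} as a bound parameter.
SIMUL_COUNT_QUERY = ("SELECT COUNT(*) FROM radacct "
                     "WHERE username = ? AND acctstoptime IS NULL")

def make_db():
    """In-memory stand-in for radacct, reduced to the columns used here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (acctsessionid TEXT PRIMARY KEY, "
               "username TEXT, callingstationid TEXT, acctstoptime TEXT)")
    return db

def acct_start(db, session_id, user, mac):
    """Accounting Start: opens a session row with no stop time."""
    db.execute("INSERT INTO radacct VALUES (?, ?, ?, NULL)",
               (session_id, user, mac))

def acct_stop(db, session_id, when):
    """Accounting Stop: sets acctstoptime, so the row no longer counts."""
    db.execute("UPDATE radacct SET acctstoptime = ? WHERE acctsessionid = ?",
               (when, session_id))

def open_sessions(db, user):
    return db.execute(SIMUL_COUNT_QUERY, (user,)).fetchone()[0]

def login_allowed(db, user, simultaneous_use):
    # Assumption: a login is accepted while open sessions are below the limit.
    return open_sessions(db, user) < simultaneous_use

def demo():
    results = {}
    # Case 1: accounting never reaches the table, so the count stays at 0
    # and the limit can never trigger.
    db = make_db()
    results["no_accounting"] = [login_allowed(db, "x", 2) for _ in range(3)]
    # Case 2: every accepted login writes an Accounting Start row.
    db = make_db()
    macs = ["aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"]  # constructed
    decisions = []
    for n, mac in enumerate(macs):
        ok = login_allowed(db, "x", 2)
        if ok:
            acct_start(db, f"s{n}", "x", mac)
        decisions.append(ok)
    results["with_accounting"] = decisions
    # Case 3: a Stop for the first session frees one slot again.
    acct_stop(db, "s0", "2025-01-01 00:10:00")
    results["open_after_stop"] = open_sessions(db, "x")
    results["allowed_after_stop"] = login_allowed(db, "x", 2)
    return results

if __name__ == "__main__":
    print(demo())
```

When a limit appears to be ignored, running the count query by hand against the live `radacct` table shows whether Start rows are being written at all and whether stale rows without a stop time are inflating the count.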
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.