User connections miscount with captive portal + freeradius
-
Hello everybody,
First off, English is not my native language so I apologize for any mistakes.
I am running pfsense 2.5.0 on my server and I am using a captive portal.
Authentication is done by a separate server running freeradius + daloradius. This server uses yet another server as a SQL database for users.
Portal configuration:
This setup works fairly well, but users seem to be connected multiple times (I've seen up to 20 connections on a single IP address).
As I would like to limit the number of connections a single user can make, this is quite troublesome.
I have already tried to change the "Send accounting updates" setting to "Stop/Start (freeRADIUS)", but it did not help.
Finally, I do not have this problem when using freeRADIUS to authenticate users on my wi-fi access points, so I am fairly sure the problem is coming from pfsense.
Do you have any idea what could be causing my problem?
Best
Argilla
-
@argilla Well,
you allowed multiple connections from the same user, so it's normal users can connect multiple times?
Try changing the setting named "concurrent user logins". It is currently set to "multiple"; change it to "first login" or to "last login".
-
How does the portal user log in?
=> to log in, user have to be collected. To do this, users are redirected to the portal's web server, so a login page shows up. These credentials are posted against the portal server, which sends them to the Radius server for checking.
When the user is authorized, a firewall rule makes the user's device (IP and MAC) totally transparent.
This means it's not 'easy' for a user to get back to the login page of the portal at this moment.
Question: is the portal user actually logged in multiple times?
Years ago, I detected in the "radacct" Freeradius table entries that seemed to be abandoned: there was a start time, but no interval updates nor a stop time.
A newer entry for the same logged in user existed.
This might be what you are seeing now.
I created this:
```php
<?php
try {
    // Connect to the FreeRADIUS accounting database
    $link = new PDO('mysql:host=radius.local.net;port=3307;dbname=radius', 'radius', 'verysecretpassword');
    // A failed connection already throws PDOException; make failed queries throw too
    $link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Delete sessions that never received a stop time and started more than 610 minutes ago
    $sql = "DELETE FROM `radacct` WHERE `acctstoptime` IS NULL and `acctstarttime` < (NOW() - INTERVAL 610 MINUTE)";
    $stmt = $link->prepare($sql);
    $stmt->execute();
    unset($stmt);
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
?>
```
When there are entries with an empty STOP time "acctstoptime" and an acctstarttime that is more than 610 minutes in the past, that entry gets deleted.
Now, these 'stray' entries get removed.
I have no more issues.
Actually, I don't recall what the issue really was.
(I should stop this cron task, see what happens)
pfSense shows the correct number of logged in users?
edit :
Can you 'debug' the radius process, like the FreeRadius3 package of pfSense?
You have to stop the radius process, and then launch it by hand:
radius -X
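
An added example, not part of the thread: it counts open radacct sessions per user and IP, then closes stale ones by stamping a stop time instead of deleting them, so the accounting history is kept. It assumes an in-memory SQLite stand-in for the MySQL table with a subset of the radacct columns, constructed rows, and a hypothetical terminate-cause label `Stale-Session-Cleanup`.

```python
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

def make_db():
    """In-memory stand-in for radacct (subset of columns, constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY, username TEXT, framedipaddress TEXT,
        acctstarttime TEXT, acctstoptime TEXT, acctterminatecause TEXT)""")
    rows = [  # constructed sample data
        ("alice", "192.168.1.10", "2021-03-01 08:00:00", None),  # orphaned
        ("alice", "192.168.1.10", "2021-03-01 09:00:00", None),  # orphaned
        ("alice", "192.168.1.10", "2021-03-02 07:30:00", None),  # live
        ("bob", "192.168.1.11", "2021-03-02 07:00:00", None),    # live
        ("bob", "192.168.1.11", "2021-03-01 10:00:00", "2021-03-01 11:00:00"),
    ]
    conn.executemany("INSERT INTO radacct (username, framedipaddress,"
                     " acctstarttime, acctstoptime) VALUES (?,?,?,?)", rows)
    return conn

def open_sessions(conn):
    """Sessions without a stop time, grouped per user and IP."""
    cur = conn.execute("""SELECT username, framedipaddress, COUNT(*)
        FROM radacct WHERE acctstoptime IS NULL
        GROUP BY username, framedipaddress ORDER BY username""")
    return cur.fetchall()

def close_stale(conn, now, max_age_minutes=610):
    """Stamp a stop time on open sessions older than the cutoff; rows are kept."""
    cutoff = (now - timedelta(minutes=max_age_minutes)).strftime(FMT)
    cur = conn.execute("""UPDATE radacct
        SET acctstoptime = ?, acctterminatecause = 'Stale-Session-Cleanup'
        WHERE acctstoptime IS NULL AND acctstarttime < ?""",
        (now.strftime(FMT), cutoff))  # label above is hypothetical
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = make_db()
    now = datetime(2021, 3, 2, 8, 0, 0)
    print("open before:", open_sessions(db))
    print("closed:", close_stale(db, now))
    print("open after:", open_sessions(db))
```
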