Freeradius simultaneous-use assistance
-
Hi
I have been battling with simultaneous-use for weeks and cannot get it working.
What I have setup/configured so far.
- pfSense with Freeradius (no captive portal) standard setup
- Unifi UAP/LR AP configured with authentication on port 1812 and accounting on port 1813
- A user created with simultaneous-use = 1
I can authenticate to Freeradius successfully with the username, but I am also able to connect at the same time with the same username on another device.
I have tried Apple and Android.
Is there something that I am missing because it "seems so simple"?
TIA
-
Anyone?
-
@getafix said in Freeradius simultaneous-use assistance:
"seems so simple"
Everything is simple as soon as you know 'how it works'.
I just know enough to say that I know close to nothing.
I'm using the FreeRadius package to authenticate and account my captive portal users.
A user created with simultaneous-use = 1
Where did you enter this info ?
Did you look up what the syntax is ??
Yours looks wrong to me.
I have
for a user, in the Users tab of the FreeRadius settings.
When you start to work with FreeRadius, you should work like this :
Stop the FreeRadius process in the GUI :
Enter console, or better, SSH, option 8, and use now this command :
radiusd -X
You'll see a lot of lines.
Important : use an ssh client and set it up so these log lines are buffered and stored in a file. You'll be needing them.
The logging will pause when you reach this point :
......
Listening on acct address * port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18127 bound to server inner-tunnel-ttls
Listening on auth address 127.0.0.1 port 18128 bound to server inner-tunnel-peap
Ready to process requests
Now, FreeRadius is waiting for 'things to do' like 'identification' or 'accounting' events.
Periodically, you see a sequence of +/- 30 lines passing by, this is the handling of an event.
Your mission : you have to 'globally' understand what it does, and why it is doing so.
Without this knowledge, it's like flying a plane, without the license.
To get back to the question :
See the image above. That's what needs to be entered for a user. But I'm not really testing the "Simultaneous-Use" right now, I can't assure that it even works. I know the syntax is right.
Again "=" is not the same as ":=" as the first is a comparison and the other an assignment (probably, can't remember).
Btw : there is a plan B : forget about the GUI pfSense settings.
Go to the underlying "scratch pad files" that FreeRadius uses : the SQL database.
Most of the tables are empty, and could be used like this (example) :
This is where I inform Freeradius that user 'b' has a password that is 'b'.
Keep in mind that the implementation of Freeradius in pfSense is only partial, at best.
Setting up a Radius server/process is complex, as it has a lot of options.
How to set up radius is less known or documented on the Internet, as only the 'real' admins know how to do so. These guys do not communicate their expertise, as it is way too difficult for the common mortals. There is a steep learning curve, which can't be short cut with 'a click'.
But : our Internet connection, our mobile phones, they all use radius to grant access to resources. Which means that half the planet is using Radius right now.
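-
Added example, not part of any post in this thread: a small Python helper that reads a saved `radiusd -X` capture, groups the lines by request number, and shows which requests arrived (authentication on 1812, accounting on 1813) and how often one user was accepted. The log text is constructed sample data in the style of FreeRADIUS 3.x debug output; the line format and the names `summarize` and `accepts_per_user` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the style of FreeRADIUS 3.x `radiusd -X` output (not from the thread).
SAMPLE_LOG = '''\
Ready to process requests
(0) Received Access-Request Id 17 from 192.0.2.10:40112 to 192.0.2.1:1812 length 171
(0)   User-Name = "b"
(0)   Calling-Station-Id = "AA-BB-CC-00-00-01"
(0) Sent Access-Accept Id 17 from 192.0.2.1:1812 to 192.0.2.10:40112 length 0
(1) Received Accounting-Request Id 18 from 192.0.2.10:40113 to 192.0.2.1:1813 length 140
(1)   User-Name = "b"
(1)   Acct-Status-Type = Start
(1) Sent Accounting-Response Id 18 from 192.0.2.1:1813 to 192.0.2.10:40113 length 0
(2) Received Access-Request Id 19 from 192.0.2.10:40114 to 192.0.2.1:1812 length 171
(2)   User-Name = "b"
(2)   Calling-Station-Id = "AA-BB-CC-00-00-02"
(2) Sent Access-Accept Id 19 from 192.0.2.1:1812 to 192.0.2.10:40114 length 0
'''

# "(N) Received|Sent <Packet-Type> Id ..." marks the start and end of one event.
PACKET = re.compile(r'^\((\d+)\)\s+(Received|Sent) ([A-Za-z-]+) Id \d+')
# "(N)   Attribute = value" lines carry the attributes of the received packet.
ATTR = re.compile(r'^\((\d+)\)\s+([A-Za-z0-9-]+) = "?([^"]*)"?$')

def summarize(log_text):
    """Group debug lines by request number; return one dict per request."""
    reqs = defaultdict(dict)
    for line in log_text.splitlines():
        m = PACKET.match(line)
        if m:
            key = 'request' if m.group(2) == 'Received' else 'reply'
            reqs[int(m.group(1))].setdefault(key, m.group(3))
            continue
        m = ATTR.match(line)
        # Only record attributes seen before the reply was sent.
        if m and 'reply' not in reqs[int(m.group(1))]:
            reqs[int(m.group(1))].setdefault(m.group(2), m.group(3))
    return [{'n': n, **reqs[n]} for n in sorted(reqs)]

def accepts_per_user(events):
    """Count Access-Accept replies per User-Name."""
    counts = defaultdict(int)
    for e in events:
        if e.get('reply') == 'Access-Accept':
            counts[e.get('User-Name')] += 1
    return dict(counts)

if __name__ == '__main__':
    for event in summarize(SAMPLE_LOG):
        print(event)
    print(accepts_per_user(summarize(SAMPLE_LOG)))
```

To use it on a real capture, pass the contents of the file your SSH client saved to `summarize()` instead of `SAMPLE_LOG`.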