Voucher expiry

david6464

Hello,
I created 10 Hour vouchers for clients.

I realized that the person connects with the voucher, the voucher expires 10 hours.

Example :
Login at 8 a.m.
Disconnection at 9:00 a.m. (with the logout button)
Connection at 8 p.m. voucher expired.

Is there a solution for the voucher to be valid for 7 days?

thank you beforehand

FSC830

There is something wrong:
From 8.00 a.m. to 8.00 p.m. it is 12 hours, not 10!?
So voucher should expire 6.00 p.m. (8.00 a.m. to 6.00 p.m. are 10 hours).

If you need a 7 day voucher you need to create a roll with 7 day validity.

Regards

david6464

Hello,
I have customers who stay 1 week in my hotel, I give them a 10H voucher.
Currently as soon as a user connects 10 hours later the voucher expires even if my client clicks on disconnect.

I would like the voucher to be valid for 1 week but that it can only be used 10 hours a week.
Example:
Monday he uses the internet from 10 to 11 a.m.
Tuesday 10 a.m. to 12 p.m.
Wednesday no connection
Thursday 9 a.m. to 12 p.m.
Friday 2:30 p.m. to 3 p.m.
Saturday 12 p.m. to 2 p.m.
Sunday 4 p.m. to 5.30 p.m.

Gertjan

@david6464 said in Voucher expiry:

I have customers who stay 1 week in my hotel, I give them a 10H voucher.
Currently as soon as a user connects 10 hours later the voucher expires even if my client clicks on disconnect.
I would like the voucher to be valid for 1 week but that it can only be used 10 hours a week.

Vouchers : as soon as you use them, the counter starts. NO way to stop it.
So vouchers is not what you want.

The FreeRadius can do what you want :

You probably have to add an "Expiration Date" for each created user. Other wise, the login would be available the very next week (maybe this is not an issue).
The other settings, "one week" and "600 minutes" are always the same.

Set the captive portal Idle time-out to a low value, like 15 minutes or so.

I would probably write some scripts myself that 'creates' a FreeRadius user with the needed settings

The scripts should generate a login user name and password, and an expiry date, and write them to the pfSense / Freeradius config. Use the (see image below) page below.
Also add the 'weekly' and '600 minutes'.

And a time based (ones a day ?) script that runs and purges all users that have an expiry date that is passed.

Or : no script writing, and do things manually : visit the FreeRadius

yourself and create a user.

david6464

Thanks, I'll try that and get back to you.

david6464

Good morning,

I just tried, I can connect with the user fine. on the other hand when the time is exceeded, the user can reconnect.

Looking on the internet the pfsense will not handle the Max-Daily-Session.

Do you have a solution?

Gertjan

@david6464 said in Voucher expiry:

I just tried, I can connect with the user fine. on the other hand when the time is exceeded, the user can reconnect.
Looking on the internet the pfsense will not handle the Max-Daily-Session.

Don't look on the Internet ...Look at the device you use ;)

I've created a a user "001" with a 'password'.

Under FreeRadius, for this '001' user, I set this :

and nothing more.

Then, "because I love real time colored logs that show all the details", I de activated FreeRadius in the GUI :

and I entered the console, my favorite, option 8.

I started 'radiusd' (the name of the process) manually with the 'run from command line option '-X') :

radiusd -X

Some serious login scolls over the screen.
I advise you to have your session written to disk for later analyses.

I used my phone to login onto my captive portal, using the user '001' and password.
I succeeded.

I waited 10 minutes.

After 10 minutes, I saw this in the pfSense portal logs :

and on the command line (console) I saw this :

I took my phone, and yes, no more 'wifi' connection.

I tried to login again with the '001' user :
I saw this :

and on my phone I saw this ;

I was unable to login. And that's ok - my ten minutes where over for today.

I do presume that I will be able to login again when my 'cron tasks' reset the daily counters : the first line, where I reset the daily counter at 12h00' or 'noon' :

Be warned : I don't know why it works for me ;)
I do remember that I was messing around with radius for weeks if not months, just to get the impression that I was starting to understand how it works ...
Radius is hard. FreeRadius is better. Documentation is ...... strange. And this is understanable, as many use web servers, DNS servers and mail servers.
But very few use (so document) radius stuff.

edit 2023-02-17 : I mentioned cron above.
That was wrong.
Daily, or weekly, or monthly session time usage is pure SQL (for me) based.
The counter starts running as soon as the user logs in.

I saw this in the SQL log upon initial login :

SELECT SUM(acctsessiontime - GREATEST((1676588400 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '001' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1676588400';
INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '001', 'climat', 'Access-Accept', '2023-02-17 10:52:39.225078' );

This tells me that first, with the "SELECT SUM" etc the total session time is generated for 'today'.
Btw : the unix time stimp = 1676588400 = 2023-02-17 at 0:00 AM = the start of the day ( ? )

Then this test is redone every 60 seconds, because

( snip of my captive portal settings )

When the users '001' total session time exceeds my '600' seconds (daily), I see this :

SELECT SUM(acctsessiontime - GREATEST((1676588400 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '001' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1676588400';
INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '001', 'climat', 'Access-Reject', '2023-02-17 11:36:49.858247' );

The Reject is correct because I can check the SELECT SUM blabla SQL request for myself (I'm using phpmyadmin on my NAS), so I can check this SQL sequence myself.
It returned '603' that that's just above '600' : FreeRadius return a Reject and I was disconnected.

david6464

Good morning,
on the level of the logs I have the same thing
after 10 min I get disconnected, however if I put the login and password back it reconnects well.

Can you give me your version of PFSENSE

Can you send me screenshots of your captive portal and freeradius config?

TXH

Gertjan

@david6464 said in Voucher expiry:

Can you send me screenshots of your captive portal and freeradius config?

Of course.
But before we compare apples with oranges, I'll describe my setup.
I have a dedicated 192.168.2.1/24 captive portal network interface.
I'm using the "https" access with known signed certs - I use acme.sh - this isn't related to your question I guess.
I'm using my own login and error page, just to add some logos etc - the internal html is identical ti the build in pages.

The auth server settings page :

FreeRadius :
I have a bunch of users :

Most of them have only there 'name' and password set.
User '001' has a daily limit of 600 seconds.

Keep in mind : I use Radius, but are not really bit counting, are rate limiting, or whatever.
I'm not selling my access, and I don't have to educate kids or so.
My portal has one rule : if it works for you, then that's fine.
If it doesn't, then you (the portal user) has an issue - not me ;)

The MACs page is empty.

Note : the FreeRadius cert was auto generated ? I don't remember any more. The Youtube => Netgate FreeRadius movies will help you.

Note 192.168.1.33 is my Synoloy NAS with the SQL server.

The last 3, LDAP View Config and XMLRPC Sync are not used by me.

Last image : My Mariadb (SQL) database with the tables.

Note : keep in mind : The pfSense FreeRadius package is a partial implementation of what FreeRadius can really do.
A lot is hard coded in the FreeRadius config, as bringing them to the GUI would be ..... mission impossible.
To understand what I mean look here : /usr/local/etc/raddb/ and have a look at
ALL the files and ALL the files in ALL the sub folders.

The main file is /usr/local/etc/raddb/sites-enabled/default , it all starts there.
Most of it is purely hard coded.

FreeRadius is complicated.