Captive Portal Bandwidth-Max-Up Down Radius
-
Hello everyone, I can't set my captive portal to limit bandwidth per specific user. I have an Active Directory server and have installed the NPS service on it. Authorization by NPS works fine, but I can't limit bandwidth by users or groups in Active Directory. Can anybody help?
I have found https://github.com/pfsense/pfsense/blob/master/src/usr/share/doc/radius/dictionary.pfsense but I don't know how to add this to NPS or where we write the bandwidth limits per user.
-
@dochy said in Captive Portal Bandwidth-Max-Up Down Radius:
Active Directory
You've used "Authenticating from Active Directory using RADIUS/NPS" as a guideline?
I presume that these attributes https://github.com/pfsense/pfsense/blob/master/src/usr/share/doc/radius/dictionary.pfsense have to be added to Active Directory and set to the correct values.
Checking can be done with Troubleshooting NPS.
-
@Gertjan According to this guide, am I configured correctly? Here I write 2048 as a speed limit.
Also, as I understand it, this 2048 speed limit is for all pfSense captive portal users. How can I limit the rate for a specific user, e.g. user A 2 mbits, user B 10 mbits and so on?
-
@dochy
I've never used "Active Directory" myself.
-
@Gertjan OK, have you used the captive portal RADIUS pfSense-Bandwidth-Max-Up and pfSense-Bandwidth-Max-Down attributes with any authentication system? It would be nice if I could use these attributes with FreeRADIUS through Active Directory or directly with Active Directory. In my organization we have many users in the Active Directory service and I should control the bandwidth of each user by groups or something like that.
-
@dochy said in Captive Portal Bandwidth-Max-Up Down Radius:
have you used the captive portal RADIUS pfSense-Bandwidth-Max-Up and pfSense-Bandwidth-Max-Down attributes with any authentication system?
Yes.
This captive portal setting is not used :
I've a test user, login 'x' and password 'x' set up in FreeRadius.
No bandwidth limiting.
When I use this 'x' account, I get what is available. Right now, the real limit is around 45 Mbytes / sec up and down. That limit is imposed by my very old access points.
Now, I add an up and down limit for this user 'x' :
and test again.
Sure enough, I disconnected the actual 'x' connection first, and reconnected using user login 'x'.
Result : I consider this an "it works".
Other captive portal users are not impacted.
@dochy said in Captive Portal Bandwidth-Max-Up Down Radius:
have many users in the Active Directory service and I should control the bandwidth of each user by groups or something like that.
This is what I would do if I needed to figure this out :
pfSense has a built-in authentication system, the default built-in User manager.
This one is fine for very basic "login + password" checking.
FreeRadius offers more, as you can already see in the captive portal settings page :
So, an initial identification is done, and furthermore, every minute 'accounting' is done.
This accounting is : the user id, and also, MAC address, consumed traffic and much more. All this info is sent to FreeRadius, which compares in its own 'tables' (files and/or database) the allowed (max) values.
FreeRadius sends back a 'granted' or 'refused' answer.
This handling, I want to see this in the code or scripts.
FreeRadius is already a complex animal, but I once said to myself : it can't be that hard, as nearly every ISP, phone company and whatever other access that is metered on earth is using Radius already.
So, it can be done. But this aspect is very little discussed on the Internet.
You want to know how to build a web server ? That's easy, as the day you can read (5 years ?) you can find the info on the net - a zillion times.
A mail server ? Same thing - a bit more complex, as everybody can send mail, but actually very few know what really happens, what is needed.
A domain name server (aka : DNS server) : It's actually very easy, as it is ancient technology from the seventies of the last century, and didn't really evolve since. Take note that DNS is the biggest subject where people think they know what it is, and are fully wrong.
Radius or an authentication server : ? That's a secret. Just look at the config file (sorry : the entire config folder with xxx files in it) of a Radius server. A mess.
Of course, FreeRadius is open source. Still, you need to understand what you read .... what is needed to be done.
I understand that using the source code as a manual isn't really possible for everybody. But for me it's the only sure way to find out how things are done. It can't fail, lie, can't be wrong, is easy to find.
( and better : if you think it's wrong : don't complain, change it ^^ )
Anyway : I can't tell you what pfSense actually exchanges with the type LDAP server - if pfSense sends the "pfSense-Bandwidth-Max-Up and pfSense-Bandwidth-Max-Down attributes" to the LDAP, then you could see that on the LDAP side : just check (as always !) the log.
Does it interact on it ? => Does it send a 'granted' or 'refused' back to pfSense once the "pfSense-Bandwidth-Max-Up and pfSense-Bandwidth-Max-Down" values go over the set limit ?
I use FreeRadius for one simple (stupid) reason : I wanted to know what the 'Radius' thing was.
My needs, a captive portal so I can handle Free Wifi access for a hotel, works just fine if I was using the built-in pfSense user manager.
I don't need to 'bandwidth' user or portal clients, as my 5 hotel APs are actually already limiting each user. The main WAN pipe is a 1 Gbits/sec up and down, so there is enough for everybody.
There are at the most 20 hotel clients connected at any time, as it isn't strictly needed any more these days, I've also 4G / 5G coverage.
Sorry for telling you much, and probably nothing.
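Added example, not part of any post in this thread and not pfSense, NPS or FreeRADIUS code: how the two attributes discussed above travel in a RADIUS reply as RFC 2865 Vendor-Specific attributes (type 26), and a parser for checking what a server actually returned for a given user. The vendor ID 13644 and attribute numbers 1 and 2 are assumed to match the linked dictionary.pfsense file and should be verified there; 2048 is the figure from the thread, and 10240 and the sample reply are constructed.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type that carries VSAs
PFSENSE_VENDOR_ID = 13644   # assumption: VENDOR line of the linked dictionary.pfsense
PFSENSE_ATTRS = {1: "pfSense-Bandwidth-Max-Up", 2: "pfSense-Bandwidth-Max-Down"}
NAME_TO_NUM = {name: num for num, name in PFSENSE_ATTRS.items()}

def encode_vsa(name, value):
    """One Vendor-Specific attribute holding a 32-bit integer sub-attribute."""
    sub = struct.pack("!BBI", NAME_TO_NUM[name], 6, value)  # vendor-type, vendor-length, value
    body = struct.pack("!I", PFSENSE_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def parse_pfsense_limits(attrs):
    """Walk the attribute section of a RADIUS reply; return the pfSense limits found."""
    limits, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != PFSENSE_VENDOR_ID:
            continue                      # another vendor's VSA, not ours
        sub = value[4:]
        while len(sub) >= 2:
            v_type, v_len = sub[0], sub[1]
            if v_len < 2 or v_len > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if v_type in PFSENSE_ATTRS and v_len == 6:
                limits[PFSENSE_ATTRS[v_type]] = struct.unpack("!I", sub[2:6])[0]
            sub = sub[v_len:]
    return limits

# Constructed sample: attribute section of an Access-Accept for one user.
SAMPLE_REPLY = (
    bytes([18, 4]) + b"ok"                                      # Reply-Message
    + bytes([26, 8]) + struct.pack("!I", 311) + bytes([99, 2])  # constructed VSA, vendor 311 (Microsoft)
    + encode_vsa("pfSense-Bandwidth-Max-Up", 2048)
    + encode_vsa("pfSense-Bandwidth-Max-Down", 10240)
)

if __name__ == "__main__":
    print(encode_vsa("pfSense-Bandwidth-Max-Up", 2048).hex())
    print(parse_pfsense_limits(SAMPLE_REPLY))
```

A RADIUS server without the pfSense dictionary loaded needs the same three pieces entered by hand for each user or group policy: vendor code, attribute number, and a 32-bit integer value.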