Netgate Discussion Forum

    Multiple login limits for captive portal voucher system
    Captive Portal
    21 Posts 3 Posters 869 Views
    ajmaltms

      Hi, is there an option in the voucher system with captive portal functionality that allows the same voucher to be used for different MAC addresses a limited number of times?
      For example, a voucher code can be used 2 or 3 times for different MAC addresses; after that it's not possible.
      Gertjan @ajmaltms

        @ajmaltms

        Fast answer for the common mortals:
        Noop.
        You have 3 or 4 choices, like the first (and only) user, the last logged-in user (and the previous one gets ditched), every user that is using the code, and ... some other option.

        AFAIK, FreeRADIUS could handle such a situation.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??
        Dmc @Gertjan

          @Gertjan said in Multiple login limits for captive portal voucher system:

          every user that is using the code

          ahaha, I was thinking of posting a similar thread in hopes you'd reply on it. Glad the question was answered.

          Very new to pfSense, RADIUS and networking in general but trying my best to learn quickly.

          So based on what I've read on the thread and YouTube tutorials, using the "default"/basic configurations there are only three options: 1) first, 2) last, 3) multiple, so either way it's unlimited users or a single user.

          In order to achieve a custom limitation of "n" machines connected per user (i.e. 2 - laptop + phone), I would need to set up FreeRADIUS from the Free Packages tab, configure it with the certificates AND THEN create a user within the RADIUS authentication which has the "Number of Simultaneous Connections" option - am I on the right path sir?

          Hmm, appears it's been discussed here as well:
          https://forum.netgate.com/topic/188491/limit-users-in-the-number-of-login-to-the-captiveportal/3
          Gertjan @Dmc

            @dmchavoc

            I have a captive portal user defined in FreeRADIUS called "cuisine":

            [screenshot]

            Subsequent entries on that page are all default.
            But, at the bottom, I have for this user:

            [screenshot]

            I'm not sure right now if this really works, I haven't tested it for a long time.
            To test, I need 4 devices.
            Connect every device to the portal using the login cuisine and its password.
            When connecting device 5, FreeRADIUS should 'refuse'.
            Dmc @Gertjan

              @Gertjan Thank you, I will give it a try. I've been spending time customizing the src to include a countdown and an option to update the password within the captive portal..... hopefully it'll update the RADIUS user password rather than the "regular user".

              QuickQuestion - would I need to type in this configuration each time I add a user in the RAD? :/
              Gertjan @Dmc

                @dmchavoc said in Multiple login limits for captive portal voucher system:

                option to update the password within the captive portal..... hopefully it'll update the RADIUS user password rather than the "regular user"

                Noop.
                The pfSense System > User Manager > Users
                and
                Services > FreeRADIUS > Users
                are different lists, and have to be maintained separately.

                You can check the "flat file" that is used to indicate the allowed FreeRADIUS users:
                See for yourself: Services > FreeRADIUS > View Configuration and click on the Users button.

                Or look here: /usr/local/etc/raddb/mods-config/files/ and check out the 4 files you find there.
                Look in all the files you can find in /usr/local/etc/raddb/ and all sub folders.
                (Now you start to understand what FreeRADIUS is ..... don't worry, I see you running 👍 I did the same thing)

                @dmchavoc said in Multiple login limits for captive portal voucher system:

                QuickQuestion - would I need to type in this configuration each time I add a user in the RAD? :/

                Maybe not. Can't remember.
                If you declare:

                [screenshot]

                for the very first user in the file, and you can omit the "Fall-Through = Yes" and that "Simultaneous-Use" for the rest of the file, unless set to another value.
                You test, and you tell me ^^, (and answer yourself while doing so)
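The users-file pattern described in the post above (a Simultaneous-Use check item on the first entry plus Fall-Through = Yes, so the entries after it inherit the limit unless they set their own) is easy to get wrong, because rlm_files stops at the first matching entry unless that entry falls through. What follows is an added example, not code from this thread or from the pfSense FreeRADIUS package: a small Python model of that lookup run over a constructed users file. The user names, password strings, the DEFAULT entry and the NAS address in the sample are assumptions chosen for the illustration; the rules modelled (":=" sets a control attribute, "==" must match the request, DEFAULT matches any user, Fall-Through = Yes continues to later entries) are the documented rlm_files behaviour, reduced to what this thread needs.

```python
"""Resolve the effective Simultaneous-Use limit from a FreeRADIUS 'users' file.

Added example, not code from the thread or from the pfSense FreeRADIUS
package. It models a subset of rlm_files: entries are tried top to bottom,
DEFAULT matches any user, ':=' check items set control attributes, '=='
check items must match the request, and processing stops at the first
matching entry unless it carries 'Fall-Through = Yes'.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, not the file the pfSense package generates.
SAMPLE_USERS_FILE = """
# One DEFAULT entry sets the limit for everyone and falls through,
# so the per-user entries below only need to override it.
DEFAULT Simultaneous-Use := 2
        Fall-Through = Yes

cuisine Cleartext-Password := "constructed-secret", Simultaneous-Use := 4
        Session-Timeout = 3600

guest   Cleartext-Password := "constructed-guest", NAS-IP-Address == 192.0.2.1
        Session-Timeout = 600
"""

ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^\s,]+)\s*,?')


def parse_items(text: str) -> List[Tuple[str, str, str]]:
    """Turn 'A := "x", B == y' into [(attr, op, value), ...]."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users_file(text: str) -> List[dict]:
    """Split the file into entries: a name line with check items, then
    indented reply-item lines belonging to that entry."""
    entries: List[dict] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1]["reply"].extend(parse_items(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
    return entries


def resolve(entries: List[dict], user: str,
            request: Optional[Dict[str, str]] = None
            ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (control, reply) attribute dicts for a user, honouring Fall-Through."""
    request = request or {}
    control: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for e in entries:
        if e["name"] not in ("DEFAULT", user):
            continue
        # '==' items are comparisons against the request; a mismatch skips the entry.
        if any(op == "==" and request.get(a) != v for a, op, v in e["check"]):
            continue
        for a, op, v in e["check"]:
            if op == ":=":
                control[a] = v
        fall_through = False
        for a, op, v in e["reply"]:
            if a == "Fall-Through":
                fall_through = v.lower() == "yes"
            else:
                reply[a] = v
        if not fall_through:
            break
    return control, reply


def simultaneous_use_limit(entries: List[dict], user: str,
                           request: Optional[Dict[str, str]] = None) -> Optional[int]:
    """Effective Simultaneous-Use for the user, or None if no entry sets one."""
    control, _ = resolve(entries, user, request)
    return int(control["Simultaneous-Use"]) if "Simultaneous-Use" in control else None


if __name__ == "__main__":
    entries = parse_users_file(SAMPLE_USERS_FILE)
    for u in ("cuisine", "guest", "nobody"):
        print(u, simultaneous_use_limit(entries, u, {"NAS-IP-Address": "192.0.2.1"}))
```

Putting the limit on a DEFAULT entry that falls through is the usual way to avoid retyping it for every user, which is the "would I need to type in this configuration each time" question. Resolving the limit is only half of the job, though: FreeRADIUS enforces it in the session section of the virtual server, from a session store (radutmp or SQL) that only knows about sessions the NAS has reported through accounting packets.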
                Dmc @Gertjan

                  @Gertjan

                  Hello Hello,

                  Sorry for the late response, I went down a deep rabbit hole of setting up the custom captive portal with its authentications and a logout page that shows a countdown and a successful disconnection - thanks to all your contributions.

                  Now I am back to the main goal, limiting devices per user. I tried to use the code you shared but I do not appear to have any luck. It appears to be an enforcement issue for accounting. Based on your other discussions, I'm getting the sense that maybe it has something to do with the SQL (which I have not set up).

                  Could you please share your SQL settings with me? Whenever I enable SQL and input the default settings then authentication starts to fail on the captive portal.

                  So I'm pretty lost, I feel like I'm missing something essential in setting up the RADIUS itself :/
                  Gertjan @Dmc

                    @Dmc said in Multiple login limits for captive portal voucher system:

                    Could you please share your SQL settings with me? Whenever I enable SQL and input the default settings then authentication starts to fail on the captive portal.

                    Default SQL settings:

                    [screenshot]

                    with a notable difference:
                    pfSense isn't a SQL server.
                    So the address can't be 'localhost' or 127.0.0.1. I've chosen 192.168.1.33, as that is my NAS, on which I installed SQL support. On this SQL server you have to create a database with the name "Database Table Configuration".
                    You don't have to do this manually. There is an SQL script that does this for you: see here: /usr/local/etc/raddb/mods-config/sql/main/mysql
                    Be aware: when you read these files, you should know what to do. If you don't .... you don't know what SQL is/does etc.

                    Even with SQL activated, the FreeRADIUS pfSense package doesn't make use of all the features. A lot of stuff is hard coded. For example the login user names and passwords are still file based (on pfSense). This can be changed, but that means you have to change the pfSense FreeRADIUS package files, which generate the needed config files, one of them being /usr/local/etc/raddb/sites-enabled/default
                    RADIUS is .... great to set up if you really have nothing else to do. RADIUS is huge. It's one of the world's best-known pieces of software (we all use it without knowing it) and it's also one of the world's least-known. Not something you do in a lost afternoon.
                    Dmc @Gertjan

                      @Gertjan

                      Hmm, I'm confused. Are you suggesting that I do not need to set up SQL for the FreeRADIUS accounting policies/device restrictions to work?

                      Or do I need to set up SQL for it to work?

                      I've hit the peak of my understanding of all this networking knowledge, I'm a CPA by trade trying to make sense of all this. I am convinced it has something to do with how I set up my RAD, which is why it is not accepting the device restrictions.

                      This is all so frustrating, I spent so much time customizing all the other elements of pfSense that I left the most important factor out.

                      thanks Gertjan
                      Dmc @Dmc

                        @Gertjan
                        P.S. you're spot on about the resources available for RADIUS. I was pulling my hair out in frustration over the limited guides and discussions available on RADIUS, especially when it ought to be readily available since it has so many applications. My initial thought was perhaps the community did not want its trade secrets out or was just not supportive. And then I came across pfSense, for which I've been more than grateful for each discussion post, exponentially expanding my knowledge.

                        I plan to share my logout and login pages with the countdown timer and disconnect since it's such a highly requested topic on here - will probably DM you on the proper etiquette to do so.
                        Dmc @Dmc

                          @Gertjan

                          Okay, I gave myself a crash course on how to access SSH and its commands.

                          P.S. thanks for pointing towards the raddb directory and the subfolders - it gave me a lot more insight on how the RADIUS server is operating and all the talk about flat files and hard-coded.

                          So based on all the diagnosis I could run, I've concluded that the radutmp file is communicating properly and is logging all information.

                          SQL does not appear to be required at this stage either. The issue lies within FreeRADIUS not enforcing the Simultaneous variable based on the radutmp, which itself I believe is collecting information from the users file in /usr/local/etc/raddb/ or in some sort of manner.

                          I ran radiusd -X in the SSH but I keep getting the same error:

                          Failed binding to auth address 127.0.0.1 port 18128 bound to server inner-tunnel-peap: Address already in use
                          /usr/local/etc/raddb/sites-enabled/inner-tunnel-peap[3]: Error binding to port for 127.0.0.1 port 18128

                          Initially I was getting this error on port 18127 - I reinstalled the FreeRADIUS package and then it shifted to 18128 .... any thoughts? :/

                          I also attempted to change the NAS, authentication and interface ports to 10.10.10.1 (my LAN) which also did not give me any luck - that's where I actually troubleshot the issue - despite changing the IP to 10.10.10.1 the IP/port for both the inner tunnel files remained the same 127.0.0.1.

                          I since changed it back to 127.0.0.1 from 10.10.10.1 but no luck.

                          I've read on other forums that I should stop and restart the RADIUS. I've done that multiple times, I even used kill, I also attempted to give it a random port; even with that it consistently says the port is bound.

                          I think this is why it's not enforcing the simultaneous connection requests - maybe
                          Gertjan @Dmc

                            @Dmc said in Multiple login limits for captive portal voucher system:

                            Failed binding to auth address 127.0.0.1 port 18128 bound to server inner-tunnel-peap: Address already in use
                            /usr/local/etc/raddb/sites-enabled/inner-tunnel-peap[3]: Error binding to port for 127.0.0.1 port 18128

                            Initially I was getting this error on port 18127 - I reinstalled the FreeRADIUS package and then it shifted to 18128 .... any thoughts? :/

                            You've tried using plain default settings?
                            Like:
                            [screenshot]

                            And the client (pfSense user manager) side:

                            [screenshot]

                            Btw: beware that 10.10.10.1 is also used by default by pfBlockerNG - so be careful with that one.
                            Dmc @Gertjan

                              @Gertjan [screenshots: Interfaces.PNG, NAS.PNG, Auth Server.PNG]

                              Here's my settings - I believe they're identical.

                              So, I also attempted to delete the raddb files after uninstalling the package and reinstalling. The error moved to port 1812.... I reinstalled again and it moved to 18127 instead of 18128. I feel like I'm going in circles. Is this even relevant?

                              Failed binding to auth address 127.0.0.1 port 18127 bound to server inner-tunnel-ttls: Address already in use
                              /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls[3]: Error binding to port for 127.0.0.1 port 18127
                              Gertjan @Dmc

                                @Dmc said in Multiple login limits for captive portal voucher system:

                                Failed binding to auth address 127.0.0.1 port 18127 bound to server inner-tunnel-ttls: Address already in use

                                By whom? Ask pfSense!

                                [24.11-RELEASE][root@pfSense.bhf.tld]/root: sockstat -4 | grep 'radiusd'
                                root     radiusd    33785 8   tcp4   192.168.1.1:14796     192.168.1.33:3307
                                root     radiusd    33785 11  tcp4   192.168.1.1:57128     192.168.1.33:3307
                                root     radiusd    33785 20  udp4   127.0.0.1:18128       *:*
                                root     radiusd    33785 21  udp4   *:1812                *:*
                                root     radiusd    33785 22  udp4   *:1816                *:*
                                root     radiusd    33785 23  udp4   *:1813                *:*
                                root     radiusd    33785 24  udp4   127.0.0.1:18127       *:*

                                Even if this port '18127' isn't set anywhere in the GUI FreeRADIUS settings, it is used (hard coded) for the TLS 'inner' tunnel:

                                grep -R '18127' /usr/local/*

                                so if you use these also in your GUI settings then I can understand the error.

                                Also, your one and only different setting:

                                I have:
                                [screenshot]

                                192.168.2.1 as the "Client IP" - an interface I use for my captive portal, the one using (indirectly) FreeRADIUS.
                                You have "127.0.0.1" there ... what happens when you use a LAN interface?
                                Dmc @Gertjan

                                  @Gertjan

                                  So I did try using the LAN address in the past which did not appear to have made any impact. I also updated the NAS and Auth IP to 192.16.2.1 - same results. It appears to say 18128 is already bound.

                                  Based on your recommendation on exploring the RADIUS files, I had also found it hard-coded in the peap files - thanks for pointing me in that direction.

                                  When I run the stat command, I get the following:

                                  Failed binding to auth address 127.0.0.1 port 18128 bound to server inner-tunnel-peap: Address already in use
                                  /usr/local/etc/raddb/sites-enabled/inner-tunnel-peap[3]: Error binding to port for 127.0.0.1 port 18128
                                  [2.7.2-RELEASE][admin@comencenet.comence.io]/root: sockstat -4 | grep 'radiusd'
                                  root     radiusd    43508 14  udp4   127.0.0.1:18128       *:*
                                  root     radiusd    43508 15  udp4   127.0.0.1:18127       *:*
                                  root     radiusd    43508 16  udp4   *:1812                *:*
                                  root     radiusd    43508 17  udp4   *:1813                *:*
                                  root     radiusd    43508 18  udp4   *:1816                *:*

                                  This is where I'm getting puzzled, I do not have anything bound to 18128 or 18127 anywhere in the GUI. I also ran the code to find any instances of 18128 within the firewall and it was only found once each in their respective peap files.

                                  Now, I'm starting to wonder if I have two instances installed/running which is resulting in the conflict.

                                  Also, another thought - for my captive portal - should I have it First Login, Disabled or multiple? Previously I had set it as multiple and obviously the users were being permitted. So I thought next to set it to first and disabled.
                                  Something interesting happened - I was not redirected to my "authentication failed" page - instead it was just a blank page. But internet access was not granted by the captive portal.

                                  I had set the simultaneous connection as 1 on my RADIUS, which granted a successful login despite being set to 1 connection. So, I suppose my RADIUS is the one that continues to fail?

                                  Also, assuming it worked properly, should user login be set to multiple or first?
                                  [screenshot]
                                  Dmc @Dmc

                                    Based on your comment

                                    I am suspecting that file-based accounting is not successful for FreeRADIUS on pfSense. I must use SQL?

                                    https://forum.netgate.com/post/905308
                                    Dmc

                                      Alright, well I learned how to install the SQL package directly on pfSense rather than installing it externally.

                                      God bless this post:
                                      https://forum.netgate.com/topic/96893/howto-captive-portal-freeradius-local-mysql-user-friendly-single-step/124

                                      It walked me through how to enable it on the back-end and also provided the basic configurations and detailed steps.

                                      I have set up SQL and authentication appears to work, as well as all the attributes. However, I'm still getting the 18128 error code when running the diagnostic on radiusd -X

                                      AND, the accounting doesn't appear to be enforced...
                                      sigh..
                                      Dmc

                                        @Gertjan

                                        sockstat | grep 18128
                                        netstat -an | grep 18128

                                        When running these two, I always get the PID. It's only one instance. I then proceed to kill the connection:

                                        kill -9 9765 (for example)

                                        After which it appears that the RADIUS starts running correctly as the diagnostic shows it listening every so many seconds and updates the accounting.

                                        However, if I restart or make changes to any attributes of the user then the error on port 18128 resurfaces.

                                        I also tried to change the port manually but then the error switches to whatever port number I use.

                                        :(
                                        Dmc @Dmc

                                          Hmm,

                                          So based on reading other thread posts.

                                          It appears the proper etiquette to run the radiusd -X command would be to first stop FreeRADIUS with the command service radiusd onestop and ONLY then initiate the diagnostic.

                                          Else the error I was receiving is expected. I GUESS I'm back to square one, why isn't RADIUS enforcing my stop accounting.
                                          Gertjan @Dmc

                                            @Dmc said in Multiple login limits for captive portal voucher system:

                                            why isn't RADIUS enforcing my stop accounting.

                                            You use this:

                                            [screenshot]

                                            right?

                                            The interim option makes the pfSense side of the portal interrogate FreeRADIUS regularly.
                                            After all, (Free)RADIUS is a server process = by itself, it does nothing, until a client asks the server to do something.
                                            The client is the pfSense software.
                                            In the interim mode, an initial START access request is made, and when FreeRADIUS says "OK, it's a pass" the user is logged in - access is granted.
                                            With the interim requests that follow (every 60 seconds I guess) the logged-in user's rights are re-checked, and criteria can be: bytes used or time elapsed - FreeRADIUS can do much more, but the client, pfSense, is pretty dumb, and handles only these cases.

                                            When you use "radiusd -X" on the command line, you can follow this process; you'll see that RADIUS receives constant requests up until pfSense tells it that the logged-in user is terminated (by the admin) or, from the RADIUS side, because a STOP event happened = access refused as the time elapsed (can be daily, weekly, monthly), or the max number of bytes consumed was reached.
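To make concrete why the limit is only enforced when accounting actually flows (the point of the post above, and of the earlier "radutmp is logging but nothing is enforced" observation), here is an added example, not code from this thread, from FreeRADIUS or from pfSense, that models a session store such as radutmp or the SQL radacct table. An Accounting-Request with Acct-Status-Type Start opens a session, Interim-Update refreshes it, Stop closes it, and an Access-Request is refused once the user already holds as many open sessions as the users file allows. The user name, NAS address, session IDs and the stale-session grace period (three missed interim updates) are constructed for the illustration; the grace period in particular is an assumption of this model rather than FreeRADIUS behaviour (rlm_radutmp verifies doubtful entries by running checkrad against the NAS instead), but it shows the failure mode discussed here: a portal that sends Start but never Stop or interim updates leaves the user counted as logged in.

```python
"""Model of the session store behind a Simultaneous-Use check.

Added example, not code from the thread, FreeRADIUS or pfSense. Start opens a
session, Interim-Update refreshes it, Stop closes it; an Access-Request is
refused once the user holds 'limit' open sessions. The stale-session grace
period is an assumption of this model (FreeRADIUS runs checkrad instead).
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Session:
    user: str
    nas_ip: str
    last_update: float  # seconds; when the last Start/Interim-Update arrived


@dataclass
class SessionStore:
    limits: Dict[str, int]          # user -> Simultaneous-Use from the users file
    interim_interval: int = 60      # Acct-Interim-Interval the NAS was given
    missed_updates: int = 3         # assumption: stale after this many missed interims
    sessions: Dict[str, Session] = field(default_factory=dict)  # keyed by Acct-Session-Id

    def accounting(self, pkt: Dict[str, str], now: float) -> str:
        """Apply one Accounting-Request to the store and return the reply type."""
        sid, status = pkt["Acct-Session-Id"], pkt["Acct-Status-Type"]
        if status in ("Start", "Interim-Update"):
            # An interim for an unknown session (missed Start) re-creates it.
            self.sessions[sid] = Session(pkt["User-Name"], pkt["NAS-IP-Address"], now)
        elif status == "Stop":
            self.sessions.pop(sid, None)
        return "Accounting-Response"  # acknowledged once the record is stored

    def expire_stale(self, now: float) -> int:
        """Drop sessions that missed 'missed_updates' interims; returns how many."""
        cutoff = now - self.interim_interval * self.missed_updates
        stale = [sid for sid, s in self.sessions.items() if s.last_update < cutoff]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)

    def active_count(self, user: str) -> int:
        return sum(1 for s in self.sessions.values() if s.user == user)

    def access_request(self, user: str, now: float) -> Tuple[str, str]:
        """The session check: reject when the user's open sessions reach the limit."""
        self.expire_stale(now)
        limit = self.limits.get(user)
        if limit is not None and self.active_count(user) >= limit:
            return "Access-Reject", f"already logged in {limit} times"  # constructed text
        return "Access-Accept", ""


def demo() -> Dict[str, str]:
    """Walk user 'cuisine' (limit 2) through the cases the thread discusses."""
    store = SessionStore(limits={"cuisine": 2})
    nas = {"User-Name": "cuisine", "NAS-IP-Address": "192.0.2.1"}  # constructed NAS

    def acct(sid: str, status: str, t: float) -> str:
        return store.accounting({**nas, "Acct-Session-Id": sid, "Acct-Status-Type": status}, t)

    out: Dict[str, str] = {}
    acct("a1", "Start", 0)
    acct("a2", "Start", 1)
    out["third_device"] = store.access_request("cuisine", 2)[0]   # limit reached
    acct("a1", "Stop", 3)
    out["after_stop"] = store.access_request("cuisine", 4)[0]     # Stop freed a slot
    acct("a3", "Start", 5)                                        # a3's NAS never sends Stop
    for t in range(60, 361, 60):                                  # a2 keeps sending interims
        acct("a2", "Interim-Update", t)
        if t == 120:
            out["stale_not_yet"] = store.access_request("cuisine", 130)[0]
    out["stale_expired"] = store.access_request("cuisine", 400)[0]  # a3 aged out
    return out


if __name__ == "__main__":
    print(demo())
```

The practical check on a pfSense box follows from this model: with the service stopped and radiusd -X running, every portal login should show an Accounting-Request (Start), then periodic Interim-Update packets, and a Stop on logout. If the Access-Request arrives but no accounting packets follow, the session store stays empty and Simultaneous-Use can never trigger, whatever value the users file sets.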
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.