Multiple login limits for captive portal voucher system
-
@Gertjan Thank you, I will give it a try. I've been spending time customizing the src to include a countdown and an option to update the password within the captive portal..... hopefully it'll update the radius user password rather than "regular user"
Quick question - would I need to type in this configuration each time I add a user in the RAD? :/
-
@dmchavoc said in Multiple login limits for captive portal voucher system:
option to update the password within the captive portal..... hopefully it'll update the radius user password rather than "regular user"
Noop.
The pfSense System > User Manager > Users
and
Services > FreeRADIUS > Users
are different lists, and have to be maintained separately. You can check the "flat file" that is used to indicate the allowed FreeRadius users :
See for yourself Services > FreeRADIUS > View Configuration and click on the Users button. Or look here : /usr/local/etc/raddb/mods-config/files/ and check out the 4 files you find there.
Look in all the files you can find in /usr/local/etc/raddb/ and all sub folders.
( Now you start to understand what FreeRadius is ..... don't worry, I see you running. I did the same thing )
@dmchavoc said in Multiple login limits for captive portal voucher system:
Quick question - would I need to type in this configuration each time I add a user in the RAD? :/
Maybe not. Can't remember.
If you declare : for the very first user in the file, and you omit the "Fall-Through = Yes", and that's "Simultaneous-Use" for the rest of the file, unless set to another value.
You test, and you tell me ^^, (and answer yourself while doing so)
-
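An added example, not part of any post in this thread and not FreeRADIUS or pfSense code: a small model of how FreeRADIUS's files module walks the users file Gertjan points at (mods-config/files/authorize on the pfSense package). Entries are tried top to bottom, an entry matches when its name equals the User-Name or is DEFAULT, and the walk stops at the first match unless that entry carries Fall-Through = Yes. So one DEFAULT entry at the top with Simultaneous-Use := 1 and Fall-Through = Yes applies the limit to every user without retyping it per user, a user entry can still override it with its own Simultaneous-Use, and the same DEFAULT without Fall-Through swallows the lookup so the user's own password line is never reached. The user names, passwords and file contents are constructed, and the operator semantics are simplified (':=' overwrites, '=' sets only if absent).

```python
"""Model of the FreeRADIUS `users` file walk (simplified, not the real module)."""
import re
from dataclasses import dataclass, field

# attribute, operator, value; the value is either "quoted" or a bare token
ITEM_RE = re.compile(r'([A-Za-z][\w-]*)\s*(:=|==|\+=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')


@dataclass
class Entry:
    name: str                                    # User-Name to match, or DEFAULT
    checks: dict = field(default_factory=dict)   # first line: check items
    replies: dict = field(default_factory=dict)  # indented lines: reply items


def _items(text):
    return {attr: (op, val.strip('"')) for attr, op, val in ITEM_RE.findall(text)}


def parse_users(text):
    """A non-indented line starts an entry (name plus check items);
    indented lines that follow carry that entry's reply items."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            parts = line.split(None, 1)
            current = Entry(parts[0], _items(parts[1] if len(parts) > 1 else ""))
            entries.append(current)
        else:
            if current is None:
                raise ValueError("reply item before the first entry")
            current.replies.update(_items(line))
    return entries


def resolve(entries, username):
    """Walk entries top to bottom: match on User-Name or DEFAULT, ':=' overwrites
    an item, '=' sets it only if absent, stop after the first match unless the
    entry says Fall-Through = Yes. Returns (matched entry names, check items)."""
    matched, effective = [], {}
    for e in entries:
        if e.name not in (username, "DEFAULT"):
            continue
        matched.append(e.name)
        for attr, (op, val) in e.checks.items():
            if op == ":=" or attr not in effective:
                effective[attr] = val
        if e.replies.get("Fall-Through", ("", "no"))[1].lower() != "yes":
            break
    return matched, effective


def effective_limit(users_text, username):
    """The Simultaneous-Use value the user ends up with, or None."""
    _, checks = resolve(parse_users(users_text), username)
    return checks.get("Simultaneous-Use")


# Constructed file: DEFAULT first, with Fall-Through, so the per-user entries are
# still consulted and inherit Simultaneous-Use := 1 unless they override it.
GOOD_USERS = """\
DEFAULT Simultaneous-Use := 1
        Fall-Through = Yes

alice   Cleartext-Password := "alice-pw"

bob     Cleartext-Password := "bob-pw", Simultaneous-Use := 3
"""

# Constructed: the same file without Fall-Through. DEFAULT matches everybody and
# stops the walk, so alice's password line is never reached and bob keeps 1.
BAD_USERS = GOOD_USERS.replace("        Fall-Through = Yes\n", "")

if __name__ == "__main__":
    for label, text in (("with Fall-Through", GOOD_USERS), ("without Fall-Through", BAD_USERS)):
        for user in ("alice", "bob"):
            print(label, user, resolve(parse_users(text), user))
```

Setting the attribute is only half of it: radiusd enforces Simultaneous-Use in the session section of the virtual server (radutmp in the default configuration), and radutmp only knows about logins the NAS reported through RADIUS accounting, so the captive portal has to send accounting packets for the limit to bite.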
Hello Hello,
Sorry for the late response, I went down a deep rabbit hole of setting up the custom captive portal with its authentications and a logout page that shows a countdown and a successful disconnection - thanks to all your contributions.
Now I am back to the main goal, limiting devices per user. I tried to use the code you shared but I do not appear to have any luck. It appears to be an enforcement issue for accounting. Based on your other discussions - I'm getting the sense that maybe it has something to do with the SQL (which I have not set up).
Could you please share your SQL settings with me? Whenever I enable SQL and input the default settings then authentication starts to fail on the captive portal.
So I'm pretty lost, I feel like I'm missing something essential in setting up the Radius itself :/
-
@Dmc said in Multiple login limits for captive portal voucher system:
Could you please share your SQL settings with me? Whenever I enable SQL and input the default settings then authentication starts to fail on the captive portal.
Default SQL settings :
with a notable difference :
pfSense isn't a SQL server.
So the address can't be 'localhost' or 127.0.0.1. I've chosen 192.168.1.33, as that is my NAS, on which I installed SQL support. On this SQL server you have to create a database with the name "Database Table Configuration".
You don't have to do this manually. There is an SQL script that does this for you : see here : /usr/local/etc/raddb/mods-config/sql/main/mysql
Be aware : when you read these files, you should know what to do. If you don't .... you don't know what SQL is/does etc. Even with SQL activated, the FreeRadius pfSense package doesn't make use of all the features. A lot of stuff is hard coded. For example the login user names and passwords are still file based (on pfSense). This can be changed, but that means you have to change the pfSense FreeRadius package files, which generate the needed config files, one of them being /usr/local/etc/raddb/sites-enabled/default
radius is .... great to set up if you really have nothing else to do. radius is huge. It's one of the world's most known software (we all use it without knowing it) and it's also one of the world's least known software. Not something you do in a lost afternoon.
-
Hmm, I'm confused. Are you suggesting that I do not need to set up SQL for the FreeRadius accounting policies/device restrictions to work?
Or do I need to set up SQL for it to work?
I've hit the peak of my understanding of all this networking knowledge, I'm a CPA by trade trying to make sense of all this. I am convinced it has something to do with how I set up my RAD, which is why it is not accepting the device restrictions.
This is all so frustrating, I spent so much time customizing all the other elements of pfSense that I left the most important factor out.
Thanks Gertjan
-
@Gertjan
P.S. you're spot on about the resources available for RADIUS. I was pulling my hair out in frustration over the limited guides and discussions available on RADIUS, especially when it ought to be readily available since it has so many applications. My initial thought was perhaps the community did not want its trade secrets out or just wasn't supportive. And then I came across pfSense, for which I've been more than grateful for each discussion post and exponentially expanding my knowledge. I plan to share my logout and login pages with the countdown timer and disconnect since it's such a highly requested topic on here - will probably DM you on the proper etiquette to do so.
-
Okay, I gave myself a crash course on how to access SSH and its commands.
P.S. thanks for pointing towards the raddb directory and the subfolders - it gave me a lot more insight on how RadiusServer is operating and all the talk about flat-file and hardcoded.
So based on all the diagnosis I could run, I've concluded that the radutmp file is communicating properly and is logging all information.
SQL does not appear to be required at this stage either. The issue lies within FreeRadius not enforcing the Simultaneous variable based on the radutmp, which itself I believe is collecting information from the users file in /usr/local/etc/raddb/ or in some sort of manner.
I ran radiusd -X in the SSH session but I keep getting the same error:
Failed binding to auth address 127.0.0.1 port 18128 bound to server inner-tunnel-peap: Address already in use
/usr/local/etc/raddb/sites-enabled/inner-tunnel-peap[3]: Error binding to port for 127.0.0.1 port 18128
Initially I was getting this error on port 18127 - I reinstalled the freeradius package and then it shifted to 18128 .... any thoughts? :/
I also attempted to change the NAS, authentication and interface ports to 10.10.10.1 (my LAN) which also did not give me any luck - that's where I actually troubleshooted the issue - despite changing the IP to 10.10.10.1 the IP/port for both the inner-tunnel files remained the same, 127.0.0.1.
I've since changed it back to 127.0.0.1 from 10.10.10.1 but no luck.
I've read on other forums that I should stop and restart the radius. I've done that multiple times, I even used kill, I also attempted to give it a random port; even with that it consistently says the port is bound.
I think this is why it's not enforcing the simultaneous connection requests - maybe
-
@Dmc said in Multiple login limits for captive portal voucher system:
Failed binding to auth address 127.0.0.1 port 18128 bound to server inner-tunnel-peap: Address already in use
/usr/local/etc/raddb/sites-enabled/inner-tunnel-peap[3]: Error binding to port for 127.0.0.1 port 18128
Initially I was getting this error on port 18127 - I reinstalled the freeradius package and then it shifted to 18128 .... any thoughts? :/
You've tried using plain default settings ?
Like :
And the client (pfSense user manager) side :
Btw : be aware that 10.10.10.1 is also used by default by pfBlockerNG - so be careful with that one.
-
Here are my settings - I believe they're identical.
So, I also attempted to delete the raddb files after uninstalling the package and reinstalling. The error moved to port 1812.... I reinstalled again and it moved to port 18127 instead of 18128. I feel like I'm going in circles. Is this even relevant?
Failed binding to auth address 127.0.0.1 port 18127 bound to server inner-tunnel-ttls: Address already in use
/usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls[3]: Error binding to port for 127.0.0.1 port 18127
-
@Dmc said in Multiple login limits for captive portal voucher system:
Failed binding to auth address 127.0.0.1 port 18127 bound to server inner-tunnel-ttls: Address already in use
By who ? Ask pfSense ?!
[24.11-RELEASE][root@pfSense.bhf.tld]/root: sockstat -4 | grep 'radiusd'
root radiusd 33785 8 tcp4 192.168.1.1:14796 192.168.1.33:3307
root radiusd 33785 11 tcp4 192.168.1.1:57128 192.168.1.33:3307
root radiusd 33785 20 udp4 127.0.0.1:18128 *:*
root radiusd 33785 21 udp4 *:1812 *:*
root radiusd 33785 22 udp4 *:1816 *:*
root radiusd 33785 23 udp4 *:1813 *:*
root radiusd 33785 24 udp4 127.0.0.1:18127 *:*
Even if this port '18127' isn't set anywhere in the GUI - FreeRadius settings, it is used (hard coded) for the TLS 'inner' tunnel :
grep -R '18127' /usr/local/*
so if you use these also in your GUI settings then I can understand the error.
Also, your one and only different setting :
I have :
192.168.2.1 as the "Client IP" - an interface I used for my captive portal, the one using (indirectly) FreeRadius.
You have "127.0.0.1" there ... what happens when you use a LAN interface ?
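An added example, not part of any post in this thread and not FreeRADIUS or pfSense code, that does in one step what Gertjan's sockstat and grep commands do by hand: it reads the listen blocks a FreeRADIUS site file asks to bind, parses `sockstat -4` output, and reports which process already holds each of those ports. "Address already in use" from `radiusd -X` is what you get when the radiusd the pfSense package runs as a service is still up; it already holds 1812/1813 and the loopback ports of the generated inner-tunnel-* virtual servers, so the service has to be stopped before a debug run. The config snippet and sockstat text below are constructed (the sockstat lines mirror the ones quoted above); the listen-block parser ignores nested sub-blocks, the sockstat columns are the FreeBSD layout (USER COMMAND PID FD PROTO LOCAL FOREIGN), and the sites-enabled path is the one named in the thread.

```python
"""Cross-check the sockets a FreeRADIUS config wants against sockstat output."""
import pathlib
import re
import subprocess

LISTEN_RE = re.compile(r'listen\s*\{([^{}]*)\}')           # flat listen blocks only
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*(\S+)', re.M)           # key = value lines


def wanted_sockets(config_text):
    """Return [(ipaddr, port, virtual_server)] for every listen block."""
    out = []
    for body in LISTEN_RE.findall(config_text):
        kv = dict(KV_RE.findall(body))
        if "port" in kv:
            out.append((kv.get("ipaddr", "*"), int(kv["port"]), kv.get("virtual_server", "")))
    return out


def bound_sockets(sockstat_text):
    """Parse `sockstat -4` into {(proto, ipaddr, port): (command, pid)}."""
    bound = {}
    for line in sockstat_text.splitlines()[1:]:              # skip the header row
        cols = line.split()
        if len(cols) < 6 or ":" not in cols[5]:
            continue
        ip, port = cols[5].rsplit(":", 1)
        bound[(cols[4], ip, int(port))] = (cols[1], int(cols[2]))
    return bound


def conflicts(config_text, sockstat_text, proto="udp4"):
    """For each socket the config wants, who already holds it.
    A wildcard bind ('*') on either side collides with any address on that port."""
    bound = bound_sockets(sockstat_text)
    hits = []
    for ip, port, vs in wanted_sockets(config_text):
        for (bproto, bip, bport), owner in bound.items():
            if bproto == proto and bport == port and (ip == "*" or bip == "*" or ip == bip):
                hits.append((vs or "default", f"{ip}:{port}", owner))
    return hits


def live_conflicts(sites_dir="/usr/local/etc/raddb/sites-enabled"):
    """On pfSense: every file in sites-enabled against the live sockstat output."""
    config = "\n".join(p.read_text() for p in pathlib.Path(sites_dir).iterdir() if p.is_file())
    sock = subprocess.run(["sockstat", "-4"], capture_output=True, text=True, check=True).stdout
    return conflicts(config, sock)


# Constructed, modelled on the site files the pfSense package generates.
SAMPLE_CONFIG = """
server default {
listen {
    type = auth
    ipaddr = *
    port = 1812
}
listen {
    type = acct
    ipaddr = *
    port = 1813
}
}
server inner-tunnel-ttls {
listen {
    ipaddr = 127.0.0.1
    port = 18127
    type = auth
    virtual_server = inner-tunnel-ttls
}
}
"""

# Constructed, mirroring the `sockstat -4 | grep radiusd` output quoted in the thread.
SAMPLE_SOCKSTAT = """USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root radiusd 33785 20 udp4 127.0.0.1:18128 *:*
root radiusd 33785 21 udp4 *:1812 *:*
root radiusd 33785 22 udp4 *:1816 *:*
root radiusd 33785 23 udp4 *:1813 *:*
root radiusd 33785 24 udp4 127.0.0.1:18127 *:*
"""

if __name__ == "__main__":
    for vs, sock, (cmd, pid) in conflicts(SAMPLE_CONFIG, SAMPLE_SOCKSTAT):
        print(f"{vs}: {sock} already held by {cmd} (pid {pid}); stop that radiusd before 'radiusd -X'")
```

Run `live_conflicts()` on the firewall itself: an empty list means nothing else owns the ports and `radiusd -X` will bind; a list of hits owned by a `radiusd` pid means the service is still running, so stop it (Status > Services) and try the debug run again rather than changing the port numbers in the GUI.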