Captive Portal & Radius Authentication
-
Hello,
Still working away trying to make sense of this. Going through all the posts over the years I am starting to suspect using the FreeRadius Package just does not do the job of limiting devices properly and MAYBE using a Windows Server Manager to implement the FreeRadius and LDAP might be the best approach - Would appreciate if someone could confirm this so I can put this chapter to rest and move on with my life.
Second - the reason why I am posting this. In experimenting with the device limitations, I found some interesting results. When I set the device limitation to "0", I get the following in the authentication logs:
Mar 19 23:25:06 logportalauth 398 Zone: comencecp - FAILURE: user4, 84:7b:eb:1c:8f:d3, 10.10.10.54, You are already logged in - access denied
This tells me, okay, at least the Radius is somehow aware that it shouldn't allow a connection when we set the attribute to 0.
However, the moment I change the attribute to anything greater than 0 (i.e. 1) and attempt to connect with a second or x+1 device, the authentication ALWAYS accepts the request:
Mar 19 23:30:39 logportalauth 73750 Zone: comencecp - ACCEPT: user4, 84:7b:eb:1c:8f:d3, 10.10.10.54
That being said, even assuming Radius was somehow accounting correctly and denying or accepting requests, I found an issue with how the captive portal treats requests.
So, there are 4 options available in CP for concurrent connections: 1) Disabled 2) Multiple 3) First 4) Last
I experimented with all these and found the following conclusions:
- Disabled: Did not allow more than one connection
Mar 19 23:21:28 logportalauth 40156 Zone: comencecp - CONCURRENT USER LOGIN - NOT ALLOWED KEEPING OLD SESSION : user4, 92:1c:62:1f:5e:2e, 10.10.10.56
- Multiple: This would allow multiple connections and pass through the accepted requests from the Radius. I believe this is the setting we should be selecting to implement device limitations per user. So it relies on Radius to be doing its job and informing it that the request was rejected, or else it will pass through.
- First: Also rejected the second device request since it's connected.
- Last: Allowed the second device to connect. Did not observe if the first connection was disconnected or not - too disheartened to even wait to see when it disconnects.
Also waited 10 minutes before attempting to join the 2nd device, which did not appear to have made an impact.
-
@Dmc said in Captive Portal & Radius Authentication:
Going through all the posts over the years ...
There is one where I posted just 30 seconds ago, this one : Captive Portal Bandwidth-Max-Up Down Radius
Btw : I don't know why I (you) would need a "Windows Server Manager" or an "LDAP".
I installed the pfSense FreeRadius package, created somewhere on my LAN a MYSQL ... oops : a Mariadb server, created a database, tables and then I started to understand how world's worst documented open source "program" works.
(Free)Radius is a pain. It's complex - the old learning process needs to be used, there is no other way.
Added to that : the pfSense FreeRadius package surfaces in the GUI only a very small part of what is possible with FreeRadius.
@Dmc said in Captive Portal & Radius Authentication:
Would appreciate if someone could confirm this so I can put this chapter to rest and move on with my life.
Well ...
you're spot on. If life is great, and you still have free time over, then you might consider investing some time into FreeRadius.
So, my advice : If you don't strictly need it, don't waste your time !
@Dmc said in Captive Portal & Radius Authentication:
Mar 19 23:25:06 logportalauth 398 Zone: comencecp - FAILURE: user4, 84:7b:eb:1c:8f:d3, 10.10.10.54, You are already logged in - access denied
For me, with looking things up, this line contains an error when you've set "device limitation" to "0".
If "0" was really applied, then no = zero = "0" users can log in with the given credentials 'user4'.
So, at no time can it say that one user 'user4' was already logged in. After all, "0" (and not more) were allowed.
Get my point ?
I was using "Simultaneous Usage" for a while, to see how it works.
I used a MySQL as a Freeradius data scratch pad (that's what I think FreeRadius is using MySQL for : a data storage place) and I found this
/usr/local/etc/raddb/mods-config/sql/main/mysql/queries.conf
Locate this :
```
#######################################################################
#  Simultaneous Use Checking Queries
#######################################################################
#  simul_count_query     - query for the number of current connections
#                        - If this is not defined, no simultaneous use checking
#                        - will be performed by this module instance
#  simul_verify_query    - query to return details of current connections
#                          for verification
#                        - Leave blank or commented out to disable verification step
#                        - Note that the returned field order should not be changed.
#
#  Note: Sessions that started prior to the most recent reload of their NAS will
#  be correctly considered inactive, even if the radacct entry itself is not
#  marked as stopped.
#
#######################################################################
```
and from here on you have to find out how this query is used.
Example : The SQL query that counts the number of logged in users is called :
```
simul_count_query = "\
        SELECT COUNT(*) \
        FROM ${acct_table1} a \
        LEFT OUTER JOIN nasreload n USING (nasipaddress) \
        WHERE username = '%{SQL-User-Name}' \
        AND acctstoptime IS NULL \
        AND (a.acctstarttime > n.reloadtime OR n.reloadtime IS NULL)"
```
Right now, I have a user logged in with the logging name 'cuisine'.
So I prepare the SQL statement manually (I use phpmyadmin) :
```
SELECT COUNT(*) FROM radacct a LEFT OUTER JOIN nasreload n USING (nasipaddress) WHERE username = 'cuisine' AND acctstoptime IS NULL AND (a.acctstarttime > n.reloadtime OR n.reloadtime IS NULL);
```
and this returns "1" = the number of logged in users with the login name 'cuisine'.
When I use a second device, and also login with 'cuisine', the result becomes "2".
I've set up the user 'cuisine' with these settings at the bottom of the page :
So, in theory, when more than 4 users are logging in with the user name "cuisine", the login will fail.
I can't test that right now, as I haven't enough wifi devices around me ^^
AFAIK, more examples are present in the FreeRadius (source) script files.
Btw : I'm not saying you need to use MySQL, neither that my way of looking and finding about 'how to do it' is correct.
@Dmc said in Captive Portal & Radius Authentication:
So, they are 4 options available in CP for concurrent connections 1)Disabled 2)Multiple 3)First 4)Last
From what I recall, if you use FreeRadius, you can't use that option anymore. - But I'm not sure.
Last time I tried this :
without FreeRadius, it was working ... again : can't test this right now as it would disrupt my actual install, and people are logged in right now.
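To make the counting logic above concrete, here is an added example (not code from the thread or from FreeRADIUS): an in-memory SQLite replica of the radacct and nasreload tables, reduced to the columns simul_count_query touches, so you can watch the count for 'cuisine' change as devices log in, log out, or the NAS is reloaded. Column names match the query; the `limit` comparison in `simultaneous_use_allows()` is a simplified stand-in for the real Simultaneous-Use check (assumption).

```python
import sqlite3

# The query from queries.conf, with the ${acct_table1} macro expanded to radacct
# and the %{SQL-User-Name} expansion replaced by a bind parameter.
SIMUL_COUNT_QUERY = """
SELECT COUNT(*)
FROM radacct a
LEFT OUTER JOIN nasreload n USING (nasipaddress)
WHERE username = ?
  AND acctstoptime IS NULL
  AND (a.acctstarttime > n.reloadtime OR n.reloadtime IS NULL)
"""


def build_db():
    """Minimal radacct / nasreload schema (constructed, only the columns used)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radacct (
            radacctid INTEGER PRIMARY KEY, username TEXT, nasipaddress TEXT,
            callingstationid TEXT, acctstarttime TEXT, acctstoptime TEXT);
        CREATE TABLE nasreload (nasipaddress TEXT PRIMARY KEY, reloadtime TEXT);
    """)
    return db


def start_session(db, username, nas, mac, started):
    """Accounting-Start: an open row has no acctstoptime (ISO timestamps, constructed)."""
    db.execute("INSERT INTO radacct (username, nasipaddress, callingstationid,"
               " acctstarttime) VALUES (?, ?, ?, ?)", (username, nas, mac, started))


def stop_session(db, mac, stopped):
    """Accounting-Stop: close the open row for that device (MAC)."""
    db.execute("UPDATE radacct SET acctstoptime = ? WHERE callingstationid = ?"
               " AND acctstoptime IS NULL", (stopped, mac))


def nas_reloaded(db, nas, when):
    """Record a NAS restart; rows started before it are treated as dead by the query."""
    db.execute("INSERT OR REPLACE INTO nasreload VALUES (?, ?)", (nas, when))


def active_sessions(db, username):
    """Exactly what simul_count_query returns for this user."""
    return db.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()[0]


def simultaneous_use_allows(db, username, limit):
    """Simplified Simultaneous-Use decision: refuse once the count reaches the limit."""
    return active_sessions(db, username) < limit
```

Note that a session the captive portal dropped without an Accounting-Stop stays counted until the NAS reload row makes it stale, which is one reason the count can disagree with what the portal shows.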
-
Hello hello my friend,
Yes that post and among many others. I went all the way back to 2012 to really understand.
3 months ago, I was an absolute newbie who was learning what a VLAN was and wouldn't understand why the password in terminals wouldn't display :')
But fast forward to the present day, I can proudly say I am somewhat proficient in the lingo and know better how to navigate and troubleshoot. Learning so much every day, despite being in the midst of tax season - I've lost so much interest in the profession it seems.
Btw : I don't know why I (you) would need a "Windows Server Manager" or an "LDAP".
You're correct, I do not need Windows Server Manager and LDAP. After reading about it more, it just wouldn't be appropriate for me since my goal is much more basic without the need to be on a Microsoft environment.
From what I have found today, my action plan is now to figure out how to install Proxmox on my Protectli device and create two VMs. One to host my pfSense and the 2nd for the FreeRadius and Mariadb server.
The mistake I made is installing pfSense directly onto my device (obviously I didn't know better), which didn't allow me to install MySQL and FreeRadius and was forcing me to use the package. Initially I thought I would need to hook up another machine to support the server for SQL and FreeRadius, which I was dreading, but thank the lord for the beauty of Virtual Machines. I am hoping I can manage the SQL from phpMyAdmin (something I need to figure out as well - rather than using the terminal).
With the 2nd server/VM I am hoping the AAA will work as I intended and be more robust. As jimp said in some post, pfSense is a firewall and not a database.
P.S. I also found a post which showed how to enable FreeBSD to install SQL, which turned out to be a waste of time since it would just get corrupted with updates, changes or even bring the entire firewall to a halt. Though I must appreciate their efforts for sharing at the time. Here's the link : https://forum.netgate.com/topic/96893/howto-captive-portal-freeradius-local-mysql-user-friendly-single-step
I used a MySQL as a Freeradius data scratch pad (that's what I think FreeRadius is using MySQL for : a data storage place) and I found this /usr/local/etc/raddb/mods-config/sql/main/mysql/queries.conf
I will get back to you on this once I implement the virtual machines
For me, with looking things up, this line contains an error when you've set "device limitation to "0". If "0" was really applied, then no = zero = "0" user can login in with the given credentials 'user4'. So, at no time it can say that there was already one user 'user4' was logged in. After all"0" (and not more) were allowed. Get my point ?
Agreed, it was really late at night for me so I was just trying to grasp anything that would give me hope that the radius was working as intended. But you're right, setting it to 0 makes it behave weirdly rather than correctly.
So, in theory, when more then 4 users are logging in with the user name "cuisine", the login will fail.
Yes in theory, but definitely not possible with the freeradius package manager. Hopefully it can work with the full freeradius.
From what I recall, if you use FreeRadius, you can't use that option anymore. - But I'm not sure.
I tested it thoroughly. The settings for concurrent DO NOT get disabled if FreeRadius is on or being used as an authentication method
-
@Dmc said in Captive Portal & Radius Authentication:
But I'm not sure.
Something starts to show up in my head :
It might be that 2.7.2 doing this is ... buggy. It was corrected in pfSense Plus.
Again, I'm not sure. Check out the resolved redmine bug reports ?
@Dmc said in Captive Portal & Radius Authentication:
Initially I thought I would need to hook up another machine to support the server for SQL and Freeradius which I was dreading but thank the lord for the beauty of Virtual Machines. I am hoping I can manage the SQL from myphpadmin (something I need to figure out as well - rather than using the terminal)
It is possible to also install the FreeBSD MySQL (mariadb actually) package on pfSense, but 'please' don't do that. A database server doesn't belong on a firewall (IMHO of course, you do what pleases you).
So, if possible, start some VM somewhere with a SQL database and you're good.
I talked about MySQL as a FreeRadius scratch pad because it permits me to see easily the values in the database files.
The built-in 'file system files' scratch pad for FreeRadius on pfSense will also work, but these offer less visibility, and can wear out the pfSense file system. Anyway, I prefer SQL.
-
@Gertjan said in Captive Portal & Radius Authentication:
MySQL as a FreeRadius scratch pad
Could you guide me how to look up redmine bug reports? Not sure what you mean.
& agreed, SQL with the help of phpMyAdmin definitely appears to be the way to go for user accessibility. No way on earth am I willing to always have to go through the source code to view and change values.
-
@Dmc said in Captive Portal & Radius Authentication:
Could you guide me how to lookup redmine bug reports?
Here : https://redmine.pfsense.org/