PfSense 2.0-RC3 - CP, Radius MAC Auth with WISPr-Bandwidth-Max problem



  • pfSense 2.0-RC3 - CP, Radius MAC Auth with WISPr-Bandwidth-Max problem

    The problem: pfSense does not re-learn new radius settings "WISPr-Bandwidth-Max-Up" and "WISPr-Bandwidth-Max-Down" for already connected MAC addresses on the LAN network. Changes made in radius "WISPr-Bandwidth-Max" have no effect on MAC clients on the LAN, and those MAC clients continue to run at the original radius "WISPr-Bandwidth-Max" from when the MAC client on the LAN connected.

    My network is the following:

    • several i386 pfSense 2.0-RC3 (July through current August releases)
    • 30 to 150 MAC clients
    • Captive Portal, No NAT (Live IPs on WAN and LAN), Per-user bandwidth restriction
    • Radius MAC authentication, Re-Auth connected users every minute

    A sample of my "freeradius" Radius users file:

    00-13-10-e3-ff-a1 Cleartext-Password:= "pfsenseietf"
            WISPr-Bandwidth-Max-Up = 717999,
            WISPr-Bandwidth-Max-Down = 666000

    To duplicate the issue:
    Let a MAC client connect on the LAN and auth through radius.  The client will correctly upload and download at the "WISPr-Bandwidth-Max" in radius.
    Now change the "WISPr-Bandwidth-Max" in radius for the MAC client.  The client will continue to upload and download at the original radius "WISPr-Bandwidth-Max" settings - even though they have changed.
    NOTE: If you turn off captive portal then turn it back on the MAC client gets the new bandwidth settings - but I end up disconnecting established connections for hundreds of other MAC clients (VPN, FTP …).  All MAC clients must re-establish their connections to the remote server they were connected to.
    NOTE: If I use CP Hard-Timeout, the MAC client does get the new bandwidth settings but I end up disconnecting established MAC LAN clients every 5 minutes -and- every 5 minutes all MAC clients must re-establish their connections to the remote server they were connected to.

    The CP setting for "Reauthenticate connected users every minute" appears to only check if the MAC address is still in radius and does not re-check (re-learn) any changes in "WISPr-Bandwidth-Max-Up".

    Is this a bug or a needed feature?

    Is there a work-around to hup and learn & use the new "WISPr-Bandwidth-Max" in radius?
    In a production environment with hundreds of CP MAC clients, it is not practical to manually bounce off/on the CP to get a radius change to a MAC client because I will end up disconnecting hundreds of established VPNs, FTP sessions and who knows what else a customer may be using to talk to remotely located servers.

    The only option I can think of is to auto-reboot or auto turn off then back on the CP every night.

    Any ideas?

    Tom Jones
    A wireless ISP (WISP) up in North Idaho



  • No, it is not considered today in code for this.
    You can do this during the pruning of the users where the re-authentication takes place and check if there is any change and modify values.
    Should not be hard.
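
The check suggested in the reply, modelled as an added Python example. It is not part of the thread and not pfSense code: the `Session` class, the function names, the "0 = unlimited" default and all sample data except the first MAC and its original limits are assumptions.

```python
from dataclasses import dataclass

UP, DOWN = "WISPr-Bandwidth-Max-Up", "WISPr-Bandwidth-Max-Down"

@dataclass
class Session:          # hypothetical model of one captive-portal entry
    mac: str
    up: int             # limit currently enforced (bits/s)
    down: int

def reconcile(session, reply, default=(0, 0)):
    """Return (action, up, down) for one re-authenticated client.
    reply is None for an Access-Reject, else a dict of Access-Accept
    attributes. default is the assumed portal-wide limit used when the
    reply carries no WISPr attribute (0 = unlimited in this model)."""
    if reply is None:
        return ("disconnect", None, None)
    try:
        up = int(reply.get(UP, default[0]))
        down = int(reply.get(DOWN, default[1]))
    except (TypeError, ValueError):
        return ("keep", session.up, session.down)  # malformed: keep old limit
    if up < 0 or down < 0:
        return ("keep", session.up, session.down)
    if (up, down) == (session.up, session.down):
        return ("keep", up, down)
    return ("update", up, down)

def reauth_pass(sessions, radius_lookup):
    """One periodic re-auth sweep; only changed clients are touched."""
    actions = {}
    for mac in list(sessions):
        s = sessions[mac]
        action, up, down = reconcile(s, radius_lookup(mac))
        if action == "disconnect":
            del sessions[mac]
        elif action == "update":
            s.up, s.down = up, down  # real portal: resize this client's shaper only
        actions[mac] = action
    return actions

# Constructed sample: limits in force at login, then the current RADIUS view
# (first client changed, second unchanged, third removed from the users file).
AT_LOGIN = {"00-13-10-e3-ff-a1": (717999, 666000),
            "00-00-5e-00-53-01": (512000, 512000),
            "00-00-5e-00-53-02": (256000, 256000)}
RADIUS_NOW = {"00-13-10-e3-ff-a1": {UP: "1500000", DOWN: "3000000"},
              "00-00-5e-00-53-01": {UP: "512000", DOWN: "512000"}}

def demo():
    sessions = {m: Session(m, u, d) for m, (u, d) in AT_LOGIN.items()}
    return reauth_pass(sessions, RADIUS_NOW.get), sessions
```
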

