NEW Package: freeRADIUS 2.x
-
What's the advantage of enabling SQL server? Because I don't see it on pfSense documentation.
-
Hi Nachtfalke,
I just tested with Captive Portal + FreeRadius + MySQL for a Hotspot site.
Basically it's now working here, I can login through CP and see the login information in MySQL.
There are still two options that I can't work it around.
1. per-user bandwidth restriction
This option is available in CP. But it's a global setting which means it will effect all clients with same setting.
I think there should have the same settings according to account? Does FreeRadius support it yet?2. RADIUS MAC authentication
I tested this function, it doesn't work. I always get the login page even I added the MAC in FreeRadius.
With the same setting, pass-through MACs in CP does work properly. Once I add the MAC, it works immediately.Thanks for your patient.
-
What's the advantage of enabling SQL server? Because I don't see it on pfSense documentation.
The advantage of a SQL database is if you have many many users. If you add many users to the freeradius users file - I would say 500+ - than your response time can be slow because the freeradius server has to go through the list from top to down until finding the user or not. So you should check the documentation about "Status server updates". There you will get information about how your RADIUS server performs and if the server can handle the requests. If you use a database the requests can be processes faster if you have many users because of the structur. This are the performance advantages.
For accounting there are better possibilities to do SELECTs on the database but you have to configure the sqlcounter module that it works for you.
An other point could be that you create a web GUI for your SQL database so that people could add new users to the database but should not have access to pfsense or freeradius. This could be useful in a hotel - you setup the freeradius and the connection to the database and the rest will be done from a separate web GUI from the hotel people.
That's my opinion. Perhaps I will add this to the pfsense docs ;)
@zlyzwy
Can you write down the steps you did for creating the database, importing the tables (names of tables) and how you configured freeradius SQL ?1.) I will add this in the next days so we have the possibility to set separate Download und upload bandwidth for users (overwriting the settings from CP which are for ALL users). I have coded this but it is on my HDD at home ;o)
Or do you meand volume of traffic like 500MB in max per week ? This is supported from freeradius and CP but with some disadvantages which I wrote down in the docs.2.) I will try to test this at home with CP if I found some time. Sending the "Calling-Station-ID" (MAC) is working but I didn't test it with CP.
-
Hi Guys,
i have decided to see if I can replace another solution we using with a Pfsense Captive portal and a Psfense Radius solution. But, I follow the instructions on the Radius documentation, but the first hiccup I have is that i dont have the option to even install the package.
In pfsense 2.x go to System => Packages => Available Packages and click on the + behind freeradius2.
After Installation go to Services => FreeRADIUSAm I blind or is the package option just not on the 2.0.1 menu? :)
Regards,
Gigg
-
@zlyzwy
Can you write down the steps you did for creating the database, importing the tables (names of tables) and how you configured freeradius SQL ?Sure:)
In general, I used PhpMyAdmin to manage MySQL database, you can use any other tools as you like.
All the following .SQL files can be found in latest FreeRadius package.(http://freeradius.org/download.html)MYSQL
1. Create the database named radius from PhpMyAdminCREATE DATABASE `radius` ;
2. Import the table 'admin'. Please change 'localhost' to your Pfsense name or just changed it to '%' which means from any client can connect to MySQL. Of course you can also change the default password('radpass') here.
# # Create default administrator for RADIUS # CREATE USER 'radius'@'localhost'; SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass'); # The server can read any table in SQL GRANT SELECT ON radius.* TO 'radius'@'localhost'; # The server can write to the accounting and post-auth logging table. # # i.e. GRANT ALL on radius.radacct TO 'radius'@'localhost'; GRANT ALL on radius.radpostauth TO 'radius'@'localhost';
3. Import the table 'schema'. I don't change anything and it works fine.
########################################################################### # $Id$ # # # # schema.sql rlm_sql - FreeRADIUS SQL Module # # # # Database schema for MySQL rlm_sql module # # # # To load: # # mysql -uroot -prootpass radius < schema.sql # # # # Mike Machado <mike@innercite.com># ########################################################################### # # Table structure for table 'radacct' # CREATE TABLE radacct ( radacctid bigint(21) NOT NULL auto_increment, acctsessionid varchar(64) NOT NULL default '', acctuniqueid varchar(32) NOT NULL default '', username varchar(64) NOT NULL default '', groupname varchar(64) NOT NULL default '', realm varchar(64) default '', nasipaddress varchar(15) NOT NULL default '', nasportid varchar(15) default NULL, nasporttype varchar(32) default NULL, acctstarttime datetime NULL default NULL, acctstoptime datetime NULL default NULL, acctsessiontime int(12) default NULL, acctauthentic varchar(32) default NULL, connectinfo_start varchar(50) default NULL, connectinfo_stop varchar(50) default NULL, acctinputoctets bigint(20) default NULL, acctoutputoctets bigint(20) default NULL, calledstationid varchar(50) NOT NULL default '', callingstationid varchar(50) NOT NULL default '', acctterminatecause varchar(32) NOT NULL default '', servicetype varchar(32) default NULL, framedprotocol varchar(32) default NULL, framedipaddress varchar(15) NOT NULL default '', acctstartdelay int(12) default NULL, acctstopdelay int(12) default NULL, xascendsessionsvrkey varchar(10) default NULL, PRIMARY KEY (radacctid), KEY username (username), KEY framedipaddress (framedipaddress), KEY acctsessionid (acctsessionid), KEY acctsessiontime (acctsessiontime), KEY acctuniqueid (acctuniqueid), KEY acctstarttime (acctstarttime), KEY acctstoptime (acctstoptime), KEY nasipaddress (nasipaddress) ) ; # # Table structure for table 'radcheck' # CREATE TABLE radcheck ( id int(11) unsigned NOT NULL auto_increment, username varchar(64) NOT NULL default '', attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '==', value varchar(253) NOT NULL default '', PRIMARY KEY (id), KEY username (username(32)) ) ; # # Table structure for table 'radgroupcheck' # CREATE TABLE radgroupcheck ( id int(11) unsigned NOT NULL auto_increment, groupname varchar(64) NOT NULL default '', attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '==', value varchar(253) NOT NULL default '', PRIMARY KEY (id), KEY groupname (groupname(32)) ) ; # # Table structure for table 'radgroupreply' # CREATE TABLE radgroupreply ( id int(11) unsigned NOT NULL auto_increment, groupname varchar(64) NOT NULL default '', attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '=', value varchar(253) NOT NULL default '', PRIMARY KEY (id), KEY groupname (groupname(32)) ) ; # # Table structure for table 'radreply' # CREATE TABLE radreply ( id int(11) unsigned NOT NULL auto_increment, username varchar(64) NOT NULL default '', attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '=', value varchar(253) NOT NULL default '', PRIMARY KEY (id), KEY username (username(32)) ) ; # # Table structure for table 'radusergroup' # CREATE TABLE radusergroup ( username varchar(64) NOT NULL default '', groupname varchar(64) NOT NULL default '', priority int(11) NOT NULL default '1', KEY username (username(32)) ) ; # # Table structure for table 'radpostauth' # CREATE TABLE radpostauth ( id int(11) NOT NULL auto_increment, username varchar(64) NOT NULL default '', pass varchar(64) NOT NULL default '', reply varchar(32) NOT NULL default '', authdate timestamp NOT NULL, PRIMARY KEY (id) ) ;</mike@innercite.com>
4. Import the rest of tables one by one.
# # Table structure for table 'cui' # CREATE TABLE `cui` ( `clientipaddress` varchar(15) NOT NULL default '', `callingstationid` varchar(50) NOT NULL default '', `username` varchar(64) NOT NULL default '', `cui` varchar(32) NOT NULL default '', `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, `lastaccounting` timestamp NOT NULL default '0000-00-00 00:00:00', PRIMARY KEY (`username`,`clientipaddress`,`callingstationid`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
# # Table structure for table 'radippool' # CREATE TABLE radippool ( id int(11) unsigned NOT NULL auto_increment, pool_name varchar(30) NOT NULL, framedipaddress varchar(15) NOT NULL default '', nasipaddress varchar(15) NOT NULL default '', calledstationid VARCHAR(30) NOT NULL, callingstationid VARCHAR(30) NOT NULL, expiry_time DATETIME NULL default NULL, username varchar(64) NOT NULL default '', pool_key varchar(30) NOT NULL, PRIMARY KEY (id), KEY radippool_poolname_expire (pool_name, expiry_time), KEY framedipaddress (framedipaddress), KEY radippool_nasip_poolkey_ipaddress (nasipaddress, pool_key, framedipaddress) ) ENGINE=InnoDB;
# # Table structure for table 'nas' # CREATE TABLE nas ( id int(10) NOT NULL auto_increment, nasname varchar(128) NOT NULL, shortname varchar(32), type varchar(30) DEFAULT 'other', ports int(5), secret varchar(60) DEFAULT 'secret' NOT NULL, server varchar(64), community varchar(50), description varchar(200) DEFAULT 'RADIUS Client', PRIMARY KEY (id), KEY nasname (nasname) );
# # WiMAX Table structure for table 'wimax', # which replaces the "radpostauth" table. # CREATE TABLE wimax ( id int(11) NOT NULL auto_increment, username varchar(64) NOT NULL default '', authdate timestamp NOT NULL, spi varchar(16) NOT NULL default '', mipkey varchar(400) NOT NULL default '', lifetime int(12) default NULL, PRIMARY KEY (id), KEY username (username), KEY spi (spi) ) ;
FreeRadius
After that, go back to your FreeRadius web interface, In SQL tab, enable the SQL support and change the following items.
Enable SQL Support –> Check
Enable SQL Authorization --> Enable
Enable SQL Accounting --> Enable
Enable SQL Session --> Enable
Enable SQL Post-Auth --> Enable
Server IP Address --> A.B.C.D
Database Password --> PASSWORDTEST
To test Freeradius work or not, follow the step in Freeradius doc (http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package)
Once you receiving the following msgrad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20
Check the 'radpostauth' table, if you find the record like this:
15 test test Access-Accept 2012-01-17 20:21:04
All right, your FreeRadius is now connecting to MySQL.
:) -
Hi Guys,
i have decided to see if I can replace another solution we using with a Pfsense Captive portal and a Psfense Radius solution. But, I follow the instructions on the Radius documentation, but the first hiccup I have is that i dont have the option to even install the package.
In pfsense 2.x go to System => Packages => Available Packages and click on the + behind freeradius2.
After Installation go to Services => FreeRADIUSAm I blind or is the package option just not on the 2.0.1 menu? :)
Regards,
Gigg
Hi Gigg,
freeradius2 package is available for i386 and amd64, pfsense 2.0 and 2.0.1. I could just try on server with a HDD. I used the .iso images and installed pfsense.
Not sure if this package is available (by default) for nanobsd and other system.@zlyzwy
Great to hear and to read this :D
I would like to implement this how-to (copy and paste) to my pfsense documentation - makeing a copyright to your name and linking to this post. Is that ok ? It is a very detailed how-to and I think it is exactly what we need :)Further I tested with Plain-MAC-Auth an CP. At first: It is working as it should and you have different possibilities:
1.) If you want to use Plain-MAC-Auth from pfSense GUI then you should do the following:
- Go to CP and enable "Enable RADIUS MAC authentication"
- Enter any shared secret you like in the field below. This is NOT the shared secret which is used for the communication between NAS(CP) and freeRADIUS.
- the "MAC address format" you do not need to change. The "correct" setting would be "11-22-33-44-55-66" but this is not important because freeradius converts all MAC addresses formats to this format.
- enter the mac address in freeradius "MACs" in this format: 11-22-33-aa-bb-33
Thats all. Browse the web and you will be connected. System Log and Portal Auth show this:
Systemlog:radiusd[33247]: Login OK: [00-04-23-5c-9d-19/blaaa] (from client pfsense port 2 cli 00-04-23-5c-9d-19)
Portal Auth:
logportalauth[14855]: MACHINE LOGIN: 00-04-23-5c-9d-19, 00:04:23:5c:9d:19, 192.168.0.88
2.) If you do NOT want to use Plain-MAC-Auth from pfsense GUI you can disable that.
- Go to pfsense GUI "Users" and add a user with username "00-04-23-5c-9d-19" - that is the MAC-address and as password choose the password from the CP (schared secret). In my case it was "blaaa".
CP is converting the MAC to the username field and adds the "shared secret" as the password field.
I will try to explain it a little bit more in detail and post it in my documentation - but now I will go out to dinner - it's my brothers birthday today :)
-
Updates pkg v1.5.3;
-
Added: Limit Bandwidth (WISPr-Bandwidth-Max-Down/WISPr-Bandwidth-Max-Up)
-
Modified: Rearranged options GUI for "users" a little bit
-
Fixed: Simultenous-Use isn't a "requiered" field anymore. If set to 1 and in CP "reauthenticate every minute" was checked it leads to a "multiconnect"/discoonect. Further if CP gets restarted and user wasn't disconnected before there is as well a "multiconnect"
-
Fixed: CP does not know ChilliSpot attribute so I choose "Acct-x-octets" in "reply-name"
-
Added: There are now the same CHECK-ITEMS and REPLY-ITEMS available for Plain-MAC-Auth as for 802.1X auth (users/macs)
-
Updated: pfsense documentation (Plain-MAC-Auth and Plain-MAC-Auth as 802.1X request with Captive Portal) and (Limit Bandwidth)
-
-
@zlyzwy
Great to hear and to read this
I would like to implement this how-to (copy and paste) to my pfsense documentation - makeing a copyright to your name and linking to this post. Is that ok ? It is a very detailed how-to and I think it is exactly what we needNo problem at all. I am glad it's helpful..:)
1.) If you want to use Plain-MAC-Auth from pfSense GUI then you should do the following:
- Go to CP and enable "Enable RADIUS MAC authentication"
- Enter any shared secret you like in the field below. This is NOT the shared secret which is used for the communication between NAS(CP) and freeRADIUS.
- the "MAC address format" you do not need to change. The "correct" setting would be "11-22-33-44-55-66" but this is not important because freeradius converts all MAC addresses formats to this format.
- enter the mac address in freeradius "MACs" in this format: 11-22-33-aa-bb-33
Thanks for your explanation.
I've got a bit confused about 'shared secret', as your explained there should have two 'shared secret'. The first one is for communication with client and CP. But what's the purpose for second one? Can I fill the same value as the first one? In fact I was thinking they should be same.
The MAC format I used is '00:11:22:33:44:55', but you mentioned it's not important then it should not be the problem.Anyway, I will give a try again with your procedures.
BTW: I can't see the v1.5.3 update pkg in 'installed packages'.
Update:
Now I can see the v1.5.3 pkg and it's great…I just tested with latest pkg,here comes some new questions>>
1. Plain-MAC-Auth
I followed your procedures, it doesn't work proerly. The error log isJan 18 19:59:40 radiusd[36524]: Login incorrect: [00-02-a5-4e-df-67] (from client CP port 210 cli 00-02-a5-4e-df-67)
I enable the PLAIN MAC AUTHORIZATION (FreeRadius–>Setting Tab), and it does solve the problem.
Jan 18 20:46:45 radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)
I don't know why but it's working anyway:)
2. Virtual machine in VMware MAC Auth
I have a small server running VMware workstation. The host computer is a windows 2003 server. It's running well until I enable the CP, I add the server's MAC to pass list and the server works as it should be,but not for the virtual server inside VM. I tired to put the VM's MAC to pass list. it's not working. I am receiving the following error from system log:Jan 18 20:46:45 radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67) Jan 18 20:46:45 radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67) Jan 18 20:46:45 radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order Jan 18 20:46:45 radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order
00-02-a5-4e-df-67 –> Host Computer
There is one strange thing, usually if my virtual server ask the outgoing traffic, there should have the log with MAC. So I can add that MAC to pass list. But I didn't see any log with that MAC.
I also tried to set "Number of simultaneous connections" to 10, no luck...BTW: there are two virtual servers running in VMwork, one is Debian and another is PFsense itself. I am not sure if it's the reason for this issue. I think this picture will show you my network better than words.
(http://www.gliffy.com/pubdoc/2737259/L.png)3. Maximum Download Bandwidth/Maximum Upload Bandwidth
I have a 20m/s ADSL at home. I tested with 800 bit/s and 800000bit/s. There should have a obvious difference. However they give the similar result here(around 20m/s).I am afraid I may put too many requests here.
Many thanks for your help! -
The shared secret you enter on CaptivePortal in section "Primary RADIUS server" is the password which is for communication between CP as NAS and the freeRADIUS server. This shared secret you have to enter and match the shared secret you enter in FreeRADIUS -> NAS/Clients
The shared secret you have to enter on chapter "RADIUS MAC authentication" is the user password. This is a little bit unclear on Captive Portal. This shared secret you have to enter in FreeRADIUS -> Users
pkg v.1.5.3 should be available now. When I am updating this post I pushed the changes on github but then we need to wait until some of the core teams is merging it. In general this takes not much time :-)
-
The shared secret you have to enter on chapter "RADIUS MAC authentication" is the user password. This is a little bit unclear on Captive Portal. This shared secret you have to enter in FreeRADIUS -> Users
I am sorry I can't understand this part. If it's really as you said, then all the users must use one password since there is only one shared secret in CP? Or we can only create one user?
-
The shared secret you have to enter on chapter "RADIUS MAC authentication" is the user password. This is a little bit unclear on Captive Portal. This shared secret you have to enter in FreeRADIUS -> Users
I am sorry I can't understand this part. If it's really as you said, then all the users must use one password since there is only one shared secret in CP? Or we can only create one user?
That's correct. All Users have the same password (shared secret).
But that's no problem. Think about that: The host should be authorized by its MAC address. Now we can only send the Calling-Station-ID to freeRADIUS server and then freeRADIUS must be able to handle ONLY Calling-Station-ID and authorize or block the user. But before I enabled Plain-MAC-Auth ability on freeRADIUS the RADIUS server only accepted 802.1X (username + password).
That's the reason why we are able to configure captive portal to send the MAC address as username and a password - that's our shared secret.So username(mac address) is different but password(shared secret) is always the same.
If you have questions, just ask. Perhaps I am just not able to explain it in a way to make it clear :D
-
Hi Guyd,
Can you tell me what version of pfsense you using. Mine does not have a packages option under systems and I cant load the radius option.
Thx
-
Hi Guyd,
Can you tell me what version of pfsense you using. Mine does not have a packages option under systems and I cant load the radius option.
Thx
pfsense 2.0.1 full install x64
pfsense 2.0.1 full install i386 -
Shared secret is used between radius server and device, which is using radius server. it's another layer of security. This has nothing todo with user passwords
-
Updates pkg v1.5.4:
-
Added: Checks if a function or a part of it needs to be run (when disabled from GUI). This should speed up the starting process of freeradius after reboot.
-
Fixed: Accidentally deleted certs in ../raddb/certs/ folder after reboot when using pfSense Cert-Manager - this break freeRADIUS start until clicking save in EAP again.
=== edit ===
- Fixed: call some functions after installation to initialize configuration files.
Shared secret is used between radius server and device, which is using radius server. it's another layer of security. This has nothing todo with user passwords
What you say is absolutly correct - in general.
Captive Portal is using the name "shared secret" on two places. In Primary RADIUS server it is used in the correct context.
In RADIUS MAC authentication it is not the correct context I would say. This is explained one line below:If this option is enabled, the captive portal will try to authenticate users by sending their MAC address as the username and the password entered below to the RADIUS server.
-
-
Updates pkg v1.5.4:
-
Added: Checks if a function or a part of it needs to be run (when disabled from GUI). This should speed up the starting process of freeradius after reboot.
-
Fixed: Accidentally deleted certs in ../raddb/certs/ folder after reboot when using pfSense Cert-Manager - this break freeRADIUS start until clicking save in EAP again.
Shared secret is used between radius server and device, which is using radius server. it's another layer of security. This has nothing todo with user passwords
What you say is absolutly correct - in general.
Captive Portal is using the name "shared secret" on two places. In Primary RADIUS server it is used in the correct context.
In RADIUS MAC authentication it is not the correct context I would say. This is explained one line below:If this option is enabled, the captive portal will try to authenticate users by sending their MAC address as the username and the password entered below to the RADIUS server.
Ok thank you for info
-
-
Hi guys,
Thanks for all your patents and detail explanation…
To be honest, I am still not 100% understand this part, but I will need some test on it.Can you take a look at the following questions?
Update:
Now I can see the v1.5.3 pkg and it's great…I just tested with latest pkg,here comes some new questions>>
1. Plain-MAC-Auth
I followed your procedures, it doesn't work proerly. The error log isJan 18 19:59:40 radiusd[36524]: Login incorrect: [00-02-a5-4e-df-67] (from client CP port 210 cli 00-02-a5-4e-df-67)
I enable the PLAIN MAC AUTHORIZATION (FreeRadius–>Setting Tab), and it does solve the problem.
Jan 18 20:46:45 radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)
I don't know why but it's working anyway:)
2. Virtual machine in VMware MAC Auth
I have a small server running VMware workstation. The host computer is a windows 2003 server. It's running well until I enable the CP, I add the server's MAC to pass list and the server works as it should be,but not for the virtual server inside VM. I tired to put the VM's MAC to pass list. it's not working. I am receiving the following error from system log:Jan 18 20:46:45 radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67) Jan 18 20:46:45 radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67) Jan 18 20:46:45 radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order Jan 18 20:46:45 radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order
00-02-a5-4e-df-67 –> Host Computer
There is one strange thing, usually if my virtual server ask the outgoing traffic, there should have the log with MAC. So I can add that MAC to pass list. But I didn't see any log with that MAC.
I also tried to set "Number of simultaneous connections" to 10, no luck...BTW: there are two virtual servers running in VMwork, one is Debian and another is PFsense itself. I am not sure if it's the reason for this issue. I think this picture will show you my network better than words.
(http://www.gliffy.com/pubdoc/2737259/L.png)3. Maximum Download Bandwidth/Maximum Upload Bandwidth
I have a 20m/s ADSL at home. I tested with 800 bit/s and 800000bit/s. There should have a obvious difference. However they give the similar result here(around 20m/s).I am afraid I may put too many requests here.
Many thanks for your help!Thanks in advance!
-
(…)
@NachtfalkeI just tested with latest pkg,here comes some new questions>>
1. Plain-MAC-Auth
I followed your procedures, it doesn't work proerly. The error log isJan 18 19:59:40 radiusd[36524]: Login incorrect: [00-02-a5-4e-df-67] (from client CP port 210 cli 00-02-a5-4e-df-67)
I enable the PLAIN MAC AUTHORIZATION (FreeRadius–>Setting Tab), and it does solve the problem.
Jan 18 20:46:45 radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67)
I don't know why but it's working anyway:)
First I am sorry. I didn't see that you updated your post ;-)
First it is good that Plain-MAC-Auth is working :)
Second:
Disable Plain-MAC-Auth and put this in "FreeRADIUS -> Users tab"
Username: 00-02-a5-4e-df-67
Password: (The shared secret from Captive Portal below the point "Enable MAC authorization)
Delete the entry in "FreeRADIUS -> MACs" with this MAC address: 00-02-a5-4e-df-67Then it should work.
2. Virtual machine in VMware MAC Auth
I have a small server running VMware workstation. The host computer is a windows 2003 server. It's running well until I enable the CP, I add the server's MAC to pass list and the server works as it should be,but not for the virtual server inside VM. I tired to put the VM's MAC to pass list. it's not working. I am receiving the following error from system log:Jan 18 20:46:45 radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67) Jan 18 20:46:45 radiusd[63046]: Login OK: [00-02-a5-4e-df-67] (from client CP port 45 cli 00-02-a5-4e-df-67) Jan 18 20:46:45 radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order Jan 18 20:46:45 radiusd[63046]: rlm_radutmp: Login entry for NAS CP port 45 wrong order
00-02-a5-4e-df-67 –> Host Computer
There is one strange thing, usually if my virtual server ask the outgoing traffic, there should have the log with MAC. So I can add that MAC to pass list. But I didn't see any log with that MAC.
I also tried to set "Number of simultaneous connections" to 10, no luck...BTW: there are two virtual servers running in VMwork, one is Debian and another is PFsense itself. I am not sure if it's the reason for this issue. I think this picture will show you my network better than words.
(http://www.gliffy.com/pubdoc/2737259/L.png)Uuuhh..hmm..I am out of ideas why this is happening. But to make it clear "rlm_radutmp" is containing all clients which are authorized. This is the file which checks for "Simultaneous-Use". You increased the "Simultaneous-Use" - that is what I had told you, too. Check again that there is not a double entry in "MACs" and "Users" with this MAC address: 00-02-a5-4e-df-67.
3. Maximum Download Bandwidth/Maximum Upload Bandwidth
I have a 20m/s ADSL at home. I tested with 800 bit/s and 800000bit/s. There should have a obvious difference. However they give the similar result here(around 20m/s).I read about this behaviour on some forum posts. It has something to do with that CP is only changing bandwidth for users which authenticate new. It doesn't change this for existing connections.
When I tested this at home I found out that you have to enable "Bandwidth Limits" on CP first. You can enter a value but if you set a setting on FreeRADIUS then the value of the CP will be overwritten (that's what we want). And then I am not sure if there is the same bug in this function as with "amount of traffic". The traffic which goes through CP is for example 1MB but accounting will tell RADIUS that there are 6MB. Not sure if this affects Bandwidth Limits in any way, too.
So I am sorry but I could not tell you where the problem for Bandwidth Limits is. Need to test this more and find out which checkboxes on CP I need to enable and which services needs to be restartet.I am afraid I may put too many requests here.
Many thanks for your help!Thats no problem - for me :-)
-
do You have any other materials about freeradius and AD without samba?
I cannot find anything else and trully I am tired of doing same thing again and again and don't have chance to get it working properly :/ -
do You have any other materials about freeradius and AD without samba?
I cannot find anything else and trully I am tired of doing same thing again and again and don't have chance to get it working properly :/I am sorry. I don't have any how-tos or tutorial and I do not have access to any AD :(
But correct me if I am wrong: You got it working with PAP ?
If yes, can you please write down what you have configured - I would like to add it to the pfsense docs so this could be a basis for someone else who wants to try this - or for further if freeradius adds better support for connecting to an AD.