NEW Package: freeRADIUS 2.x

Nachtfalke

I'm trying to use the "Amount of Download Traffic" under the Users Tab to limit users to 2.5GB/week, but for the life of me I can't figure out how to express that to freeRADIUS using the GUI/freeRADIUS/Users/Traffic and Bandwidth entry field?

After entering any number in the "billions" range, immediately when a user attempts logon freeRADIUS reports that "Your maximum daily usage time has been reached" even though the user has never logged on before. The most download traffic I seem to be able to reach is about 50MB. Users can download unlimited data if the field is empty. Is there a limit to the size number that can be used for "amount of download traffic"?

Any help is much appreciated…

Hi Sailorsknot,

there shouldn't be any limit when using freeradius2 and Captive Portal.
The unit for "Amount of download/upload" is bytes. So 2.5GB = 2500000000Byte. With the CP bug you must increase this value multiplied with 6 => 2500000000Byte x 6 = 15.000.000.000Byte

You must disable "Acct_unique" in FreeRADIUS => Settings.

To make sure that all old entries are deleted stop freeradius2 service, delete the "db." files:

rm /usr/local/etc/raddb/db.*

Then restart freeradius2 and try again.

This should work.

http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Accounting_with_Captive_Portal

Sailorsknot

Thanks so much for the quick reply! :D

I stopped freeRadius and deleted the db files and restarted freeRADIUS. I created a new user (test11) and specified 15000000000 for "daily" download limit.

Fails when I try to logon:

Feb 11 18:33:14 logportalauth[3069]: FAILURE: test11, 00:22:43:60:ed:ca, 10.10.10.206, Your maximum daily usage time has been reached

any idea? (again, thanks for helping!!)

Nachtfalke

@Sailorsknot:

Thanks so much for the quick reply! :D

I stopped freeRadius and deleted the db files and restarted freeRADIUS. I created a new user (test11) and specified 15000000000 for "daily" download limit.

Fails when I try to logon:

Feb 11 18:33:14 logportalauth[3069]: FAILURE: test11, 00:22:43:60:ed:ca, 10.10.10.206, Your maximum daily usage time has been reached

any idea? (again, thanks for helping!!)

please show "users" file.
FreeRADIUS => View Config

Sailorsknot

/usr/local/etc/raddb/users

"siteno20" Cleartext-Password := "pquiip", Max-Weekly-Output := 2684354560

"siteno54" Cleartext-Password := "ugekwc", Max-Weekly-Output := 2684354560

"test11" Cleartext-Password := "test11", Max-Daily-Output := 15000000000

Sailorsknot

some poking around… seems the largest number that can be entered in GUI field "Amount of Download Traffic" is : 999999999. If the CP calculates 6 times (divided) then the maximum download can only be: 166MB? I seem to only be able to get to ~60MB.

Do you think it has something to do with this?

http://wiki.freeradius.org/FAQ#Why+do+Acct-Input-Octets+and+Acct-Output-Octets+wrap+at+4+GB%3F

Thanks, I appreciate the help…

Nachtfalke

Updates pkg v1.6.3:

Improved/changed: mobile-one-time-password. mOTP is now running as a freeradius2 module. All attributes (Expiration, bandwidth, VLAN, pp.) can now be used with it. Auth-Type is now "motp" and not always "Accept". So the new module decides if there is access or not and we do not have strange syslog outputs "Login: OK but Access denied".
Updated: freeradius 2.x package documentation

Known bugs:

When using "stop/start accounting on CP then "Amount of Time" isn't working correctly.
http://redmine.pfsense.org/issues/2164
When using CP + RADIUS + Vouchers and "reauthenticate every minute" is enabled then CP sends the voucher as username to RADIUS. This causes RADIUS to disconnect the "user/voucher" because of an unknown/wrong "username".
http://redmine.pfsense.org/issues/2155
When stop/start accounting on CP is enabled than the syslog shows many "wrong order" or "Login found bot no logout detected". This seems to not affect the usage of RADIUS but it is not 100% correct.
http://redmine.pfsense.org/issues/2143

=================================================================

@Sailorsknot:

some poking around… seems the largest number that can be entered in GUI field "Amount of Download Traffic" is : 999999999. If the CP calculates 6 times (divided) then the maximum download can only be: 166MB? I seem to only be able to get to ~60MB.

Do you think it has something to do with this?

http://wiki.freeradius.org/FAQ#Why+do+Acct-Input-Octets+and+Acct-Output-Octets+wrap+at+4+GB%3F

Thanks, I appreciate the help…

Hi again,
thanks for testing this!
The link you posted is - why I said - "In general there should be no limit with freeradius2 and Captive Portal. CP and freeradius2 can work with "gigawords"

There is a bug in CP which calculates other traffic volume than it should be. Many posts in the forum say that the real traffic multiplied with a factor of 6 is the traffic that CP counts.

GUI problems:
I need to check how many digits the GUI allows and perhaps if it makes sense to change from "bytes/s to MBytes/s).

I am not at home this weekend so I do not have all my "equipment" with me. I'll try to do some more tests with "Amount of traffic".

Sailorsknot

Again, many thanks!!

Nachtfalke

@Sailorsknot:

Again, many thanks!!

I think I could fix the problem. The "Disable Acct_Unique" option didn't work.
So please try again with new username.

I have a 100MB download running….but it is really slow because of my slow internet connection ;-)

----- EDIT -----
DAMN!
Seems to be the same "problem/bug" as here:
http://redmine.pfsense.org/issues/2164

But I am too tiered now and have to less time to test this more in detail today. Feedback would be appreciated… >:(

Sailorsknot

reinstalled package, created new user.. with Amount of Download Traffic :999999999 /daily no joy… ended at ~60MB... (sigh...)

valshare

Hi Nachfalke,

thanx for the update. I have installed the latest Radius Package and get the follow error:


/usr/local/etc/raddb/sites-enabled/default[301]: Failed to load module "motp".
/usr/local/etc/raddb/sites-enabled/default[301]: Failed to parse "motp" entry.

Radius service didn´t start anymore.

Are there missing anything?

Regards, Valle

marcelloc

@marcelloc:

@Cino:

Can't wait for FreeBSD9 snapshots but I have a feeling a lot of the packages i'm using wont be able to install :-(

good feeling :D

I`ll need to learn how to build pbi packages for pfsense.

2.1 will be based on freebsd 8.3

http://forum.pfsense.org/index.php/topic,46157.msg241830.html#msg241830

Nachtfalke

@valshare:

Hi Nachfalke,

thanx for the update. I have installed the latest Radius Package and get the follow error:
/usr/local/etc/raddb/sites-enabled/default[301]: Failed to load module "motp".
/usr/local/etc/raddb/sites-enabled/default[301]: Failed to parse "motp" entry.
Radius service didn´t start anymore.

Are there missing anything?

Regards, Valle

Did a fresh install of freeradius2 on a fresh pfsense without problems:
Server is running with motp off
server is running with motp on (downloaded bash)
server is running with motp user created
server is running after deactivating "motp" in Settings.

Jan 13 07:47:19 	radiusd[6352]: Ready to process requests.
Jan 13 07:47:19 	radiusd[5765]: Loaded virtual server <default>
Jan 13 07:47:17 	radiusd[27310]: Exiting normally.
Jan 13 07:47:17 	radiusd[27310]: Signalled to terminate
Jan 13 07:47:17 	php: /pkg_edit.php: FreeRADIUS: Uninstalling package "bash-4.1.7" which comes with Mobile-One-Time-Password (motp).
Jan 13 07:47:17 	check_reload_status: Syncing firewall
Jan 13 07:46:47 	radiusd[27310]: Ready to process requests.
Jan 13 07:46:47 	radiusd[27239]: Loaded virtual server <default>
Jan 13 07:46:45 	radiusd[3884]: Exiting normally.
Jan 13 07:46:45 	radiusd[3884]: Signalled to terminate
Jan 13 07:46:45 	check_reload_status: Syncing firewall
Jan 13 07:45:49 	sshd[41626]: Accepted keyboard-interactive/pam for admin from 192.168.17.1 port 59669 ssh2
Jan 13 07:44:42 	radiusd[3884]: Ready to process requests.
Jan 13 07:44:42 	radiusd[2552]: Loaded virtual server <default>
Jan 13 07:44:40 	radiusd[8880]: Exiting normally.
Jan 13 07:44:40 	radiusd[8880]: Signalled to terminate
Jan 13 07:44:37 	php: /pkg_edit.php: FreeRADIUS: Downloading and installing package "bash-4.1.7" to use Mobile-One-Time-Password (motp).
Jan 13 07:44:37 	check_reload_status: Syncing firewall
Jan 13 07:44:23 	radiusd[8880]: Ready to process requests.
Jan 13 07:44:23 	radiusd[8778]: Loaded virtual server <default>
Jan 13 07:44:13 	check_reload_status: Syncing firewall
Jan 13 07:44:13 	check_reload_status: Reloading filter
Jan 13 07:44:12 	check_reload_status: Syncing firewall
Jan 13 07:44:12 	radiusd[52258]: The server is not configured to listen on any ports. Cannot start.
Jan 13 07:44:12 	radiusd[52258]: The server is not configured to listen on any ports. Cannot start.
Jan 13 07:44:12 	radiusd[52161]: Loaded virtual server <default>
Jan 13 07:44:10 	radiusd[49566]: The server is not configured to listen on any ports. Cannot start.
Jan 13 07:44:10 	radiusd[49566]: The server is not configured to listen on any ports. Cannot start.
Jan 13 07:44:10 	radiusd[49532]: Loaded virtual server <default>
Jan 13 07:43:51 	php: /pkg_mgr_install.php: FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/files.backup
Jan 13 07:43:51 	php: /pkg_mgr_install.php: FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/policy.conf.backup</default></default></default></default></default></default>

There were some major changes in motp handling. Try to run this from "Diagnostics -> Command Prompt -> PHP execute"


require_once("freeradius.inc");
freeradius_dictionary_resync();
freeradius_modulesmotp_resync();
freeradius_users_resync();

Or disable motp, save, enable it again, save, edit one "user" and just click save without any changes because syntax in "users" file changed.

There were changes in:


Attributes added in:
/usr/local/etc/raddb/dictionary

New module created:
/usr/local/etc/raddb/modules/motp

Auth-Type motp added in:
/usr/local/etc/raddb/sites-available/default

Users file
/usr/local/etc/raddb/users

Nachtfalke

Updates pkg v1.6.4:

Added: mOTP: Custom options for password lifetime, Number of password attemtps, more syslog output

Known bugs:

When using "stop/start accounting on CP then "Amount of Time/Amount of Traffic" isn't working correctly.
http://redmine.pfsense.org/issues/2164
WORKAROUND: Do not use start/stop accounting - use only "interim update". Disadvantage: Counter only increases if a user gets disconnected. (Hard/Idle Timeout)
When using CP + RADIUS + Vouchers and "reauthenticate every minute" is enabled then CP sends the voucher as username to RADIUS. This causes RADIUS to disconnect the "user/voucher" because of an unknown/wrong "username".
http://redmine.pfsense.org/issues/2155
When stop/start accounting on CP is enabled than the syslog shows many "wrong order" or "Login found bot no logout detected". This seems to not affect the usage of RADIUS but it is not 100% correct.
http://redmine.pfsense.org/issues/2143

Sailorsknot

Known bugs:

When using "stop/start accounting on CP then "Amount of Time/Amount of Traffic" isn't working correctly.
http://redmine.pfsense.org/issues/2164
WORKAROUND: Do not use start/stop accounting - use only "interim update". Disadvantage: Counter only increases if a user gets disconnected. (Hard/Idle Timeout)

I Updated to latest package and changed accounting to "interim update". Created new user, and entered "999999999" in the "Amount of Download Traffic" field on new user GUI (any number greater immediately locks out user).

I tested by downloading 20MB test files and then disconnecting user from captive portal GUI after each download.

The total maximum traffic that could be downloaded ~160MB

So (currently) if you want to use "Amount of Download Traffic" user will only be able to download ~160/day, week, etc…

Nachtfalke, Again, thanks for your hard work... I'll keep testing as you make mods...

Nachtfalke

@Sailorsknot:

Known bugs:

When using "stop/start accounting on CP then "Amount of Time/Amount of Traffic" isn't working correctly.
http://redmine.pfsense.org/issues/2164
WORKAROUND: Do not use start/stop accounting - use only "interim update". Disadvantage: Counter only increases if a user gets disconnected. (Hard/Idle Timeout)

I Updated to latest package and changed accounting to "interim update". Created new user, and entered "999999999" in the "Amount of Download Traffic" field on new user GUI (any number greater immediately locks out user).

I tested by downloading 20MB test files and then disconnecting user from captive portal GUI after each download.

The total maximum traffic that could be downloaded ~160MB

So (currently) if you want to use "Amount of Download Traffic" user will only be able to download ~160/day, week, etc…

Nachtfalke, Again, thanks for your hard work... I'll keep testing as you make mods...

As far as I understand this it is not possible to create a data counter which resets (daily, weekly, monthly), just one with "forever".
In this mails they are talking about that "problem".
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49267.html
Perhaps you can have a look at that, try with reset=forever and perhaps try with a limit less than 4GB. If this is working we can slowly change the one or the other parameter.

zobber

@pszafer:

okay, I'm finally happier :)
I've got working freeradius + winbindd + ntlm_auth with Active Directory with MSCHAP v2

now I will remove from samba package as much as I can and then I would like to share my work with you.
I hope you will guide me if I should give you files or somehow make package etc.

hello pszafer.

i'm trying to set up freeradius with ldap and mschap v2. with pap it is no problem, but i would never send plain passwords. are you ready to share your work with us?

qbik

Hi,
I am glad there is finally a good package for this. I had done this before by custom package building on FreeBSD with VMWare and then installing on PFsense, no GUI. I am using it on a hotel right now with 1000 rooms. I would like to contribute and share my work to contribute to a robust solution with MySQL integrated. There are a couple of things that I've came across and want to fix are the following:
-Implement Freeradius with sqlippool or better manage DHCP leases
-If user is authenticated for 1 day and server reboots, he has to authenticate again ( I want accounting to continue where it left off)
-Better Voucher/User GUI and printing options.

I'l be glad to share my work and help where I can.

Regards

Nachtfalke

@qbik:

Hi,
I am glad there is finally a good package for this. I had done this before by custom package building on FreeBSD with VMWare and then installing on PFsense, no GUI. I am using it on a hotel right now with 1000 rooms. I would like to contribute and share my work to contribute to a robust solution with MySQL integrated.

You are welcome!

@qbik:

There are a couple of things that I've came across and want to fix are the following:
-Implement Freeradius with sqlippool or better manage DHCP leases

I do not have much experience with *SQL databases. The basic support to connect to an *SQL database is ready and working. But you are right. I didn't take a look at sqlippool and of course if there will be GUI support for creating a custom SQL query would be really nice.
I thought of to hardcode the main part of a counter (daily, weekly,time, data) in the sqlcounter.conf and from GUI everybody can add the queries he likes.

@qbik:

-If user is authenticated for 1 day and server reboots, he has to authenticate again ( I want accounting to continue where it left off)

I don't think there is any way around - if freeradius or the NAS reboots the user has to reauthenticate. If the NAS sends "interim updates" or "start/stop" accounting updates then there will be no big accounting loss when server reboots/crashes. To get high availability you need to use more than one RADIUS server and more than one database (freeradius2 package can do failover/loadbalancing for LDAP or *SQL).
So I would be interested in what we can do on this point.

@qbik:

-Better Voucher/User GUI and printing options.

You have to explain that more in detail.

@qbik:

I'l be glad to share my work and help where I can.

Regards

As I said above - if you have any SQL ideas or something developed (sqlcounter, sqlippool, DOCUMENTATION :D ) then I really would appreciate to implement your work! :)

zlyzwy

When I upgrade to latest version, it gives me the following error..

Beginning package installation for freeradius2…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading freeradius2 and its dependencies...
Checking for package installation...
Downloading http://e-sac.siteseguro.ws/packages/8/All/freeradius-2.1.12.tbz ... could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/freeradius-2.1.12.tbz.
of freeradius-2.1.12 failed!

Installation aborted.Backing up libraries...
Removing package...
Starting package deletion for freeradius-2.1.12...done.
Starting package deletion for openldap-sasl-client-2.4.26...done.
Removing freeradius2 components...
Tabs items... done.
Menu items... done.
Services... done.
Loading package instructions...
Include file freeradius.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.

Installation halted.

marcelloc

The server is up and the file is there.

Are you blocking traffic to brazil on your pfsense?