Captive portal and Freeradius



  • Hi,
    I am using PfSense 2.0, I have CP enabled and am using freeradius, and "disable concurrent logins" is on. Now my question is: is there a way, if for any reason the server needs to be rebooted, for the users that have not expired to continue with the remainder of their session and keep using the internet until their session times out?

    Thanks



  • Hi,

    Are you running freeradius on pfsense or on a different server? If both are on different servers, which one restarts? And if you are running freeradius on pfsense, which version of freeradius do you run?



  • Hi,
    I am using freeradius2 (2.1.12) package on the same pfsense server.

    thanks



  • Ok, but I am not sure if I understand your problem. If pfsense restarts - this is only if you change something in pfsense which needs a radiusd restart - this is only for a few seconds.

    And if you restart pfsense…then the CaptivePortal and everything is down.

    Perhaps you could explain the problem a little bit more in detail and/or post a screenshot of your environment.



  • It is a small hotel, and users are given tickets to log in. Tickets have different time durations: 30 min, 1 hour, 1 day, 5 days. Once the user is logged in, there is no idle or hard timeout; the session is open as long as the freeradius session timeout (30 min, 1 hour, 1 day, 5 days) is active. Now, let's say I have a 5 day ticket, so my session is open for 5 days. On day 3 we have a power loss and the server reboots, and now I have to log in again. I want to prevent this second login.

    On my CP configuration under the freeradius part, I have it as follows:

    send RADIUS accounting packets [On]
    interim update [On]
    Reauthenticate connected users every minute [On]
    Use RADIUS Session-Timeout attributes [On]

    Hope it's clearer now.

    thanks again



  • Hi,
    Thanks for the explanation - now it is clear to me :-)

    But I do not know a solution for that. If the NAS - that is the CP in this case - reboots, then it loses all information about which user is/was logged in.

    Is there a reason why you need this?



  • Well, the reason is that the tickets only contain instructions on how to connect. The way they authenticate is with their room number and last name, and it then pushes the charge to their room via a script. Now if the server reboots, they are asked to log in again and then they get charged again, hence I just want their stalled session to continue counting. But I have yet to find out what the normal behavior is on a normal setup if the system reboots. For example, if I was using vouchers, would the same thing have happened?

    Thanks



  • Hi,

    If a NAS reboots then all sessions get disconnected. If a NAS is rebooting normally because the admin is rebooting the NAS, then the NAS sends an "accounting-off" packet to RADIUS to tell it that it is rebooting. FreeRADIUS then deletes the open sessions.

    If the NAS crashes, then after the reboot of the NAS there is an "accounting-off" followed by an "accounting-on" packet. So the NAS tells the RADIUS to delete all stalled sessions and then restarts accounting.

    CP isn't sending accounting-off packets at the moment - perhaps this will be fixed - but that's not really necessary for your environment, because if the NAS crashes then it loses everything, so it does not know who was connected and who was connected on which "port" and so on. I am pretty sure that there is no way around that.



  • For me, I think the best solution to your problem is to set up a Radius server and use a counter. Instead of specifying 5 days, you simply convert the 5 days to seconds: 5d x 24hrs x 60min x 60sec.

    The counter will keep on reducing time even if your server goes off; it will pick up where it left off - especially with re-auth every minute.



  • @mutheu:

    For me, I think the best solution to your problem is to set up a Radius server and use a counter. Instead of specifying 5 days, you simply convert the 5 days to seconds: 5d x 24hrs x 60min x 60sec.

    The counter will keep on reducing time even if your server goes off; it will pick up where it left off - especially with re-auth every minute.

    The time counter module only works on "accounting stop" packets. The time value in Accounting stop packets from CP is not correct in 2.0.1. Ermal did some changes on this (redmine) and perhaps it will be implemented in 2.1. But I am not up-to-date with this problem.

    But if the NAS or the server reboots - the user has to re-login - and that's the problem and not the "time management". That's the way I understand qbik's posts.
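
The accounting behaviour discussed in this thread, as an added sketch that is not part of any post and is not FreeRADIUS or pfSense code: a toy RADIUS-side table where an Accounting-On/Accounting-Off from a NAS closes all of its open sessions, and a re-login is granted only the ticket time not yet used. The class, method names and sample values are constructed; counting usage from Interim-Update records is an assumption of this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class Ticket:
    allotted: int   # seconds bought, e.g. 5 days = 5 * 24 * 60 * 60
    used: int = 0   # seconds consumed by sessions that are already closed
    open_sessions: dict = field(default_factory=dict)  # (nas, id) -> last Acct-Session-Time

class AccountingStore:
    """Hypothetical stand-in for the RADIUS server's accounting table."""

    def __init__(self):
        self.tickets = {}

    def add_ticket(self, user, seconds):
        self.tickets[user] = Ticket(allotted=seconds)

    def session_timeout(self, user):
        """Session-Timeout for the next Access-Accept; 0 means ticket used up."""
        t = self.tickets[user]
        in_progress = sum(t.open_sessions.values())
        return max(t.allotted - t.used - in_progress, 0)

    def accounting(self, status, nas, user=None, session_id=None, session_time=0):
        if status in ("Accounting-On", "Accounting-Off"):
            # The NAS (re)booted: close every session it had open and keep
            # the usage last reported by an Interim-Update.
            for t in self.tickets.values():
                for key in [k for k in t.open_sessions if k[0] == nas]:
                    t.used += t.open_sessions.pop(key)
            return
        t = self.tickets[user]
        key = (nas, session_id)
        if status == "Start":
            t.open_sessions[key] = 0
        elif status == "Interim-Update":
            t.open_sessions[key] = session_time
        elif status == "Stop":
            t.open_sessions.pop(key, None)
            t.used += session_time

def demo():
    """Constructed scenario: 5-day ticket, NAS loses power on day 3."""
    store = AccountingStore()
    store.add_ticket("room101", 5 * 24 * 60 * 60)
    first = store.session_timeout("room101")
    store.accounting("Start", "cp0", "room101", "s1")
    store.accounting("Interim-Update", "cp0", "room101", "s1", 3 * 24 * 60 * 60)
    store.accounting("Accounting-On", "cp0")   # sent by the NAS after the reboot
    second = store.session_timeout("room101")  # what the re-login receives
    return first, second
```

In this model the user still has to log in again after the reboot, as the thread says; the second login only receives the remaining two days instead of a fresh five.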

