Pfsense 2.0.1: Problem with 'Re-authenticate Every minute' + FreeRadius 2.1.12
-
My Setup:
--> FreeRADIUS: Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct 3 2011 at 21:39:42
--> Mysql: Server version: 5.1.51 Source distribution
--> Captive Portal: pfSense 2.0.1 release
My setup works fine, i.e., the user gets authenticated and uses the internet until 'session-timeout' (as supplied by the Radius server) is reached, then the user is kicked out.
Now, the problem comes if I turn on the "re-authenticate every minute" option. Basically, I would like to "add expenses" to the user when he accesses certain resources on the network or buys items like CDs. (basically implementing this idea: http://computing-tips.net/M0n0wall_Captive_Portal_Logout_URL/#onlinestore). When he has no more 'airtime' he is kicked out!
However, when this option is on, the user gets kicked out immediately with the message that he is already logged in:
Sending delayed reject for request 2
Sending Access-Reject of id 234 to 10.250.78.200 port 64881
Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"
What am I missing?
-
Simultaneous-Use must be off or needs a value equal to or higher than 2 when using "re-authenticate every minute" on the CP.
If you want to make sure that there is only one simultaneous connection, do this on the CP settings page or modify the way/attributes the CP sends the accounting packets to freeradius.
-
I use a product that I pay for called Radius Manager 4 from dmasoftlab.com … it uses freeradius2, however they modified it in some weird ways. Not that far from the original, I believe. Anyway, they say in their install guide:
Because pfSense uses reauthentication method to check the validity of the logged on account,
at least sim-use = 2 has to be set for every pfSense user in Radius Manager ACP / Edit user dialog.
Sim-use = 1 will result in immediate disconnection of the user when the first reauthentication packet
is sent to the RADIUS server (RADIUS server thinks the user is already online and doesn't give
permission for a new concurrent connection, which causes pfSense to close the active session of the
current user).
So ya, it would have to be set to 2.
-
The problem is not the re-authentication at all.
freeradius2 checks Simultaneous-Use using accounting packets. An accounting-on/start packet tells freeradius2 to put the user in the "/var/log/radutmp" file. An accounting-stop/off packet tells freeradius that the user logged off and freeradius deletes the user from "/var/log/radutmp".
To check who is already logged in just type "radwho" on the shell.
Read the following redmine entry, try to apply the patch and see if it helps you:
http://redmine.pfsense.org/issues/2164
@mutheu
I saw you posted on the freeradius mailing lists. The developer and maintainer Alan DeKok wrote that the problem is the attributes from the NAS and probably that the re-authentication time of one minute is too short and should be at least 10 min. I am far away from being a freeradius expert but I think the NAS/CP needs some fixes/improvements. But that's not so easy for me so it would help if some more users do some tests.
-
@all
Thank you for your input.
Indeed in my radcheck table, I have "Simultaneous-Use := 1", so I will try to set to 2 and see how it goes.
@Nachtfalke
I did post in the freeradius list as I didn't know whether I should troubleshoot from the Radius point of view or the NAS. Pfsense is excellent and I will definitely set up a test bed. I am currently overwhelmed by the interesting features it carries.
As I was thinking what to do, I noticed some user accounts were showing negative values (account balance). Then on checking the radacct table in mysql, I realized that mysql was being given duplicate entries (now is this by the NAS or freeradius?). In this example, the user "KALEMBA" is actively using internet.
316 23c77fca1abb4446 292ae1ead667f343 KALEMBA 10.250.78.200 18 Ethernet 2012-03-23 11:47:18 NULL 0 RADIUS 0 0 10.250.78.200 d0:df:9a:86:08:a5 Login-User 192.168.192.137 0 0
314 23c77fca1abb4446 292ae1ead667f343 KALEMBA 10.250.78.200 18 Ethernet 2012-03-23 11:46:18 2012-03-23 11:47:18 1754 RADIUS 31665377 323554601 10.250.78.200 d0:df:9a:86:08:a5 NAS-Request Login-User 192.168.192.137 0 0
312 23c77fca1abb4446 292ae1ead667f343 KALEMBA 10.250.78.200 18 Ethernet 2012-03-23 11:45:18 2012-03-23 11:47:18 1754 RADIUS 31665377 323554601 10.250.78.200 d0:df:9a:86:08:a5 NAS-Request Login-User 192.168.192.137 0 0
298 23c77fca1abb4446 292ae1ead667f343 KALEMBA 10.250.78.200 18 Ethernet 2012-03-23 11:38:16 2012-03-23 11:47:18 1754 RADIUS 31665377 323554601 10.250.78.200 d0:df:9a:86:08:a5 NAS-Request Login-User 192.168.192.137 0 0
310 23c77fca1abb4446 292ae1ead667f343 KALEMBA 10.250.78.200 18 Ethernet 2012-03-23 11:44:18 2012-03-23 11:47:18 1754 RADIUS 31665377 323554601 10.250.78.200 d0:df:9a:86:08:a5 NAS-Request Login-User 192.168.192.137 0 0
300 23c77fca1abb4446 292ae1ead667f343 KALEMBA 10.250.78.200 18 Ethernet 2012-03-23 11:39:17 2012-03-23 11:47:18 1754 RADIUS 31665377 323554601 10.250.78.200 d0:df:9a:86:08:a5 NAS-Request Login-User 192.168.192.137 0 0
308 23c77fca1abb4446 292ae1ead667f343 KALEMBA 10.250.78.200 18 Ethernet 2012-03-23 11:43:17 2012-03-23 11:47:18 1754 RADIUS 31665377 323554601 10.250.78.200 d0:df:9a:86:08:a5 NAS-Request Login-User 192.168.192.137 0 0
304 23c77fca1abb4446 292ae1ead667f343 KALEMBA 10.250.78.200 18 Ethernet 2012-03-23 11:41:17 2012-03-23 11:47:18 1754 RADIUS 31665377 323554601 10.250.78.200 d0:df:9a:86:08:a5 NAS-Request Login-User 192.168.192.137 0 0
306 23c77fca1abb4446 292ae1ead667f343 KALEMBA 10.250.78.200 18 Ethernet 2012-03-23 11:42:17 2012-03-23 11:47:18 1754 RADIUS 31665377 323554601 10.250.78.200 d0:df:9a:86:08:a5 NAS-Request Login-User 192.168.192.137 0 0
302 23c77fca1abb4446 292ae1ead667f343 KALEMBA 10.250.78.200 18 Ethernet 2012-03-23 11:40:17 2012-03-23 11:47:18 1754 RADIUS 31665377 323554601 10.250.78.200 d0:df:9a:86:08:a5 NAS-Request Login-User 192.168.192.137 0 0
I'm currently pruning the duplicates by crond.
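An added example (not code from the thread, pfSense or FreeRADIUS) that rebuilds the radacct rows above in an in-memory SQLite table, runs the open-session count that drives the Simultaneous-Use decision discussed earlier in the thread, and prunes duplicate closed rows the way a cron job might. The column names are assumed from the standard FreeRADIUS 2.x radacct schema; the rows are constructed from the dump.

```python
import sqlite3

# Constructed from the poster's dump: one open session (NULL stop time) plus
# closed rows that share the same acctsessionid/acctuniqueid and stop time.
# Columns assumed: radacctid, acctsessionid, acctuniqueid, username,
# acctstarttime, acctstoptime, acctsessiontime.
ROWS = [
    (316, "23c77fca1abb4446", "292ae1ead667f343", "KALEMBA", "2012-03-23 11:47:18", None, 0),
    (314, "23c77fca1abb4446", "292ae1ead667f343", "KALEMBA", "2012-03-23 11:46:18", "2012-03-23 11:47:18", 1754),
    (312, "23c77fca1abb4446", "292ae1ead667f343", "KALEMBA", "2012-03-23 11:45:18", "2012-03-23 11:47:18", 1754),
    (298, "23c77fca1abb4446", "292ae1ead667f343", "KALEMBA", "2012-03-23 11:38:16", "2012-03-23 11:47:18", 1754),
]


def build_db():
    """In-memory stand-in for the MySQL radacct table."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY,
        acctsessionid TEXT, acctuniqueid TEXT, username TEXT,
        acctstarttime TEXT, acctstoptime TEXT, acctsessiontime INTEGER)""")
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?,?)", ROWS)
    return db


def open_sessions(db, username):
    """Count sessions with no stop time: the same shape as the simul_count
    query rlm_sql uses to enforce Simultaneous-Use."""
    return db.execute("SELECT COUNT(*) FROM radacct WHERE username = ? "
                      "AND acctstoptime IS NULL", (username,)).fetchone()[0]


def reauth_allowed(db, username, simultaneous_use):
    """The re-auth Access-Request arrives while the session is still open, so
    Simultaneous-Use := 1 rejects it; 2 (as advised in the thread) passes."""
    return open_sessions(db, username) < simultaneous_use


def prune_duplicates(db):
    """One possible cron pruning rule (assumed, not the poster's): among closed
    rows, keep the earliest row per (username, acctsessionid, acctuniqueid)
    and delete the rest, so session time is not billed several times.
    Open rows are left alone. Returns the number of rows removed."""
    cur = db.execute("""DELETE FROM radacct WHERE acctstoptime IS NOT NULL
        AND radacctid NOT IN (SELECT MIN(radacctid) FROM radacct
            WHERE acctstoptime IS NOT NULL
            GROUP BY username, acctsessionid, acctuniqueid)""")
    db.commit()
    return cur.rowcount


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
```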
-
It's probably because of the NAS. The NAS must always send the same Acct-Session-ID and so on. If any of this changes, then for freeradius this is a new user.
Go to freeradius -> settings and disable "Acct_unique". Perhaps this will help you. I added this as a "workaround".
-
Thank you for your quick response.
But I use external Freeradius server. Will this have any effect?
-
Thank you for your quick response.
But I use external Freeradius server. Will this have any effect?
Aahh, I am sorry. I was talking about the pfsense freeradius2 package. But this confirms that it is a NAS problem and not a freeradius2 problem, because the effect is the same with the CP and the freeradius2 package from pfsense :-)
edit:
../raddb/sites-available/default
Go to the "preacct" section and comment out "acct_unique". Then try again.