Simultaneous-Use CP??



  • I’m trying to follow the tips on this page http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Plain_MAC_Auth_besides_802.1X

    First off I’m searching for “Simultaneous-Use must be set to a value from at least 2” leave empty in free radius.
    I can’t find it in CP.  Using PF2.0.1
    I have tried this Mac auth both ways and neither work.
    If I set the value “Pass-through credits allowed per MAC address” to 2 I can get through a router with 2 laptops connected to a router wan to pf lan. But the CP status shows

    IP address 	MAC address 	            Username 	                 Session start 	
    192.168.1.100 	00:23:69:fb:79:33  	unauthenticated  	04/16/2012 12:10:24
    

    With the above blank I do not get authenticated

    And I have to set a speed in CP "Per-user bandwidth restriction"
    When the page above says to leave it blank or a 0.



  • Hi,

    I think you mixed up different things. I hope I could make it clear 🙂

    1.) Simultaneous-Use
    To check for simultaneous connections there are two possibilities when using freeradius and CP. You can enable “Disable concurrent logins” on CP page. Then the CP itself checks for simultaneous connections.

    The other possibility is to use “Simultaneous-Use” on freeradius. This ONLY works if you have accounting enabled. If you set it to “1” then only one connection per time is allowed. If you leave it empty, unlimited connections are allowed.

    BUT if you use the “re-authenticate every minute” on CP then you have to leave the “Simultaneous-use” check empty or set it to 2 or higher. This is because of the way CP sends the re-authentication packets/attributes.

    2.) MAC based authentication and CP:
    Captive Portal isn’t using a real “Plain Mac-Auth”. CP is doing 802.1X auth BUT it uses the MAC address as username and the “shared-secret” you entered on CP. So every authentication has the same shared secret but the username changes because it is the MAC address.
    So in freeradius you have to enter the MAC address in “Users” as username and the shared secret as password.

    In freeradius -> settings there is a setting “Enable Plain MAC-Auth”. You do NOT need this when using with CP and it will NOT work with CP.

    3.) Bandwidth restrictions:
    If you set a value on CP then all users which authenticate through the CP will have this bandwidth limit. If you like to set individual bandwidth limits then set any value or “0” on CP because this value will be overwritten by freeradius. So you have to set the limit on freeradius under “Users” tab.

    PS: Bandwidth limit is not 100% sure to work - test it. If it doesn’t work it is a problem of CP.



  • Hey Thanks for taking time to explain that.
    After getting confirmation on all of the above I pulled a Sherlock Holmes and found that using 127.0.0.1 as the ip of the radius server does not work. I had to all the LAN adapter IP there instead.
    Now she’s ticking away and working.
    The user speed limit seems to work. Set it to 256K up down and a speed test verified that.
    Now I’ll test the usage daily and hope monthly works. I read about a 6 meg counter bug does that still apply with the 2.0.1 version?

    I also need to know how it regulates speed as compared to the traffic shaper.

    I tested the shaper once regulating speed . All it does is drop packets , making the end user take longer to download . In the end wan usage from the ISP almost doubled in the 2 months I tested this.

    Does CP do the same?

    Also if I have a static route 3rd nic going off to different servers will CP limit speed to this lan as well?
    Thanks
    Allan



  • @Alan87i:

    Hey Thanks for taking time to explain that.
    After getting confirmation on all of the above I pulled a Sherlock Holmes and found that using 127.0.0.1 as the ip of the radius server does not work. I had to all the LAN adapter IP there instead.
    Now she’s ticking away and working.

    If you use  *  as interface IP then radius is listening on all interfaces. Probably the easiest one for testing.

    @Alan87i:

    The user speed limit seems to work. Set it to 256K up down and a speed test verified that.

    Do you mean the limit set on CP only or do you mean the override freeradius does ?

    @Alan87i:

    Now I’ll test the usage daily and hope monthly works. I read about a 6 meg counter bug does that still apply with the 2.0.1 version?

    This bug is still present on 2.0.1 but as far as I know it is fixed in 2.1. There was a ticket open on redmine which was closed.
    When trying to limit the amount of traffic please read the freeradius2 documentation carefully - about accounting updates and so on, and read the “KNOWN BUGS” to make sure you know what is going on 🙂

    @Alan87i:

    I also need to know how it regulates speed as compared to the traffic shaper.

    I tested the shaper once regulating speed . All it does is drop packets , making the end user take longer to download . In the end wan usage from the ISP almost doubled in the 2 months I tested this.

    Does CP do the same?

    Don’t know anything about that.

    @Alan87i:

    Also if I have a static route 3rd nic going off to different servers will CP limit speed to this lan as well?
    Thanks
    Allan

    All users which use the CP as authentication will be affected by the limits - no matter which destination their traffic has. But you can add a “Pass-through IP address” on CP. So you are able to bypass the CP for specific destination IPs.



  • Do you mean the limit set on CP only or do you mean the override freeradius does ?

    The freeradius limiter for the user mac seems to work great.

    This bug is still present on 2.0.1 but as far as I know it is fixed in 2.1. There was a ticket open on redmine which was closed.
    When trying to limit the amount of traffic please read the freeradius2 documentation carefully - about accounting updates and so on, and read the “KNOWN BUGS” to make sure you know what is going on 🙂

    I’m testing the daily limit set in freeradius2 right now I set 1000MB and will download some files from an HFS server through the WAN.

    All users which use the CP as authentication will be affected by the limits - no matter which destination their traffic has. But you can add a “Pass-through IP address” on CP. So you are able to bypass the CP for specific destination IPs.

    Thanks I tried that and it does work SUPER



  • Auth log when the user has a set usage limit in radius

    Apr 16 19:44:27 	logportalauth[40065]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
    Apr 16 20:45:17 	logportalauth[27313]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
    Apr 16 20:47:25 	logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
    Apr 16 21:48:07 	logportalauth[49897]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
    Apr 16 21:49:03 	logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
    

    Using interim update  in CP because from reading start stop has a bug. Seems as though this one does too.



  • @Alan87i:

    Auth log when the user has a set usage limit in radius

    Apr 16 19:44:27 	logportalauth[40065]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
    Apr 16 20:45:17 	logportalauth[27313]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
    Apr 16 20:47:25 	logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
    Apr 16 21:48:07 	logportalauth[49897]: TIMEOUT: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
    Apr 16 21:49:03 	logportalauth[39722]: MACHINE LOGIN: 00-23-69-fb-79-33, 00:23:69:fb:79:33, 192.168.1.100
    

    Using interim update  in CP because from reading start stop has a bug. Seems as though this one does too.

    The “bug” I mentioned above is that it counts traffic wrong but in general it is working. What your log means - I don’t know. It is related to CP or in other words it is a CP log and not a freeradius log.
    Did you read the documentation of freeradius about “acct_unique” ? Probably disable acct_unique
    Did you set any idle/hard timeout on CP which causes this problem ? disable or set the timeouts high enough for testing
    Did you set re-authenticate every minute on CP ? you need this so that freeradius can reject access if the limit is reached

    Can the user get access or does it timeout when accounting and usage limit is enabled ?



  • Did you read the documentation of freeradius about “acct_unique” ? Probably disable acct_unique

    Yes it has been disabled the whole time.

    Did you set any idle/hard timeout on CP which causes this problem ? disable or set the timeouts high enough for testing

    Hard time out was at 60 , I took it out and added 120 to idle timeout.

    Did you set re-authenticate every minute on CP ? you need this so that freeradius can reject access if the limit is reached

    Yes this is checked also.

    I set it back to start stop updates.
    Deleted the user and created a new one. With limit in the account set to 500 MB then downloaded a 700 mb file. The user is still connected.

    Found this issue http://redmine.pfsense.org/issues/2164  Not sure how to apply a patch.



  • Are you running pfsense on embedded or nanobsd ?

    Check if these folders and files exist:

    
    /var/log/radacct/datacounter/
    /var/log/radacct/timecounter/
    /usr/local/etc/raddb/scripts/datacounter_acct.sh
    
    

    If not, reinstall freeradius2 package please.

    The redmine ticket you found is for time-based accounting. I opened that ticket in the past 😉
    Datacounter is working - with the known bug that CP sends 6 times more MB than used in reality.



  • Yes all the files exist .
    I have opened the daily data file and in bytes it had the number that matched the MB limit I set for the user 505 MB When in fact I downloaded close to 2.5 GB off my server. And it’s not a server I set in the allowed IP field. I thought that might stop the counter from working.



  • You could stop radiusd process from GUI.
    connect with SSH to your pfsense and run radius in debug mode. type:

    radiusd -X
    

    You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes transferred.



  • @Nachtfalke:

    You could stop radiusd process from GUI.
    connect with SSH to your pfsense and run radius in debug mode. type:

    radiusd -X
    

    You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes transferred.

    Ok I see it says Cat/var/log/radacct/daily/max-octets-bunch of numbers  No such file or directory

    same for used octets



  • Could it be some permissions problem? The files seem to be there .

    EDIT
    From the debug ssh window
    the max and used octets-00X23X69XfbX79X33
    That file as you can see from the screen shot does not exist.

    max-octets-00-23-69-fb-79-33

    max-octets-00:23:69:fb:79:33

    Edit again !!
    I went ahead and tried editing the files replacing the - with X’s and voila
    I see this in the log file

    Apr 17 10:13:38 	admin: FreeRADIUS: Credentials are probably correct but the user 00X23X69XfbX79X33 has reached the daily Amount of Upload and Download Traffic which is 0 MB! The user was rejected!!!
    

    So I put " 1048576000 " into the modified file and was able to log back in just fine .




  • I updated freeradius2 package to replace the "  :  " with "  X  ".
    Try if this helps. Perhaps try and test with a username and password like “John” and “mypass” if this in general works for you.



  • I want to run this with mac auth like I’ve been testing.

    What would cause my system to put : for the file name and freeradius to look for the X .
    Creating the files with an X didn’t work , perhaps the new files don’t have correct permissions ?



  • radiusd -X
    

    Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)

    Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default

    +- entering group post-auth {...}
    cat: /var/log/radacct/datacounter/daily/max-octets-00X23X69XfbX79X33: No such file or directory
    cat: /var/log/radacct/datacounter/daily/used-octets-00X23X69XfbX79X33: No such file or directory
    Exec-Program output:
    Exec-Program: returned: 0
    ++[exec] returns ok
    Sending Access-Accept of id 198 to 192.168.1.1 port 36700
            WISPr-Bandwidth-Max-Up := 262144
            WISPr-Bandwidth-Max-Down := 8192000
            Session-Timeout = 53872310
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 198 with timestamp +19
    Ready to process requests.

    I killed radius removed the files from the daily folder , deleted the user account , then re made a new account. This is what I still have for a problem. It’s looking for an octets file with X’s and it makes an octets file with :'s



  • For me it is working but I have to set the correct MAC format according to the username entry in freeradius -> “Users”.

    So if I chose “ietf” on CP then my username must look like “ietf”: 11-22-33-44-55-66
    If I chose “default” on CP then my username must look like “default”: 11:22:33:44:55:66

    But I found another “bug” - if I delete the files in:

    /var/log/radacct/datacounter/daily
    

    by hand then the script will not recreate these files with the according values. To recreate the files I need to go to “users” tab, edit a user (not change anything) and press save so that “users” file will be created new and so there will be new “datacounter limit files if not exist”.

    I will try to find a solution for that.



  • Well I tried the latest version and it didn’t seem to work. So I uninstalled downloaded pf config NO package info and RE uploaded it .
    Re installed freeradius2 and set it up again.

    Now I can’t get a user to log with a mac and shared secret.
    This is from the log
    Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
    Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
    Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
    Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
    Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857
    Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857

    1.1. is PF lan IP The router is on DHCP at 1.100

    So I reinstalled PF from the disk. and get the same problem.



  • @Alan87i:

    Well I tried the latest version and it didn’t seem to work. So I uninstalled downloaded pf config NO package info and RE uploaded it .
    Re installed freeradius2 and set it up again.

    Now I can’t get a user to log with a mac and shared secret.
    This is from the log
    Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
    Apr 17 15:33:42 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
    Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
    Apr 17 15:33:45 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 60612
    Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857
    Apr 17 15:33:52 radiusd[48787]: Ignoring request to authentication address 192.168.1.1 port 1812 from unknown client 192.168.1.1 port 44857

    1.1. is PF lan IP The router is on DHCP at 1.100

    So I reinstalled PF from the disk. and get the same problem.

    This means you did not enter the pfsense LAN IP as a “NAS” in freeradius and/or wrong shared secret. That’s a communication problem between NAS/CP and freeradius.



  • Thanks I was having a brief stupid moment.
    And yes things seem to be working now. I removed the used octets file and saved the user again in radius , that made a new blank used file.
    I set 18432MB in radius which should give me 3 GB.
    I read in the guide that cron could be used to reset the daily folder every night.
    Is that needed?

    I want to run this with all users on a monthly basis. Should a cron job be set up to reset the counter monthly?
    BTW
    Thanks very much for all the help!!



  • @Alan87i:

    Thanks I was having a brief stupid moment.
    And yes things seem to be working now. I removed the used octets file and saved the user again in radius , that made a new blank used file.
    I set 18432MB in radius which should give me 3 GB.
    I read in the guide that cron could be used to reset the daily folder every night.
    Is that needed?

    I want to run this with all users on a monthly basis. Should a cron job be set up to reset the counter monthly?
    BTW
    Thanks very much for all the help!!

    Yes, you must setup a cron job. When I wrote the documentation in the past I forgot to mention that after the cron job deletes “used” and “max” octets files it does not automatically recreate the files with the new/resetted values. I need to create a script which recreates the users file and recreates the max-octets file after cron job deleted them.

    If you chose “daily”, “monthly” or whatever in the GUI places the files in the specific …/datacounter/daily or …/datacounter/monthly folder.

    To make it a little more clear:
    Setting up daily, monthly and so on in the GUI just places the files in different folders.
    You have to setup a cron job manually to delete these folders daily, monthly or whatever
    After the files were deleted by cron you need to re-run the “squid.xml” file (Users tab). There is a check if a user has set a limit but no files exist in the folder they will be created new ones. If they exist, nothing will be done. (For this behaviour I need to write an additional script or someone provides it for us).

    PS: To reset a users counter just edit the user, empty the value for limit, save, edit the user again and setup a new limit. This deletes the old files and creates new ones with new limit.

    Thanks for testing 🙂



  • Ok With CP set to Mac format type default and radius user xx:f4:ff format I still get the octets 00X33X what have you file not found.
    With CP set to ietf and user 00-99-ff format it counts .
    But
    The figure of the counting bug using start stop or interim seems to count much faster than 6 times the real rate.

    I set the user mac to 18432 MB total daily = 18gb divide by 6 gives 3 GB
    The octets file shows this as 19327352832 bytes which is correct
    I test download a 1.4 GB file
    I get roughly 732MB about 1/2 of it and I get kicked
    Used octets reads 21725770732 bytes which is roughly 20.2 GB



  • I did some more tests and you are right.  😞

    The traffic counter is not working as it should. At the moment I am unsure if the CP sends the accounting information according to the RFC and my script is not correct or if it is vice versa.  😞



  • I deleted the two scripts and reinstalled changed format to default ran radiusd -X

    Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
    # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    cat: /var/log/radacct/datacounter/daily/max-octets-00X23X69XfbX79X33: No such file or directory
    cat: /var/log/radacct/datacounter/daily/used-octets-00X23X69XfbX79X33: No such file or directory
    Exec-Program output:
    Exec-Program: returned: 0
    ++[exec] returns ok
    Sending Access-Accept of id 86 to 192.168.1.1 port 1436
            WISPr-Bandwidth-Max-Up := 262144
            WISPr-Bandwidth-Max-Down := 15360000
            Session-Timeout = 53777840
    Finished request 3.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 3 ID 86 with timestamp +48
    Ready to process requests.
    
    


  • @Nachtfalke:

    I did some more tests and you are right.  😞

    The traffic counter is not working as it should. At the moment I am unsure if the CP sends the accounting information according to the RFC and my script is not correct or if it is vice versa.  😞

    Yea I just did another test and got the same result. set radius user for 20 Gb and could not pass 1 GB before it cut the user off.
    I’m happy to test any updates or ideas . I would really like to implement this on 2 networks.



  • Hi again,

    I took some time to remember what my scripts are doing and I would like to let you know and understand:

    To count the traffic we use octets. One octet is one byte. The CP sends Input and Output Octets.

    If you set volume limit for a user this limit will be calculated as octets/bytes and written to the file “max-octets-username”.
    The script runs every time an interim or stop/start accounting packet arrives. Both packets include information about the input and output octets. The script summates both values and summates this with the value written in the “used-octets-username” file. After this the script checks if used-octets is greater than max-octets and rejects the connection or still allows it.

    The changes below will not summate the values sent from CP with the values in the file but still writes the new values to the file.
    But the problem with this is that if a user disconnects and reconnects 2 hours later the CP starts to count the octets from zero.

    You can try to edit the script. Go to:

    /usr/local/etc/raddb/scripts/datacounter_acct.sh
    

    Change line 22 from this:

    USEDOCTETS=$(($ACCTINPUTOCTETS+$ACCTOUTPUTOCTETS+`cat "/var/log/radacct/datacounter/$TIMERANGE/used-octets-$USERNAME"`))
    

    to

    USEDOCTETS=$(($ACCTINPUTOCTETS+$ACCTOUTPUTOCTETS))
    

    This could perhaps help when using stop/start accounting.

    For the problem with the username and the" : " try to edit line 4 to this on datacounter_acct.sh

    USERNAME=`echo -n "$1" | sed 's/[^0-9a-zA-Z.:_-]/X/g' `
    

    and datacounter_auth.sh on line 4 to this

    USERNAME=`echo -n "$1" | sed 's/[^0-9a-zA-Z._:-]/X/g' `
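
The two behaviours described in the post above (adding each packet's octets to the file overcounts, overwriting the file forgets the earlier session) both follow if CP reports running totals per session. An added example, not the freeradius2 package's script, that adds only the per-session difference; it assumes the script also receives Acct-Session-Id and Acct-Status-Type as arguments, and the `last-seen-*` state file is hypothetical.

```shell
#!/bin/sh
# Added example: per-session delta accounting for a volume quota.
# Not the freeradius2 package's datacounter_acct.sh.

# Same whitelist as the sed line quoted in the thread. Every other byte,
# including "/", becomes X, so the name cannot leave the counter directory.
sanitize_name() {
    printf '%s' "$1" | sed 's/[^0-9a-zA-Z._:-]/X/g'
}

# Accept only plain decimal integers: values that arrive in RADIUS packets
# must never reach $(( )) unchecked.
is_uint() {
    case $1 in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
    return 0
}

# Print the number stored in a counter file; missing or empty counts as 0.
read_count() {
    if [ ! -s "$1" ]; then echo 0; return 0; fi
    v=$(cat "$1")
    is_uint "$v" || return 1
    echo "$v"
}

# account_delta DIR USERNAME SESSION_ID IN_OCTETS OUT_OCTETS STATUS_TYPE
# Adds only the bytes that are new since the last packet of this session
# and prints the user's running total.
account_delta() {
    is_uint "$4" || return 2
    is_uint "$5" || return 2
    user=$(sanitize_name "$2")
    used_file="$1/used-octets-$user"
    last_file="$1/last-seen-$user-$(sanitize_name "$3")"   # hypothetical state file
    used=$(read_count "$used_file") || return 3
    last=$(read_count "$last_file") || return 3
    now=$(( $4 + $5 ))
    if [ "$now" -ge "$last" ]; then
        delta=$(( now - last ))
    else
        delta=$now      # counter went backwards: treat it as a restarted count
    fi
    used=$(( used + delta ))
    echo "$used" > "$used_file"
    if [ "$6" = Stop ]; then
        rm -f "$last_file"          # session over, forget its running total
    else
        echo "$now" > "$last_file"
    fi
    echo "$used"
}

# over_limit DIR USERNAME: true when used-octets exceeds max-octets.
# Unreadable counters also return true (fail closed). In this sketch a
# missing or zero max file means "no limit configured".
over_limit() {
    user=$(sanitize_name "$2")
    max=$(read_count "$1/max-octets-$user") || return 0
    used=$(read_count "$1/used-octets-$user") || return 0
    [ "$max" -gt 0 ] && [ "$used" -gt "$max" ]
}

demo() {
    d=$(mktemp -d) || return 1
    u='00:23:69:fb:79:33'                                  # constructed sample values
    echo 700 > "$d/max-octets-$u"
    account_delta "$d" "$u" sessA 100 50 Interim-Update    # prints 150
    account_delta "$d" "$u" sessA 300 100 Interim-Update   # prints 400, not 550
    account_delta "$d" "$u" sessA 500 200 Stop             # prints 700
    account_delta "$d" "$u" sessB 10 20 Interim-Update     # prints 730 after reconnect
    if over_limit "$d" "$u"; then echo "reject: quota exceeded"; fi
    rm -rf "$d"
}
demo
```

Acct-Input-Octets and Acct-Output-Octets are 32-bit counters, so a session that moves more than 4 GB wraps; the "went backwards" branch only approximates that case.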
    


  • Ok that seems to fix the : mac address bug for octets file not found.

    I noticed one other thing for the back burner,

    I’m testing this with a PC WAN to a switch on MY lan 100 Mbps
    I have tried several max speeds , but to make things faster I set it for now to 45000 Kbits .
    I’m downloading from a PC running an HFS file server. (It will not allow a full 100 MB download ever on the lan )
    I cleared the usage total and saved to clean the used octets file and started a download, (forgot to reset the usage limit. ( never changed the speed up/down. )
    I noticed it was running up over 1M per second where normally with the limit for usage set it runs at 700/706 KB.

    Updated the scripts and testing another download  will report back later.
    Thanks



  • Ok those updates seem to work !
    I have start/stop set in CP
    Mac is with :: in radius and default in cp.
    I downloaded a 1.1 gb file and the used octets show 1184268463  = 1.1 GB



  • Yes, you must setup a cron job. When I wrote the documentation in the past I forgot to mention that after the cron job deletes “used” and “max” octets files it does not automatically recreate the files with the new/resetted values. I need to create a script which recreates the users file and recreates the max-octets file after cron job deleted them.

    If you chose “daily”, “monthly” or whatever in the GUI places the files in the specific …/datacounter/daily or …/datacounter/monthly folder.

    I’m no script writer but could you  make a script that would simply delete the used octets file contents every 30 days /24 hours or 7 days ?
    That way they would not have to be recreated.
    Even better would be the option to back the octet files up to another folder with the date as the folder name. That way some one could manually add them up or use another program to read and chart the usage.
    Random thoughts .



  • I will think about that but I am no script writer, too.  😉
    But I thought about a script that rotates the files or something like this.

    PS: The changes you made on the script has a side effect:
    If you set a limit of 1GB and the user disconnects after 950MB and reconnects then the user has again 1GB traffic.
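
The rotation idea from the two posts above, as an added example that is not part of the freeradius2 package: it archives each used-octets file into a folder named after the date, zeroes the counter in place so nothing has to be recreated, and can sum a counter across archived dates. Function names and the archive layout are assumptions. As explained further down the thread, CP keeps its own session counters, so the zero only sticks if the accounting script does not write the session total back.

```shell
#!/bin/sh
# Added example: archive and zero the used-octets counters instead of deleting them.

# rotate_used_octets COUNTER_DIR ARCHIVE_ROOT [STAMP]
# Copies every used-octets-* file to ARCHIVE_ROOT/STAMP/ and resets it to 0.
# max-octets-* files are left alone. Prints the number of counters rotated.
rotate_used_octets() {
    dir=$1
    stamp=${3:-$(date +%Y-%m-%d)}
    case $stamp in
        ''|*[!0-9-]*) return 2 ;;        # the stamp becomes a folder name: digits and "-" only
    esac
    dest="$2/$stamp"
    mkdir -p "$dest" || return 1
    n=0
    for f in "$dir"/used-octets-*; do
        [ -f "$f" ] || continue          # the glob matched nothing
        cp -p "$f" "$dest/" || return 1  # archive first, never zero an unsaved counter
        echo 0 > "$f"                    # written in place, so owner and mode are kept
        n=$(( n + 1 ))
    done
    echo "$n"
}

# archived_total ARCHIVE_ROOT COUNTER_NAME
# Sums one counter over all archived dates, skipping unreadable entries.
archived_total() {
    sum=0
    for f in "$1"/*/"$2"; do
        [ -f "$f" ] || continue
        v=$(cat "$f")
        case $v in
            ''|*[!0-9]*|0?*) continue ;; # not a plain decimal number
        esac
        sum=$(( sum + v ))
    done
    echo "$sum"
}

demo() {
    r=$(mktemp -d) || return 1
    mkdir "$r/daily"
    # constructed sample counter, in the thread's file naming
    echo 1184268463 > "$r/daily/used-octets-00:23:69:fb:79:33"
    rotate_used_octets "$r/daily" "$r/archive" 2012-04-19                 # prints 1
    cat "$r/daily/used-octets-00:23:69:fb:79:33"                          # prints 0
    archived_total "$r/archive" used-octets-00:23:69:fb:79:33             # prints 1184268463
    rm -rf "$r"
}
demo
```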



  • @Nachtfalke:

    I will think about that but I am no script writer, too.  😉
    But I thought about a script that rotates the files or something like this.

    PS: The changes you made on the script has a side effect:
    If you set a limit of 1GB and the user disconnects after 950MB and reconnects then the user has again 1GB traffic.

    Ya that will become a problem. I haven’t tested it for the reconnect yet.
    Most of the users will be routers or a CPE wireless radio. 1 or 2 will be a PC.
    Except for the PC’s shutting off at night the routers/radios should stay connected unless the power goes out.
    I have also noticed since changing those 3 lines that the syslog no longer reports the client (user) reconnecting every minute although this is still checked in CP.

    Ok I just set the user limit to below what has already been used.

    See the syslog below. Seems disconnecting from radius restarting has had no ill effect. I’m not able to connect. Only the 2 sites I enabled pass through are working.

    Apr 19 08:44:56 	check_reload_status: Syncing firewall
    Apr 19 08:44:59 	radiusd[2890]: Loaded virtual server <default>
    Apr 19 08:44:59 	radiusd[2964]: Ready to process requests.
    Apr 19 08:45:01 	radiusd[2964]: rlm_radutmp: Logout for NAS admin port 8, but no Login record
    Apr 19 08:45:01 	radiusd[2964]: rlm_radutmp: Logout for NAS admin port 8, but no Login record
    Apr 19 08:45:02 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
    Apr 19 08:45:02 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
    Apr 19 08:45:02 	root: FreeRADIUS: Credentials are probably correct but the user 00:23:69:fb:79:33 has reached the daily Amount of Upload and Download Traffic which is 2048 MB! The user was rejected!!!
    Apr 19 08:45:56 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
    Apr 19 08:45:56 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 8 cli 00:23:69:fb:79:33)
    Apr 19 08:45:56 	root: FreeRADIUS: Credentials are probably correct but the user 00:23:69:fb:79:33 has reached the daily Amount of Upload and Download Traffic which is 2048 MB! The user was rejected!!!
    Apr 19 08:46:01 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 10 cli 00:23:69:fb:79:33)
    Apr 19 08:46:01 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 10 cli 00:23:69:fb:79:33)
    Apr 19 08:46:02 	root: FreeRADIUS: Credentials are probably correct but the user 00:23:69:fb:79:33 has reached the daily Amount of Upload and Download Traffic which is 2048 MB! The user was rejected!!!
    Apr 19 08:46:07 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 12 cli 00:23:69:fb:79:33)
    Apr 19 08:46:07 	radiusd[2964]: Login OK: [00:23:69:fb:79:33] (from client admin port 12 cli 00:23:69:fb:79:33)
    Apr 19 08:46:07 	root: FreeRADIUS: Credentials are probably correct but the user 00:23:69:fb:79:33 has reached the daily Amount of Upload and Download Traffic which is 2048 MB! The user was rejected!!!
    


  • @Alan87i:

    (…)
    Ya that will become a problem. I haven’t tested it for the reconnect yet.
    Most of the users will be routers or a CPE wireless radio. 1 or 2 will be a PC.
    Except for the PC’s shutting off at night the routers/radios should stay connected unless the power goes out.

    Perhaps it will help that you setup the idle timeout on CP on a high value so that there is no early disconnect. But pay attention on the lease time of DHCP. DHCP lease should be higher than idle/hard timeout because of IP/MAC mismatch check on CP.



  • I did some fixes on the scripts. Further I updated the documentation (how to create a cron job).

    In the shell scripts (datacounter_auth.sh and datacounter_acct.sh) I added a line I commented out because this line was just for you in this case. So go and edit the scripts like I describe some posts above after you have installed the newest freeradius package version (1.6.6_3)

    More infos here.
    http://forum.pfsense.org/index.php/topic,43675.msg256682.html#msg256682



  • I updated and re-added the patches (3 lines ) .
    Then I installed cron package and played with that.  Tried the daily reset from the wiki.
    I set up a few downloads and quit for the night.
    It seems that after installing the cron package CP stopped authing every minute, As in the sys log this morning there was nothing listed since last night (package started cron)

    Also the command for the daily reset didn’t remove the count from the used octets files. Note I have one used octet file still with - - not : and it was set to 0 I have two with : and they were the same as when I checked last night. A mix of installing cron maybe Since they did not update all night.
    I just rebooted PF and will check later. For now syslog reports as normal with CP re authing every minute.

    One other thing I noted was after rebooting PF a laptop user had the octets file reset! But another user where a linksys router MAC is the user did not reset.  I think this is because The router did not have time to notice and request an IP, where the laptop did. So I wonder if setting the leases to static would not help.
    As soon as the system rebooted CP status showed the laptop as connected and the router was not in the list.



  • Ok I found a different bug with the latest version. And the 3 lines patched like you said.
    The used counter seems to add fine for a while then resets itself to a lower number.

    Copied these while downloading over 2 GB from my server.
    2515282576
    2345490533
    2657888437
    1304058479
    2509741330

    I ran this from the command prompt

    /bin/rm /var/log/radacct/datacounter/daily/used-octets-*
    

    The first time when I checked the used octets files were gone .
    Then I refreshed a page on both user PC’s and they returned but both still had the same number of bytes in the file.
    So I ran

    rm /var/log/radacct/datacounter/daily/used-octets-*
    

    That took them out and a refresh did not bring them back. So I resaved the 2 users in radius and they were back Both still showing the same amount of bytes , not a 0 .



  • That’s not a bug of the script - that’s the side effect of the CP accounting “problem”.

    The octets increase - CP continuously increases the octets if the user is downloading something. This value will be added to the used-octets-file.
    If you reset the counter (used-octets-*) this does not reset the information of the used octets the CP has. For this you would need to disconnect the user from CP (Status -> Captive Portal -> Disconnect) or restart the CP.

    If you reset the used-octets file to a value of zero and you did not restart the CP it will write the used-octets to the file that CP knows from before.

    We will not find a clean solution for that until CP is resetting the counted octets between every stop/start accounting packet. I am sorry to say that but we need to hope that this is fixed on pfsense 2.1.



  • Bummer
    Any word on when that might happen?
    Is your radius2 package running on 2.1?

    Do you know if I can accomplish what I want to do with M0nowall?



  • @Alan87i:

    Bummer
    Any word on when that might happen?
    Is your radius2 package running on 2.1?

    Do you know if I can accomplish what I want to do with M0nowall?

    They want to release pfsense 2.1 on world IPv6 day - sometime in June as far as I know.
    For pfsense 2.1 all freeradius2 binaries need to be recompiled and .pbi packages need to be built. Another forum user, who has more knowledge about that, did the compilation of the binaries for me.

    I didn’t ask him about that till now because he seems to be very busy if I follow his other posts.

    Monowall:
    You can try the CP of monowall with freeradius2 package. perhaps it will do accurate accounting but I don’t know.

