Testing freeradius2 with MAC Auth and accounting
-
Ok, I applied the patch and it seemed to count even faster?
Very strange, so I took it off again -
did you use "Interim-update" or "stop/start" ?
The patch is - as far as I know - for stop/start -
stop /start
I don't think removing it worked correctly as it still seems to count even faster -
Re-authenticate every minute is - in the opinion of the freeradius developer on the mailing list - too fast. Re-connection should be at least 10mins or more but the reconnection is not the problem. Reconnection is only for checking if the user can access again or not.
But you are absolutely right:
Default behaviour of a "correct" working NAS is that there is only an accounting stop packet when a user disconnects (shutdown PC or something else). If the user reconnects (turning PC on) the accounting starts again and of course by zero. But CP offers stop/start accounting which sends accounting stop packets every minute (could be every 5 minutes or any other value) but it does not reset the value.
So as you said: Reset the value to zero would "fix" the problem.
http://redmine.pfsense.org/issues/2164 Ermal posted a fix here - perhaps you can try this if it is working.
I would like to see re auth changed to 5 or 10 minutes or have the option for either or!!
Also there seem to be a lot of extra log entries:
```
Jun 26 09:58:01 radiusd[31540]: Login OK: [00:1b:38:b0:e1:51] (from client pfsense port 2 cli 00:1b:38:b0:e1:51)
Jun 26 09:58:01 radiusd[31540]: Login OK: [00:1b:38:b0:e1:51] (from client pfsense port 2 cli 00:1b:38:b0:e1:51)
Jun 26 09:58:01 root: FreeRADIUS: Used amount of daily traffic by 00:1b:38:b0:e1:51 is 114 of 2048 MB! The user was accepted!!!
Jun 26 09:58:02 radiusd[31540]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 6 cli 00:1e:ec:ad:45:29)
Jun 26 09:58:02 radiusd[31540]: Login OK: [00:1e:ec:ad:45:29] (from client pfsense port 6 cli 00:1e:ec:ad:45:29)
Jun 26 09:58:02 root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 118 of 10044 MB! The user was accepted!!!
```
Another option: would it be possible to also add a [NO login required] status page that lists the used octets files, displayed in MB per user ID? So users can check their consumption.
If I could write code here is how I would do it.
A script that is run when a browser connects through the portal looking for the address (routerIP/usage.php)
The script would grab the user ID (in my case it's the MAC address), then tail the syslog for that ID from the log line
```
root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 118 of 10044 MB! The user was accepted!!!
```
I thought about a random pop up but when using MAC auth a router is usually the head with cell phones/Xboxes/PlayStations and so on behind it. I'll post a bounty or donate towards this. But first the accounting bug that has carried on since pf2.0 needs to be fixed.
-
If you can - the best way would be to do accounting on a SQL database. Then just do a query on a user for his amount of traffic. This query will be secured by the user's username/password.
Or you copy the accounting logfiles to another server every hour and then you read this from the files. The number in the files is "Bytes" - if you divide it two times by 1024 you will get the MB. This would avoid that you need to give someone access to your pfsense in any way.
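
The usage lookup discussed in the posts above, sketched as an added example (not code from any poster or from the pfSense/FreeRADIUS packages). It validates the MAC before searching copied log lines and also shows the bytes-to-MB conversion. The function names and the sample log are constructed for illustration, and it assumes the status page already knows the client's MAC as a string.

```python
import re

# Constructed sample, modelled on the syslog lines quoted in the thread.
SAMPLE_LOG = """\
Jun 26 09:57:01 root: FreeRADIUS: Used amount of daily traffic by 00:1b:38:b0:e1:51 is 110 of 2048 MB! The user was accepted!!!
Jun 26 09:58:01 radiusd[31540]: Login OK: [00:1b:38:b0:e1:51] (from client pfsense port 2 cli 00:1b:38:b0:e1:51)
Jun 26 09:58:01 root: FreeRADIUS: Used amount of daily traffic by 00:1b:38:b0:e1:51 is 114 of 2048 MB! The user was accepted!!!
Jun 26 09:58:02 root: FreeRADIUS: Used amount of daily traffic by 00:1e:ec:ad:45:29 is 118 of 10044 MB! The user was accepted!!!
""".splitlines()

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")
USAGE_RE = re.compile(
    r"root: FreeRADIUS: Used amount of daily traffic by (\S+) is (\d+) of (\d+) MB!"
)

def normalise_mac(value):
    """Return the MAC in lower-case colon form, or None if it is not a MAC."""
    mac = value.strip().lower().replace("-", ":")
    return mac if MAC_RE.fullmatch(mac) else None

def latest_usage(log_lines, user_id):
    """Return (used_mb, limit_mb) from the newest matching line, else None."""
    mac = normalise_mac(user_id)
    if mac is None:
        # Reject anything that is not a MAC instead of searching the log with it.
        return None
    result = None
    for line in log_lines:
        m = USAGE_RE.search(line)
        # Compare by equality; the ID is never used to build a pattern.
        if m and m.group(1).lower() == mac:
            result = (int(m.group(2)), int(m.group(3)))
    return result

def octets_to_mb(octets):
    """Bytes from an accounting file divided by 1024 twice, giving MB."""
    return octets / 1024 / 1024

if __name__ == "__main__":
    print(latest_usage(SAMPLE_LOG, "00:1B:38:B0:E1:51"))
    print(octets_to_mb(2147483648))
```

Running this on the server that receives the copied log files keeps the status page off the pfSense box, as the last post suggests.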