CaptivePortal with freeradius + mysql: Max-Daily-Session



  • Hello everyone, i have a question for you, i hope someone can help me out because i really can't get this :)

    i have enabled captive portal on my pfsense "wifi" interface (i named it like that) and configured the captive portal to use freeradius, i've installed the freeradius2 package on pfsense and it really works fine, i can also connect it to an external MySQL, it can read users, bandwidth limit per user works and i'm really happy about that.

    the only problem that i'm facing now is that i would like to give a limited amount of time to users per day.

    i noticed that there is this parameter i can add into the radcheck table: Max-Daily-Session := <time in seconds> which should do the trick.

    the problem is that the user doesn't get disconnected by the captive portal once the timelimit has expired.
    If i log out and try to login again i receive the message i can't login because of timelimit exceeded, but the captive portal won't force me out.

    i tried the same feature with local user database and in that case everything seems to work fine, do you know if i need to enable something in particular in the freeradius configuration for this to work with mysql?

    i also add another quick question (if this can be done) without opening another thread.
    i'd like to have a popup showing me the remaining time when i login to the captive portal, i've seen a popup for disconnecting the user is available, do you know if it can be tweaked to add that information?

    thanks a lot :)



  • Do you have "re-authenticate every minute" enabled on CP ?
    A user can only be rejected if he tries to authenticate. So if a user authenticates with a time limit remaining of 10 min and then is browsing the web for 20 minutes the CP will not reject the user because there is no authentication request the RADIUS server could answer.

    Popup:
    Perhaps you can edit the .php file of CP to display your session-timeout attribute. But I am not sure.



  • meh…
    thanks for the help, i wasn't reauthenticating users every minute :)

    now it disconnects users accordingly.



  • @Rampage:

    Hello everyone, i have a question for you, i hope someone can help me out because i really can't get this :)

    i have enabled captive portal on my pfsense "wifi" interface (i named it like that) and configured the captive portal to use freeradius, i've installed the freeradius2 package on pfsense and it really works fine, i can also connect it to an external MySQL, it can read users, bandwidth limit per user works and i'm really happy about that.

    the only problem that i'm facing now is that i would like to give a limited amount of time to users per day.

    i noticed that there is this parameter i can add into the radcheck table: Max-Daily-Session := <time in seconds> which should do the trick.

    the problem is that the user doesn't get disconnected by the captive portal once the timelimit has expired.
    If i log out and try to login again i receive the message i can't login because of timelimit exceeded, but the captive portal won't force me out.

    i tried the same feature with local user database and in that case everything seems to work fine, do you know if i need to enable something in particular in the freeradius configuration for this to work with mysql?

    i also add another quick question (if this can be done) without opening another thread.
    i'd like to have a popup showing me the remaining time when i login to the captive portal, i've seen a popup for disconnecting the user is available, do you know if it can be tweaked to add that information?

    thanks a lot :)

    Hello Rampage

    Could you explain how you limit bandwidth per user and group in the MySql database? I have tried a lot but without success. I used phpMyAdmin to edit the MySql database. Here is my config:

    radreply
    username      attribute                    op    value

    student1      WISPr-Bandwidth-Max-Down     ==    512
    student1      WISPr-Bandwidth-Max-Up       ==    128
    student2      WISPr-Bandwidth-Max-Down     ==    512
    student2      WISPr-Bandwidth-Max-Up       ==    128

    radgroupreply
    Group name    Attribute                    op    Value

    GroupA        WISPr-Bandwidth-Max-Down     ==    512
    GroupA        WISPr-Bandwidth-Max-Up       ==    128

    Thank you



  • Are you sure, that the operator must be "==" and not better ":=" ?



  • @Nachtfalke:

    Are you sure, that the operator must be "==" and not better ":=" ?

    Ok, Nachtfalke

    I try to change to (:=) and test it again.

    I limited bandwidth in "radreply" and "radgroupreply" in the MySql database and next, at Captive Portal, I enabled the option "Enable per-user bandwidth restriction". After that, at the Captive Portal login page, I used my username "student1" from the MySql database to log in but I could not access the internet at all. But if I do not enable this option "Enable per-user bandwidth restriction" in Captive Portal I can surf the internet. It looks like MySql, Captive Portal and FreeRadius2 do not work together with bandwidth limit per user and group. Do you have some idea what I have done wrong?

    Thank you

    ![Enable per-user bandwidth restriction.png](/public/imported_attachments/1/Enable per-user bandwidth restriction.png)



  • set 1000 as bandwidth limit. If the description is correct then it will be overwritten by RADIUS. Perhaps an empty value causes a problem.

    Further I know it is working on pfsense 2.0.1 CP + freeradius2 + bandwidth-limit in users file. I do not see any reason why it should not work with MySQL.

    You can run radiusd -X from console in debug mode.
    This will show you the attributes which are sent to CP.



  • @Nachtfalke:

    set 1000 as bandwidth limit. If the description is correct then it will be overwritten by RADIUS. Perhaps an empty value causes a problem.

    Further I know it is working on pfsense 2.0.1 CP + freeradius2 + bandwidth-limit in users file. I do not see any reason why it should not work with MySQL.

    You can run radiusd -X from console in debug mode.
    This will show you the attributes which are sent to CP.

    Hello Nachtfalke
    I set 1000 bandwidth limit that you recommended and it is working. I think that there are some bugs between pfSense 2.1, Captive Portal, FreeRadius2 and MySql. Today I just updated pfSense 2.1 Beta0 and Captive Portal, FreeRadius2 and MySql as bandwidth limit does not work again. I think I am going back to use pfSense 2.0.1 again. I will try to test Captive Portal, FreeRadius2 and MySql from there. To be honest I do not have too much experience with how phpMyAdmin and MySql work together. I would appreciate it if someone could explain and make some screenshots. This is the link that I read: http://forum.pfsense.org/index.php/topic,43675.msg235475.html#msg235475

    Thank you



  • Why do you use MySQL ?
    It can be done without MySQL.
    How many users do you have on CP ?
    If there are not more than 500 users it will be probably ok with some "up to date" hardware and without mysql.



  • @Nachtfalke:

    Why do you use MySQL ?
    It can be done without MySQL.
    How many users do you have on CP ?
    If there are not more than 500 users it will be probably ok with some "up to date" hardware and without mysql.

    Hello Nachtfalke
    I just repeat your question.

    "Why do you use MySQL ?"
    Ans: Because at school, there are more than 800 students.

    "It can be done without MySQL"

    Could you explain how it could be done without MySql, if the school has more than 800 students ?
    You mean that I have to type all 100-450 user names at the FreeRadius users tab and then use them together with FreeRadius and Captive Portal.

    Also, how can you limit bandwidth per "Group" if your school has more than 800 students?

    "If there are not more than 500 users it will be probably ok with some "up to date" hardware and without mysql"
    You mean that I have to buy new hardware if I have around 500 users.

    I hope that I don't ask you too much.

    Thank you
    Donny



  • @Donny
    I am so sorry. I forgot about the fact that you would like to use group limits. This is not working without any database. So sorry for that.

    Hardware:
    No need to buy new hardware if you are running MySQL on an external server. Most load will be on the MySQL database for the authentication and accounting. This can be done with lots more than your 800 users.

    Sorry that I cannot help you with the MySQL part. Perhaps ask user Rampage in a personal message how he created the sql tables.



  • @Nachtfalke:

    @Donny
    I am so sorry. I forgot about the fact that you would like to use group limits. This is not working without any database. So sorry for that.

    Hardware:
    No need to buy new hardware if you are running MySQL on an external server. Most load will be on the MySQL database for the authentication and accounting. This can be done with lots more than your 800 users.

    Sorry that I cannot help you with the MySQL part. Perhaps ask user Rampage in a personal message how he created the sql tables.

    Thank you, Nachtfalke

    I will try to contact him/her soon. I still keep testing it by myself first before asking someone to help. To be honest I have tested for almost one week now but bandwidth limits for group have not succeeded. Using MySql users in the database with Captive Portal and MySql for authentication, I do not have any problem. Now time to get rest.

    Anyway, thank you again

    Donny



  • Just to make sure - you have enabled accounting on mysql and captiveportal, right ?



  • @Nachtfalke:

    Just to make sure - you have enabled accounting on mysql and captiveportal, right ?

    Thank you Nachtfalke

    I will try it again soon. Hë, tired.



  • it's not enough to set the limit on the radius server, you also need to enable the feature on the NAS (captive portal setup) leaving fields empty.

    Then the captive portal will refer to the values specified in radcheck or radgroupcheck in your mysql database.

    the operator is :=

    sorry if i took that long to reply, but it's been a while since i last visited the forum :)
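
    As an added example (not posted by anyone in this thread): the rows discussed above written with the `:=` operator, plus a query that reports each user's remaining daily time from accounting data, which is what a "remaining time" display would need. It assumes the unmodified MySQL schema shipped with FreeRADIUS 2.x; user names, group name and limit values are sample data.

```sql
-- Added example. Assumes the stock FreeRADIUS 2.x MySQL schema
-- (radcheck, radreply, radusergroup, radgroupreply, radacct).
-- User names, group name and limit values are constructed sample data.

-- Daily time limit in seconds: a check item, so it is only evaluated
-- when the captive portal sends an authentication request.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('student1', 'Max-Daily-Session', ':=', '3600');

-- Per-user bandwidth: reply items are assigned with ':='.
-- '==' is a comparison operator and does not set a reply value.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('student1', 'WISPr-Bandwidth-Max-Down', ':=', '512'),
  ('student1', 'WISPr-Bandwidth-Max-Up',   ':=', '128');

-- Per-group bandwidth: map the user to a group, then set the group reply.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('student2', 'GroupA', 1);
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('GroupA', 'WISPr-Bandwidth-Max-Down', ':=', '512'),
  ('GroupA', 'WISPr-Bandwidth-Max-Up',   ':=', '128');

-- Audit: reply rows whose operator does not assign a value.
SELECT 'radreply' AS tbl, username AS name, attribute, op
  FROM radreply WHERE op NOT IN ('=', ':=', '+=')
UNION ALL
SELECT 'radgroupreply', groupname, attribute, op
  FROM radgroupreply WHERE op NOT IN ('=', ':=', '+=');

-- Remaining seconds today for every user with a daily limit.
-- Needs accounting enabled on the captive portal and in FreeRADIUS.
-- Simplification: sessions are attributed to the day they started, and an
-- open session only counts the time reported so far by accounting updates.
SELECT c.username,
       CAST(c.value AS UNSIGNED)           AS daily_limit,
       COALESCE(SUM(a.acctsessiontime), 0) AS used_today,
       GREATEST(CAST(c.value AS SIGNED)
                - COALESCE(SUM(a.acctsessiontime), 0), 0) AS remaining
  FROM radcheck c
  LEFT JOIN radacct a
         ON a.username = c.username
        AND a.acctstarttime >= CURDATE()
 WHERE c.attribute = 'Max-Daily-Session'
 GROUP BY c.username, c.value;
```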



  • i'm sorry if i'm asking something silly ..

    it is possible to set an 'airtime' for every voucher? using CP or maybe thru freeradius?
    for example user will able using 30minutes for surfing and download within 2 days.

    scenario example, user using 5 minutes and then log out. login again for 10 minutes more.
    user keep going login and logout for 2 days until his time limit reach 30 minutes as i set.
    in this case user will have 2 days 'airtime' and 30 minutes quota of time (time limit)

    sorry for my bad english ..thanks in advance to everyone



  • You need a radius server of sorts for that.



  • im installed freeradius2. after looked around for a few hours inside freeradius2.
    kill some of my times google around but i found nothing similar to what i need

    i managed to create username and password. set a limit and quota for each of them.
    but what i need is user only able to access using generate voucher without a username.
    for example:
    voucher package 1 : 30 minutes quota within 1 day (24hours) time limit(airtime)
    voucher package 2 : 1440 minutes quota within 3 days (72hours) time limit(airtime)

    im sorry if im asking to much, im very new with pfsense but im willing to learn more.
    i still do not have any idea what to do and where to start ..pls link me to any tutorial
    thanks





  • @Nachtfalke:

    http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package

    i already read that and still i cant find the way to solve my problem..
    anyway thanks for ur kind reply



  • @asura:

    @Nachtfalke:

    http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package

    i already read that and still i cant find the way to solve my problem..
    anyway thanks for ur kind reply

    The quota and limit functions only work with username/password.
    The problem is that username/password is stored on freeradius2 users file and the vouchers are stored on the CP itself.

    And if you enable RADIUS authentication and CP with vouchers there is a bug in CP that if you enable "re-authenticate every minute" on CP the CP sends the voucher code as username to the RADIUS server and the RADIUS server of course does not know this "user".
    I described this here:
    http://redmine.pfsense.org/issues/2155

    So I would say it is only possible to use voucher which has time limit or you use username/password which could have time limit and/or quota.



  • u mean there is no way for voucher on CP to work together with freeradius?

    after time limit reached. My customer need to get new ticket/voucher to relogin via CP.
    i think it is impossible to create hotspot for making money using freeradius  ;D



  • @asura:

    (…)
    i think it is impossible to create hotspot for making money using freeradius  ;D

    This statement is right if you focus on the freeradius2 package offered for pfsense.
    but it is wrong if you use CaptivePortal from pfsense with another radius solution like daloradius or something else which focus on such things like "making money" and do accounting in this way.

    the freeradius2 package on pfsense is more a security tool within a company or at home to secure your wireless network, your company LAN or VPN with One-Time-Password.

    You have to find the best solution for your needs :-)



  • @Nachtfalke:

    the freeradius2 package on pfsense is more a security tool within a company or at home to secure your wireless network, your company LAN or VPN with One-Time-Password.

    You have to find the best solution for your needs :-)

    thanks ..i have noticed that.
    maybe i need to put it on try and see how its gonna be.  ;)



  • Yeah, or just improve the freeradius2 code and put in some more features  ;)



  • can some1 provide me the mysql schema with some sample data to use captive portal with freeradius2 on pfsense using alix and an external mysql db as im about to develop a whole web GUI in php which can be used to edit the mysql db directly without phpmyadmin etc making life easier for many such as creating new users, editing them, creating data transfer based recharges etc



  • 
    /usr/local/share/examples/freeradius/raddb/sql/mysql
    /usr/local/etc/raddb/sql/mysql
    
    

    These schemes come with freeradius. I think it will help you.

    Or take a look here at chapter "Populating MySQL"
    http://www.frontios.com/freeradius.html



  • is the schema same as for freeradius2 package for pfsense as i need it for the package which is available for pfsense



  • Rampage, looks like u setup captive portal+freeradius2 and u can disconnect user based on time right?

    If so, may u could show me some light here, could u please read my post:

    http://forum.pfsense.org/index.php/topic,54923.0.html

    I got issue trying to make this setup works, for some reason FR2 disconnect my users before time.

    In my post I got all the info, any input will be appreciated, I got weeks trying to setup this.

    Thanks!!!



  • Hi.

    I setup freeradius 2.x on a Centos server 5.x and setup PF->CP for this server, the counter is not working either, I was thinking that maybe this could solve the issue but no.

    Is this related to pfsense CP module?

    Thanks!!!



  • @xbipin:

    is the schema same as for freeradius2 package for pfsense as i need it for the package which is available for pfsense

    freeradius2 for pfsense is the same code as from freeradius.org. The only difference is that we have a GUI on pfsense.
    Everything else is the same.

    @periko:

    Hi.

    I setup freeradius 2.x on a Centos server 5.x and setup PF->CP for this server, the counter is not working either, I was thinking that maybe this could solve the issue but no.

    Is this related to pfsense CP module?

    Thanks!!!

    Hi periko,
    I think if it is not working with pfsense freeradius and not working with a standalone server that the problem must be the pfsense CaptivePortal.

    You should open a bug report on:
    https://redmine.pfsense.org/

    And post on the pfsense developer mailing list so that it can be fixed in future versions of pfsense.



  • I will open 1 ticket, thanks Nachtfalke.

