Netgate Discussion Forum

Add users to FreeRadius USERS file without restart

pfSense Packages
25 Posts 3 Posters 20.1k Views
fsantaana

I am trying to have the usernames for the freeradius package generated from a proprietary software that we use and updated into the pfsense box automatically. Our software can insert the file into the pfsense firewall with an STP connection and replace the USERS file which freeradius uses. Now what I want to know is if this is the best method, and if there is a way to make the freeradius server update the USERS file without needing to restart the service after each modification.

This is for a hotel hotspot and so each time we sell a code it will need to be restarted, knocking the connected users off. I was trying to see a better way of doing this.

Any feedback will be appreciated.

Nachtfalke

If you change something in any freeradius file it will not take effect until the freeradius service has been restarted.
So you need to restart the service or it will not work.

If your problem is that the GUI will overwrite the file you copied to pfsense then you can modify the freeradius.inc file:
edit /usr/local/pkg/freeradius.inc on line 571
There is a line called:

file_put_contents($filename, $conf);

Remove this line or uncomment it. This is the part which writes the file.

edit /usr/local/pkg/freeradius.inc on line 576
There is a line called:

restart_service('radiusd');

Remove this line or uncomment it. This is the command which restarts the service. But remember, if you remove it there you need to do it somewhere else. There is no way around restarting the service.

fsantaana

Nachtfalke, thanks for the response and sorry it took me so long to look at this; I was out of the country for all of December. I will try these changes to line 571 to disable the update from the GUI.

Do you know if there is a limit on the number of lines in the USERS file? Can I have 10 000 users?

Also I managed to update the USERS file with WinSCP, replacing the current one, and then have a script that runs and restarts the server for it to apply the changes. Is this the best way to do this? I am just trying to see if there is another way or if this is alright how I'm doing it now.

It will only run maybe once a month, if that; sometimes once every 2 months.

Nachtfalke

@fsantaana:

(…)

Managing the file this way should work. Of course the file formatting must be correct ;-) Make sure the freeradius server has the permission to read the file after you copied it. And just remember - changes to the users file will only take effect once you restart freeradius. When you do that and which way is up to you :-)

10,000 users. This is a big number of users.
If you are just using "username" and "password" it could work if you have up to date hardware. But it depends more on how often users authenticate and how many users are doing that at the same time. So you can have 1 million users in that file - if there is only one authenticating every 10s, probably no problem. But if you have 100 users and they all try to authenticate within 1 or 2 seconds - this could be a lot.

So you should test this - do not set the timeouts too low. Increase the threads a little bit and try.
But probably a database like mysql or postgresql would be better.

If you are doing accounting there will be no way around a database as backend.

HINT: You can do authentication using the users file and do accounting to a database. That's no problem.

If you have other attributes like VLAN-ID, Session-Timeout and so on - this will increase the users file fast: 10,000 users with ~4 lines each - the file then has 40,000 lines.

Here are some references even if they are based on older freeradius versions. rlm_fastusers is today just "users" by default.
http://freeradius.org/testimonials.html
Jeff Carneal - Apex Internet
~25k ppp users
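As an added example for the points above (correct file formatting, ~4 lines per user for 10,000 users, readable by radiusd, and a restart still required afterwards), here is a Python script of my own; it is not pfSense, freeradius2 package or any poster's code. It renders the classic rlm_files "users" layout (check items on the first line, tab-indented reply attributes separated by commas, the last without a comma), generates voucher codes with Session-Timeout and Idle-Timeout reply items, checks layout and duplicate usernames offline before the file is installed, and swaps the file in atomically with a mode the radiusd user can read. Everything here is an assumption for illustration: the function names, the alphabet and length of the codes, using the code as both username and password, and a temp directory standing in for the real raddb path on the box.

```python
"""Generate and sanity-check a FreeRADIUS 2.x rlm_files 'users' file.

Constructed example for this thread; not pfSense or FreeRADIUS project code.
Assumed layout: "<name>\tCleartext-Password := "<pw>"" then tab-indented reply
attributes, comma separated except the last, then a blank line.
"""
import os
import re
import secrets
import stat
import tempfile

# Conservative charset (our assumption, not a FreeRADIUS rule): no whitespace,
# quotes or backslashes, so nothing in a username needs escaping.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")
# "<name>  <Attr> <op> <value>..."   first line of an entry
USER_LINE_RE = re.compile(r"^(\S+)\s+[A-Za-z0-9-]+\s*[:+!]?=\s*\S.*$")
# "\t<Attr> <op> <value>[,]"         reply item line
REPLY_LINE_RE = re.compile(r"^\s+[A-Za-z0-9-]+\s*[:+!]?=\s*\S.*$")
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O/1/I: easier for guests


def make_entry(username, password, reply=None):
    """Render one users-file entry. Reply values are written verbatim, so
    string attributes must be passed already quoted, e.g. '"Welcome"'."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"unsafe username {username!r}")
    if any(ch in password for ch in '"\\\r\n'):
        raise ValueError("password contains characters that break the file")
    lines = [f'{username}\tCleartext-Password := "{password}"']
    items = list((reply or {}).items())
    for i, (attr, value) in enumerate(items):
        comma = "," if i < len(items) - 1 else ""
        lines.append(f"\t{attr} = {value}{comma}")
    return "\n".join(lines) + "\n\n"


def new_voucher(length=8):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_hotspot_users(count, session_seconds=3600, idle_seconds=600):
    """Build `count` unique voucher entries, each with three reply attributes
    (four non-blank lines per user, as discussed in the thread). Using the
    code as both username and password is an assumption about the hotspot."""
    codes = set()
    while len(codes) < count:            # guards against a rare collision
        codes.add(new_voucher())
    reply = {"Session-Timeout": session_seconds,
             "Idle-Timeout": idle_seconds,
             "Reply-Message": '"Welcome to the hotel hotspot"'}
    return "".join(make_entry(code, code, reply) for code in sorted(codes))


def check_users_file(text):
    """Offline check to run before the file is copied in and radiusd restarted.
    Returns (user_count, problems). Duplicates are flagged because only the
    first matching entry applies unless Fall-Through is set."""
    problems, seen, users = [], set(), 0
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if not REPLY_LINE_RE.match(line):
                problems.append(f"line {n}: malformed reply item")
            continue
        m = USER_LINE_RE.match(line)
        if not m:
            problems.append(f"line {n}: malformed user line")
            continue
        users += 1
        if m.group(1) in seen:
            problems.append(f"line {n}: duplicate user {m.group(1)}")
        seen.add(m.group(1))
    return users, problems


def write_users_file(text, path, mode=0o640):
    """Atomic replace: write a temp file beside the target, set a mode the
    radiusd user can read (group ownership is left to chown, outside this
    example), then rename over the old file so no half-written file is ever
    picked up at the next restart. Refuses a file that fails the check."""
    users, problems = check_users_file(text)
    if problems:
        raise ValueError("refusing to install users file: " + "; ".join(problems))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, mode)
    os.replace(tmp, path)
    return users


def demo(count=10000):
    """Stand-alone run: build, install into a temp dir and re-check.
    Returns (users_written, file_mode, (users_reread, problems))."""
    target = os.path.join(tempfile.mkdtemp(), "users")  # stand-in for the raddb users path
    n = write_users_file(generate_hotspot_users(count), target)
    file_mode = stat.S_IMODE(os.stat(target).st_mode)
    with open(target) as fh:
        return n, file_mode, check_users_file(fh.read())


if __name__ == "__main__":
    print(demo())   # after installing the real file, radiusd still needs a restart
```

The check is deliberately stricter than what radiusd itself would accept, so that a typo in the generator shows up here instead of as a failed restart on the firewall; the restart itself is left to whatever script already does it after the upload.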

fsantaana

@Nachtfalke:

(…)

Wow, 25k, that is a huge number. I will look into changing the configuration for a MySQL backend but I was trying to avoid this since I was looking for an embedded system to host the CP/authentication. Just for clarification, the accounting is what keeps the time of the authenticated users in the CP correct?

Nachtfalke

Accounting is for example counting the user's time ("Amount of Time") and then kicking the user after he used his amount of - let's say - 60 minutes.
Or if you give a user 2000MB to use per day. Simultaneous-Use checks on freeradius will be done by accounting. But you could do that easier with the CP - if you need it.

So what you say is correct.

The huge number of users:
Try it. Probably there will never be so many users which authenticate at the same time and - if I remember correctly - on CP there is an option for how many users can visit the CP page simultaneously.

Here is a tutorial which could allow you to test the performance on your hardware:
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Test_FreeRADIUS_performance_with_jRadius
If you do some tests - please feel free to share your experience - I will add this to the pfsense doc so that other people know what can be done with freeradius on pfsense :-)

fsantaana

Thanks for the info. The accounting is what I would need the most because I need to be able to pause the 1 hour limit by logging out. I don't think the CP time limit allows this to happen, which is why I'm relying on freeradius and the users file for accounting to assist with this.

Is there no way to get accounting with the USERS file? I will try various workarounds to see; I will keep you posted on any progress.

Nachtfalke

Accounting without any database is possible.
The accounting data will be stored in

/var/log/radacct/datacounter/

or

/var/log/radacct/timecounter/

Of course you can test if the hardware can handle that, then you do not need any mysql database.

fsantaana

Thanks for the info Nachtfalke. I set it all up and have it working. Next week Thursday I will be testing with a large amount of users in the USERS file and I will let you know the results.

However I ran into some problems with the time expiring before the set time and I saw that you have a bug report for this on redmine and various posts about the issue in the forums. I also read your document on FR2 in the pfsense DOCS and there you state that the problem was resolved in 2.0.2. I upgraded to this version and I can confirm that the error still continues. Please see my reply in the post from Periko with the logs to see if this helps. http://forum.pfsense.org/index.php/topic,57303.0.html

Is there a workaround I can do for the moment? I tried interim accounting but the problem with that is it doesn't report back the Session Timeout, so it remains the same until the user logs out. Also in my logs I don't see the session timeout decreasing once the user is logged on.

Nachtfalke

Hi,

this is a really annoying problem but it depends on the data CP is sending.

In the post you mentioned there are some links to github pull requests from another user who did some changes on CP code. Did you try that?

Further, did you try with "accounting stop/start" on CP?

And please try with freeradius –> settings "acct_unique" di-/enabled.

Enable "Session-Timeout" on CP.

Do not set any "Session-Timeout" on a user which should use the time feature.

If the daily usage time has expired then do not try again with the same username as long as you:

• did not delete the db.daily database
• midnight is not over
  create another username

Try to disable the CP hard timeout and idle timeout

fsantaana

Hi,

I implemented pfsense with fr2 and a freeradius list of 30k codes yesterday in our test hotel. The machine handles the number of users and codes with no problems and the CP page runs fine. There are just 2 things that I'm stuck with; maybe you can help.

1. The "users" file gets reset every time I restart the box. I generated a custom users file not through the GUI and uploaded it with all the correct information and it works, but when I restart the box it gets erased. Will the method you posted earlier, altering freeradius.inc line 571, prevent this from happening?

2. I've tried all the methods below and am still having the problems with the code timing when using start/stop acct from the CP. I tried to remove all the idle/session timeouts from fr2 and the CP page. Also removed the option to use the radius session timeout and there are no session timeouts on the user.

However what I did notice is that the first session time that is sent is not correct. It should send 60 second increments but the first time packet sends 40 seconds and from there it throws the entire time off and it keeps increasing. So let's say that every time it should be 60: the first is 40, then the second is 100, 160, 220, etc. Do you know where this is coded? Maybe if we change the variable to a static number of 60 it will correct the problem? Just an idea and what I noticed.

Also with that, the only way I can keep the code timer correct is if I switch to interim accounting, but then the fr2 session time never decreases and thus renders the valid time useless because it would never expire.

Nachtfalke

1.)
Remove or comment out the two lines I posted in the posts before if you want to prevent any process from overwriting your "users" file.

2.)
Try the patch/changes from ermal or find the corresponding file and lines:
http://redmine.pfsense.org/issues/2164

In this patch ermal is reducing the time at every accounting stop by 60 seconds.

fsantaana

I've never done a patch before, so what is the command I'll need to run to add the patch from that cp.diff? Sorry, I'm not the greatest with these BSD commands, but inside the files I can find my way around.

I did comment out the lines and now all is ok with the users file.

Thanks!

Nachtfalke

I am no BSD guy either ;-)

Find the file "captiveportal.inc"

Probably modifying the file by hand would be the easiest way:
The lines with a "-" in front need to be removed.
The lines with a "+" in front need to be added.

What the patch does - as far as I understand it - is:
It just subtracts 60 seconds from the stop-time.

$stop_time - 60,

You said that the first accounting stop packet sends 40 seconds instead of 60. The reason could be this comment:

/* XXX: *start time* Timer is static since prunce records is every 60secs. Max it needs to be configurable with prune records interval */
                                
Fesoj

Wouldn't it still be easier to install the MySQL server by hand inside pfSense so you can leave the current sources the way they are? Setting up users from outside the pfSense GUI is so much easier using a "realtime" DB setup.

fsantaana

Nachtfalke - I tried both those changes and everything is ok for the moment!! Thanks for your help with this. While updating the captiveportal.inc from the redmine link I saw that you posted a fix for the rladump error that comes up in the logs. Where do you add the line exec("sleep 1");? Thanks!

I found a fix for another "bug":

rlm_radutmp: Logout for NAS CP port 76, but no Login record
rlm_radutmp: Login entry for NAS CP port 76 wrong order

This is happening because the accounting stop/start packets are too short after one another. I added this line:

exec("sleep 1");

Fesoj - I would, but I'm running this on a CF card on an embedded device. Don't think it's too smart to use mysql on a CF card because of the amount of writes it requires. So far with these latest patches the USERS file of 30k users is working great, no problems, and loads really quickly. It's relatively small, 1.3MB. However if you have any other ideas of how I can improve this system I would be glad to hear them. I am just testing all of the solution at the moment to see if it will hold up before we deploy to our different sites.

Fesoj

You may be right. My hotel solutions are hosted inside Atom boxes with real disks, so this is not an issue here.

On the other hand, maybe not. If the CF card is large enough and there is enough RAM, it might still work. Only interim updates require a lot of writes.

Nachtfalke

@Fesoj:

(…)
Only interim updates require a lot of writes.

For CP on pfsense this is not correct because the updates - no matter if interim or stop/start - will be sent every 60 seconds. So in this case there will be no difference.

Unfortunately there are some things which pfsense CP does not support, or does not support correctly according to the RADIUS protocol. But as far as I can see, there are some improvements made on CP in the new version 2.1.

@fsantaana
You are right - on redmine I posted this exec("sleep 1"); command … but I opened these tickets in the past when I developed the freeradius2 package and tried to test these features. I am not using this at the moment so I need some time to remember where I added this line ;-)

Nachtfalke

Ok, I think I found the part where I probably added this in the past ::)

This is the part in captiveportal.inc which generates the accounting stop/start packets.
The first part is accounting stop and then there is immediately an accounting start. In most cases this is too short after one another so I added this one second of sleep time. Not sure if there is any other value shorter than one second which can be used or not. This is the actual code on github:

if ($config['captiveportal']['reauthenticateacct'] == "stopstart") {
    /* stop and restart accounting */
    RADIUS_ACCOUNTING_STOP($cpentry[1], // ruleno
        $cpentry[4], // username
        $cpentry[5], // sessionid
        $cpentry[0], // start time
        $radiusservers,
        $cpentry[2], // clientip
        $cpentry[3], // clientmac
        10); // NAS Request
    exec("/sbin/ipfw table 1 entryzerostats {$cpentry[2]}");
    exec("/sbin/ipfw table 2 entryzerostats {$cpentry[2]}");
    RADIUS_ACCOUNTING_START($cpentry[1], // ruleno
        $cpentry[4], // username
        $cpentry[5], // sessionid
        $radiusservers,
        $cpentry[2], // clientip
        $cpentry[3]); // clientmac

So probably adding the sleep between these two lines would help:

exec("/sbin/ipfw table 2 entryzerostats {$cpentry[2]}");
exec("sleep 1");
RADIUS_ACCOUNTING_START($cpentry[1], // ruleno

Remember:
This will make accounting a little bit inaccurate over a long period because you lose one second every minute which will not be counted. In theory you could try to use:

$stop_time - 59,

instead of:

$stop_time - 60,

Not sure if there are side effects or not.
If you calculate one day, which has 24*60 accounting stop/start packets, you lose 24min or your customer wins 24min per day ;-)

PS: If this helps you and fixes your problem(s) - it would be nice to comment on redmine what you changed, on which version of pfsense and what it fixed, so that there will hopefully be a commit in future pfsense 2.0.x and pfsense 2.1.x versions.

Fesoj

Nachtfalke:

whether writing to MySQL results in any disk activity is largely a matter of which storage engine is used. There's none if the MEMORY engine is used, though this is vulnerable to various hardware and power problems. Maybe a temporary copy to a disk based format makes this usable.

I'll try to measure the disk activity on my boxes with iostat or something similar to see whether FreeRadius on a pfSense box really triggers a lot of disk activity. I could report later about this.

Except for the transferred number of octets FR basically works for my setups.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.