Hotspot success setup?



  • I had been trying to figure out how to set up pfsense+cp+fr2 for a hotspot; I wanted to add users, each one with his own daily time for $$$.

    I wanted to use just pfsense, no external machine for this and no MySQL support for now; small networks, 5-10 users.

    I was running pfsense 2.0.1 with no success; later I upgraded to 2.0.2.

    I had followed the doc about pfsense+freeradius2 without success.

    I want to understand the fr2 debug info but I need to read more about the protocol; working on it…

    My summary is this: once you set up cp+fr2, you can add users and no matter what "Amount of Time" you give to each one, cp "HardTime" always wins; it doesn't matter if the user's "Amount of Time" is < or > than the cp HardTime.

    Then all my users will be kicked off based on the cp value.

    Using interim-updates doesn't work because it lets users log in again and continue surfing; this is not what I want.

    Login based on ACL day restriction (Wk12001300,Sa): this works, great.

    Why don't I want to use MySQL? Well, this equipment is a fanless system and embedded device; pfsense is installed on a CF card with 512 MB RAM. MySQL is a big app and I don't want to sacrifice CPU. I had read that MySQL is for when you need support for 512+ users, but for 5-10 it's not worth it, right?

    But I will give it a try.

    My question is: has someone here been able to set up pfsense+cp+fr2 for a hotspot with the default counter module or with MySQL?

    Thanks!!!



  • Sounds interesting. As for me, CP has some error with freeradius, especially in the time and data counter. I really don't know which of these two causes the problem. And CP doesn't redirect https traffic to the portal page. Although I am still using CP with the help of daloRadius. Only interim update is used in cp and it's just fine. As I don't want to use two PCs for that, I installed pfsense & daloRadius on VMware on a Windows 7 PC. They just work well for me as I don't have too many users.



  • In your case, you had set up a hotspot with pfsense cp+daloRadius; does this duo fix the pfsense+fr2 issues?
    What db are you using with daloRadius?
    Thanks for your input.



  • I use a MySQL db. Time counter and data counter work well with daloRadius so far. In CP I can use only interim-update; "Re-authenticate user every minute" doesn't work with daloRadius.



  • Hi,

    for communication between fr2 and CP, attributes are used. Some of these attributes are "Check-Attributes" or "Check-Items" and others are "Reply-Attributes" or "Reply-Items". But it is important that CP and fr2 are talking about the same attributes. It will not have any effect if you put any attribute into the fr2 "Users" file to check or to reply to CP if CP does not understand these attributes.

    So for the time-based thing the following will happen:

    1. A user tries to authenticate on CP

    2. CP will send an Access-Request to fr2 with username and password, MAC address and some other information

    3. fr2 will check the username/password against the "Users" file. If all is correct fr2 sends back an "Access-Accept"

    4. If you have put more information (Check or Reply-Items) in the "Users" file then fr2 will check these attributes, too.

    5. So if you have set the "Max-Daily-Session" attribute then fr2 checks the db.daily database and if there is some time left fr2 sends back a "Session-Timeout" attribute to CP.

    6. Now it is the work of CP to do the correct thing with the "Session-Timeout" attribute and value. (This means that CP has to disconnect the user after Session-Timeout is zero or less. So you have to enable "Session-Timeout" on CP. Further, I think that "HardTimeout" and "IdleTimeout" on CP are probably using the same attribute, but HardTimeout will probably override the fr2 value. So if you are using time-based access on fr2 then you should disable HardTimeout, because HardTimeout kicks users, no matter what they do, after the time you entered there.)

    7. To make the time counter on fr2 work correctly it is absolutely necessary that CP sends the correct value to fr2 in accounting updates. So when sending interim-updates the "Acct-Session-Time" (I think the attribute has this name) must increase between every accounting packet. And if there are 60 seconds between accounting update 1 and accounting update 2 then the "Acct-Session-Time" must only increase by 60 seconds. (I don't know how this is on pfsense 2.0.2, but if I remember correctly then this didn't happen on older pfsense versions. There are still some tickets open on redmine and github.)

    https://github.com/bsdperimeter/pfsense/pull/237
    https://github.com/bsdperimeter/pfsense/pull/236
    http://forum.pfsense.org/index.php/topic,43675.msg290136.html#msg290136
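    The seven steps above, as an added Python model written for this page; it is not pfSense or FreeRADIUS code. The server side follows rlm_counter's documented behaviour: Max-Daily-Session is the check item, the Access-Accept carries Session-Timeout equal to the limit minus the time already used, and Acct-Session-Time from each Stop record is added to the per-user daily counter. `effective_timeout` is a hypothetical captive-portal rule that shows why a configured HardTimeout shorter than the RADIUS Session-Timeout wins. User names, passwords and limits are constructed.

```python
"""Model of the CP <-> FreeRADIUS time-accounting exchange (added example).

Not pfSense or FreeRADIUS code. The server side mirrors rlm_counter: the
Max-Daily-Session check item is compared with the seconds already used
today; if time is left the Access-Accept carries Session-Timeout equal to
the remainder; Acct-Session-Time from every Stop record is added to the
counter. The NAS side (effective_timeout) is a hypothetical captive portal.
"""
from dataclasses import dataclass, field

# Constructed "users" file: check items per user.
USERS = {
    "hour": {"Cleartext-Password": "hour-pass", "Max-Daily-Session": 3600},
    "day":  {"Cleartext-Password": "day-pass",  "Max-Daily-Session": 86400},
}


@dataclass
class RadiusServer:
    users: dict
    counter: dict = field(default_factory=dict)  # stands in for db.daily

    def access_request(self, user, password):
        """Steps 2-5: authenticate, then check the daily counter."""
        entry = self.users.get(user)
        if entry is None or entry["Cleartext-Password"] != password:
            return "Access-Reject", {}
        used = self.counter.get(user, 0)
        limit = entry["Max-Daily-Session"]
        if used >= limit:
            # Same wording pattern as the rlm_counter message seen in the log above.
            return "Access-Reject", {"Reply-Message": "Maximum daily usage time reached"}
        return "Access-Accept", {"Session-Timeout": limit - used}

    def accounting(self, user, status_type, acct_session_time=0):
        """Step 7: only Stop records feed the counter in this model."""
        if status_type == "Stop":
            self.counter[user] = self.counter.get(user, 0) + acct_session_time
        return "Accounting-Response"


def effective_timeout(reply, cp_hard_timeout, use_radius_session_timeout):
    """Step 6, hypothetical NAS rule: the smallest enabled limit wins, so a
    CP HardTimeout shorter than the RADIUS Session-Timeout kicks the user first."""
    limits = []
    if use_radius_session_timeout and "Session-Timeout" in reply:
        limits.append(reply["Session-Timeout"])
    if cp_hard_timeout:  # an empty/zero HardTimeout is treated as disabled
        limits.append(cp_hard_timeout)
    return min(limits) if limits else None


def scenario():
    """Walk one user through three logins; returns what the NAS would enforce."""
    srv = RadiusServer(USERS)
    out = []
    # Login 1: 3600 s left on RADIUS, but a 300 s HardTimeout is set on CP.
    code, reply = srv.access_request("hour", "hour-pass")
    out.append((code, effective_timeout(reply, 300, True)))
    srv.accounting("hour", "Stop", 300)          # CP kicked the user after 300 s
    # Login 2: HardTimeout now empty, RADIUS says 3300 s remain.
    code, reply = srv.access_request("hour", "hour-pass")
    out.append((code, effective_timeout(reply, None, True)))
    srv.accounting("hour", "Stop", 3300)
    # Login 3: daily allowance exhausted.
    code, reply = srv.access_request("hour", "hour-pass")
    out.append((code, reply.get("Reply-Message")))
    return out


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

    The first login shows the complaint at the top of the thread: RADIUS offers 3600 s but the NAS enforces 300 because HardTimeout is the smaller limit. Leave HardTimeout empty and the RADIUS value is the only one left.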



  • Please, if you have time, guys, make this test.
    Set up the cp/fr2 start/stop option.
    HardTime empty in cp.
    Then add users to fr2 with any "Amount of Time" value > 5 minutes.

    In my case, every user is kicked off after 5 minutes.



  • Periko, I have tried this setup on pfSense 2.0.2; according to the FR2 docs the issue was patched in this release, however it remains in my case. I created 2 users in FR2, "hour" and "day", and have CP with start/stop accounting. The bug continues where it disconnects them after a few minutes with the same error. I am putting below the system log with the error.

    Hour had 60 minutes and was logged off after 5, and when I try to go back in it would tell me the time had expired; day had 1440 minutes and the same message.

    Is there a patch I must install on 2.0.2?

    Jan 10 17:42:09 logportalauth[25696]: USER LOGIN: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100
    Jan 10 17:42:17 logportalauth[25696]: USER LOGIN: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100
    Jan 10 17:42:17 logportalauth[25696]: CONCURRENT LOGIN - REUSING OLD SESSION: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100
    Jan 10 17:50:44 logportalauth[25696]: DISCONNECT: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100
    Jan 10 18:14:58 logportalauth[25696]: USER LOGIN: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100
    Jan 10 18:19:45 logportalauth[5388]: RADIUS_DISCONNECT: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100, Your maximum never usage time has been reached
    Jan 10 23:31:24 logportalauth[25087]: Restarting captive portal.
    Jan 10 18:31:51 logportalauth[10022]: FAILURE: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100, Your maximum never usage time has been reached
    Jan 10 18:34:29 logportalauth[10022]: USER LOGIN: day, 3c:d9:2b:1f:1f:0b, 192.168.1.100
    Jan 10 19:28:02 logportalauth[12243]: RADIUS_DISCONNECT: day, 3c:d9:2b:1f:1f:0b, 192.168.1.100, Your maximum never usage time has been reached
    Jan 11 08:19:17 logportalauth[10022]: FAILURE: day, 3c:d9:2b:1f:1f:0b, 192.168.1.100, Your maximum never usage time has been reached
    Jan 10 19:22:58 radiusd[23151]: rlm_radutmp: Logout for NAS CP port 3, but no Login record
    Jan 10 19:22:58 radiusd[23151]: rlm_radutmp: Logout for NAS CP port 3, but no Login record
    Jan 10 19:22:58 radiusd[23151]: Login OK: [day] (from client CP port 3 cli 3c:d9:2b:1f:1f:0b)
    Jan 10 19:22:58 radiusd[23151]: Login OK: [day] (from client CP port 3 cli 3c:d9:2b:1f:1f:0b)
    Jan 10 19:23:58 radiusd[23151]: rlm_radutmp: Login entry for NAS CP port 3 wrong order
    Jan 10 19:23:58 radiusd[23151]: rlm_radutmp: Login entry for NAS CP port 3 wrong order
    Jan 10 19:23:58 radiusd[23151]: Login OK: [day] (from client CP port 3 cli 3c:d9:2b:1f:1f:0b)
    Jan 10 19:23:58 radiusd[23151]: Login OK: [day] (from client CP port 3 cli 3c:d9:2b:1f:1f:0b)
    Jan 10 19:24:59 radiusd[23151]: rlm_radutmp: Logout for NAS CP port 3, but no Login record
    Jan 10 19:24:59 radiusd[23151]: rlm_radutmp: Logout for NAS CP port 3, but no Login record
    Jan 10 19:24:59 radiusd[23151]: Login OK: [day] (from client CP port 3 cli 3c:d9:2b:1f:1f:0b)
    Jan 10 19:24:59 radiusd[23151]: Login OK: [day] (from client CP port 3 cli 3c:d9:2b:1f:1f:0b)
    Jan 10 19:25:59 radiusd[23151]: rlm_radutmp: Login entry for NAS CP port 3 wrong order
    Jan 10 19:25:59 radiusd[23151]: rlm_radutmp: Login entry for NAS CP port 3 wrong order
    Jan 10 19:25:59 radiusd[23151]: Login OK: [day] (from client CP port 3 cli 3c:d9:2b:1f:1f:0b)
    Jan 10 19:25:59 radiusd[23151]: Login OK: [day] (from client CP port 3 cli 3c:d9:2b:1f:1f:0b)
    Jan 10 19:27:00 radiusd[23151]: rlm_radutmp: Logout for NAS CP port 3, but no Login record
    Jan 10 19:27:00 radiusd[23151]: rlm_radutmp: Logout for NAS CP port 3, but no Login record
    Jan 10 19:27:00 radiusd[23151]: Login OK: [day] (from client CP port 3 cli 3c:d9:2b:1f:1f:0b)
    Jan 10 19:27:00 radiusd[23151]: Login OK: [day] (from client CP port 3 cli 3c:d9:2b:1f:1f:0b)
    Jan 10 19:28:01 radiusd[23151]: rlm_radutmp: Login entry for NAS CP port 3 wrong order
    Jan 10 19:28:01 radiusd[23151]: rlm_radutmp: Login entry for NAS CP port 3 wrong order
    Jan 10 19:28:01 radiusd[23151]: Invalid user (rlm_counter: Maximum never usage time reached): [day] (from client CP port 3 cli 3c:d9:2b:1f:1f:0b)
    Jan 10 19:28:01 radiusd[23151]: Invalid user (rlm_counter: Maximum never usage time reached): [day] (from client CP port 3 cli 3c:d9:2b:1f:1f:0b)
    Jan 10 19:28:02 radiusd[23151]: rlm_radutmp: Logout for NAS CP port 3, but no Login record
    Jan 10 19:28:02 radiusd[23151]: rlm_radutmp: Logout for NAS CP port 3, but no Login record
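    An added check written for this page, not pfSense code: the logportalauth lines from the post above (joined to one line per event; syslog carries no year, so 2013 is assumed) are paired LOGIN-to-DISCONNECT per user and MAC, and each session length is compared with the allowance the post states (hour = 60 min, day = 1440 min). It flags the two RADIUS_DISCONNECTs that arrived long before the allowance could have been used.

```python
"""Correlate captive-portal login/disconnect lines into sessions (added example).

Not pfSense code. SAMPLE_LOG is copied from the post above, joined to one
line per event. A LOGIN that repeats while a session is open is treated as
the same session, matching the "REUSING OLD SESSION" line.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Jan 10 17:42:09 logportalauth[25696]: USER LOGIN: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100
Jan 10 17:42:17 logportalauth[25696]: USER LOGIN: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100
Jan 10 17:42:17 logportalauth[25696]: CONCURRENT LOGIN - REUSING OLD SESSION: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100
Jan 10 17:50:44 logportalauth[25696]: DISCONNECT: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100
Jan 10 18:14:58 logportalauth[25696]: USER LOGIN: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100
Jan 10 18:19:45 logportalauth[5388]: RADIUS_DISCONNECT: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100, Your maximum never usage time has been reached
Jan 10 23:31:24 logportalauth[25087]: Restarting captive portal.
Jan 10 18:31:51 logportalauth[10022]: FAILURE: hour, 3c:d9:2b:1f:1f:0b, 192.168.1.100, Your maximum never usage time has been reached
Jan 10 18:34:29 logportalauth[10022]: USER LOGIN: day, 3c:d9:2b:1f:1f:0b, 192.168.1.100
Jan 10 19:28:02 logportalauth[12243]: RADIUS_DISCONNECT: day, 3c:d9:2b:1f:1f:0b, 192.168.1.100, Your maximum never usage time has been reached
Jan 11 08:19:17 logportalauth[10022]: FAILURE: day, 3c:d9:2b:1f:1f:0b, 192.168.1.100, Your maximum never usage time has been reached
"""

# Max-Daily-Session per user, in seconds, as stated in the post.
ALLOWANCE = {"hour": 3600, "day": 86400}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) logportalauth\[\d+\]: "
    r"(?P<event>[A-Z_ \-]+?): (?P<user>[^,]+), (?P<mac>[0-9a-f:]{17}), "
    r"(?P<ip>[\d.]+)(?:, (?P<reason>.*))?$"
)


def parse(line, year=2013):
    """Return a dict for a user event line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def sessions(log_text, year=2013):
    """Pair each USER LOGIN with the next DISCONNECT/RADIUS_DISCONNECT for the same user+MAC."""
    open_sessions = {}
    out = []
    for line in log_text.splitlines():
        ev = parse(line, year)
        if ev is None:
            continue
        key = (ev["user"], ev["mac"])
        if ev["event"] == "USER LOGIN":
            open_sessions.setdefault(key, ev["ts"])  # repeated LOGIN keeps the old start
        elif ev["event"] in ("DISCONNECT", "RADIUS_DISCONNECT") and key in open_sessions:
            start = open_sessions.pop(key)
            out.append({
                "user": ev["user"], "start": start, "end": ev["ts"],
                "seconds": int((ev["ts"] - start).total_seconds()),
                "event": ev["event"], "reason": ev["reason"],
            })
    return out


def premature(log_text, allowance=ALLOWANCE, year=2013):
    """Sessions ended by RADIUS before the user's daily allowance could be used up."""
    return [s for s in sessions(log_text, year)
            if s["event"] == "RADIUS_DISCONNECT" and s["seconds"] < allowance.get(s["user"], 0)]


if __name__ == "__main__":
    for s in sessions(SAMPLE_LOG):
        print(f"{s['user']:5} {s['seconds']:6d}s  {s['event']}")
    for s in premature(SAMPLE_LOG):
        print(f"premature: {s['user']} cut after {s['seconds']}s of {ALLOWANCE[s['user']]}s")
```

    Against these lines it reports "hour" cut after 287 s of 3600 and "day" after 3213 s of 86400. Running the same check over a day of logs gives a quick yes/no on whether a counter fix actually took, without reading radiusd debug output.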



  • Thanks, I was thinking that I was the only one with this issue!!!
    I still don't get where the issue is; thanks for your info fsantaana.



  • periko,

    just want to update you on something I noticed with this issue, as it's becoming more urgent that I find a way to resolve this. Maybe with the below you can help or see if you notice something. Do you know where the file or the line in the code is that sends the session time-out increments to fr2?

    I've tried all the methods below and am still having the problems with the code timing when using start/stop acct from the CP. I tried to remove all the idle/session timeouts from the fr2 and CP page. Also removed the option to use the RADIUS session timeout, and there are no session timeouts on the user.

    However, what I did notice is that the first session time that is sent is not correct. It should send 60-second increments, but the first time packet sends 40 seconds and from there it throws the entire time off and it keeps increasing. So let's say that every time it should be 60: the first is 40, then the second is 100, 160, 220, etc. Do you know where this is coded? Maybe if we change the variable to a static number of 60 it will correct the problem? Just an idea and what I noticed.

    Also with that, the only way I can keep the code timer correct is if I switch to interim accounting, but then the fr2 session time never decreases and thus renders the valid time useless because it would never expire.
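    The 40/100/160/220 sequence described above, reproduced as an added Python check; it is not pfSense code and the packet stream is constructed. It builds the Stop/Start pairs a NAS would send once a minute, once with Acct-Session-Time counted from the original login (the reported behaviour) and once counted from the previous Start, then shows what a summing counter makes of each and flags every Stop whose Acct-Session-Time disagrees with the wall clock.

```python
"""Accounting-stream sanity check (added example, not pfSense code).

Packets are dicts with 'ts' (wall-clock seconds), 'Acct-Status-Type' and,
for Stops, 'Acct-Session-Time'. INTERVALS reproduces the report above: a
40-second first interval, then 60-second ones.
"""

INTERVALS = [40, 60, 60, 60]  # constructed, matching the post


def build_stream(intervals, cumulative):
    """One Start, then a Stop/Start pair at each interval boundary.

    cumulative=True: every Stop carries seconds since the ORIGINAL login
    (the reported bug); False: seconds since the previous Start.
    """
    packets = [{"ts": 0, "Acct-Status-Type": "Start"}]
    t = 0
    for i, dt in enumerate(intervals):
        t += dt
        packets.append({"ts": t, "Acct-Status-Type": "Stop",
                        "Acct-Session-Time": t if cumulative else dt})
        if i < len(intervals) - 1:          # no re-Start after the final Stop
            packets.append({"ts": t, "Acct-Status-Type": "Start"})
    return packets


def counter_total(packets):
    """What a per-day counter that sums Acct-Session-Time of every Stop ends up with."""
    return sum(p["Acct-Session-Time"] for p in packets if p["Acct-Status-Type"] == "Stop")


def overcount(packets):
    """Counter total minus real wall-clock time spanned by the stream."""
    return counter_total(packets) - (packets[-1]["ts"] - packets[0]["ts"])


def check_stream(packets):
    """Flag each Stop whose Acct-Session-Time is not the time since the Start that opened it."""
    problems = []
    session_start = None
    for p in packets:
        if p["Acct-Status-Type"] == "Start":
            session_start = p["ts"]
        elif p["Acct-Status-Type"] == "Stop":
            if session_start is None:
                problems.append(f"t={p['ts']}: Stop without a preceding Start")
                continue
            expected = p["ts"] - session_start
            if p["Acct-Session-Time"] != expected:
                problems.append(f"t={p['ts']}: Acct-Session-Time={p['Acct-Session-Time']} "
                                f"but only {expected}s since Start")
            session_start = None
    return problems


if __name__ == "__main__":
    for label, cumulative in (("cumulative (bug)", True), ("per-interval", False)):
        stream = build_stream(INTERVALS, cumulative)
        print(f"{label}: counter={counter_total(stream)}s "
              f"overcount={overcount(stream)}s problems={len(check_stream(stream))}")
        for problem in check_stream(stream):
            print("  ", problem)
```

    The cumulative stream totals 520 s for 220 s of wall-clock time, which is why the allowance runs out early; the per-interval stream totals 220 s. A 40-second first interval is harmless as long as the Stop reports 40, so sending the delta since the previous Start is safer than sending a fixed 60.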



  • Hi fsantaana.

    Good information. I'm not a programmer, but it will be good to know if someone here could give us info about how CP from pfsense works and which files are involved.

    I will post updates if I get something, thanks!!!



  • @periko:

    Hi fsantaana.

    Good information. I'm not a programmer, but it will be good to know if someone here could give us info about how CP from pfsense works and which files are involved.

    I will post updates if I get something, thanks!!!

    Hi periko,

    I talked to fsantaana on another thread.
    He seems to have found a solution to make the time counter work. Start reading the following thread, starting with the post at the URL below.
    http://forum.pfsense.org/index.php/topic,56306.msg309438.html#msg309438

    You have to make some changes on the captiveportal.inc but then it should work.



  • Hi all.

    Looks like it is working; I made the changes in:

    /etc/inc/captiveportal.inc

    This patch http://redmine.pfsense.org/issues/2164 is for pfsense < 2.0.2, but analyzing the file a little, I think I got it manually.

    I have been playing with fr2, adding users with 2/4/8/16/30/60 minutes each, and pfsense kicks out each user after they reach their time.
    I rebooted my machine and it remembers who has been eating his daily time, good.
    Now I must see what happens after 24 hrs, waiting.

    These are the changes I made in the file:

    
    730,731c730
    <                                                 $stop_time - 60,
    <                                               //$cpentry[0], // start time
    ---
    >                                               $cpentry[0], // start time
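    Review bot: the `<` lines here are the patched file and the `>` lines the stock source (the diff was taken with the modified file first), so anyone feeding this to `patch` needs `-R` or to swap the files; saying so above the listing would save the next reader a confused minute. On the change itself, replacing the real start time `$cpentry[0]` with `$stop_time - 60` makes every Stop report a fixed 60-second Acct-Session-Time instead of the time since login, which, going by the 40/100/160/220 sequence reported earlier in the thread, is what keeps rlm_counter from adding the whole elapsed time again at every periodic Stop. That is only exact if each Stop really follows the previous one by 60 s; recording the time of the previous Stop in the session entry and sending `$stop_time - $last_stop` would survive a short first interval or a slow prune run, and a comment explaining why the real start time is not used belongs next to the line.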
    735,738c734
    <                                               //10); // NAS Request
    <                                                 10, // NAS Request
    <                                                 false, //Not interim update
    <                                                 $stop_time);
    ---
    >                                               10); // NAS Request
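    Review bot: the two new positional arguments `false` and `$stop_time` have to match the parameter order of the accounting function in this 2.0.2 file (the redmine #2164 patch targets an older version, as the post says). PHP silently ignores surplus arguments to a user-defined function, so if the signature was not extended the call still runs and the fix simply does nothing; check the function definition before trusting the test results. The commented-out `//10); // NAS Request` line should go rather than sit beside the live call.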
    741d736
    <                                         exec("sleep 1");
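    Review bot: `exec("sleep 1")` forks a shell for every user the loop visits; PHP's built-in `sleep(1)` does the same without spawning a process. If the intent is to give the Stop and the following Start different second-resolution timestamps (the rlm_radutmp "wrong order" and "no Login record" lines earlier in the thread show both landing in the same second), say so in a comment. Either way note the cost: with the 30-40 simultaneous users mentioned later in the thread, every pass over the session table gains 30-40 seconds.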
    799d793
    <                         $stop_time - 60,
    872d865
    <                 $stop_time = time();
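    Review bot: `$stop_time = time();` gives the admin-reboot path its own value, but the `$stop_time - 60` uses added at 730 and 799 sit in other functions and this diff shows no assignment there. If `$stop_time` is undefined in those scopes PHP evaluates `null - 60` as -60 (with an undefined-variable notice), so the Stop would carry a start time near the epoch and a nonsense Acct-Session-Time. Confirm each of those functions assigns it before use, or pass it in explicitly.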
    878d870
    <                                 $stop_time - 60,
    883,885c875
    <                               //7); // Admin Reboot
    <                                 7, // Admin Reboot
    <                                 false, $stop_time);
    ---
    >                               7); // Admin Reboot
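    Review bot: same signature concern as at 735: `false, $stop_time` only work if the function takes an interim flag followed by a stop time, in that order. Beyond that, on a reboot every connected user gets a Stop with terminate cause 7 and a 60-second session regardless of how long ago their last periodic Stop went out, so the daily counter can be off by up to a minute per user after a restart. Acceptable for a hotspot, but worth a comment so the fixed 60 is not later read as a bug.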
    
    

    Hope you can understand this.

    I will continue testing, but until now it is working; thanks to all of you guys. I knew that this would happen sooner or later; this is a great feature for a great product like pfsense.
    But with more testers we can make it better, thanks again  ;D



  • periko, you are correct. I had made those changes earlier and posted them in another post.

    They have been working fine and no problems since that change. I have tested in 3 sites with approx 30-40 simultaneous connections and it keeps track of everyone just fine.



  • Hi fsantaana.

    Yes, I follow your posts here, thanks. I just would like to see if we could add a billing system; other packages like daloradius require MySQL, but some of my boxes are fanless, they use CF, and MySQL will kill those boxes.

    Hope we could see this feature in the near future.

    But like you, my system is working, thanks!!!



  • This is exactly what I'm working on with a fanless box and CF card, which is why I used the USERS file. But I have done some research and found that if you use an SLC CF card (SSD drives/industrial), which has 100k writes, as opposed to an MLC CF card (cameras/commercial), then this shouldn't matter. You can use a full install of pfsense on the box and it will be OK to load the MySQL PHP add-on to it like they've shown in other posts. With that you will have more control of your users/accounting.

    I will be trying this in the next week or so, just waiting on the box to arrive from Taiwan :). I have implemented it already but using an MLC with the USERS file, which we've had the few problems with and worked out here. I will keep you posted on my success/failure.

    Right now I'm trying to find out 2 things: how to convert the user name entered to all lowercase and then submit it to the CP page. I'm trying to play around with the forms on the default window but always manage to send a blank username to the CP/FreeRADIUS for authentication.

    And trying to see if I can get a per-user idle timeout instead of a global timeout.

    If you have any ideas let me know !



  • @fsantaana:

    (…)
    Right now I'm trying to find out 2 things: how to convert the user name entered to all lowercase and then submit it to the CP page. I'm trying to play around with the forms on the default window but always manage to send a blank username to the CP/FreeRADIUS for authentication.

    Take a look here. RADIUS offers this by default:
    http://onlamp.com/pub/a/onlamp/excerpt/radius_5/index1.html?page=5

    
    lower_user and lower_pass
    
    To eliminate case problems that often plague authentication methods such as RADIUS, the FreeRADIUS developers have included a feature that will attempt to modify the User-Name and User-Password attributes to make them all lowercase; this is done either before an authentication request, after a failed authentication request using the values of the attributes as they came, or not at all.
    
    Clearly setting the lower_user directive to after makes the most sense: it adds processing time to each request, but unless this particular machine normally carries a high load, the reduced troubleshooting time is worth the extra performance cost. However, a secure password often makes use of a combination of uppercase and lowercase letters, so security dictates leaving the password attribute alone.
    
    Usage:
    
    lower_user = [before/after/no]; lower_pass = [before/after/no]
    
    Suggestion:
    
    lower_user = after; lower_pass = no
    
    nospace_user and nospace_pass
    
    Much like the lower_user and lower_pass controls, these directives preprocess an Access-Request packet and ensure that no spaces are included. The available options are the same: before, after, or no. Again, the most obvious choice is to set nospace_user to after to save helpdesk time. Some administrators have a tendency to not allow spaces in passwords; if this is the case, set nospace_pass to before (since there is a system-wide policy against spaces in passwords, testing a request as-is is not required).
    
    Usage:
    
    nospace_user = [before/after/no]; nospace_password = [before/after/no]
    
    Suggestion:
    
    nospace_user = after; nospace_password = before
    
    

    @fsantaana:

    And trying to see if i can get per user idle timeout instead of a Global timeout.

    If you have any ideas let me know !

    Idle Timeout on CP is user-based as far as I know. If there isn't any traffic for that user for more than the idle timeout then this user gets disconnected. If the user is initiating traffic then the idle timeout is reset and starts counting again from the beginning.

    Hard Timeout on CP is user-based, too, but it kicks the user when the time is over and the user needs to reconnect. CP offers a checkbox "Enable Session-Timeout from RADIUS". You can set this individually for every user and this seems to be the same as the CP hard timeout, but it can be set independently so every user has a different timeout.

    --- edit ---
    lower_user and lower_pass seem to be out of date in freeradius 2.x; you should test whether this works or not.

    Another possibility could be to use the policy.conf file of freeradius. It does the same with MAC addresses. No matter which format the NAS sends the MAC address in, lowercase, uppercase, with ":" or with "-", in the end all MACs look like:
    11-22-aa-bb-55-66

    To check this look at this wiki:
    http://wiki.freeradius.org/guide/Mac-Auth#Plain-Mac-Auth

    For MAC addresses this is already implemented in freeradius -> settings -> "Enable Plain-MAC-Auth"
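    The normalisation discussed in this reply, as an added Python example written for this page; it is not FreeRADIUS, pfSense or the onlamp excerpt's code, and the function names are mine. User-Name is lower-cased and stripped of spaces, User-Password is left exactly as typed (the excerpt's point: case matters in a password), and Calling-Station-Id is brought to the 11-22-aa-bb-55-66 form whatever separator the client used. A value that is not a MAC raises rather than being passed on silently.

```python
"""Attribute normalisation before an Access-Request is built (added example).

Not FreeRADIUS or pfSense code. Equivalent in effect to lower_user = after /
nospace_user = after applied up front, plus the MAC canonicalisation the
policy.conf MAC-auth recipe performs. The password is never touched.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_MAC_SEPARATORS = re.compile(r"[:\-.\s]")


def normalise_username(name):
    """Drop all whitespace and lower-case the user name."""
    return "".join(name.split()).lower()


def canonical_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff;
    return aa-bb-cc-dd-ee-ff. Raise ValueError for anything else."""
    digits = _MAC_SEPARATORS.sub("", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_access_request(username, password, calling_station_id):
    """The attributes a NAS would put in the Access-Request after normalisation.
    User-Password is passed through unchanged on purpose."""
    return {
        "User-Name": normalise_username(username),
        "User-Password": password,
        "Calling-Station-Id": canonical_mac(calling_station_id),
    }


if __name__ == "__main__":
    # Constructed input: mixed case, stray spaces, upper-case colon-separated MAC.
    print(build_access_request(" Hour ", "PaSSw0rd", "3C:D9:2B:1F:1F:0B"))
```

    The MAC in the constructed call is the one from the log earlier in the thread; all four input forms map to the same key, so a counter or ACL keyed on Calling-Station-Id no longer splits one client into several entries.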

