CP with Freeradius and MySQL - fixed number of concurrent logins per user



  • I have a pfSense 2.03 setup using captive portal and freeradius for user authentication.

    Freeradius is using a MySQL database on an external server (Hostgator).

    This is working fine for a basic setup - user values are stored in the table 'radcheck'.

    However, I would like to limit the number of concurrent logins per user to 2; presently it appears they are unlimited. I have spent a lot of time searching the forums and documentation, but can't find anything quite specific enough to figure it out.

    I have tried checking/unchecking 'disable concurrent logins' in CP and instead defining the number allowed in the database.

    So in table 'radgroupcheck' I have defined groupname='user'  attribute='Simultaneous-Use'  op=':=' value='2'.
    Then in table 'radusergroup' I have defined username='joe' groupname='user' priority='1'
    And in table 'radcheck' I have username='joe' along with the other required attributes.

    But it appears I am missing something. If 'disable concurrent logins' in CP is checked, only one login is allowed, as you would expect. If it is unchecked, at least 3 concurrent logins are allowed, so my database entries are either being ignored or are misconfigured.

    Hope somebody can point me in the right direction here…



  • A bit more investigation, found some info at http://wiki.freeradius.org/guide/faq which has a checklist for non-functioning simultaneous use. Notably,

    run radwho. If it says no one is logged in, Simultaneous-Use won't work.

    When I run radwho it appears nobody is logged in which is odd, because I am logged in.

    The next item on the checklist says

    Verify that the NAS is sending accounting packets. Without accounting packets, Simultaneous-Use will NOT work.

    In Services -> Captive Portal -> Authentication -> Accounting, I have 'send RADIUS accounting packets' checked. In addition to the lack of radwho response, my MySQL table radacct is empty.

    What else might I do to switch on this accounting function?



  • Anyone got a solution for this problem? I can't figure it out.

    I need a solution where a username can use 2 MACs maximum. So one user can register his phone and laptop on the same account.



  • @EMWEE:

    Anyone got a solution for this problem? I can't figure it out.

    I need a solution where a username can use 2 MACs maximum. So one user can register his phone and laptop on the same account.

    The solution is easy:
    Open /usr/pbi/freeradius-amd64/etc/raddb/sql/mysql/dialup.conf (or i386 if you run this) and search for the following:

    #simul_count_query = "SELECT COUNT(*) \
                                 #FROM ${acct_table1} \
                                 #WHERE username = '%{SQL-User-Name}' \
                                 #AND acctstoptime IS NULL"
    

    Change it to:

    simul_count_query = "SELECT COUNT(*) \
                                 FROM ${acct_table1} \
                                 WHERE username = '%{SQL-User-Name}' \
                                 AND acctstoptime IS NULL"
    

    As you can see it works fine:

    [2.1.5-RELEASE][root@hotspot.test.lan]/root(24): radtest USER PASS 172.16.1.1:1812 0 Start1234
    Sending Access-Request of id 199 to 172.16.1.1 port 1812
    	User-Name = "USER"
    	User-Password = "PASS"
    	NAS-IP-Address = 192.168.1.1
    	NAS-Port = 0
    	Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Reject packet from host 172.16.1.1 port 1812, id=199, length=68
    	Reply-Message = "\r\nYou are already logged in - access denied\r\n\n"
    [2.1.5-RELEASE][root@hotspot.test.lan]/root(25):
    

    Please note: You must configure the Accounting Table in Service/FreeRADIUS: SQL
    If you do not use your SQL Server for, the feature will not work.

    P.S.: I configured it on a group basis, but it also works per user.



  • Well that was easy. Thanks!



  • @jhochwald

    Hi, I can't find this path /usr/pbi/freeradius-amd64/etc/raddb/sql/mysql/dialup.conf (or i386 if you run this).
    I am running pfSense 2.4.4-RELEASE-p3 (amd64).
    I am looking to limit the logins per user to 2, without a third login kicking out the first one.
    Kindly guide me through, please.

