Pfsense + freeradius2: wifi simultaneous login not working



  • Hi all,
    I'm pretty new to the forum, but I've been using pfSense with freeradius2 for a long time in a large high school in Italy.

    Our wifi access points do the authentication over freeradius2 on pfSense and they're working perfectly. We're not using captiveportal.

    Lately we'd like to limit the wifi access by simultaneous login. I've set up the correct limit in every user account, but simultaneous logins are still possible.

    I've searched around and I saw that freeradius writes login names to the radutmp file to get simultaneous login working.

    I've noticed that on my freeradius2 the radutmp file is empty (0 bytes).

    How can I get this to work?

    I don't know if this helps, but I must mention that we're using TL-WA901ND by TP-LINK as access points around the school and they're working great! We've got about 20 of them!

    Thanks in advance to everyone who will help!!

    Regards,
    Paolo



  • What is the backend for your Radius? The pfSense config or a SQL or LDAP server?



  • My Radius works over the pfSense config, no SQL or LDAP server.

    Should I use a SQL db to get simultaneous login working?

    Thanks in advance for your help.



  • The radutmp file only fills up if you have "accounting" enabled on your WiFi Access Points.
    So every time a user connects to your WiFi, the accounting for this user will start and will be written to the radutmp file. If the user disconnects, the accounting will stop and the user will be deleted from the radutmp file. This is what does the simultaneous checks.

    Perhaps this could give you some more help:
    https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package



  • @Nachtfalke:

    The radutmp file only fills up if you have "accounting" enabled on your WiFi Access Points.
    So every time a user connects to your WiFi, the accounting for this user will start and will be written to the radutmp file. If the user disconnects, the accounting will stop and the user will be deleted from the radutmp file. This is what does the simultaneous checks.

    Perhaps this could give you some more help:
    https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package

    Thanks a lot for your reply.
    The problem is that our TP-LINK TL-WA901ND v2 and v3 firmware doesn't support the accounting function (it doesn't really have any function for this, only Radius support with WPA/WPA2 Enterprise!).

    So if you confirm that we must have accounting enabled on our Access Points, I was wondering if maybe converting all our APs to the DD-WRT platform would then get accounting support working great! I know DD-WRT has a lot of functions!!

    Does anyone know more about this??

    Thanks a lot!!  :)

    Paolo



  • I am not familiar with the actual pfSense version and CaptivePortal. But if I remember correctly, there is a possibility to give a user some credits so that this user can access the internet without logging in on CP. So you could try to use a high number of credits for each user and a low timeout for resetting these credits, and enable Accounting on CP.

    Not sure at all if this works.

    When you search for the "radutmp" file you find some interesting information:
    http://opensource.apple.com/source/freeradius/freeradius-25/freeradius/raddb/modules/radutmp

    #  Accounting information may be lost, so the user MAY
    #  have logged off of the NAS, but we haven't noticed.
    #  If so, we can verify this information with the NAS,
    #
    #  If we want to believe the 'utmp' file, then this
    #  configuration entry can be set to 'no'.
    #
    check_with_nas = yes

    So this part tells us that accounting is used for simultaneous-use checks, and that if the user logs off or is disconnected and the NAS (the Access Point in your case) does not tell freeradius that this user has disconnected, then freeradius will never know and this user will still exist in the radutmp file. So when trying DD-WRT you should make sure that it works like it should and that you don't fix one problem and get a new one ;)

    Perhaps you should enable CaptivePortal and use its accounting feature and authentication. On CP, add the Access Points themselves to the bypass list so that authentication with PEAP works. Users then authenticate against freeradius to get WLAN access and then - this is not so comfortable but should work - again on CP to get internet access, with the same username and password. Then simultaneous checks can be done on freeradius with accounting enabled on CP, or better, use the CP built-in simultaneous-checks feature.

    Good Luck!
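The mechanism the replies above describe (accounting Start/Stop packets populate radutmp, the Simultaneous-Use check reads it, and check_with_nas discards entries the NAS no longer reports) as an added Python simulation; this is not pfSense or FreeRADIUS code, and the user name, session ids and Simultaneous-Use limit are constructed values.

```python
# Added example (not pfSense or FreeRADIUS code): simulates how the
# radutmp-based Simultaneous-Use check is fed by RADIUS accounting.
# The dicts are constructed stand-ins for RADIUS packets and the users file.

USERS = {"paolo": {"Simultaneous-Use": 1}}      # constructed users entry


class Radutmp:
    """Stand-in for the radutmp file: only accounting packets update it."""
    def __init__(self):
        self.sessions = {}      # User-Name -> set of Acct-Session-Id

    def accounting(self, pkt):
        """Apply an Accounting-Request: Start adds a session, Stop removes it."""
        user, sid = pkt["User-Name"], pkt["Acct-Session-Id"]
        if pkt["Acct-Status-Type"] == "Start":
            self.sessions.setdefault(user, set()).add(sid)
        elif pkt["Acct-Status-Type"] == "Stop":
            self.sessions.get(user, set()).discard(sid)

    def active(self, user):
        return len(self.sessions.get(user, ()))


def authorize(utmp, pkt, nas_alive=None):
    """Answer an Access-Request against the user's Simultaneous-Use limit.
    nas_alive models check_with_nas = yes: session ids the NAS still reports;
    radutmp entries missing from it are treated as stale and dropped."""
    user = pkt["User-Name"]
    if nas_alive is not None:
        utmp.sessions[user] = utmp.sessions.get(user, set()) & nas_alive
    if utmp.active(user) >= USERS[user]["Simultaneous-Use"]:
        return "Access-Reject"
    return "Access-Accept"


def scenario(accounting_enabled, lose_stop=False, check_with_nas=False):
    """One user logs in twice, then again after the first session ends.
    Returns the verdicts for the second login and for the later relogin."""
    utmp = Radutmp()
    first = {"User-Name": "paolo", "Acct-Session-Id": "s1"}
    authorize(utmp, first)                        # first login: accepted
    if accounting_enabled:                        # AP sends Accounting Start
        utmp.accounting({**first, "Acct-Status-Type": "Start"})
    second = authorize(utmp, {"User-Name": "paolo", "Acct-Session-Id": "s2"})
    if accounting_enabled and not lose_stop:      # AP sends Accounting Stop
        utmp.accounting({**first, "Acct-Status-Type": "Stop"})
    alive = set() if check_with_nas else None     # NAS reports no live sessions
    relogin = authorize(utmp, {"User-Name": "paolo", "Acct-Session-Id": "s3"}, alive)
    return second, relogin
```

With no accounting (an AP like the one in the thread), radutmp stays empty and both logins are accepted; with accounting, the second login is rejected, and a lost Stop leaves the user locked out until check_with_nas clears the stale entry.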