Users remain active after voucher expiration



  • Currently our company has been using pfSense for a few years and it has always worked flawlessly. We're currently using 2.1.5-RELEASE (amd64).
    To protect our network and implement a guest network we've been using captive portal. Recently, after making some modifications to our network, we reinstalled our pfSense and its captive portal. It's working like a charm in the sense that users are being redirected to the login page and given permission to access the network (or not) after delivering a valid or invalid password. The only problem we're experiencing atm is that the users remain active and are allowed on the designated network long after the (24 hour) voucher expires. The voucher expires and is removed from the "active voucher" tab, but the user remains in the "active users" tab and has to be manually removed in order to deny further access after the expiration date.

    We're currently not using radius.

    A quick search tells me:

    Troubleshooting
    User is online after voucher expires
    The session timeout must be enabled in order to allow the voucher session to expire and deactivate.

    Currently neither Idle time-out nor hard-timeout are activated. Is either one of these options mandatory to disconnect the user after expiration date or am I overlooking something else?

    Thanks in advance.


  • LAYER 8 Netgate

    I wonder if the pruning process doesn't run if no timeouts are set.


  • Rebel Alliance Developer Netgate

    The pruning process may have also been killed off. This has been fixed on 2.2, but for 2.1.x, try this patch with the System Patches package:

    http://files.pfsense.org/jimp/patches/cron_hup.patch

    Apply the patch then re-save the portal and see if it works after that.



  • Sorry for the late reply, just giving a quick update. So basically we updated our pfSense to 2.2-RELEASE (amd64) and gave it a reboot.
    It appears the problem has solved itself. The active users and vouchers now disappear after expiring and the user is unable to log on.
    Cheers for the quick replies guys!

    So if anyone is experiencing the same problem this might be the solution.  :)



  • Hello.

    I'm having the same problem … the user remains active even though I inactivate the voucher manually in "Expire Vouchers" functionality

    • pfSense 2.2.4-RELEASE(amd64)
    • "Idle timeout" in blank (disabled)
    • "Hard timeout" in blank (disabled)

    Can someone help me?
    Thank you so much!



  • @psangelotti:

    Hello.

    I'm having the same problem … the user remains active even though I inactivate the voucher manually in "Expire Vouchers" functionality

    • pfSense 2.2.4-RELEASE(amd64)
    • "Idle timeout" in blank (disabled)
    • "Hard timeout" in blank (disabled)

    Can someone help me?
    Thank you so much!

    This was solved way back.

    IF (a user is logged in - has an active session)
    THEN disconnect user.

    Redmine Expiring a voucher doesn't disconnect a user who is using that voucher



  • Hello!

    Thanks for the reply.  :D
    The problem is this disconnect is not being automatic … The MAC address is recorded in Services / Captive Portal / MAC and even after the time expires, disconnection never happens. ???

    What can I be doing wrong? ???

    Thank you in advance.


  • LAYER 8 Netgate

    Is the MAC address record tagged with the voucher as the username?

    There's a checkbox for that in the portal config.



  • This is normal:
    @psangelotti:

    … the user remains active even though I inactivate the voucher manually in "Expire Vouchers" functionality

    • pfSense 2.2.4-RELEASE(amd64)

    because you instructed the Captive Portal to behave like that:
    @psangelotti:

    The problem is this disconnect is not being automatic … The MAC address is recorded in Services / Captive Portal / MAC and even after the time expires and disconnection never happens. ???

    So: even when the voucher session gets destroyed (related firewall rules are thus removed) by you, the "MAC-whitelist" entry stays up and the client is still connected.

    Check for yourself: read this https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting, check your own captive portal firewall rules, and see for yourself. MAC 'pass' rules are at the beginning of the rules, so as soon as one is added, destroying the "voucher session" (and also the "voucher time-out") won't break the connection.

    When you check the option (on the settings page of the captive portal) that MACs should be added to the list when the user connects (initially using a voucher), destroying the voucher - or even letting it time out - will NOT break the connection.

    This:
    @psangelotti:

    • "Idle timeout" in blank (disabled)
    • "Hard timeout" in blank (disabled)

    of course, as the pfSense doc states - and as quoted above - should never be set like that (both shouldn't be zero).


  • LAYER 8 Netgate

    I use it all the time. It works great. 2.1.5.

    I have:

    Enable Pass-through MAC automatic additions

    and

    Enable Pass-through MAC automatic addition with username

    Checked.

    Pretty sure the key is the "with username" checkbox. The voucher code is stored as the username so there is something for the pruner to key on when it expires. All the MAC passthrough entries are automatically removed.

    I have idle timeout and hard timeout both set at 2000 minutes for some reason. This has no effect on vouchers that are good for longer than 2000 minutes. If I give someone a 7-day voucher, they are not molested again for the full 7 days.

    Oct 24 19:08:23 gw logportalauth[67485]: EXPIRED 3kdxuhm6 LOGIN - TERMINATING SESSION: 3kdxuhm6, 60:f8:1d:c2:ff:6e, 172.21.229.163
    Oct 24 19:08:24 gw logportalauth[67485]: EXPIRED 3kdxuhm6 LOGIN - TERMINATING SESSION: 3kdxuhm6, a4:5e:60:ef:ff:03, 172.21.226.112



  • @Derelict:

    …. It works great. 2.1.5.

    Same thing for 2.2.4.
    I just generated some vouchers, activated auto-add-mac support etc and started authenticating using vouchers.
    Everything works as advertised.

    I saw lines like:
    Oct 28 08:39:43 logportalauth[38194]: Zone: cpzone1 - Voucher login good for 120 min.: SNWfCebPBQS, 0c:77:1a:xx:13:35, 192.168.2.40
    ….
    Oct 28 10:39:44 logportalauth[33421]: Zone: cpzone1 - EXPIRED SNWfCebPBQS LOGIN - TERMINATING SESSION: SNWfCebPBQS, 0c:77:1a:xx:13:35, 192.168.2.40

    The device "0c:77:1a:xx:13:35" was disconnected and removed from the MAC white list.
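    The log lines quoted in the two posts above (a "Voucher login good for N min." line at login, and an "EXPIRED ... TERMINATING SESSION" line when the pruner removes the session) are enough to check from the logs whether the symptom described at the top of this thread is present. The following script is an added example written for this thread, not pfSense code: it pairs each voucher login with the termination line for the same voucher and MAC, computes the expected expiry from the voucher lifetime, and reports sessions that have outlived their voucher without a termination being logged. The sample lines, voucher codes, MAC addresses, the year (syslog timestamps carry none) and the five-minute grace period are constructed assumptions; the regexes accept both the 2.1.x form (hostname, no zone) and the 2.2.x form (with "Zone: ... -") shown above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the logportalauth format quoted in this thread
# (hypothetical vouchers, locally-administered MACs; not real log data).
# Voucher AAAAbbbbCCC is never terminated by the pruner and should be flagged.
SAMPLE_LOG = """\
Oct 28 08:39:43 gw logportalauth[38194]: Zone: cpzone1 - Voucher login good for 120 min.: SNWfCebPBQS, 02:00:00:aa:13:35, 192.168.2.40
Oct 28 09:00:00 gw logportalauth[38194]: Zone: cpzone1 - Voucher login good for 60 min.: AAAAbbbbCCC, 02:00:00:aa:13:36, 192.168.2.41
Oct 28 10:39:44 gw logportalauth[33421]: Zone: cpzone1 - EXPIRED SNWfCebPBQS LOGIN - TERMINATING SESSION: SNWfCebPBQS, 02:00:00:aa:13:35, 192.168.2.40
Oct 28 11:30:00 gw logportalauth[38194]: Zone: cpzone1 - Voucher login good for 1440 min.: ZZZZyyyyXXX, 02:00:00:aa:13:37, 192.168.2.42
"""

# Syslog timestamp, optional hostname, optional "Zone: <name> - " prefix.
_PREFIX = (r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?:\S+ )?"
           r"logportalauth\[\d+\]: (?:Zone: (?P<zone>\S+) - )?")
LOGIN_RE = re.compile(_PREFIX + r"Voucher login good for (?P<minutes>\d+) min\.: "
                      r"(?P<voucher>\S+), (?P<mac>[0-9a-f:]+), (?P<ip>\S+)$", re.I)
EXPIRE_RE = re.compile(_PREFIX + r"EXPIRED (?P<voucher>\S+) LOGIN - TERMINATING SESSION: "
                       r"\S+, (?P<mac>[0-9a-f:]+), (?P<ip>\S+)$", re.I)


def parse_timestamp(ts: str, year: int) -> datetime:
    """Syslog timestamps carry no year, so the caller supplies it (assumption)."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S").replace(year=year)


def find_overdue_sessions(log_text: str, now: datetime, year: int,
                          grace: timedelta = timedelta(minutes=5)) -> list:
    """Return sessions whose voucher lifetime has elapsed (plus `grace`) with no
    matching 'EXPIRED ... TERMINATING SESSION' line: the symptom from this thread."""
    open_sessions = {}  # (voucher, mac) -> session record
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            start = parse_timestamp(m["ts"], year)
            open_sessions[(m["voucher"], m["mac"].lower())] = {
                "voucher": m["voucher"],
                "mac": m["mac"].lower(),
                "ip": m["ip"],
                "zone": m["zone"],
                "expires": start + timedelta(minutes=int(m["minutes"])),
            }
            continue
        m = EXPIRE_RE.match(line)
        if m:
            # The pruner logged a termination: this session closed as intended.
            open_sessions.pop((m["voucher"], m["mac"].lower()), None)
    overdue = [s for s in open_sessions.values() if now - s["expires"] > grace]
    return sorted(overdue, key=lambda s: s["expires"])


def check_sample(now_str: str = "Oct 28 11:45:00", year: int = 2015) -> list:
    """Run the check over SAMPLE_LOG at an assumed wall-clock time; returns voucher codes."""
    now = parse_timestamp(now_str, year)
    return [s["voucher"] for s in find_overdue_sessions(SAMPLE_LOG, now, year)]


if __name__ == "__main__":
    check_time = datetime(2015, 10, 28, 11, 45, 0)  # assumed "now" for the sample
    for s in find_overdue_sessions(SAMPLE_LOG, now=check_time, year=2015):
        print(f"overdue: voucher {s['voucher']} mac {s['mac']} ip {s['ip']} "
              f"expected expiry {s['expires']:%b %d %H:%M:%S}")
```

    Feed it the portal auth log for a zone and a real "now"; an entry in the output means the voucher was issued for a lifetime that has already passed and the pruner never logged a termination for that MAC, which is exactly the state to compare against the "active users" tab and the pass-through MAC list. The voucher/MAC pair is used as the key because the termination line in the thread carries both, so one voucher used from two devices (as in Derelict's two EXPIRED lines) is tracked per device.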