Feature lost in transaction? M0n0 MAC addreses are gone?



  • I've just solve many RADIUS problems so that FreeRadius can easily work with Captive portal…. but I did noticed that pfSense Caprive portal and M0n0 are diferent,... Mono sens all data that I need such as User MAC and NAS (Mono or pfSense box) MAC... but with pfSense in getting only half of the information send to me? Why? here is what Radius gets when I'm ratting in debug mode:

    Service-Type = Login-User
            User-Name = "alexus"
            NAS-Identifier = "pfSense.local"
            NAS-Port = 0
            NAS-Port-Type = Ethernet
            Acct-Status-Type = Start
            Acct-Authentic = RADIUS
            Acct-Session-Id = "327d19a986eadf00"
            Framed-IP-Address = 192.168.1.199

    I thought we are running exact clone of M0n0 here? Dont we? ???



  • Yes we do.  So I am not sure what the problem is.



  • Basically, the pfSense sends less informattion for radius accounting, I dot know why but it is… it doesnt send Calling Staton ID and Called Staton ID....  I have absolutly the same configs for Mono and Pfsense, but I getting diferent accounting responses..

    Ive made a txt file where you can see the diferense in accounting records... as you can seee everything is identical but mono sends more informatiom. Also the hardware is the same, I just swaped the CF cards....  I dono, maybe some part of orogonal mono file was missing? well it has only 3 files to it... but i see you added extra page that shows the user status, and maybe that one "kill" the wariables or something?

    Any ideas?

    [pfSense Acc debug.txt](/public/imported_attachments/1/pfSense Acc debug.txt)



  • No, I don't think we missed anything. We sync'd everything that I could find.

    Word is that there will be a new m0n0wall release soon.  If so, then we'll most likely import the captive portal changes (again).



  • yes they have 1.23b



  • Isn't that the FreeBSD 6 beta?  Not exactly what I am talking about.



  • well I didnt really paid attention on what it runs but I know it has impruvcements for captive portal anyway…



  • what is the file name for captive portal index.php? and what is the name for accounting.php (or whatever it used to be called in mono) I want to chek if it cheks for MAC?  Because in original it will not let it work if there is no user MAC….



  • dit you eneable the mac check on the pfsense portal pages ?
    if not than mac adress is ignored and ipadress is used



  • Isnt that function is tryyingto use MAC as both username and pass to identify user?
    I will try it too? Just in case



  • jeroen234, I did the trial ran for what u sudgested, and as I said it didnt work, because this fature is designed for diferent purpuse… it works like major cable troviders do for theit clients... so that they dont have to use username and passwords... they just go online right away...

    BUT, what  I found is that this feature dosnt work as it desined too... It suppose to send Radius-Request when I open web brower but it doesnt... Debug off everything is attached, I used my username to login...

    So, I dont know why, but big part of m0n0 functionality is gone?  :(

    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.0.102:60873, id=214, length=79
            Service-Type = Login-User
            User-Name = "alexus"
            User-Password = "xxxxxxxx"
            NAS-Identifier = "pfSense.local"
            NAS-Port = 0
            NAS-Port-Type = Ethernet
    rlm_sql (sql): Reserving sql socket id: 3
    rlm_sql (sql): Released sql socket id: 3
    Sending Access-Accept of id 214 to 192.168.0.102 port 60873
    rad_recv: Accounting-Request packet from host 192.168.0.102:50951, id=195, length=97
            Service-Type = Login-User
            User-Name = "alexus"
            NAS-Identifier = "pfSense.local"
            NAS-Port = 0
            NAS-Port-Type = Ethernet
            Acct-Status-Type = Start
            Acct-Authentic = RADIUS
            Acct-Session-Id = "1285ff05b364519a"
            Framed-IP-Address = 192.168.1.199
    rlm_sql (sql): Reserving sql socket id: 2
    rlm_sql (sql): Released sql socket id: 2
    Sending Accounting-Response of id 195 to 192.168.0.102 port 50951



  • The code is there, I promise you.  Why its not working is beyond me.



  • I think, i found the proble, did you use the Captive Portal from M0n0 SVN? (http://svn.m0n0.ch/wall/branches/freebsd5/captiveportal/)  Because I'm looking at the file right now and I think it is different from the one that they have in actual relseae.



  • Their file in SVN has not even been released yet!  We are not using that until they release it.



  • ok, … can i take a look on the file that you are using? did you keep the original names? and what is the location of files?



  • Look in cvsweb.



  • i serched all over the plce but missed the directory i need (murphy's law) can u just tell me the location?





  • ok, I think the problem is in Dropdown menu that select either "defult" or "cisco" type … thats the only thing that I can think off....



  • Did not modify that…



  • :-(



  • @alexus:

    jeroen234, I did the trial ran for what u sudgested, and as I said it didnt work, because this fature is designed for diferent purpuse… it works like major cable troviders do for theit clients... so that they dont have to use username and passwords... they just go online right away...

    BUT, what  I found is that this feature dosnt work as it desined too... It suppose to send Radius-Request when I open web brower but it doesnt... Debug off everything is attached, I used my username to login...

    So, I dont know why, but big part of m0n0 functionality is gone?  :(

    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.0.102:60873, id=214, length=79
            Service-Type = Login-User
            User-Name = "alexus"
            User-Password = "xxxxxxxx"
            NAS-Identifier = "pfSense.local"
            NAS-Port = 0
            NAS-Port-Type = Ethernet
    rlm_sql (sql): Reserving sql socket id: 3
    rlm_sql (sql): Released sql socket id: 3
    Sending Access-Accept of id 214 to 192.168.0.102 port 60873
    rad_recv: Accounting-Request packet from host 192.168.0.102:50951, id=195, length=97
            Service-Type = Login-User
            User-Name = "alexus"
            NAS-Identifier = "pfSense.local"
            NAS-Port = 0
            NAS-Port-Type = Ethernet
            Acct-Status-Type = Start
            Acct-Authentic = RADIUS
            Acct-Session-Id = "1285ff05b364519a"
            Framed-IP-Address = 192.168.1.199
    rlm_sql (sql): Reserving sql socket id: 2
    rlm_sql (sql): Released sql socket id: 2
    Sending Accounting-Response of id 195 to 192.168.0.102 port 50951

    on this debug list you are oke

    the only thing i can think off is that you dit'n open on youre wan conection the ports 1812 and 1813
    on witch you radius server has to send its radius pakets to pfsense



  • isnt it reverse? NAS send request to the radius server? and then gets replay with Access_accept or Access-Reject… ?  Actuall accounting packets are stored in radius itself or im My Sql, but nas does not send accounting info



  • the access data is send on port 1812 to the radius server
    and will be send back on port 1812 from the radius server a oke or a reject

    same for accounting now using port 1813



  • but avvording to standard the acc paks are not sent back to NAS… thet sent from NAS to Radius and that is it... mean while AVPs are sent on 1812 in both directioons



  • accounting pakets are not send back
    but what is send is a oke or a reject
    on a reject bv when the time is empty for that user

    when portal resieves the reject it disconect the user
    on oke the user can contineu to surf

    i have pfsense check every 60 sec. with the radius server if the user is still oke to surf



  • yes, but I didnt say that I have problems with logging in, the user is authenticfated and allowed to access external network, the accounting pakt is sent to MySQL server and recorded, the problem is that accounting packt is not full, it is mising banch of stuff such as MAC addreses and octans etc…



  • jeroen234, to make sure that im not mostaken, I set WAN rules to Allow * to * from *  (aka "hakers are welcome"  ;) ) well as I assdumd it didnt work…

    I also posted the probmen in mono list and someone wrote me that this could be because pfSense is using diferent web server and or OS? is that correct??



  • i dont see the trouble accounting packets are not forwarded back to the radius server till the session is finished.
    the access request was made the accounting request is recorded.

    where is the rest of you data. close your session in the captive portal and then check the cleanup on your radius server.
    nothing else is needed at stage one. i looks just like our sessions from our NAs boxes to the radius server.



  • yep u are correct, everywjhere exept the part tha MAC addresses are sent during Accounting-Start…. all other junk thta I dont care about is sent when Accounting-Stop is sent :-(


Locked