Netgate Discussion Forum

CP shared-user accounts

  • R
    remonboonstra
    last edited by Jun 30, 2015, 9:48 PM

    Hello,

    I've got pfSense up and running, using captive portal. All seems to work fine (running 5 days, 50 users).

    Currently I've enabled 'Disable concurrent logins', but I really would like to allow (certain) users to share their account with a limit.
    And that without Radius, I think Radius is too much for this little additional feature.

    Mikrotik calls it shared-users on their User Profile – easy setting, need this in pfSense.
    freeRadius calls it Simultaneous-Use -- hard, requires freeRadius, MySQL etc. to be set up (also adds risks).

    Let me know if it's possible and if not, please tell me if there is a manual on configuring radius, mysql and the Simultaneous-Use setting correctly (radius and mysql are running already, but can't get Simultaneous-Use to work).

    Thank you for any help!

    Remon

    • C
      cmb
      last edited by Jul 1, 2015, 12:39 AM

      You'll need RADIUS to do that. No need for MySQL though. Not sure offhand of a guide, but if you Google "freeradius site:pfsense.org" you'll find a good deal of things.

      • M
        muswellhillbilly
        last edited by Jul 1, 2015, 7:51 AM

        The first line of my /etc/raddb/users file on my RADIUS server has the setting you need:

        DEFAULT Simultaneous-use := 4

        The above setting sets the limit of concurrent logins per account to 4. Just point your pfSense box to the radius server and you should be good. Not sure what your config is, so I'm assuming you may have put the required line in the clients file (possibly) or somesuch.

        • R
          remonboonstra
          last edited by Jul 1, 2015, 8:05 AM

          Hi muswellhillbilly,

          And this works without Accounting or MySQL enabled? Thought I've read I really needed MySQL for Accounting and only with Accounting enabled this feature would work.
          I can simply remove MySQL and only use freeRadius2 Package, I would be glad to have it this way! (only a package, no 'hacking' on the shell to install mysql).

          minor other question:

          • is there a quick way to test this feature (concurrent use)? Currently I have to get all my devices (laptops/ipads) to check if this works or not.

          Thank you!

          Remon

          • M
            muswellhillbilly
            last edited by Jul 1, 2015, 11:51 AM

            You can enable accounting in FreeRadius without requiring MySQL. It just depends how you want to manage your accounts. In my own case, I simply use a flat-file list of names/passwords in the /etc/raddb/users file.

            Test the concurrent limit by simply logging in on more than one device (laptop, phone, tablet, etc). If you haven't got that many devices, set the concurrent limit to just 1 temporarily and see if the system rejects any other logins for that account after the initial successful session is active.

            • R
              remonboonstra
              last edited by Jul 1, 2015, 8:17 PM

              Hi muswellhillbilly,

              I can confirm it works as you say, I only got one minor strange thing.

              If I set it to 3, I can logon 2 times. When I change it to 4 I can logon 3 times. Always X minus 1.

              Any idea why this might happen?

              Thank you for your assistance so far!

              Regards,

              Remon

              • M
                muswellhillbilly
                last edited by Jul 2, 2015, 7:55 AM

                Without seeing your config I can't say why exactly. So if you set the simultaneous-use setting to 1, does it not allow access at all?

                Below is the top part of my own setup's users file. You might want to check this against your own config to see if anything might be missing or wrongly entered:

                DEFAULT Simultaneous-use := 4
                        Fall-Through = 1

                DEFAULT Framed-Protocol == PPP
                        Framed-Protocol = PPP,
                        Framed-Compression = Van-Jacobson-TCP-IP

                DEFAULT Hint == "CSLIP"
                        Framed-Protocol = SLIP,
                        Framed-Compression = Van-Jacobson-TCP-IP

                DEFAULT Hint == "SLIP"
                        Framed-Protocol = SLIP

                • R
                  remonboonstra
                  last edited by Jul 2, 2015, 7:27 PM

                  Hi again,

                  This is my users file;
                  /usr/local/etc/raddb/users

                  "testuser" Cleartext-Password := "testpassword", Simultaneous-Use := "1"
                          WISPr-Bandwidth-Max-Up := 204800,
                          WISPr-Bandwidth-Max-Down := 2048000

                  "testuser2" Cleartext-Password := "testpassword2", Simultaneous-Use := "1"
                          WISPr-Bandwidth-Max-Up := 512000,
                          WISPr-Bandwidth-Max-Down := 3072000

                  And yes, with above config I can't login?

                  My radiusd.config:

                  /usr/local/etc/raddb/radiusd.conf
                  prefix = /usr/pbi/freeradius-amd64
                  exec_prefix = ${prefix}
                  sysconfdir = ${prefix}/etc
                  localstatedir = /var
                  sbindir = ${exec_prefix}/sbin
                  logdir = ${localstatedir}/log
                  raddbdir = ${sysconfdir}/raddb
                  radacctdir = ${logdir}/radacct
                  confdir = ${raddbdir}
                  run_dir = ${localstatedir}/run
                  libdir =
                  pidfile = ${run_dir}/radiusd.pid
                  db_dir = ${raddbdir}
                  name = radiusd
                  #chroot = /path/to/chroot/directory
                  #user = freeradius
                  #group = freeradius

                  ###############################################################################
                  # Is not present in freeradius 2.x radiusd.conf anymore but it was in 1.x
                  # delete_blocked_requests = no
                  # usercollide = no
                  # lower_user = no
                  # lower_pass = no
                  # nospace_user = no
                  # nospace_pass = no
                  ###############################################################################

                  max_request_time = 30
                  cleanup_delay = 5
                  max_requests = 1024
                  hostname_lookups = no
                  allow_core_dumps = no
                  regular_expressions = yes
                  extended_expressions = yes
                  listen {
                  type = auth
                  ipaddr = *
                  port = 1812
                  }
                  listen {
                  type = acct
                  ipaddr = *
                  port = 1813
                  }

                  log {
                  destination = syslog
                  file = ${logdir}/radius.log
                  syslog_facility = daemon
                  stripped_names = no
                  auth = yes
                  auth_badpass = no
                  auth_goodpass = no
                  msg_goodpass = ""
                  msg_badpass = ""
                  }

                  checkrad = ${sbindir}/checkrad
                  security {
                  max_attributes = 200
                  reject_delay = 1
                  status_server = no
                  }

                  # disable proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server
                  #proxy_requests = yes
                  #$INCLUDE  proxy.conf
                  $INCLUDE  clients.conf
                  thread pool {
                  start_servers = 5
                  max_servers = 32
                  min_spare_servers = 3
                  max_spare_servers = 10
                  max_queue_size = 65536
                  max_requests_per_server = 0
                  }

                  modules {
                  $INCLUDE ${confdir}/modules/
                  $INCLUDE eap.conf

                  # Dis-/Enable sql.conf INCLUDE
                  #$INCLUDE sql.conf
                  # Dis-/Enable sql/mysql/counter.conf INCLUDE
                  #$INCLUDE sql/mysql/counter.conf
                  #$INCLUDE sqlippool.conf
                  }

                  instantiate {

                  exec
                  expr
                  daily
                  weekly
                  monthly
                  forever
                  expiration
                  logintime

                  # Dis-/Enable sql instantiate
                  #sql
                  }
                  $INCLUDE policy.conf
                  $INCLUDE sites-enabled/

                  Captive Portal:

                  • Radius authentication (pap, accounting enabled, start/stop accounting)
                  • Bandwidth restriction check (so radius can override them).

                  To be honest I don't know what to use on the accounting setting: no accounting, start/stop or interim

                  Thanks!

                  Remon

                  • M
                    muswellhillbilly
                    last edited by Jul 3, 2015, 8:57 AM

                    Ok, backup your existing /etc/raddb/users file and create a new one. Try this as the config:

                    DEFAULT Simultaneous-use := 4
                            Fall-Through = 1

                    DEFAULT Framed-Protocol == PPP
                            Framed-Protocol = PPP,
                            Framed-Compression = Van-Jacobson-TCP-IP

                    DEFAULT Hint == "CSLIP"
                            Framed-Protocol = SLIP,
                            Framed-Compression = Van-Jacobson-TCP-IP

                    DEFAULT Hint == "SLIP"
                            Framed-Protocol = SLIP

                    testuser  Cleartext-Password := "testpassword"
                            WISPr-Bandwidth-Max-Up := 204800,
                            WISPr-Bandwidth-Max-Down := 204800

                    testuser2 Cleartext-Password := "testpassword2"
                            WISPr-Bandwidth-Max-Up := 512000,
                            WISPr-Bandwidth-Max-Down := 3072000

                    I think you may have extra double-quotes in your config which might be creating a problem. This ought to preserve your bandwidth restrictions per user while limiting concurrent logins to 4 per account.

                    • R
                      remonboonstra
                      last edited by Jul 7, 2015, 10:35 AM

                      Hi,

                      Still need to test this "DEFAULT"; in the meantime I (somehow!?) fixed the issue with Simultaneous-Use. So that issue is fixed, I'm happy with that.

                      Will the following work for setting some defaults?

                      DEFAULT Simultaneous-use := 1, WISPr-Bandwidth-Max-Up := 204800, WISPr-Bandwidth-Max-Down := 2048000, Fall-Through = 1

                      testuser  Cleartext-Password := "testpassword"
                      testuser2 Cleartext-Password := "testpassword2"
                      etc…

                      Thank you!

                      Remon

                      • M
                        muswellhillbilly
                        last edited by Jul 7, 2015, 11:04 AM

                        To be honest I've never set those parameters up in that way. Try it and see if it works. For that matter there are plenty of examples by way of Google.

                        • R
                          remonboonstra
                          last edited by Jul 7, 2015, 11:06 AM

                          Will do that, thank you!

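The users-file layouts discussed in this thread, as an added example that is not part of any post and is not FreeRADIUS code: in that file an entry's first line holds check items and the indented lines hold reply items, and Fall-Through is acted on as a reply item. The sketch below is a simplified model of that walk; the function names, the `REPLY_ONLY` list and the shortened sample files are assumptions of this example.

```python
import re

ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')
REPLY_ONLY = ("wispr-", "fall-through")   # assumption: this example's own short list

def parse_users(text):
    """Return [(name, check_items, reply_items)]; each item is (attr, op, value)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                      # indented line: reply items
            entries[-1][2].extend(ITEM.findall(line))
        else:                                     # first line: name, then check items
            name, rest = (line.split(None, 1) + [""])[:2]
            entries.append((name.strip('"'), ITEM.findall(rest), []))
    return entries

def lint(entries):                                # reply-type attributes on a check line
    return [f"{name}: {a} is a check item here, so it is not returned as a reply item"
            for name, check, _ in entries
            for a, _, _ in check if a.lower().startswith(REPLY_ONLY)]

def resolve(entries, user, request=None):
    """Simplified walk: '==' is compared with the request, other operators set control."""
    request, control, reply = request or {}, {}, {}
    for name, check, rep in entries:
        if name not in ("DEFAULT", user):
            continue
        if any(op == "==" and request.get(a.lower()) != v.strip('"') for a, op, v in check):
            continue
        control.update((a.lower(), v.strip('"')) for a, op, v in check if op != "==")
        reply.update((a.lower(), v.strip('"')) for a, _, v in rep)
        if reply.pop("fall-through", "no").lower() not in ("1", "yes"):
            break                                 # no Fall-Through: stop at this entry
    return control, reply

# Constructed samples, shortened from the files posted in the thread
SUGGESTED = '''\
DEFAULT Simultaneous-use := 4
        Fall-Through = 1
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP
testuser  Cleartext-Password := "testpassword"
        WISPr-Bandwidth-Max-Up := 204800,
        WISPr-Bandwidth-Max-Down := 204800
'''
ONE_LINE = "DEFAULT Simultaneous-use := 1, WISPr-Bandwidth-Max-Up := 204800, Fall-Through = 1"

if __name__ == "__main__":
    print(resolve(parse_users(SUGGESTED), "testuser"), *lint(parse_users(ONE_LINE)), sep="\n")
```

For `testuser` the first layout yields a control list with the limit of 4 and a reply carrying both bandwidth attributes; the one-line DEFAULT is flagged twice because its bandwidth and Fall-Through items sit on the check line.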