CP shared-user accounts



  • Hello,

    I've got pfSense up and running, using captive portal. All seems to work fine (running 5 days, 50 users).

    Currently I've enabled 'Disable concurrent logins', but I really would like to allow (certain) users to share their account with a limit.
    And that without RADIUS; I think RADIUS is too much for this little additional feature.

    Mikrotik calls it shared-users on their User Profile – easy setting, need this in pfSense.
    freeRadius calls it Simultaneous-Use – hard, requires freeRadius, MySQL etc. to be set up (also adds risks).

    Let me know if it's possible and if not, please tell me if there is a manual on configuring radius, mysql and the Simultaneous-Use setting correctly (radius and mysql are running already, but can't get Simultaneous-Use to work).

    Thank you for any help!

    Remon



  • You'll need RADIUS to do that. No need for MySQL though. Not sure offhand of a guide, but if you Google "freeradius site:pfsense.org" you'll find a good deal of things.



  • The first line of my /etc/raddb/users file on my RADIUS server has the setting you need:

    DEFAULT Simultaneous-use := 4

    The above setting sets the limit of concurrent logins per account to 4. Just point your pfSense box to the radius server and you should be good. Not sure what your config is, so I'm assuming you may have put the required line in the clients file (possibly) or some such.



  • Hi muswellhillbilly,

    And this works without accounting or MySQL enabled? I thought I'd read that I really needed MySQL for accounting, and that this feature would only work with accounting enabled.
    I can simply remove MySQL and only use the freeRadius2 package; I would be glad to have it this way! (Only a package, no 'hacking' on the shell to install MySQL.)

    minor other question:

    • is there a quick way to test this feature (concurrent use)? Currently I have to get all my devices (laptops/ipads) to check if this works or not.

    Thank you!

    Remon



  • You can enable accounting in FreeRadius without requiring MySQL. It just depends on how you want to manage your accounts. In my own case, I simply use a flat-file list of names/passwords in the /etc/raddb/users file.

    Test the concurrent limit by simply logging in on more than one device (laptop, phone, tablet, etc). If you haven't got that many devices, set the concurrent limit to just 1 temporarily and see if the system rejects any other logins for that account after the initial successful session is active.



  • Hi muswellhillbilly,

    I can confirm it works as you say; I only have one minor strange thing.

    If I set it to 3, I can log on 2 times. When I change it to 4 I can log on 3 times. Always X minus 1.

    Any idea why this might happen?

    Thank you for your assistance so far!

    Regards,

    Remon



  • Without seeing your config I can't say why exactly. So if you set the simultaneous-use setting to 1, does it not allow access at all?

    Below is the top part of my own setup's users file. You might want to check this against your own config to see if anything might be missing or wrongly entered:

    DEFAULT Simultaneous-use := 4
            Fall-Through = 1

    DEFAULT Framed-Protocol == PPP
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT Hint == "CSLIP"
            Framed-Protocol = SLIP,
            Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT Hint == "SLIP"
            Framed-Protocol = SLIP
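    The "X minus 1" symptom asked about above, as an added example that is not from the thread and not FreeRADIUS code: FreeRADIUS answers the Simultaneous-Use check by counting the sessions the NAS (here the pfSense captive portal) has reported with Accounting-Start and not yet closed with Accounting-Stop. By default those sessions live in the radutmp file, which radwho lists and radzap clears. A session whose Stop never arrived, for instance from an earlier test or a device that dropped off the network before the portal logged it out, still counts, so a limit of 3 behaves like 2 until that entry is cleared. The Python model below is a simplified, hypothetical re-implementation of that bookkeeping: SessionStore, captive_portal_login and the NAS address 192.0.2.1 are assumptions made here, not FreeRADIUS names (the real server can additionally call checkrad to ask the NAS whether a recorded session is still alive before it rejects). It also shows why a tool that only sends Access-Requests, such as radtest, never occupies a slot: the accounting packet is what registers a login.

```python
"""Simplified model of how FreeRADIUS enforces Simultaneous-Use from accounting.

Added example, not FreeRADIUS code. SessionStore stands in for the radutmp
file the real server fills from the NAS's Accounting-Start/Stop packets; the
NAS address 192.0.2.1 and the session ids are constructed test data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Open sessions per user, keyed by Acct-Session-Id."""

    sessions: dict[str, dict[str, str]] = field(default_factory=dict)

    def accounting(self, status: str, user: str, session_id: str, nas_ip: str = "192.0.2.1") -> None:
        """Handle an Accounting-Request; only Start and Stop change the table."""
        open_for_user = self.sessions.setdefault(user, {})
        if status == "Start":
            open_for_user[session_id] = nas_ip
        elif status == "Stop":
            open_for_user.pop(session_id, None)  # a Stop for an unknown session is harmless
        else:
            raise ValueError(f"unsupported Acct-Status-Type {status!r}")

    def open_count(self, user: str) -> int:
        return len(self.sessions.get(user, {}))

    def authorize(self, user: str, simultaneous_use: int) -> tuple[str, str]:
        """Apply the Simultaneous-Use check item to an Access-Request.

        Returns (reply code, reason). Only sessions that accounting reported are
        counted: an Access-Request by itself never occupies a slot.
        """
        n = self.open_count(user)
        if n >= simultaneous_use:
            return "Access-Reject", f"{user} already logged in {n} time(s), limit {simultaneous_use}"
        return "Access-Accept", f"{n} open session(s), limit {simultaneous_use}"

    def zap(self, user: str) -> int:
        """Drop every open session of a user, as radzap does for stale radutmp entries."""
        return len(self.sessions.pop(user, {}))


def captive_portal_login(store: SessionStore, user: str, session_id: str, limit: int) -> bool:
    """One portal login: Access-Request first, Accounting-Start only on Access-Accept."""
    code, _ = store.authorize(user, limit)
    if code != "Access-Accept":
        return False
    store.accounting("Start", user, session_id)
    return True


def logins_until_rejected(store: SessionStore, user: str, limit: int, attempts: int = 10) -> int:
    """Count how many fresh devices get in before the limit rejects one."""
    accepted = 0
    for i in range(attempts):
        if not captive_portal_login(store, user, f"device-{i}", limit):
            break
        accepted += 1
    return accepted


def stale_session_demo(limit: int = 3) -> dict[str, int]:
    """Reproduce the 'limit minus one' symptom and show what clears it."""
    store = SessionStore()
    # Constructed scenario: an earlier session whose Accounting-Stop never reached the server.
    store.accounting("Start", "testuser", "old-session")
    with_stale = logins_until_rejected(store, "testuser", limit)

    store.zap("testuser")  # clear the user's entries, as radzap would
    after_zap = logins_until_rejected(store, "testuser", limit)

    # radtest-style check: Access-Requests only, no accounting, so nothing is recorded.
    auth_only = SessionStore()
    auth_only.authorize("testuser", limit)
    auth_only.authorize("testuser", limit)

    return {"with_stale": with_stale, "after_zap": after_zap, "auth_only_open": auth_only.open_count("testuser")}


if __name__ == "__main__":
    print(stale_session_demo())  # {'with_stale': 2, 'after_zap': 3, 'auth_only_open': 0}
```

    The practical checks this suggests: run radwho on the RADIUS box while the portal shows nobody logged in; any entry that is still listed is a stale session eating into the limit, and the captive portal must be set to send start/stop accounting (not "no accounting") or the server never sees a session at all and Simultaneous-Use can never reject.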



  • Hi again,

    This is my users file:
    /usr/local/etc/raddb/users

    "testuser" Cleartext-Password := "testpassword", Simultaneous-Use := "1"
            WISPr-Bandwidth-Max-Up := 204800,
            WISPr-Bandwidth-Max-Down := 2048000

    "testuser2" Cleartext-Password := "testpassword2", Simultaneous-Use := "1"
            WISPr-Bandwidth-Max-Up := 512000,
            WISPr-Bandwidth-Max-Down := 3072000

    And yes, with the above config I can't log in.

    My radiusd.conf:

    /usr/local/etc/raddb/radiusd.conf

    prefix = /usr/pbi/freeradius-amd64
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = ${localstatedir}/log
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run
    libdir =
    pidfile = ${run_dir}/radiusd.pid
    db_dir = ${raddbdir}
    name = radiusd
    #chroot = /path/to/chroot/directory
    #user = freeradius
    #group = freeradius

    ###############################################################################
    # Is not present in freeradius 2.x radiusd.conf anymore but it was in 1.x
    delete_blocked_requests = no
    usercollide = no
    lower_user = no
    lower_pass = no
    nospace_user = no
    nospace_pass = no
    ###############################################################################

    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes

    listen {
            type = auth
            ipaddr = *
            port = 1812
    }
    listen {
            type = acct
            ipaddr = *
            port = 1813
    }

    log {
            destination = syslog
            file = ${logdir}/radius.log
            syslog_facility = daemon
            stripped_names = no
            auth = yes
            auth_badpass = no
            auth_goodpass = no
            msg_goodpass = ""
            msg_badpass = ""
    }

    checkrad = ${sbindir}/checkrad

    security {
            max_attributes = 200
            reject_delay = 1
            status_server = no
    }

    # Disable proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server
    #proxy_requests = yes
    #$INCLUDE  proxy.conf

    $INCLUDE  clients.conf

    thread pool {
            start_servers = 5
            max_servers = 32
            min_spare_servers = 3
            max_spare_servers = 10
            max_queue_size = 65536
            max_requests_per_server = 0
    }

    modules {
            $INCLUDE ${confdir}/modules/
            $INCLUDE eap.conf

            # Dis-/Enable sql.conf INCLUDE
            #$INCLUDE sql.conf

            # Dis-/Enable sql/mysql/counter.conf INCLUDE
            #$INCLUDE sql/mysql/counter.conf

            #$INCLUDE sqlippool.conf
    }

    instantiate {
            exec
            expr
            daily
            weekly
            monthly
            forever
            expiration
            logintime

            # Dis-/Enable sql instantiate
            #sql
    }

    $INCLUDE policy.conf
    $INCLUDE sites-enabled/

    Captive Portal:

    • Radius authentication (pap, accounting enabled, start/stop accounting)
    • Bandwidth restriction check (so radius can override them).

    To be honest I don't know what to use on the accounting setting: no accounting, start/stop or interim

    Thanks!

    Remon



  • Ok, backup your existing /etc/raddb/users file and create a new one. Try this as the config:

    DEFAULT Simultaneous-use := 4
            Fall-Through = 1

    DEFAULT Framed-Protocol == PPP
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT Hint == "CSLIP"
            Framed-Protocol = SLIP,
            Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT Hint == "SLIP"
            Framed-Protocol = SLIP

    testuser  Cleartext-Password := "testpassword"
            WISPr-Bandwidth-Max-Up := 204800,
            WISPr-Bandwidth-Max-Down := 204800

    testuser2 Cleartext-Password := "testpassword2"
            WISPr-Bandwidth-Max-Up := 512000,
            WISPr-Bandwidth-Max-Down := 3072000

    I think you may have extra double-quotes in your config which might be creating a problem. This ought to preserve your bandwidth restrictions per user while limiting concurrent logins to 4 per account.



  • Hi,

    still need to test this "DEFAULT", in the meantime I (somehow!?) fixed the issue with Simultaneous-Use. So that issue is fixed, I'm happy with that.

    Will the following work for setting some defaults?

    # check items on the first line, reply items on the indented continuation lines
    DEFAULT Simultaneous-Use := 1
            WISPr-Bandwidth-Max-Up := 204800,
            WISPr-Bandwidth-Max-Down := 2048000,
            Fall-Through = 1

    testuser  Cleartext-Password := "testpassword"
    testuser2 Cleartext-Password := "testpassword2"
    etc…

    Thank you!

    Remon



  • To be honest I've never set those parameters up in that way. Try it and see if it works. For that matter there are plenty of examples by way of Google.
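    One way to check a users file like the DEFAULT proposal above before restarting radiusd (besides watching radiusd -X parse it), as an added example that is not from the thread and not FreeRADIUS tooling: in the files module's format the first line of an entry carries the name and the check items, the indented continuation lines carry the reply items, and a trailing comma continues the list. Attributes such as WISPr-Bandwidth-Max-Up or Fall-Through written on the first line are therefore read as check items and never reach the reply, while Simultaneous-Use on an indented line is never evaluated. The lint below parses that layout and reports those mix-ups, plus a DEFAULT entry that has no Fall-Through but is followed by further entries (which it would shadow). The parser is a simplified one written for this example (no '#' inside values, a blank line ends an entry), the attribute sets only cover the attributes used in this thread, and both sample files are constructed from the entries posted above.

```python
"""Lint a FreeRADIUS 'users' file for check-item / reply-item mix-ups.

Added example, not part of FreeRADIUS. First line of an entry = name plus
check items; indented continuation lines = reply items; a comma continues the
list. Simplified parser: no '#' inside values, a blank line ends an entry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Attributes that are only meaningful as reply items (returned to the NAS).
REPLY_ONLY = {"fall-through", "wispr-bandwidth-max-up", "wispr-bandwidth-max-down",
              "framed-protocol", "framed-compression", "reply-message"}
# Attributes that are only meaningful as check items (evaluated by the server).
CHECK_ONLY = {"simultaneous-use", "cleartext-password", "auth-type", "expiration"}

ITEM_RE = re.compile(r'^([A-Za-z0-9-]+)\s*(:=|==|=|\+=|!=|=~|!~)\s*(?:"([^"]*)"|(\S+))$')
ENTRY_RE = re.compile(r'^(\S+)\s*(.*)$')


@dataclass
class Entry:
    name: str
    line: int
    check: list[tuple[str, str, str]] = field(default_factory=list)
    reply: list[tuple[str, str, str]] = field(default_factory=list)


def _split_items(text: str) -> list[str]:
    """Split on commas outside double quotes; drop empty pieces (trailing comma)."""
    items, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]


def _parse_item(item: str, lineno: int) -> tuple[str, str, str]:
    m = ITEM_RE.match(item)
    if not m:
        raise ValueError(f"line {lineno}: cannot parse item {item!r}")
    attr, op, quoted, bare = m.groups()
    return attr, op, quoted if quoted is not None else bare


def parse_users(text: str) -> list[Entry]:
    entries: list[Entry] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        if not raw.strip():
            current = None  # blank line: the entry is finished
            continue
        if raw[0].isspace():  # continuation line: reply items
            if current is None:
                raise ValueError(f"line {lineno}: reply items without a preceding entry line")
            current.reply.extend(_parse_item(i, lineno) for i in _split_items(raw))
            continue
        name, rest = ENTRY_RE.match(raw).groups()
        current = Entry(name.strip('"'), lineno)
        current.check.extend(_parse_item(i, lineno) for i in _split_items(rest))
        entries.append(current)
    return entries


def lint_users(text: str) -> list[str]:
    """Return one message per problem; an empty list means the layout looks sane."""
    entries = parse_users(text)
    problems: list[str] = []
    for idx, e in enumerate(entries):
        for attr, _, _ in e.check:
            if attr.lower() in REPLY_ONLY:
                problems.append(f"line {e.line}: {attr} is a reply item but sits on the check line of "
                                f"{e.name}; put it on an indented continuation line")
        for attr, _, _ in e.reply:
            if attr.lower() in CHECK_ONLY:
                problems.append(f"line {e.line}: {attr} is a check item but sits in the reply items of "
                                f"{e.name}; move it to the first line")
        falls_through = any(a.lower() == "fall-through" for a, _, _ in e.reply)
        always_matches = all(op == ":=" for _, op, _ in e.check)  # ':=' check items always match
        if e.name == "DEFAULT" and always_matches and not falls_through and idx < len(entries) - 1:
            problems.append(f"line {e.line}: DEFAULT matches every user and has no Fall-Through, "
                            f"so the {len(entries) - idx - 1} entries after it are never reached")
    return problems


# Constructed sample: the one-line DEFAULT proposed in the thread.
BAD_USERS = """\
DEFAULT Simultaneous-use := 1, WISPr-Bandwidth-Max-Up := 204800, WISPr-Bandwidth-Max-Down := 2048000, Fall-Through = 1

testuser  Cleartext-Password := "testpassword"
testuser2 Cleartext-Password := "testpassword2"
"""

# Constructed sample: the same intent laid out the way the files module reads it.
GOOD_USERS = """\
DEFAULT Simultaneous-Use := 1
        WISPr-Bandwidth-Max-Up := 204800,
        WISPr-Bandwidth-Max-Down := 2048000,
        Fall-Through = 1

testuser  Cleartext-Password := "testpassword"
testuser2 Cleartext-Password := "testpassword2"
"""
```

    Running lint_users(BAD_USERS) reports the two WISPr attributes and Fall-Through as reply items placed on the check line; lint_users(GOOD_USERS) returns an empty list. The Fall-Through rule matters for the per-user bandwidth idea: a DEFAULT entry that always matches ends the search unless it falls through, so the testuser lines after it would never be consulted.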



  • Will do that, thank you!