Daloradius, PFsense and Simultaneous-Use
Just wondering if anyone on the forum might have some ideas about this one.
I'm running a PFsense 2.2.5 firewall as a test system in conjunction with a Daloradius (FreeRadius + MySQL) authentication system. I've Googled this problem to death, as well as scoured this forum for possible answers, but I still can't seem to get the Simultaneous-Use directive to work properly.
After looking up various sources, including some from the forum, I think I've managed to get the Daloradius server to limit logins to just 2 concurrent sessions. However, it seems that the radius server is kicking off the first user and allowing the newer user (using the same credentials) to connect. When I check the captive portal status page, however, there are three concurrent sessions with the same user showing. It seems that the radius server is kicking off an existing user, but not sending the disconnect directive back to the captive portal, assuming this is possible.
Up until now, I've been using Freeradius as a backend authenticator (running on a separate system from the firewall, btw), with just a flat-file of username/passwords and the simultaneous-use parameter defined directly in the '/etc/raddb/users' file. This works, in that when a user reaches their session limit they will just be refused entry by the captive portal. Ultimately, it would be best if I could get Daloradius to do this also. Does anyone have a working setup of this kind and if so, are there any parameters/configs/hints you could pass on? I've already stumbled on uncommenting the 'simul_count_query' in the sql.conf file, but that still doesn't seem to resolve the issue completely.
Ok, I've got a little further…
It seems the problem is possibly to do with the radgroupcheck table, or the way the system is referencing it. If I put the Simultaneous-Use parameter directly into the user's own attributes, it works! If I assign the Simultaneous-Use parameter to a profile/group and make the account a member of that group, the Simultaneous-Use setting fails. So somehow the check is failing to parse the settings in the group membership of the account.
I can always do a bulk import of the Simultaneous-Use attribute across every login ID, but that would defeat the purpose in having groups to begin with, and make the management of the whole thing a bit more complicated. If this rings any bells with anyone, feel free to dump your ideas here.
Hi dude. Did you resolve your problem? Can you share?