Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Freeradius session-timeout still not working ? (SOLVED 1.2)

    Scheduled Pinned Locked Moved Captive Portal
    1 Posts 1 Posters 11.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      d4rg0
      last edited by

      Hi

      UPDATE:

      Under <captiveportal>in /cf/conf/config.xml.
      Add this line :
      <radiussession_timeout>1</radiussession_timeout>

      This seems to work now, acctterminatecause field in radius.radacct show session-timeout.

      source: http://forum.pfsense.org/index.php/topic,3970.0.html (ref. reply #14)

      Since this was written May 16, 2007 and 1.2 was released in Feb. 08, why is this not enabled by default?
      Is there still bugs or other problems related to using this attribute?

      –

      My original post :

      A google/forum search do mention this a lot, but there never seems to be a solution to the problem.

      Captive Portal(CP) is using radius with IP 192.168.1.3
      Idle and hard timeout is blank since I want to use dynamic timeout based on radius session-timeout attribute.
      And it's sending accounting packets.
      Even tried the "Reauthenticate connected users every minute" (all options) but that made no difference.
      (and since it can't handle more than around 50 users I can't/shouldn't use it)

      When a user go online through the CP I can use radsniff to see what's going on.
      First I see the Access-Reqest from pfSense (192.168.1.1) from Framed-IP-Address (192.168.1.11).
      Next the radius responds with Access-Accept AND Session-Timeout with the value of 180 (180 for testing only).
      Followed by the Accounting-Request from the pfSense with the following attributes set : (amongst others, but I recon these are the importan ones)
      Acct-Status-Type = Start
      Acct-Authentic = RADIUS
      Service-Type = Login-User
      Acct-Session-Id = (session id string)
      And the last thing that happends is that the radius sends the Accounting-Respons back (no other info/attributes/values).

      This give the user access to surf the net and everything is OK.
      If I enable the Reauthenticate, every minute this procedure loops and keeps the user logged in.

      But what it doesn't accomplish is to kick out the user after the time limit in the session-timeout attribute.

      Is this supposed to work or is this still a feature coming soon?

      Bonus questions:
      Is it possible to kill the session on the CP by removing the row in the mysql radius.radacct table? (Tried, didn't work)
      Or do I need to put a new row in the radius.radreply table?
      Since the CP doesn't loop the Access-Request while the Reauthenticate is not enabled I guess this is not possible either?
      In other words, is it possible to disconnect a user from remote (from LAN server) using php altering the radius database?
      Or do I have to use the Captive portal status page in pfSense to do this?

      Kind regards

      EDIT:
      versions in use : pfSense 1.2 and Freeradius 2.0.5
      and using mysql for freeradius backend.

      It might be a freeradius config error?
      In radiusd.conf I've included the sql/mysql/counter.conf and also listet the noresetcounter under the instantiate {}
      And in counter.conf I have :
      sqlcounter noresetcounter {
        counter-name = Session-Timeout
        check-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
      }

      EDIT 2

      After going through the service_captiveportal.php file in pfSense I still notice that some lines defining (radius)session_timeout is commentet out.
      Anyone knows what else needs to be changed if I enable them?</captiveportal>

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.