
Author Topic: Captive portal and Freeradius  (Read 3198 times)


Offline qbik

Captive portal and Freeradius
« on: January 07, 2012, 06:45:44 pm »
Hi,
I am using pfSense 2.0. I have CP enabled and am using freeradius; "disable concurrent logins" is also on. Now my question is: is there a way that, if for any reason the server needs to be rebooted, the users that have not expired continue with the remainder of their session and continue using the internet until their session times out?


Thanks

Offline Nachtfalke

Re: Captive portal and Freeradius
« Reply #1 on: January 08, 2012, 09:07:20 am »
Hi,

Are you running freeradius on pfsense or on a different server? If both are on different servers, which one restarts? And if you are running freeradius on pfsense, which version of freeradius do you run?

Offline qbik

Re: Captive portal and Freeradius
« Reply #2 on: January 08, 2012, 09:42:15 am »
Hi,
I am using freeradius2 (2.1.12) package on the same pfsense server.

thanks

Offline Nachtfalke

Re: Captive portal and Freeradius
« Reply #3 on: January 08, 2012, 10:48:44 am »
OK, but I am not sure if I understand your problem. If pfsense restarts - this is only if you change something in pfsense which needs a radiusd restart - this is only for a few seconds.

And if you restart pfsense... then the CaptivePortal and everything is down.

Perhaps you could explain the problem in a little more detail and/or post a screenshot of your environment.

Offline qbik

Re: Captive portal and Freeradius
« Reply #4 on: January 08, 2012, 11:23:22 am »
It is a small hotel, and users are given tickets to log in. Tickets have different time durations: 30 min, 1 hour, 1 day, 5 days. Once the user is logged in, there is no idle or hard timeout; the session is open as long as the freeradius session timeout (30 min, 1 hour, 1 day, 5 days) is active. Now, let's say I have a 5 day ticket, my session is open for 5 days, and on day 3 we have a power loss and the server reboots; now I have to log in again. I want to prevent this second login.

On my CP configuration under the freeradius part, I have it as follows:

send RADIUS accounting packets [On]
interim update [On]
Reauthenticate connected users every minute [On]
Use RADIUS Session-Timeout attributes [On]

Hope it's clearer now.

thanks again

Offline Nachtfalke

Re: Captive portal and Freeradius
« Reply #5 on: January 08, 2012, 11:59:24 am »
Hi,
thanks for the explanation - now it is clear to me :-)

But I do not know a solution for that. If the NAS - that is the CP in this case - reboots, then it loses all information about which user is/was logged in.

Is there a reason why you need this?

Offline qbik

Re: Captive portal and Freeradius
« Reply #6 on: January 08, 2012, 01:18:46 pm »
Well, the reason is that the tickets only contain instructions on how to connect. The way they authenticate is with their room number and last name; it then pushes the charge to their room via a script. Now if the server reboots, they are asked to log in again and then they get charged again, hence I just want their stalled session to continue counting. But I have yet to find what the normal behavior is on a normal setup if the system reboots. For example, if I was using vouchers, would the same thing have happened?

Thanks

Offline Nachtfalke

Re: Captive portal and Freeradius
« Reply #7 on: February 01, 2012, 01:38:51 pm »
Hi,

If a NAS reboots, then all sessions get disconnected. If a NAS is rebooting normally because the admin is rebooting the NAS, then the NAS sends an "accounting-off" packet to RADIUS to tell it that it is rebooting. FreeRADIUS then deletes the open sessions.

If the NAS crashes, then after the reboot of the NAS there is an "accounting-off" followed by an "accounting-on" packet. So the NAS tells the RADIUS to delete all stalled sessions and then restarts accounting.

CP isn't sending accounting-off packets at the moment - perhaps this will be fixed - but that's not really necessary for your environment, because if the NAS crashes then it loses everything, so it does not know who was connected and who was connected on which "port" and so on. I am pretty sure that there is no way around that.

Offline mutheu

Re: Captive portal and Freeradius
« Reply #8 on: March 21, 2012, 04:25:57 am »
For me, I think the best solution to your problem is to set up a Radius server and use a counter. Instead of specifying 5 days, you simply convert the 5 days to seconds: 5d x 24hrs x 60min x 60sec.

The counter will keep on reducing time even if your server goes off; it will pick up where it left off - especially with re-auth every minute.

Offline Nachtfalke

Re: Captive portal and Freeradius
« Reply #9 on: March 21, 2012, 05:08:34 am »
> For me, I think the best solution to your problem is to set up a Radius server and use a counter. Instead of specifying 5 days, you simply convert the 5 days to seconds: 5d x 24hrs x 60min x 60sec.
>
> The counter will keep on reducing time even if your server goes off; it will pick up where it left off - especially with re-auth every minute.

The time counter module only works on "accounting stop" packets. The time value in Accounting stop packets from CP is not correct in 2.0.1. Ermal did some changes on this (redmine) and perhaps it will be implemented in 2.1. But I am not up-to-date with this problem.

But if the NAS or the server reboots - the user has to re-login - and that's the problem and not the "time management". That's the way I understand qbik's posts.
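
The counter idea and its caveat from the last two replies, as an added example that is not part of the thread and not FreeRADIUS or pfSense code: a simplified Python model of a per-user time counter that only counts on Accounting-Stop. The class and function names and the user `room101` are hypothetical; only the 5-day ticket length comes from the thread.

```python
# Simplified model (constructed for illustration) of a RADIUS-side time counter.
# Assumption taken from the thread: usage is only recorded on Accounting-Stop.

TICKET_SECONDS = 5 * 24 * 60 * 60  # 5d x 24hrs x 60min x 60sec = 432000


class TimeCounter:
    def __init__(self):
        self.used = {}     # user -> seconds consumed, kept on the RADIUS side
        self.open = set()  # users the server believes are logged in

    def authorize(self, user, limit=TICKET_SECONDS):
        """Return the Session-Timeout to reply with, or None to reject."""
        remaining = limit - self.used.get(user, 0)
        if remaining <= 0:
            return None
        self.open.add(user)
        return remaining

    def accounting(self, status, user=None, session_time=0):
        if status == "Stop":
            # The only packet type that moves the counter in this model.
            self.used[user] = self.used.get(user, 0) + session_time
            self.open.discard(user)
        elif status in ("Accounting-On", "Accounting-Off"):
            # NAS reboot: stale sessions are dropped, no usage is recorded.
            self.open.clear()
        # Start and Interim-Update leave the counter unchanged.


def remaining_after_clean_logout(days_used=3):
    c = TimeCounter()
    c.authorize("room101")
    c.accounting("Stop", "room101", session_time=days_used * 86400)
    return c.authorize("room101")  # second login gets the remainder


def remaining_after_nas_crash(days_used=3):
    c = TimeCounter()
    c.authorize("room101")
    c.accounting("Interim-Update", "room101", session_time=days_used * 86400)
    c.accounting("Accounting-On")  # NAS came back up, no Stop was ever sent
    return c.authorize("room101")  # second login gets the full ticket again
```

In both scenarios the user still has to log in a second time; the counter only changes how much time that second login is granted, and after a crash without a Stop packet the interrupted session's time is not deducted.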