Captive Portal Reauthentication broken
built on Sun Nov 14 03:54:29 EST 2010
If the option "Accounting updates" with "no accounting updates" is enabled nothing happens.
- Use exclusive locking for parts of config involving CP db.
- Use more strict checking against empty/not set values for timeout and idletimeout
- Do not overwrite idletimeout value with the per user idletimeout value during processing
- Make distinction between radius accounting and re-authentication with radius to allow the code to be executed correctly. Ticket #1013
#5 Updated by L J over 9 years ago
Please change status to new.
As described in Bug#1013 the reauthentication feature is broken! I installed a 1.2.3 stable machine and configured the following:
X Reauthenticate connected users every minute
If reauthentication is enabled, Access-Requests will be sent to the RADIUS server for each user that is logged in every minute. If an Access-Reject is received for a user, that user is disconnected from the captive portal immediately.
X no accounting updates
With this configuration the pfSense server sends a RADIUS authentication to the RADIUS server every minute.
If I do EXACTLY the same configuration with 2.0beta4 the logon process works but there are no packages which are sent to the RADIUS server every minute after authentication!
An update from the 1.2.3 to the 2.0beta4 does not work either (same result).
#13 Updated by Ermal Luçi over 9 years ago
I just tested this and it works fine.
19:02:26.807863 IP 192.168.30.1.30906 > pfSense.localdomain.radius: RADIUS, Access Request (1), id: 0x77 length: 126
19:02:26.808225 IP pfSense.localdomain.radius > 192.168.30.1.30906: RADIUS, Access Accept (2), id: 0x77 length: 26
19:02:27.564663 IP 192.168.30.1.39478 > pfSense.localdomain.radius: RADIUS, Access Request (1), id: 0xae length: 126
19:02:27.564953 IP pfSense.localdomain.radius > 192.168.30.1.39478: RADIUS, Access Accept (2), id: 0xae length: 26
19:03:27.111498 IP 192.168.30.1.40081 > pfSense.localdomain.radius: RADIUS, Access Request (1), id: 0xe5 length: 126
19:03:27.111854 IP pfSense.localdomain.radius > 192.168.30.1.40081: RADIUS, Access Accept (2), id: 0xe5 length: 26
Can you please do a ps -ax | grep prune?
The pruning process is run every 60 secs by default; possibly you are not waiting enough?
#15 Updated by Chris Buechler over 9 years ago
- Status changed from Feedback to New
There is still a regression here with reauthentication. It does re-authenticate, but at least MS IAS refuses the request as malformed where it accepts the initial auth request.
A malformed RADIUS message was received from client pfs-test1. The data is the RADIUS message.
The exact same config on 1.2.3 re-authenticates fine, and gets an access-accept in response.
Will email pcaps to Ermal.
#16 Updated by Ermal Luçi over 9 years ago
I just committed a fix for the issue Chris reported.
L J -> if you have no output from that command, it means you will never see re-authentication because the script that is supposed to do that is not running. Try upgrading to the latest version, click save again with the proper options selected, and see what happens.
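An added example, not part of the ticket or of pfSense's code: a structural check of a RADIUS datagram against the RFC 2865 framing and Access-Request attribute rules, the kind of check to run over a captured re-authentication request when a server reports it as malformed. The packets and the helper names (`check_radius`, `build`) are constructed for illustration; the ticket does not say which defect MS IAS objected to.

```python
import struct

# Attribute types from RFC 2865 (79 = EAP-Message, RFC 3579)
NAS_ATTRS = {4, 32}           # NAS-IP-Address, NAS-Identifier
CRED_ATTRS = {2, 3, 24, 79}   # User-Password, CHAP-Password, State, EAP-Message

def check_radius(pkt: bytes) -> list:
    """Return structural problems found in one RADIUS datagram ([] = none)."""
    if len(pkt) < 20:
        return ["shorter than the 20-byte header"]
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= 4096:
        return [f"Length field {length} outside 20..4096"]
    if length > len(pkt):
        return [f"Length field {length} exceeds the {len(pkt)} bytes received"]
    problems, seen, pos = [], set(), 20
    while pos < length:                      # walk the type-length-value attributes
        if length - pos < 2:
            problems.append(f"truncated attribute header at offset {pos}")
            break
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            problems.append(f"attribute {atype} at offset {pos} has bad length {alen}")
            break
        seen.add(atype)
        pos += alen
    if code == 1 and not problems:           # Access-Request content rules
        if not seen & NAS_ATTRS:
            problems.append("Access-Request lacks NAS-IP-Address/NAS-Identifier")
        if not seen & CRED_ATTRS:
            problems.append("Access-Request lacks User-Password/CHAP-Password/State")
    return problems

def build(code, ident, attrs):
    """Constructed sample packets: zero authenticator, attrs = [(type, value)]."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

INITIAL = build(1, 0x77, [(1, b"alice"), (2, bytes(16)), (4, bytes([192, 168, 30, 1]))])
# Same request with the User-Password attribute dropped (constructed failure case)
NO_CRED = build(1, 0xE5, [(1, b"alice"), (4, bytes([192, 168, 30, 1]))])
# Same bytes as INITIAL, but the last attribute claims 8 octets instead of 6
OVERRUN = INITIAL[:-5] + bytes([8]) + INITIAL[-4:]

if __name__ == "__main__":
    for name, pkt in (("INITIAL", INITIAL), ("NO_CRED", NO_CRED), ("OVERRUN", OVERRUN)):
        print(name, check_radius(pkt) or "ok")
```

Feeding it the UDP payload of the initial request and of a re-authentication request from the same capture shows whether the two differ in framing or in required attributes.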