Project

General

Profile

Actions

Bug #1013

closed

Captive Portal Reauthentication broken

Added by L J over 13 years ago. Updated about 13 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Captive Portal
Target version:
Start date:
11/16/2010
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.0
Affected Architecture:

Description

B.0-BETA4 (i386)
built on Sun Nov 14 03:54:29 EST 2010

If the option "Accounting updates" with "no accounting updates
" is enabled nothing happens.


Files

pfsense.pcap (1.43 KB) pfsense.pcap L J, 01/05/2011 02:24 PM
config-pfsense.20110105192745.xml (18.2 KB) config-pfsense.20110105192745.xml L J, 01/05/2011 02:26 PM
Actions #1

Updated by Chris Buechler over 13 years ago

  • Target version set to 2.0
  • Affected Version set to 2.0
Actions #2

Updated by Ermal Luçi over 13 years ago

  • Status changed from New to Closed

This is working as mentioned.
Read the radius accounting RFC to understand why.
You will get data only after the client is disconnected.

Actions #3

Updated by L J over 13 years ago

But then there would be a bug in older beta releases and in 1.2.3 Stable.

There every minute the client is reauthenitcated.

Actions #4

Updated by Chris Buechler over 13 years ago

  • Status changed from Closed to Feedback
Actions #5

Updated by L J over 13 years ago

Please change status to new.

Bug1050:
As described in Bug#1013 the reauthentication feature is broken! I installed a 1.2.3 stable machine and configured the following:

X Reauthenticate connected users every minute

If reauthentication is enabled, Access-Requests will be sent to the RADIUS server for each user that is logged in every minute. If an Access-Reject is received for a user, that user is disconnected from the captive portal immediately.
Accounting updates

X no accounting updates
stop/start accounting
interim update

with this configuration the pfsense server sendsa radius authentication to the RADIUS server every minute.

If i do EXACTLY the same configuration with 2.0beta4 the logon pocess works but there a no packages witch are send to the RADIUS server every minute after authentication!

An update from the 1.2.3 to the 2.0beta4 does not work either (same result).

Actions #6

Updated by Ermal Luçi over 13 years ago

I just committed fixes to this please test latest snapshots.

Actions #7

Updated by L J over 13 years ago

Does still not work at
2.0-BETA5 (i386)
built on Sun Dec 26 01:03:42 EST 2010

Same behaviour.

Actions #8

Updated by Ermal Luçi over 13 years ago

Can you give me a packet trace and your config.xml about this?

Actions #9

Updated by L J about 13 years ago

I reinstalled pfsense from CD. I created the complete configuration via webinterface.

Is there any option to create a packet capture with pfsense?

Actions #10

Updated by L J about 13 years ago

An internal server error happens if I try to upload the config.xml.

http://depositfiles.com/files/3dwu89fko

Actions #11

Updated by L J about 13 years ago

There seems to be no feature for packet sniffing ;-). I used Wireshark at the RADIUS Server. The used user was test, the password 0000.

Actions #12

Updated by L J about 13 years ago

config file again (now it works ?!?)

Actions #13

Updated by Ermal Luçi about 13 years ago

I just tested this and it works fine.
19:02:26.807863 IP 192.168.30.1.30906 > pfSense.localdomain.radius: RADIUS, Access Request (1), id: 0x77 length: 126
19:02:26.808225 IP pfSense.localdomain.radius > 192.168.30.1.30906: RADIUS, Access Accept (2), id: 0x77 length: 26
19:02:27.564663 IP 192.168.30.1.39478 > pfSense.localdomain.radius: RADIUS, Access Request (1), id: 0xae length: 126
19:02:27.564953 IP pfSense.localdomain.radius > 192.168.30.1.39478: RADIUS, Access Accept (2), id: 0xae length: 26
19:03:27.111498 IP 192.168.30.1.40081 > pfSense.localdomain.radius: RADIUS, Access Request (1), id: 0xe5 length: 126
19:03:27.111854 IP pfSense.localdomain.radius > 192.168.30.1.40081: RADIUS, Access Accept (2), id: 0xe5 length: 26

Can you please do a ps -ax | grep prune?

The prunning process is run every 60secs by default possibly you are not waiting enough ?

Actions #14

Updated by L J about 13 years ago

The command above gives no result. I captured the traffic for 2 minutes after logging in.

Could you please post whitch snapshot you used, I will retry.

Actions #15

Updated by Chris Buechler about 13 years ago

  • Status changed from Feedback to New

There is still a regression here with reauthentication. It does re-authenticate, but at least MS IAS refuses the request as malformed where it accepts the initial auth request.

A malformed RADIUS message was received from client pfs-test1. The data is the RADIUS message.

The exact same config on 1.2.3 re-authenticates fine, and gets an access-accept in response.

will email pcaps to Ermal.

Actions #16

Updated by Ermal Luçi about 13 years ago

I just committed a fix for the issue Chris reported.

L J -> if you ahve no output from that command means you will never see re-authentication because the script that is supposed to do that is not running. Try upgrading to latest version and click again save with the proper options selected and see what happens.

Actions #17

Updated by Ermal Luçi about 13 years ago

  • Status changed from New to Feedback
Actions #18

Updated by L J about 13 years ago

Update to new version did not work, reinstall did. Ticket could be closed!

Thx.

Actions #19

Updated by Ermal Luçi about 13 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF