Feature #2143

Captive Portal - RADIUS - attribute: Acct-Terminate-Cause

Added by Alexander Wilke over 7 years ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Captive Portal
Target version: -
Start date: 01/25/2012
Due date:
% Done: 0%
Estimated time:

Description

When using Captive Portal with RADIUS and Captive Portal is restarting, the FreeRADIUS server does not get any information that the NAS restarted. We should send an "Accounting-Request" with "Acct-Terminate-Cause = 7" (Admin Reboot) or "Acct-Terminate-Cause = 11" (NAS Reboot) before restarting CP or after CP has restarted.

This could fix the problem that FreeRADIUS has users authenticated even though they are disconnected because of the CP restart (Multiple-Connections-Problem when FreeRADIUS is configured with "Simultaneous-Use := 1").

NAS_reboot.cap (14.4 KB), Alexander Wilke, 01/26/2012 04:18 PM
acct1.jpg (293 KB), Alexander Wilke, 01/29/2012 04:22 PM
acct2.jpg (372 KB), Alexander Wilke, 01/29/2012 04:22 PM

History

#2 Updated by Chris Buechler over 7 years ago

  • Target version deleted (2.1)
  • Affected Version deleted (2.0.1)

If you can implement and fully test and submit a merge request we'll get it in for 2.1, otherwise this probably can't be a priority as we won't have time before 2.1 with all the other things that have to be done.

#3 Updated by Alexander Wilke over 7 years ago

The problem is that I cannot implement this but probably can help on testing. If it will not find a way into 2.1 then that's ok and I cannot change this. Nevertheless I added a capture between freeradius2 on pfSense and a NAS (D-Link DIR-300 + DD-WRT).

User "myuser101" authenticated using PEAP + MSCHAPv2, then the NAS rebooted and the client automatically reconnected.

#4 Updated by Alexander Wilke over 7 years ago

I bought a FreeRADIUS book: "FreeRADIUS Beginner's Guide by Dirk van der Walt" and I uploaded two excerpts which explain how a NAS should reboot and what accounting packets it should send to prevent simultaneous-use problems.

#5 Updated by Alexander Wilke over 7 years ago

There seems to be a function in /etc/inc/captiveportal.inc which has "Acct-Terminate-Cause = 7" but it seems not to work when CP restarts.

function captiveportal_radius_stop_all() {
    global $config;

    if (!isset($config['captiveportal']['radacct_enable']))
        return;

    $radiusservers = captiveportal_get_radius_servers();
    if (!empty($radiusservers)) {
        $cpdb = captiveportal_read_db();
        foreach ($cpdb as $cpentry) {
            RADIUS_ACCOUNTING_STOP($cpentry[1], // ruleno
                $cpentry[4], // username
                $cpentry[5], // sessionid
                $cpentry[0], // start time
                $radiusservers,
                $cpentry[2], // clientip
                $cpentry[3], // clientmac
                7); // Admin Reboot
        }
    }
}

#6 Updated by Alexander Wilke over 7 years ago

We need to add an Accounting-On packet like this after the CP service has restarted:

Frame 25 (113 bytes on wire, 113 bytes captured)
Ethernet II, Src: D-Link_f2:47:f1 (00:22:b0:f2:47:f1), Dst: Vmware_61:cc:a7 (00:0c:29:61:cc:a7)
Internet Protocol, Src: 192.168.0.20 (192.168.0.20), Dst: 192.168.0.22 (192.168.0.22)
User Datagram Protocol, Src Port: filenet-nch (32770), Dst Port: radius-acct (1813)
Radius Protocol
Code: Accounting-Request (4)
Packet identifier: 0x0 (0)
Length: 71
Authenticator: ED5D642062C77D3B4D67A4B2580F703E
[The response to this request is in frame 26]
Attribute Value Pairs
AVP: l=6 t=Acct-Status-Type(40): Accounting-On(7)
Acct-Status-Type: Accounting-On (7)
AVP: l=6 t=Acct-Authentic(45): RADIUS(1)
Acct-Authentic: RADIUS (1)
AVP: l=6 t=NAS-IP-Address(4): 192.168.0.20
NAS-IP-Address: 192.168.0.20 (192.168.0.20)
AVP: l=27 t=Called-Station-Id(30): 00-22-B0-F2-47-F1:TEST-AP
Called-Station-Id: 00-22-B0-F2-47-F1:TEST-AP
AVP: l=6 t=Acct-Terminate-Cause(49): NAS-Reboot(11)
Acct-Terminate-Cause: NAS-Reboot (11)

We need to add an Accounting-Off packet when CP is shutting down and after CP has restarted, before the Accounting-On packet is sent.

#7 Updated by Michael Newton almost 7 years ago

We have done this on our installations, but the only patch file I have is rather comprehensive and covers all our RADIUS-related changes. I'll look at breaking out the NAS accounting bit.

The original request should not be for Acct-Terminate-Cause -- this must only be sent when ending individual client sessions, and is already included in stop packets. I'm not familiar with FreeRADIUS in particular, but sync problems typically show up when the NAS is unexpectedly restarted and doesn't get a chance to send those stop packets for the user sessions. I expect what the requester wants pfSense to be sending is an Accounting-Off packet at shutdown of the NAS, Accounting-On at boot, and both when the CP service is restarted. The server can use the Accounting-On packet as a signal to reset any active sessions for that NAS.
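Comments #6 and #7 describe the Accounting-On/Off exchange in protocol terms. The following Python is an added example, not code from this ticket or from pfSense: it builds the Accounting-On frame shown in #6 (Acct-Terminate-Cause = NAS-Reboot) with the RFC 2866 Request Authenticator, and shows the check a server should run before such a packet is allowed to reset that NAS's sessions. The shared secret, packet identifier 0 and all function names are assumptions.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST, AUTHENTIC_RADIUS = 4, 1  # RFC 2866 codes used in comment #6's frame
ACCT_STATUS_TYPE, NAS_IP_ADDRESS, ACCT_AUTHENTIC = 40, 4, 45
CALLED_STATION_ID, ACCT_TERMINATE_CAUSE = 30, 49
ACCOUNTING_ON, ACCOUNTING_OFF, ADMIN_REBOOT, NAS_REBOOT = 7, 8, 7, 11

def avp(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_accounting_request(ident, secret, attrs):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def nas_boot_packet(nas_ip, called_station, cause, secret, status=ACCOUNTING_ON):
    """Accounting-On (or Accounting-Off) announcing a NAS / captive portal restart."""
    attrs = (avp(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + avp(ACCT_AUTHENTIC, struct.pack("!I", AUTHENTIC_RADIUS))
             + avp(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed)
             + avp(CALLED_STATION_ID, called_station.encode())
             + avp(ACCT_TERMINATE_CAUSE, struct.pack("!I", cause)))
    return build_accounting_request(0, secret, attrs)  # identifier 0 is an assumption

def parse_attributes(packet):
    """Walk the AVP list into {type: raw value}, rejecting bad lengths."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, length = packet[pos], packet[pos + 1]
        out[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return out

def verify_request_authenticator(packet, secret):
    """Server-side check before an Accounting-On may reset that NAS's sessions."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def should_reset_nas_sessions(packet, secret):
    """True only for a verified Accounting-On/Off request (comment #7's rule)."""
    ok = len(packet) >= 20 and packet[0] == ACCOUNTING_REQUEST
    if not ok or not verify_request_authenticator(packet, secret):
        return False
    status = parse_attributes(packet).get(ACCT_STATUS_TYPE, bytes(4))
    return struct.unpack("!I", status)[0] in (ACCOUNTING_ON, ACCOUNTING_OFF)
```

Built with the NAS-IP-Address and Called-Station-Id from the capture, the packet comes out at 71 bytes, the same Length the frame in comment #6 reports.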

#9 Updated by Michael Newton over 6 years ago

Pull request is still up to date, if there is any interest in checking it in.

#10 Updated by A FL about 1 year ago

Pull request https://github.com/pfsense/pfsense/pull/236 has been merged in 2013.
The feature is working well.

This feature request can be safely marked as resolved.

#11 Updated by Jim Pingle about 1 year ago

  • Status changed from New to Resolved
