Feature #2143
Captive Portal - RADIUS - attribute: Acct-Terminate-Cause
Status: Closed
Description
When using Captive Portal with RADIUS and the Captive Portal is restarted, the FreeRADIUS server does not get any information that the NAS restarted. We should send an "Accounting-Request" with "Acct-Terminate-Cause = 7" (Admin Reboot) or "Acct-Terminate-Cause = 11" (NAS Reboot) before restarting CP or after CP has restarted.
This could fix the problem that FreeRADIUS has users authenticated even though they are disconnected because of the CP restart (multiple-connections problem when FreeRADIUS is configured with "Simultaneous-Use := 1").
Updated by Alexander Wilke over 13 years ago
This is the RFC:
http://freeradius.org/rfc/rfc2866.html#Acct-Terminate-Cause
Updated by Chris Buechler over 13 years ago
- Target version deleted (2.1)
- Affected Version deleted (2.0.1)
If you can implement and fully test this and submit a merge request, we'll get it in for 2.1; otherwise this probably can't be a priority, as we won't have time before 2.1 with all the other things that have to be done.
Updated by Alexander Wilke over 13 years ago
- File NAS_reboot.cap added
The problem is that I cannot implement this but can probably help with testing. If it does not find a way into 2.1, then that's ok and I cannot change this. Nevertheless, I added a capture between freeradius2 on pfSense and a NAS (D-Link DIR-300 + DD-WRT).
User "myuser101" authenticated using PEAP + MSCHAPv2, then the NAS rebooted and the client automatically reconnected.
Updated by Alexander Wilke over 13 years ago
I bought a FreeRADIUS book, "FreeRADIUS Beginner's Guide" by Dirk van der Walt, and I uploaded two excerpts which explain how a NAS should reboot and what accounting packets it should send to prevent simultaneous-use problems.
Updated by Alexander Wilke about 13 years ago
There seems to be a function in /etc/inc/captiveportal.inc which sends "Acct-Terminate-Cause = 7", but it does not seem to work when CP restarts:
function captiveportal_radius_stop_all() {
    global $config;

    if (!isset($config['captiveportal']['radacct_enable']))
        return;

    $radiusservers = captiveportal_get_radius_servers();
    if (!empty($radiusservers)) {
        $cpdb = captiveportal_read_db();
        foreach ($cpdb as $cpentry) {
            RADIUS_ACCOUNTING_STOP($cpentry[1], // ruleno
                $cpentry[4],   // username
                $cpentry[5],   // sessionid
                $cpentry[0],   // start time
                $radiusservers,
                $cpentry[2],   // clientip
                $cpentry[3],   // clientmac
                7);            // Admin Reboot
        }
    }
}
Updated by Alexander Wilke about 13 years ago
We need to add an Accounting-On packet like this after the CP service has restarted:
Frame 25 (113 bytes on wire, 113 bytes captured)
Ethernet II, Src: D-Link_f2:47:f1 (00:22:b0:f2:47:f1), Dst: Vmware_61:cc:a7 (00:0c:29:61:cc:a7)
Internet Protocol, Src: 192.168.0.20 (192.168.0.20), Dst: 192.168.0.22 (192.168.0.22)
User Datagram Protocol, Src Port: filenet-nch (32770), Dst Port: radius-acct (1813)
Radius Protocol
    Code: Accounting-Request (4)
    Packet identifier: 0x0 (0)
    Length: 71
    Authenticator: ED5D642062C77D3B4D67A4B2580F703E
    [The response to this request is in frame 26]
    Attribute Value Pairs
        AVP: l=6 t=Acct-Status-Type(40): Accounting-On(7)
            Acct-Status-Type: Accounting-On (7)
        AVP: l=6 t=Acct-Authentic(45): RADIUS(1)
            Acct-Authentic: RADIUS (1)
        AVP: l=6 t=NAS-IP-Address(4): 192.168.0.20
            NAS-IP-Address: 192.168.0.20 (192.168.0.20)
        AVP: l=27 t=Called-Station-Id(30): 00-22-B0-F2-47-F1:TEST-AP
            Called-Station-Id: 00-22-B0-F2-47-F1:TEST-AP
        AVP: l=6 t=Acct-Terminate-Cause(49): NAS-Reboot(11)
            Acct-Terminate-Cause: NAS-Reboot (11)
We need to add an Accounting-Off packet when CP is shutting down, and after CP has restarted and before the Accounting-On packet is sent.
Updated by Michael Newton over 12 years ago
We have done this on our installations, but the only patch file I have is rather comprehensive and covers all our RADIUS-related changes. I'll look at breaking out the NAS accounting bit.
The original request should not be for Acct-Terminate-Cause -- this must only be sent when ending individual client sessions, and is already included in stop packets. I'm not familiar with FreeRADIUS in particular, but sync problems typically show up when the NAS is unexpectedly restarted and doesn't get a chance to send those stop packets for the user sessions. I expect what the requester wants pfSense to be sending is an Accounting-Off packet at shutdown of the NAS, Accounting-On at boot, and both when the CP service is restarted. The server can use the Accounting-On packet as a signal to reset any active sessions for that NAS.
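Added example, not part of this thread and not pfSense's captiveportal.inc or FreeRADIUS code: it builds the Accounting-On packet laid out like the capture a few comments above (same attribute set, Length 71, Acct-Terminate-Cause = NAS-Reboot) plus the Accounting-Off and per-client Start/Stop packets, computes the RFC 2866 Request Authenticator, verifies it on the receiving side, and models the session-reset behaviour this comment describes (a Simultaneous-Use style check that only admits the reconnecting user once an Accounting-On from that NAS has cleared the stale session). The shared secret, session id and the SessionTable model are constructed for the example; FreeRADIUS's own session store is not shown.

```python
"""RFC 2866 accounting packets for a NAS restart, with a toy server-side session table.
Added example; the secret, session id and SessionTable are constructed, not from pfSense."""
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4
# Attribute types (RFC 2865/2866)
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_CALLED_STATION_ID = 1, 4, 30
ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 40, 44
ATTR_ACCT_AUTHENTIC, ATTR_ACCT_TERMINATE_CAUSE = 45, 49
# Acct-Status-Type (RFC 2866 5.1) and Acct-Terminate-Cause (5.10) values
STATUS_START, STATUS_STOP, STATUS_ACCOUNTING_ON, STATUS_ACCOUNTING_OFF = 1, 2, 7, 8
CAUSE_ADMIN_REBOOT, CAUSE_NAS_REBOOT = 7, 11
ACCT_AUTHENTIC_RADIUS = 1


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_request(secret: bytes, identifier: int, avps: bytes) -> bytes:
    """Request Authenticator per RFC 2866 s3: MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(avps))
    authenticator = hashlib.md5(header + b"\x00" * 16 + avps + secret).digest()
    return header + authenticator + avps


def nas_status_packet(secret, identifier, nas_ip, called_station, on, cause):
    """Accounting-On (on=True) or Accounting-Off for the whole NAS, same AVPs as the capture."""
    status = STATUS_ACCOUNTING_ON if on else STATUS_ACCOUNTING_OFF
    avps = (avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
            + avp(ATTR_ACCT_AUTHENTIC, struct.pack("!I", ACCT_AUTHENTIC_RADIUS))
            + avp(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
            + avp(ATTR_CALLED_STATION_ID, called_station.encode())
            + avp(ATTR_ACCT_TERMINATE_CAUSE, struct.pack("!I", cause)))
    return build_acct_request(secret, identifier, avps)


def session_packet(secret, identifier, nas_ip, user, session_id, start, cause=None):
    """Per-client Start (start=True) or Stop; only the Stop carries Acct-Terminate-Cause."""
    avps = (avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", STATUS_START if start else STATUS_STOP))
            + avp(ATTR_USER_NAME, user.encode())
            + avp(ATTR_ACCT_SESSION_ID, session_id.encode())
            + avp(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    if not start:
        avps += avp(ATTR_ACCT_TERMINATE_CAUSE, struct.pack("!I", cause))
    return build_acct_request(secret, identifier, avps)


def parse_acct_request(secret: bytes, packet: bytes) -> dict:
    """Server side: check the Request Authenticator before trusting any attribute."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    avps = packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + avps + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Request Authenticator: wrong shared secret or tampered packet")
    attrs, pos = {}, 0
    while pos < len(avps):
        ln = avps[pos + 1] if pos + 2 <= len(avps) else 0
        if ln < 2 or pos + ln > len(avps):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[avps[pos]] = avps[pos + 2:pos + ln]
        pos += ln
    return {"identifier": identifier, "attrs": attrs}


class SessionTable:
    """Constructed model of the active-session table a server consults for
    Simultaneous-Use. Accounting-On/Off drops every session held for that NAS."""

    def __init__(self):
        self.active = {}  # (nas_ip, acct_session_id) -> user

    def handle(self, secret: bytes, packet: bytes) -> None:
        a = parse_acct_request(secret, packet)["attrs"]
        status = struct.unpack("!I", a[ATTR_ACCT_STATUS_TYPE])[0]
        nas_ip = socket.inet_ntoa(a[ATTR_NAS_IP_ADDRESS])
        if status == STATUS_START:
            self.active[(nas_ip, a[ATTR_ACCT_SESSION_ID].decode())] = a[ATTR_USER_NAME].decode()
        elif status == STATUS_STOP:
            self.active.pop((nas_ip, a[ATTR_ACCT_SESSION_ID].decode()), None)
        elif status in (STATUS_ACCOUNTING_ON, STATUS_ACCOUNTING_OFF):
            for key in [k for k in self.active if k[0] == nas_ip]:
                del self.active[key]

    def simultaneous_use_ok(self, user: str, limit: int = 1) -> bool:
        """Would a new login for `user` pass Simultaneous-Use := limit?"""
        return sum(1 for u in self.active.values() if u == user) < limit


def demo(secret: bytes = b"testing123"):
    """NAS reboot as in the capture: Start for myuser101, no Stop, then Accounting-On.
    Returns (login allowed before Accounting-On, login allowed after)."""
    table, nas = SessionTable(), "192.168.0.20"
    table.handle(secret, session_packet(secret, 1, nas, "myuser101", "5A3F0001", True))
    before = table.simultaneous_use_ok("myuser101")  # stale session still counted
    table.handle(secret, nas_status_packet(secret, 2, nas, "00-22-B0-F2-47-F1:TEST-AP",
                                           True, CAUSE_NAS_REBOOT))
    return before, table.simultaneous_use_ok("myuser101")
```

The Request Authenticator is only as strong as the shared secret, so parse_acct_request rejects a packet under the wrong secret rather than letting an unauthenticated Accounting-On clear a NAS's sessions; a real deployment also restricts which client addresses may send accounting at all.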
Updated by Michael Newton over 12 years ago
Updated by Michael Newton about 12 years ago
Pull request is still up to date, if there is any interest in checking it in.
Updated by A FL almost 7 years ago
Pull request https://github.com/pfsense/pfsense/pull/236 was merged in 2013.
The feature is working well.
This feature request can be safely marked as resolved.