Feature #2143
closed
Captive Portal - RADIUS - attribute: Acct-Terminate-Cause
Added by Alexander Wilke over 13 years ago.
Updated almost 7 years ago.
Description
When using Captive Portal with RADIUS and Captive Portal is restarting, the FreeRADIUS server does not get any information that the NAS restarted. We should send an "Accounting-Request" with "Acct-Terminate-Cause = 7" (Admin Reboot) or "Acct-Terminate-Cause = 11" (NAS Reboot) before restarting CP or after CP has restarted.
This could fix the problem that FreeRADIUS has users authenticated even though they are disconnected because of the CP restart (Multiple-Connections-Problem when FreeRADIUS is configured with "Simultaneous-Use := 1").
- Target version deleted (2.1)
- Affected Version deleted (2.0.1)
If you can implement, fully test and submit a merge request, we'll get it in for 2.1; otherwise this probably can't be a priority, as we won't have time before 2.1 with all the other things that have to be done.
The problem is that I cannot implement this, but I can probably help with testing. If it does not find a way into 2.1, then that's ok and I cannot change this. Nevertheless, I added a capture between freeradius2 on pfSense and a NAS (D-Link DIR-300 + DD-WRT).
User "myuser101" authenticated using PEAP + MSCHAPv2, then the NAS rebooted and the client automatically reconnected.
I bought a FreeRADIUS book, "FreeRADIUS Beginner's Guide" by Dirk van der Walt, and I uploaded two excerpts which explain how a NAS should reboot and what accounting packets it should send to prevent Simultaneous-Use problems.
There seems to be a function in /etc/inc/captiveportal.inc which has "Acct-Terminate-Cause = 7" but it seems not to work when CP restarts.
function captiveportal_radius_stop_all() {
    global $config;
    if (!isset($config['captiveportal']['radacct_enable']))
        return;
    $radiusservers = captiveportal_get_radius_servers();
    if (!empty($radiusservers)) {
        $cpdb = captiveportal_read_db();
        foreach ($cpdb as $cpentry) {
            RADIUS_ACCOUNTING_STOP($cpentry[1], // ruleno
                $cpentry[4], // username
                $cpentry[5], // sessionid
                $cpentry[0], // start time
                $radiusservers,
                $cpentry[2], // clientip
                $cpentry[3], // clientmac
                7); // Admin Reboot
        }
    }
}
We need to add an Accounting-On packet like this after the CP service has restarted:
Frame 25 (113 bytes on wire, 113 bytes captured)
Ethernet II, Src: D-Link_f2:47:f1 (00:22:b0:f2:47:f1), Dst: Vmware_61:cc:a7 (00:0c:29:61:cc:a7)
Internet Protocol, Src: 192.168.0.20 (192.168.0.20), Dst: 192.168.0.22 (192.168.0.22)
User Datagram Protocol, Src Port: filenet-nch (32770), Dst Port: radius-acct (1813)
Radius Protocol
Code: Accounting-Request (4)
Packet identifier: 0x0 (0)
Length: 71
Authenticator: ED5D642062C77D3B4D67A4B2580F703E
[The response to this request is in frame 26]
Attribute Value Pairs
    AVP: l=6 t=Acct-Status-Type(40): Accounting-On(7)
        Acct-Status-Type: Accounting-On (7)
    AVP: l=6 t=Acct-Authentic(45): RADIUS(1)
        Acct-Authentic: RADIUS (1)
    AVP: l=6 t=NAS-IP-Address(4): 192.168.0.20
        NAS-IP-Address: 192.168.0.20 (192.168.0.20)
    AVP: l=27 t=Called-Station-Id(30): 00-22-B0-F2-47-F1:TEST-AP
        Called-Station-Id: 00-22-B0-F2-47-F1:TEST-AP
    AVP: l=6 t=Acct-Terminate-Cause(49): NAS-Reboot(11)
        Acct-Terminate-Cause: NAS-Reboot (11)
We need to add an Accounting-Off packet when CP is shutting down, and after CP has restarted before the Accounting-On packet is sent.
We have done this on our installations, but the only patch file I have is rather comprehensive and covers all our RADIUS-related changes. I'll look at breaking out the NAS accounting bit.
The original request should not be for Acct-Terminate-Cause -- this must only be sent when ending individual client sessions, and is already included in stop packets. I'm not familiar with FreeRADIUS in particular, but sync problems typically show up when the NAS is unexpectedly restarted and doesn't get a chance to send those stop packets for the user sessions. I expect what the requester wants pfSense to be sending is an Accounting-Off packet at shutdown of the NAS, Accounting-On at boot, and both when the CP service is restarted. The server can use the Accounting-On packet as a signal to reset any active sessions for that NAS.
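As an added illustration of the NAS-level Accounting-On/Off packet discussed in the capture and the comment above (example code written for this page, not pfSense's captiveportal.inc), this builds an RFC 2866 Accounting-Request with the same attributes as frame 25 and shows the Request Authenticator check a RADIUS server performs on it. The shared secret, NAS address and Called-Station-Id are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Codes and attribute numbers from RFC 2865/2866 (only those used here).
ACCOUNTING_REQUEST = 4
NAS_IP_ADDRESS, CALLED_STATION_ID = 4, 30
ACCT_STATUS_TYPE, ACCT_AUTHENTIC, ACCT_TERMINATE_CAUSE = 40, 45, 49
ACCOUNTING_ON, ACCOUNTING_OFF = 7, 8      # Acct-Status-Type values
ADMIN_REBOOT, NAS_REBOOT = 7, 11          # Acct-Terminate-Cause values
RADIUS_AUTHENTIC = 1


def avp(attr_type, value):
    """Encode one attribute: type (1 byte), length (1 byte, incl. header), value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_nas_accounting(status, nas_ip, called_station, secret,
                         cause=NAS_REBOOT, ident=0):
    """Accounting-Request announcing Accounting-On/Off for a whole NAS.
    Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret),
    as RFC 2866 section 3 specifies."""
    attrs = (avp(ACCT_STATUS_TYPE, status)
             + avp(ACCT_AUTHENTIC, RADIUS_AUTHENTIC)
             + avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + avp(CALLED_STATION_ID, called_station)
             + avp(ACCT_TERMINATE_CAUSE, cause))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet, secret):
    """Server-side check: recompute the authenticator over the packet with the
    authenticator field zeroed; a wrong secret or altered attribute fails it."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth


def parse_attrs(packet):
    """Walk the AVP list and return {type: raw value}; rejects a malformed length."""
    out, i = {}, 20
    while i + 2 <= len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > len(packet):
            raise ValueError("malformed AVP at offset %d" % i)
        out[t] = packet[i + 2:i + l]
        i += l
    return out
```

Sending the Accounting-Off variant (status `ACCOUNTING_OFF`) at CP shutdown and the Accounting-On one after restart gives the server the signal it needs to clear stale sessions for that NAS.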
Pull request is still up to date, if there is any interest in checking it in.
- Status changed from New to Resolved