Correction #9381

FreeRadius 2.X package documentation and CaptivePortal associated documentation are mostly outdated

Added by Jared Dillard 6 months ago. Updated 26 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 03/06/2019
Due date:
% Done: 0%
Estimated time:
Affected Documentation: pfSense Documentation site (Wiki)

Description

Github user: https://github.com/Augustin-FL

Feedback:

The FreeRadius 2.X documentation, https://www.netgate.com/docs/pfsense/usermanager/index.html, and its related page Captive Portal RADIUS configuration, https://www.netgate.com/docs/pfsense/captiveportal/using-captive-portal-with-freeradius.html, are outdated and are giving misleading/bizarre information.

I would quote the "disconnect after Amount of Time/ Amount of Traffic" method, https://www.netgate.com/docs/pfsense/captiveportal/using-captive-portal-with-freeradius.html#amount-of-time, which still indicates to use the controversial Stop/Start accounting method, or the full FreeRadius MySQL page, https://www.netgate.com/docs/pfsense/usermanager/using-mysql-with-freeradius.html, which does not give any information on how to use MySQL with the FreeRADIUS package...

FreeRadius 2.X also doesn't exist anymore; it has been replaced by FreeRadius3 in pfSense Packages, as FreeRADIUS 2.X end of life was in 2015, https://freeradius.org/older_releases/.

Since authentication has been recently updated on the Captive Portal, it would be nice to update the corresponding documentation pages.

I drop here some notes about the stop/start accounting method, as they may be useful for rewriting the FreeRADIUS doc.

I did some research: this option was introduced 14 years ago in the m0n0wall days, https://github.com/pfsense/pfsense/commit/c980716edb28b33e6340f00ab37ab36f5b860950, at the very beginning of RADIUS accounting.

This accounting method caused many, https://forum.netgate.com/topic/112249/solved-radius-accounting-packets-seem-to-be-broken/3, various, https://redmine.pfsense.org/issues/2957, issues since it does not correspond to the way a RADIUS server expects to receive accounting updates. These various issues even led to the creation of a new setting, stop/start (FreeRadius). I could not find any good usage of this accounting method. (All examples written in the documentation can now be done in a better/cleaner way.)

I spent a lot of time trying to understand the reason why this method had ever been implemented. The only reason I found was to overcome the bugs of a (now deprecated) FreeRADIUS module (rlm_counter) that did not support accounting updates at all:

Quoting from https://redmine.pfsense.org/issues/2164#note-8

The rlm_counter module is just counting on accounting stop packets.
This module is used for time based accounting.
It does not work with interim-updates.

Given that :
- The counter module is now deprecated (replaced by rlm_sqlcounter) and will be removed in the next version of FreeRADIUS, https://github.com/FreeRADIUS/freeradius-server/commit/a2ea088000fe85a9c05cd439a6de522936682822.
- rlm_sqlcounter does handle Accounting updates correctly
- In general, pfSense should not implement bizarre workarounds to overcome bugs of another software

I would vote for completely removing this accounting method from pfSense in the future. The first step would be to stop mentioning it in the official documentation.
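The counter behaviour discussed in this ticket, as an added example that is not part of the original ticket and is not pfSense or FreeRADIUS code: a simplified Python model of a counter that only reacts to Stop packets next to one that also honours Interim-Update packets, checked against a time limit at reauthentication. The record layout, the sample feeds, the 1200-second limit and the shape of the stop/start feed are assumptions made for the illustration.

```python
# Simplified model of RADIUS accounting counters; not FreeRADIUS or pfSense code.
# Fields mirror the standard attributes Acct-Status-Type, Acct-Session-Id and
# Acct-Session-Time (seconds since the session started).

def stop_only_usage(records):
    """Counter that only reacts to Stop packets (the behaviour quoted for rlm_counter)."""
    return sum(r["time"] for r in records if r["status"] == "Stop")

def update_aware_usage(records):
    """Counter that keeps the latest Acct-Session-Time per session (Interim-Update or Stop)."""
    latest = {}
    for r in records:
        if r["status"] in ("Interim-Update", "Stop"):
            latest[r["session"]] = r["time"]
    return sum(latest.values())

def reauth_allowed(used_seconds, limit_seconds):
    """Periodic reauthentication check: reject once the time limit is reached."""
    return used_seconds < limit_seconds

def rec(status, session, time=0):
    return {"status": status, "session": session, "time": time}

# Constructed sample: one user online for 30 minutes, reported every 10 minutes.
INTERIM_FEED = [
    rec("Start", "s1"),
    rec("Interim-Update", "s1", 600),
    rec("Interim-Update", "s1", 1200),
    rec("Interim-Update", "s1", 1800),
]
# The same 30 minutes as a stop/start feed. Assumption for this model: each report
# closes the session with a Stop carrying that period's duration and opens a new one.
STOP_START_FEED = [
    rec("Start", "s1"), rec("Stop", "s1", 600),
    rec("Start", "s2"), rec("Stop", "s2", 600),
    rec("Start", "s3"), rec("Stop", "s3", 600),
]
LIMIT = 1200  # constructed 20-minute allowance

if __name__ == "__main__":
    for name, feed in (("interim", INTERIM_FEED), ("stop/start", STOP_START_FEED)):
        for counter in (stop_only_usage, update_aware_usage):
            used = counter(feed)
            ok = reauth_allowed(used, LIMIT)
            print(f"{name:10} {counter.__name__:18} used={used:4} allowed={ok}")
```

In this model the Stop-only counter sees no usage while a session reports through Interim-Update packets, so the over-limit user is still accepted at reauthentication; the update-aware counter gives the same total on both feeds.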

History

#1 Updated by Jared Dillard 6 months ago

  • Description updated (diff)

#2 Updated by Jared Dillard 6 months ago

Jimp commented:

I think we've had some discussion about this in the past on the forum. Since we don't support having an SQL server on the firewall, requiring the user to use SQL server counters was a problem. The current counter and scripts worked fine last time I tested them using the start/stop FreeRADIUS option I added a couple years ago.

If we can determine a way to make it all work on the current code without relying on an SQL server (sqlite maybe?) or the freeradius-specific start/stop option then I'm all for updating the docs to follow.

Keep in mind that when doing time/data limits the user will also have to have the option enabled to reauthenticate users every minute, so that when they go over the time or data limit their access can be rejected and they get kicked off.

#3 Updated by Jared Dillard 6 months ago

Github User, https://github.com/Frotty, commented:

Also perhaps see https://redmine.pfsense.org/issues/8251
I have had bugs with this for a long time now, trying all methods available.

#4 Updated by A FL 26 days ago

This issue can be now marked as resolved I think

#5 Updated by Jim Pingle 26 days ago

  • Status changed from New to Resolved
