pfSense » pfSense Docs

Github user: https://github.com/Augustin-FL

Feedback:

The FreeRadius 2.X documentation, https://www.netgate.com/docs/pfsense/usermanager/index.html, and its related page Captive Portal RADIUS configuration, https://www.netgate.com/docs/pfsense/captiveportal/using-captive-portal-with-freeradius.html are outdated and are giving misleading/bizzare information.

I would quote the "disconnect after Amount of Time/ Amount of Traffic" method, https://www.netgate.com/docs/pfsense/captiveportal/using-captive-portal-with-freeradius.html#amount-of-time, which still indicate to use the controversial Stop/Start accounting method, or the full FreeRadius MySQL page, https://www.netgate.com/docs/pfsense/usermanager/using-mysql-with-freeradius.html which does not give any information on how to use MySQL with the FreeRADIUS package...

FreeRadius 2.X also don't exist anymore, it has been replaced by FreeRadius3 in pfSense Packages as FreeRADIUS 2.X end of life was in 2015, https://freeradius.org/older_releases/.

Since authentication has been recently updated on the Captive Portal, it would be nice to update the corresponding documentation pages.

I drop here some note about the stop/start accounting method...as it may be usefull for re-write FreeRADIUS doc.

I made some research, this option has been introduced 14 years ago at m0n0wall time, https://github.com/pfsense/pfsense/commit/c980716edb28b33e6340f00ab37ab36f5b860950, at the very begining of RADIUS accounting.

This accounting method caused many, https://forum.netgate.com/topic/112249/solved-radius-accounting-packets-seem-to-be-broken/3, various, https://redmine.pfsense.org/issues/2957, issues since it does not correspond to the way a RADIUS server expect to recieve accounting updates. These various issues even lead to the creation of a new setting, stop/start (FreeRadius). I could not find any good usage of this accounting method. (All examples written in the documentation can now be done in a better/cleaner way)

I spent many time to understand the reason why this method had ever been implemented. The only reason i found was about to overcome the bugs of a (now deprecated) FreeRADIUS module (rlm_counter) that was not supporting accounting updates at all :

Quoting from https://redmine.pfsense.org/issues/2164#note-8

The rlm_counter module is just counting on accounting stop packets.
This module is used for time based accounting.
It does not work with interim-updates.

Given that :
- The counter module is now deprecated (replaced by rlm_sqlcounter) and will be removed in the next version of FreeRADIUS, https://github.com/FreeRADIUS/freeradius-server/commit/a2ea088000fe85a9c05cd439a6de522936682822.
- rlm_sqlcounter does handle Accounting updates correctly
- In general, pfSense should not implement bizzare workaround to overcome bugs of another software

I would vote for completley remove this accounting method from pfSense in the future. The first step would be to stop mentioning it in the official documentation.