On Mon, Mar 26, 2012 at 6:03 AM, Mutheu <mutheu@lavabit.com> wrote: <snip>
pfsense/Monowall have 'reauthentication' feature and contrary to what many people think, the user is only presented the login screen once and the NAS 'remembers' the infor and each minute, it resends the infor to freeradius and until radius gives "access-reject". So I can "sell" to the client so long as he has balance. A user who started with 30mins (session-timeout) may end up using internet for less than 10mins or so if he 'bought' items.
I hope this sheds light.
This makes sense Mutheu. I investigated a similar system and didn't continue due to complexity (and it didn't solve the problem cleanly we wanted to solve). We use the coaport in Coova Chilli (Change of Authorisation) which allows the radius server to send authentication changes to the users session, i.e. reducing the users allowed time. The problem at the time, was that it became difficult to recalculate all the details for the user when there were multiple active sessions. Having said that, it is possible to make it work, just not as nicely. Part of the issue is having to reissue all the attributes for the session, not just the changed ones, if you could just issue the changes or the changed attributes, it would be great. Imagine, your "selling" system just sends a -10 minutes to the NAS and the NAS just substracts 10 from it's session timer. It's something I hope to be able to do in the future, but maybe we need an extension to the COA system to make it more usable. The reason the Coova Chilli system can't "reauthenticate" is that it never has the password in plain text, the login system does the CHAP challenge/response in javascript, then transmits the CHAP response, so Coova Chilli only gets the CHAP response, and can't "replay" the login to reauthenticate. It's a security feature. The correct way to do it, is the COA system, it's just not elegant yet. Tim