Dear White, Thank you for your email. I have read your website about grasehotspot and it looks very complete. If I had not commited to my current setup for the last few weeks, I would have given it a short right a way, but I am going to setup a sample and see how it will measure up against what I have now. Regarding my query to the list, I think, you did not understand my question well. Any way, I figured out the problem through pfsense forum. It has to do with simoultanious check, where I should let pfsense captive portal worry about it. As mentioned normal function of the setup works perfectly. Freerad gives Session-Timeout to NAS and NAS kicks out client after expirey of Session-timout value (this is how its done worldwide). What I am doing is in addition to normal hotspot billing, to be able to make a payment system of some sort - Where user logs in to browsing the web, then freeradius gives session-timout as 30min (offcourse in seconds). The user may want to buy a scratch card, so he clicks on a link that adds a new record to 'radacct' table which will cost the user 'minutes' equivalent to, say, 20mins. In the next minute reauthentication, freeradius will issue a session-timout of 10mins (or 9mins) - since user has reduced his online time when he "bought" a scratch card. pfsense/Monowall have 'reauthentication' feature and contrary to what many people think, the user is only presented the login screen once and the NAS 'remembers' the infor and each minute, it resends the infor to freeradius and until radius gives "access-reject". So I can "sell" to the client so long as he has balance. A user who started with 30mins (session-timeout) may end up using internet for less than 10mins or so if he 'bought' items. I hope this sheds light. BTW. Nows its working as I wanted - as described above - was a problem with "simoultanious use" setting. Mutheu On Sat, 24 Mar 2012 07:56:41 +1000 Tim White <timwhite88@gmail.com> wrote:
On 21/03/12 18:44, Mutheu wrote:
My Setup:
--> FreeRADIUS: Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct3 2011 at 21:39:42 --> Mysql: Server version: 5.1.51 Source distribution --> NAS: pfSense 2.0.1 release
My Query: I am a bit new to freeradius and I am trying to create a setup where an active session is re-authenticated everyminute and a user is kicked if no enough credit. To me, this shouldn't require you to re-authenticate every minute. If you are only allowing a single session at a time, then the user should be kicked when ether their time or data limit is reached. How do you decied if they have enough "credit"?
More Details: Using 'norestcounter' with mysql works very well without the above. Now I would like to implement this idea : http://computing-tips.net/M0n0wall_Captive_Portal_Logout_URL/#onlinestore).
No offence to this article, but if you have to force a user to relogin, to logout, there is something wrong with the software you are using.
I'm not sure what monowall/pfsense use to implement a captive portal, but I highly suggest you look at a solution that uses Coova Chilli (chillispot/wifidog, etc) to do captive portals, as it's much better at what it does.
I'm the developer of the Grase Hotspot project, which internally uses Coova Chilli, I can easily setup easy to remember logout links for users. We can use a domain name that resolves to a special ip address for an instant logout, or just tell the users the ip address (we can define it ourselves).
Going back to the re-authenticate very minute stuff, we can use something similar for users who are allowed multiple sessions and you still want to enforce data/time limits, however it gets very complex, so we tell hotspot owners they can only have single sessions if they want limits enforced.
I'm just really confused why you'd try to do it the way you are describing, when there are much easier ways out there that work very well, and are used in thousands of hotspots around the world.
Feel free to describe to me what you are trying to do from a customer/owner point of view and I'll let you know how I'd set it up for a client.
-- Mutheu <mutheu@lavabit.com>
On Mon, Mar 26, 2012 at 6:03 AM, Mutheu <mutheu@lavabit.com> wrote: <snip>
pfsense/Monowall have 'reauthentication' feature and contrary to what many people think, the user is only presented the login screen once and the NAS 'remembers' the infor and each minute, it resends the infor to freeradius and until radius gives "access-reject". So I can "sell" to the client so long as he has balance. A user who started with 30mins (session-timeout) may end up using internet for less than 10mins or so if he 'bought' items.
I hope this sheds light.
This makes sense Mutheu. I investigated a similar system and didn't continue due to complexity (and it didn't solve the problem cleanly we wanted to solve). We use the coaport in Coova Chilli (Change of Authorisation) which allows the radius server to send authentication changes to the users session, i.e. reducing the users allowed time. The problem at the time, was that it became difficult to recalculate all the details for the user when there were multiple active sessions. Having said that, it is possible to make it work, just not as nicely. Part of the issue is having to reissue all the attributes for the session, not just the changed ones, if you could just issue the changes or the changed attributes, it would be great. Imagine, your "selling" system just sends a -10 minutes to the NAS and the NAS just substracts 10 from it's session timer. It's something I hope to be able to do in the future, but maybe we need an extension to the COA system to make it more usable. The reason the Coova Chilli system can't "reauthenticate" is that it never has the password in plain text, the login system does the CHAP challenge/response in javascript, then transmits the CHAP response, so Coova Chilli only gets the CHAP response, and can't "replay" the login to reauthenticate. It's a security feature. The correct way to do it, is the COA system, it's just not elegant yet. Tim
participants (2)
-
Mutheu -
Timothy White