newbie questions using freeradius as wifi access point

[Will Carter]

Hi,

First, sorry for the long post...

I am new to radius in general and freeradius and am attempting to set up a
credit card based wifi access point where you can buy time to surf the
internet for certain alotments of time. The configuration should kick them
off when their alloted paid for time expires and redirect them to a web page
so that they can buy more time.

I have some questions the progress we have made and would very much
appreciate any information anyone could provide.

I apologize for any ignorance or assumptions about how the set up would
work, as I am just fumbling through.

I have set up freeradius on a linux server and I have it successfully
talking to a mySQL database that has radcheck, radreply, radacct tables,
etc. I am able to use the natradping utility to get accept/reject messages
from it based on entries in radcheck.

I have a NAS device (nomadix ag-2000w) that I can get it to correctly
recognize a wireless laptop and authenticate against entries in the radius
database.

I am sending a session-timeout attribute in my reply message and my nas is
correctly coming up with an expiration time based on that.

Basically my process is like this.

Login:
1. I have a separate database from radius that authenticates the user's
login/password. I delete all rows from from radcheck for this user. I delete
all rows from radreply for this user. I add back a radcheck record and
radreply session-timeout record that corresponds to how much time left that
they have paid for. Now I log them in (using an xml command to my nas). My
nas correctly reports the expire time based on the session-timeout that I
inserted. After the user is logged in, I add another row to radcheck that is
an auth-type reject. This is so that when the nas time expires and it tries
to reauthenticate with radius, it will get a reject message and not allow
surfing to continue. I believe this is the wrong way to be doing things and
I think radacct is the table for this but I do not understand how that table
fits in or if the nas device is supposed to be inserting into radacct or
what. My question here is that should I be using radacct in some way to
influence the reject/accept response when the session times out for the
user.

By the way, if the user tries to login again, they wont be hit with the
auth-type reject in their response because I am clearing out radcheck and
radreply first.

User is trying to add time:
I update my non-radius database with how much time they have purchased. I
log the user out of my nas device (using an xml command). I delete
everything from radcheck and radreply for this user. I add back a radcheck
record for this user. I add a session-timout record to radreply for this
user that corresponds to how much additional time they just purchased. I log
the user back in, resyncing the nas with the session-timeout in radius.
After they are logged in again I add back a auth-type reject to radcheck so
that when their time runs out again they will be kicked off.

The underlying problem with this set up is that the order of the
logout/login/insert reject into radcheck bits seem not to happen in order. I
am issuing xml commands to my nas to do the login/logout. So sometimes it
seems that the logout happens after the login xml command or the login
happens after the reject row is inserted, effectively blocking the user
incorrectly.

Basically, I would like some advice as to where I am going wrong in the
process and what is the correct way that radacct comes into play. I have my
nas set up to have accounting enabled and I see radacct getting written to
but I don't understand how AcctStartTime, AcctStopTime comes into play
although that looks interesting. Any guidance here would be great.

Thanks for any info or direction you can provide.
-will