Reauthenticate Every minute

Mutheu mutheu at lavabit.com
Sun Mar 25 22:03:39 CEST 2012


Dear White,

Thank you for your email. I have read your website about grasehotspot and it looks very complete.
If I had not committed to my current setup for the last few weeks, I would have given it a shot right away, but
I am going to set up a sample and see how it will measure up against what I have now.

Regarding my query to the list, I think you did not understand my question well. Anyway, I figured out the
problem through the pfsense forum. It has to do with the simultaneous check, where I should let the pfsense captive portal worry about it.

As mentioned, normal function of the setup works perfectly. Freerad gives Session-Timeout to the NAS and the NAS kicks out the client after expiry of the Session-Timeout value (this is how it's done worldwide). What I am doing is in addition to normal hotspot billing, to be able to make a payment system of some sort - where the user logs in to browse the web, then freeradius gives session-timeout as 30min (of course in seconds). The user may want to buy a scratch card, so he clicks on a link that adds a new record to the 'radacct' table which will cost the user 'minutes' equivalent to, say, 20mins. In the next minute's reauthentication, freeradius will issue a session-timeout of 10mins (or 9mins) - since the user has reduced his online time when he "bought" a scratch card.

pfsense/Monowall have a 'reauthentication' feature and, contrary to what many people think, the user is only presented the login screen once and the NAS 'remembers' the info, and each minute it resends the info to freeradius until radius gives "access-reject". So I can "sell" to the client so long as he has balance. A user who started with 30mins (session-timeout) may end up using the internet for less than 10mins or so if he 'bought' items.

I hope this sheds light.

BTW, now it's working as I wanted - as described above - it was a problem with the "simultaneous use" setting.


Mutheu






On Sat, 24 Mar 2012 07:56:41 +1000
Tim White <timwhite88 at gmail.com> wrote:

> On 21/03/12 18:44, Mutheu wrote:
> > My Setup:
> >
> > -->  FreeRADIUS:  Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct3 2011 at 21:39:42
> > -->  Mysql: Server version: 5.1.51 Source distribution
> > -->  NAS: pfSense 2.0.1 release
> >
> >
> > My Query:
> > I am a bit new to freeradius and I am trying to create a setup where an active session is
> > re-authenticated every minute and a user is kicked if not enough credit.
> To me, this shouldn't require you to re-authenticate every minute. If 
> you are only allowing a single session at a time, then the user should 
> be kicked when either their time or data limit is reached. How do you 
> decide if they have enough "credit"?
> >
> >
> > More Details:
> > Using 'norestcounter' with mysql works very well without the above.
> > Now I would like to implement this idea : http://computing-tips.net/M0n0wall_Captive_Portal_Logout_URL/#onlinestore).
> 
> No offence to this article, but if you have to force a user to relogin, 
> to logout, there is something wrong with the software you are using.
> 
> I'm not sure what monowall/pfsense use to implement a captive portal, 
> but I highly suggest you look at a solution that uses Coova Chilli 
> (chillispot/wifidog, etc) to do captive portals, as it's much better at 
> what it does.
> 
> I'm the developer of the Grase Hotspot project, which internally uses 
> Coova Chilli, I can easily setup easy to remember logout links for 
> users. We can use a domain name that resolves to a special ip address 
> for an instant logout, or just tell the users the ip address (we can 
> define it ourselves).
> 
> Going back to the re-authenticate every minute stuff, we can use 
> something similar for users who are allowed multiple sessions and you 
> still want to enforce data/time limits, however it gets very complex, so 
> we tell hotspot owners they can only have single sessions if they want 
> limits enforced.
> 
> I'm just really confused why you'd try to do it the way you are 
> describing, when there are much easier ways out there that work very 
> well, and are used in thousands of hotspots around the world.
> 
> Feel free to describe to me what you are trying to do from a 
> customer/owner point of view and I'll let you know how I'd set it up for 
> a client.
> 
> Tim
> http://grasehotspot.org/


-- 
Mutheu <mutheu at lavabit.com>
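
The per-minute re-authentication flow described in the message above, as an added example that is not part of the original thread and is not FreeRADIUS or pfSense code: a small simulation in which each re-authentication recomputes Session-Timeout from the 30-minute allowance minus the seconds charged in 'radacct'. Assumptions: the two-column stand-in for the radacct table, the function names, the user name, the check that refuses non-positive or unaffordable purchases, and that the live session's elapsed seconds are known at each re-authentication.

```python
import sqlite3

ALLOWANCE = 30 * 60  # seconds of credit, the 30 min from the message


def make_db():
    # Simplified stand-in for radacct: only the two columns this sketch needs.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctsessiontime INTEGER)")
    return db


def used_seconds(db, user):
    # Seconds already charged to the user, purchases included.
    sql = "SELECT COALESCE(SUM(acctsessiontime), 0) FROM radacct WHERE username = ?"
    return db.execute(sql, (user,)).fetchone()[0]


def reauth(db, user, live_seconds):
    """One re-authentication: returns (reply, Session-Timeout in seconds)."""
    remaining = ALLOWANCE - used_seconds(db, user) - live_seconds
    if remaining <= 0:
        return ("Access-Reject", None)
    return ("Access-Accept", remaining)


def buy(db, user, cost_seconds, live_seconds):
    """Charge a purchase as a radacct row; refuse what the balance cannot cover."""
    if not isinstance(cost_seconds, int) or cost_seconds <= 0:
        raise ValueError("cost must be a positive number of seconds")
    reply, remaining = reauth(db, user, live_seconds)
    if reply != "Access-Accept" or cost_seconds > remaining:
        return False
    db.execute("INSERT INTO radacct VALUES (?, ?)", (user, cost_seconds))
    return True


def demo():
    db = make_db()
    log = [reauth(db, "alice", 0)]               # login: full 30 min
    log.append(buy(db, "alice", 20 * 60, 0))     # 20 min scratch card
    log.append(reauth(db, "alice", 60))          # next minute: 9 min left
    log.append(buy(db, "alice", 10 * 60, 60))    # refused: only 9 min left
    log.append(buy(db, "alice", 8 * 60, 60))     # accepted
    log.append(reauth(db, "alice", 120))         # balance exhausted
    return log


if __name__ == "__main__":
    print(demo())
```
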


More information about the Freeradius-Users mailing list